FQDN resolution not keeping up with heavily load balanced sites.
7952
Created On 01/25/23 22:44 PM - Last Modified 02/10/25 20:55 PM
Question
Traffic is hitting incorrect policy with FQDN configured in destination. Issue is intermittent and mostly seen with FQDNs with low DNS TTL and frequently changing IP address.
Environment
Security policy with FQDN configured in destination to match the security policy.
Answer
DNS uses caching mechanism on client and DNS servers. When A record is cached on DNS client(host machine) and firewall. It is possible that both firewall and client has different IP addresses. This results in intermittent security policy mismatch. This is working as expected.
Here is an explanation:
Let's say TTL record is 10 seconds
- Firewall will refresh the FQDN every 10 seconds and let's say firewall refreshed the FQDN at 00:00:00 seconds to be IP address a.a.a.a
- Client A at 00:00:00 resolves the FQDN from DNS server and gets IP address as a.a.a.a with TTL 10 seconds.
- Client B at 00:00:05 resolves the FQDN from DNS server and gets IP address as a.a.a.a with TTL 10 seconds.
- Client C at 00:00:n resolves the FQDN from DNS server and gets IP address as a.a.a.a with TTL 10 seconds
At 00:00:10 firewall refreshes FQDN and gets IP address as b.b.b.b
- Client A at 00:00:10 resolves the FQDN from DNS server and gets IP address as b.b.b.b with TTL 10 seconds.
- Client B still has 5 seconds left in the TTL so it's going to use a.a.a.a and will not match the rule at the firewall.
- Client C still has 10-n seconds left in the TTL so it's going to use a.a.a.a and will not match the rule at the firewall.
Additional Information
Use other features like URL filtering or EDL for FQDNs that changes IP address frequently.