Why is the TTL value of DNS packets sometimes changed to 30 seconds?
Created On 03/13/23 04:26 AM - Last Modified 04/30/24 19:28 PM
Question
Why is the TTL value of DNS packets sometimes changed to 30 seconds?
Environment
- PA-Series Next-Generation Firewall
- PAN-OS 10.2
- DNS Security
Answer
- If the firewall has a DNS Security license and an Anti-Spyware profile with DNS Security enabled is applied to the DNS traffic, each DNS query is checked against the DNS signatures in the cloud (real-time signature lookup) rather than only against the locally installed content.
- If the cloud does not answer before the lookup timeout expires, the firewall does not hold or drop the DNS response; it still passes the response to the client, but rewrites the TTL of that DNS packet to 30 seconds. The short TTL keeps the client's resolver from caching an answer that never received a verdict for long: the next query for the name is sent again shortly and gets another chance at a cloud lookup.
- The 30-second value is fixed and cannot be adjusted.
- The lookup timeout itself is configured at the following setting:
Device > Setup > Content-ID > Realtime Signature Lookup > DNS Signature Lookup Timeout (ms)
- Domains can be excluded from the cloud signature lookup (and therefore from the TTL rewrite) at the following setting:
Objects > Anti-Spyware > [Profile] > DNS Exceptions > DNS Domain/FQDN Allow list
- The global counter "ctd_dns_modify_ttl" increments each time a TTL is rewritten, so it can be used to confirm that lookup timeouts are the cause when clients report 30-second TTLs.
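Seen from the client side, the rewrite shows up as DNS answers whose records all carry a TTL of exactly 30 seconds. The script below is an added example, not part of this article or of any Palo Alto Networks tool: it parses DNS responses in RFC 1035 wire format with the standard library only, lists the TTL of every answer record, and flags responses whose TTLs all equal 30, so it can be run offline on response bytes pulled from a packet capture taken between the client and the firewall. The two responses it builds for itself (a normal answer with a 3600-second TTL and one that looks rewritten) are constructed here for illustration; the name, address and query ID are made-up values.

```python
"""Spot the 30-second TTL rewrite in raw DNS responses (added example)."""
import struct

REWRITE_TTL = 30  # the fixed value PAN-OS applies on a cloud lookup timeout


def _read_name(data: bytes, offset: int):
    """Decode a possibly compressed domain name; return (name, next_offset)."""
    labels = []
    jumped = False
    end = offset
    while True:
        length = data[offset]
        if length & 0xC0 == 0xC0:                      # compression pointer
            pointer = struct.unpack_from("!H", data, offset)[0] & 0x3FFF
            if not jumped:
                end = offset + 2                       # pointer is 2 bytes long
            jumped = True
            offset = pointer
            continue
        offset += 1
        if length == 0:                                # root label ends the name
            if not jumped:
                end = offset
            break
        labels.append(data[offset:offset + length].decode("ascii"))
        offset += length
    return ".".join(labels), end


def answer_ttls(packet: bytes):
    """Return [(name, rrtype, ttl), ...] for every RR in the answer section."""
    _id, flags, qdcount, ancount, _ns, _ar = struct.unpack_from("!6H", packet, 0)
    if flags & 0x8000 == 0:
        raise ValueError("not a DNS response (QR bit is clear)")
    offset = 12                                        # fixed header length
    for _ in range(qdcount):                           # skip the question section
        _, offset = _read_name(packet, offset)
        offset += 4                                    # QTYPE + QCLASS
    records = []
    for _ in range(ancount):
        name, offset = _read_name(packet, offset)
        rrtype, _cls, ttl, rdlen = struct.unpack_from("!HHIH", packet, offset)
        offset += 10 + rdlen                           # fixed RR fields + RDATA
        records.append((name, rrtype, ttl))
    return records


def looks_rewritten(packet: bytes) -> bool:
    """True when every answer RR carries exactly REWRITE_TTL seconds."""
    ttls = [ttl for _, _, ttl in answer_ttls(packet)]
    return bool(ttls) and all(t == REWRITE_TTL for t in ttls)


def _encode_name(name: str) -> bytes:
    out = b""
    for label in name.strip(".").split("."):
        out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"


def build_response(qname: str, ttl: int, addr: str) -> bytes:
    """Build a minimal one-answer A-record response (constructed test input)."""
    header = struct.pack("!6H", 0x1234, 0x8180, 1, 1, 0, 0)   # QR=1, RD/RA set
    question = _encode_name(qname) + struct.pack("!HH", 1, 1)  # A, IN
    rdata = bytes(int(octet) for octet in addr.split("."))
    # 0xC00C: compression pointer back to the name at offset 12 (the question)
    answer = b"\xC0\x0C" + struct.pack("!HHIH", 1, 1, ttl, len(rdata)) + rdata
    return header + question + answer


if __name__ == "__main__":
    samples = {
        "normal answer": build_response("example.com", 3600, "192.0.2.10"),
        "after lookup timeout": build_response("example.com", 30, "192.0.2.10"),
    }
    for label, pkt in samples.items():
        print(label, answer_ttls(pkt), "rewritten:", looks_rewritten(pkt))
```

A TTL of 30 from a capture is only a hint, since an authoritative server may legitimately publish that value; correlate it with the firewall side by reading the counter from the CLI with show counter global filter value all | match ctd_dns_modify_ttl, and repeat the query to see whether the counter moves.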