topic Is there entry limit when resolving FQDN? in General Topics

Is there entry limit when resolving FQDN?

Wenwei_Y — Thu, 25 Aug 2022 04:13:10 GMT

When I tried resolve the FQDN, abc.com, and it shows 4 IP address of

54.192.150.W,

54.192.150.X,

54.192.150.Y,

54.192.150.Z use this address

ipv6 not resolved.

After I performed 'request system fqdn refresh force yes’

The resolve FQDN shows another 4 IP address of

13.33.33.W

13.33.33.X use this address

13.33.33.Y

13.33.33.Z

ipv6 not resolved

Both range of IP addresses are correct. But why does the firewall not show all the IP associated with the FQDN?

Is there any display limit so that it can only display 4 IP addresses?

Re: Is there entry limit when resolving FQDN?

PavelK — Thu, 25 Aug 2022 05:20:09 GMT

Hello @Wenwei_Y

while I can't think of explanation of what you are experiencing, it should not be display limit. The limit is 32 IP addresses: https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClHJCA0

I tried to check a few FQDN objects we have configured and it is returning 8 or more IP addresses.

Kind Regards

Pavel

Re: Is there entry limit when resolving FQDN?

JoergSchuetter — Thu, 25 Aug 2022 06:03:47 GMT

This might be due to how the DNS server itself provides the information. There are services which have dozen on IPs assigned to it.

If one does a name resolution (nslookup on Windows, host on Linux) of mail.office365.com, the result will be different every 10 seconds or so. This permits the provider to distribute to load among the different servers.

If the destination will be called using web protocols, using an URL instead of fqdn might solve the issue. If the application is something different, then you have to fetch all possible IPs and add them to the policy (or an object-group).

Re: Is there entry limit when resolving FQDN?

Adrian_Jensen — Thu, 25 Aug 2022 16:18:21 GMT

This is because of the DNS server response. abc.com authoritative DNS servers are only providing 4 A record responses at a time, from a larger record set, with 60 second TTL (a "slow" version of fast-flux DNS). The authoritative response also varies depending on where in the country the query is performed (region specific responses).

So if you are using multiple distinct DNS servers, and those DNS servers get authoritative results from different authoritative servers. The local DNS server are frequently going to have different results and you will get whichever version of results responds the fastest. The PA is just working with the final result it got at the moment.