topic Re: DNS Signature Lookup Timeout Error in General Topics

DNS Signature Lookup Timeout Error

ReubenFarrelly — Wed, 19 Aug 2020 00:01:18 GMT

I'm seeing quite a lot of messages logged in the syslog output from my PA VM-100 running PAN-OS 10.0.0:

Aug 19 07:31:29 firewall-1 1,2020/08/19 07:31:29,007051000047085,SYSTEM,general,2560,2020/08/19 07:31:29,,general,,0,0,general,medium,"DNS signature lookup timed out",1461969,0x0,0,0,0,0,,firewall-1,0,0,1970-01-01T10:00:00.000+10:00

What exactly does "DNS signature lookup timed out" mean?

My VM has two local DNS servers configured, which are functioning well and the PA VM has access to do direct external lookups as well if it needs to do so. It is located on the end of a quiet 250/100M internet fibre connection here in Australia, so connectivity and congestion is not an issue.

The DNS Signature Lookup Timeout (ms) value is set to 300 - far far above what should be necessary.

Can anyone explain the traffic flow that might cause this (do these DNS queries go direct, or via configured resolver, and over what transport) ?

If this is an error, how do I go about debugging it to find the root cause?

Thanks,
Reuben

Re: DNS Signature Lookup Timeout Error

VarunRao — Wed, 19 Aug 2020 02:11:57 GMT

Hi Mate,

I would suggest identifying which traffic is causing these errors. Is it legit DNS query being timed out. Worth playing with the timers once more try increasing more, maybe some queries are timing out genuinely.

If it is like hitting a wall again, would suggest getting in touch with Palo TAC. Could be cosmetic bug or genuine misconfiguraton.

Hope that helps,

Re: DNS Signature Lookup Timeout Error

ReubenFarrelly — Mon, 28 Sep 2020 06:37:41 GMT

Thanks VR.

Can you suggest how I would find out what traffic it is? The log message doesn't indicate much other than a DNS query timed out. I'm assuming it is to do with the DNS Security feature.

Can you or anyone else explain the traffic flow behind this feature? I can't find it documented anywhere.

Re: DNS Signature Lookup Timeout Error

acanevari — Thu, 20 May 2021 18:01:48 GMT

Any resolution to this?

Re: DNS Signature Lookup Timeout Error

CyberEye — Sun, 28 Nov 2021 11:33:45 GMT

Hi all,

I am also getting the same error in Paloalto. I changed the DNS signature lookup timeout to 2000 mseconds but still facing the same issue. Let me know if anyone got a solution or actual root cause of the issue

Re: DNS Signature Lookup Timeout Error

nevolex — Tue, 11 Apr 2023 10:11:48 GMT

I am still facing the same issue, i have set the timers to 50000 😞

Re: DNS Signature Lookup Timeout Error

kiwi — Wed, 12 Apr 2023 11:29:49 GMT

Hi @nevolex ,

In DNS security, there is a DP timeout for waiting for the DNS security verdict. When a DNS response comes after the timeout and the FW does not have a verdict, this response lets through. If the verdict is received later and indicates the previously let-through domain was malicious, this log is generated.

You could disable DNS security or set actions to allow. A permanent fix should be available in PAN-OS 10.0.10.

If you're already running a newer PAN-OS version then you might be hitting a different issue and I would recommend reaching out to support.

Hope this helps,

-Kiwi.

Re: DNS Signature Lookup Timeout Error

nevolex — Thu, 13 Apr 2023 09:51:21 GMT

Hi @kiwi

I am using version 10.2.4, how do I set actions to allow please?

I currently whitelisted io.dns.service.paloaltonetworks.com, not to use app-id policy for that (I use service routes for palo alto inband traffic) and some of my policies have app-id with no ssl decryption I noticed a few web services stopped working with app-ids, just too hard to fix when you just want to allow all from trust - to untrust zone 🙂

Than you

Re: DNS Signature Lookup Timeout Error

kiwi — Thu, 13 Apr 2023 10:07:13 GMT

Hi @nevolex ,

You can change the DNS Security actions in the Anti-Spyware profile:

Source: https://docs.paloaltonetworks.com/pan-os/10-2/pan-os-admin/threat-prevention/dns-security/enable-dns-security

You might want to reach out to support to see if you're hitting the same issue as seen in PAN-OS 10.0 or if you're hitting a different issue entirely.

Re: DNS Signature Lookup Timeout Error

nevolex — Wed, 19 Apr 2023 03:21:16 GMT

still having the same issue, very frustrating as Internet drops when that happens

Re: DNS Signature Lookup Timeout Error

nevolex — Fri, 21 Apr 2023 06:51:44 GMT

the issue was very likely related to app-id (default-app) used in the outbound polices, allowing all the ports/ apps for paloato urls resolved the issue (works for 24 hours already without flapping )

Re: DNS Signature Lookup Timeout Error

nevolex — Sat, 22 Apr 2023 08:44:35 GMT

not related to app-id (default-app) , still experience the issues

Re: DNS Signature Lookup Timeout Error

nevolex — Fri, 05 May 2023 21:19:11 GMT

it seems like the issue has been finally resolved by changing the mtu size on the wan interface to 1350bytes

thank