What Happens to FQDNs in a Security Policy when DNS Time-to-Live Expires and Device Cannot Reach DNS Server?

Created On 09/25/18 19:43 PM - Last Modified 06/12/23 20:53 PM


Resolution


To demonstrate the FQDN handling on the device when the DNS TTL Expires or when the firewall cannot reach the DNS servers, use the following example:

  • DNS server used: 172.17.132.52
  • Two dummy FQDNs available for resolution:
      • dummy1: box34.plano2003.com resolves to 172.17.128.34
      • dummy2: pa29.plano2003.com resolves to 172.17.128.29

These FQDNs are added to the configuration as address objects and used in a security rule. Once the configuration is committed, the device has resolved the FQDNs, cached the results and assigned each entry the TTL returned by the DNS server:

admin@PA-500-37> request system fqdn show
FQDN Table : Last Request time Tue Dec 11 16:12:28 2012
--------------------------------------------------------------------------------
IP Address              Remaining TTL       Secs Since Refreshed
--------------------------------------------------------------------------------
VSYS : vsys1
box34.plano2003.com (Objectname dummy1):
172.17.128.34           3510                90
pa29.plano2003.com (Objectname dummy2):
172.17.128.29           3510                90

Confirm the DNS server is still reachable:

admin@PA-500-37> ping host 172.17.132.52
PING 172.17.132.52 (172.17.132.52) 56(84) bytes of data.
64 bytes from 172.17.132.52: icmp_seq=1 ttl=127 time=0.941 ms

Force an FQDN refresh to confirm that, while the DNS server is reachable, the FQDNs are refreshed:

admin@PA-500-37> request system fqdn refresh force yes

Verify that the last refresh time updates:

admin@PA-500-37> request system fqdn show
FQDN Table : Last Request time Tue Dec 11 16:12:28 2012
--------------------------------------------------------------------------------
IP Address              Remaining TTL       Secs Since Refreshed
--------------------------------------------------------------------------------
VSYS : vsys1
box34.plano2003.com (Objectname dummy1):
172.17.128.34           3510                90
pa29.plano2003.com (Objectname dummy2):
172.17.128.29           3510                90

Make the DNS server unreachable via the MGT interface and confirm it no longer responds:

admin@PA-500-37> ping host 172.17.132.52
PING 172.17.132.52 (172.17.132.52) 56(84) bytes of data.
From 172.17.128.37 icmp_seq=1 Destination Host Unreachable

With the server unreachable, the TTL continues to count down, yet the entry is not purged:

admin@PA-500-37> request system fqdn show
FQDN Table : Last Request time Tue Dec 11 16:20:03 2012
--------------------------------------------------------------------------------
IP Address              Remaining TTL       Secs Since Refreshed
--------------------------------------------------------------------------------
VSYS : vsys1
box34.plano2003.com (Objectname dummy1):
172.17.128.34           3271                329
pa29.plano2003.com (Objectname dummy2):
172.17.128.29           3271                329

Let the TTL expire while the DNS server remains unreachable. The remaining TTL takes a negative value and keeps counting down, yet the entry is still not purged, so the security policy continues to match on the last resolved address:

admin@PA-500-37> request system fqdn show
FQDN Table : Last Request time Tue Dec 11 16:52:41 2012
--------------------------------------------------------------------------------
IP Address              Remaining TTL       Secs Since Refreshed
--------------------------------------------------------------------------------
VSYS : vsys1
box34.plano2003.com (Objectname dummy1):
172.17.128.34           -33                 3633
pa29.plano2003.com (Objectname dummy2):
172.17.128.29           -33                 3633

The device retries the FQDN refresh at the configured FQDN refresh timer. The default refresh timer is 30 minutes. It can be modified with the following command; a commit is needed after the change.

admin@PA-500-37# set deviceconfig system fqdn-refresh-time
<value> <1800-14399> Seconds for Periodic Timer to refresh expi...
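Because an expired entry stays in the table and keeps being enforced, it is worth checking for negative TTLs rather than assuming the rule is current. The following Python parser is an added example, not code from the article or from PAN-OS: it reads the text of `request system fqdn show` (the sample below is constructed from the article's last table) and lists the entries whose TTL has gone negative.

```python
import re
from dataclasses import dataclass

# Constructed sample of `request system fqdn show` output, modelled on the
# article's last table (DNS server unreachable, TTL already expired).
SAMPLE_OUTPUT = """\
FQDN Table : Last Request time Tue Dec 11 16:52:41 2012
--------------------------------------------------------------------------------
IP Address Remaining TTL Secs Since Refreshed
--------------------------------------------------------------------------------
VSYS : vsys1
box34.plano2003.com (Objectname dummy1):
172.17.128.34 -33 3633
pa29.plano2003.com (Objectname dummy2):
172.17.128.29 -33 3633
"""

@dataclass
class FqdnEntry:
    fqdn: str
    obj: str
    ip: str
    remaining_ttl: int       # negative once the DNS TTL has expired
    secs_since_refresh: int

    def original_ttl(self) -> int:
        # The two columns always add up to the TTL the DNS answer carried.
        return self.remaining_ttl + self.secs_since_refresh

HEADER_RE = re.compile(r"^(\S+) \(Objectname (\S+)\):$")
ROW_RE = re.compile(r"^(\d{1,3}(?:\.\d{1,3}){3})\s+(-?\d+)\s+(\d+)$")

def parse_fqdn_table(text: str) -> list[FqdnEntry]:
    """An address row belongs to the nearest 'fqdn (Objectname ...)' header above it."""
    entries, fqdn, obj = [], "", ""
    for line in text.splitlines():
        m = HEADER_RE.match(line.strip())
        if m:
            fqdn, obj = m.group(1), m.group(2)
            continue
        m = ROW_RE.match(line.strip())
        if m and fqdn:
            entries.append(FqdnEntry(fqdn, obj, m.group(1),
                                     int(m.group(2)), int(m.group(3))))
    return entries

def expired_entries(entries: list[FqdnEntry]) -> list[FqdnEntry]:
    """Entries the firewall still enforces on a stale address: TTL went negative."""
    return [e for e in entries if e.remaining_ttl < 0]
```

Running `expired_entries(parse_fqdn_table(SAMPLE_OUTPUT))` returns both dummy objects, each 33 seconds past its original 3600-second TTL.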

owner: achitwadgi
