05-17-2022 02:31 PM
Hello Community,
I'm checking to see what everyone is doing for their allow lists for something like an S3 bucket.
Scenario: Let's say my server has no internet access due to policies denying the traffic. I then create an object, FQDN, xyz-s3.amazon[.]com (just as an example), add it to a policy that allows my server to access just that s3 bucket.
Problem: Most of the CDN (Content Delivery Network) providers use FAST DNS switching, which in some cases causes DNS caching issues. This happens because of quick changing FQDNs at the CDN side.
Solutions?
Set the minimum FQDN Refresh timer(sec) to 0 (Zero) https://docs.paloaltonetworks.com/pan-os/9-0/pan-os-new-features/networking-features/fqdn-refresh-re...
Anyone doing this and have you seen any issues? Are you doing something else that is working? I know about custom URLs and plan on doing this as well, however there are many instances where the URL filter will not be hit, i.e. not an HTTP request.
Thanks in advance for your input.
Cheers!
05-18-2022 12:44 PM
I have had the same problem, with fast-flux DNS, and I haven't come up with a good solution. The 0 refresh timer hasn't seemed to be a fix. The problem is 2-fold; one that the DNS TTL is very short, the second that the returned records are a constantly changing subset among a larger group. So you can never be sure that the PA got the same DNS response as the client (particularly if you have multiple DNS servers) and even if the PA and client do get the same DNS right now, 30sec from now the PA will refresh and get a new IP, while the client will still be connected on the old IP (no longer matching the FQDN).
We have several cases where data providers are using data stores on Amazon/Salesforce clusters with fast-flux DNS. A Java app then connects to the data store to pull data... but that breaks on SSL decryption, because the app uses an internal CA certificate store instead of the PC's store, and I can't correctly exempt it from decryption due to the DNS issues. Where I can I have used URL filters instead of address objects, and that seems to work well. Where the traffic isn't HTTP I have had to write a bash script to repeatedly query/build a list of every IP on the fast-flux cluster and then add that as an address group to bypass. Less than ideal, and every few weeks to months it breaks and has to be redone.
05-18-2022 02:11 PM
I haven't found a great way of dealing with these sorts of situations. If you use FQDN you'll occasionally have things get out of sync between the firewall and the client (which may not matter depending on requirements), and URL Categories as you mentioned will only work with an HTTP request.
I've been using EDLs as a solution for this and using an external script to feed addresses for the EDL with the firewall. The firewall only supports updating the EDLs every five minutes, but you can speed that up by dropping it to manual and using the API to request the refresh of the EDL on a more frequent basis. Not really solving the issue, but it gets closer to working without as many issues.
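The two replies above both describe the same workaround for non-HTTP traffic: repeatedly resolve the fast-flux name, accumulate every address ever returned, and publish the union as an address group or EDL. The script below is an added illustration of that accumulation step, not code from either poster; it assumes a file of one IP per line (the EDL IP-list layout, with `#` comment lines ignored by convention of this example) and an injectable resolver so the merge logic can be checked without live DNS. The placeholder name `xyz-s3.amazon.com` is the example FQDN from the original question.

```python
"""Accumulate every address a fast-flux FQDN resolves to into an EDL-style IP list."""
import ipaddress
import socket
import time
from pathlib import Path


def resolve_fqdn(fqdn):
    """Return the set of A/AAAA addresses the local resolver currently returns for fqdn.
    Each call sees only the subset the CDN hands out right now; later calls differ."""
    addrs = set()
    for family, _, _, _, sockaddr in socket.getaddrinfo(fqdn, None):
        if family in (socket.AF_INET, socket.AF_INET6):
            addrs.add(str(ipaddress.ip_address(sockaddr[0])))
    return addrs


def merge_addresses(existing, newly_seen):
    """Union of old and new answers, de-duplicated and sorted (by family, then value)
    so the output file is stable and a diff shows only genuinely new addresses."""
    merged = {ipaddress.ip_address(a) for a in set(existing) | set(newly_seen)}
    return [str(a) for a in sorted(merged, key=lambda a: (a.version, a))]


def load_edl(path):
    """Read the current list; a missing file means an empty list."""
    text = Path(path).read_text() if Path(path).exists() else ""
    return [ln.strip() for ln in text.splitlines() if ln.strip() and not ln.startswith("#")]


def collect(fqdn, rounds, interval_sec, resolver=resolve_fqdn):
    """Query `rounds` times, `interval_sec` apart, keeping every address seen."""
    seen = set()
    for i in range(rounds):
        seen |= resolver(fqdn)
        if i + 1 < rounds:
            time.sleep(interval_sec)
    return seen


def update_edl(path, fqdn, rounds=10, interval_sec=5, resolver=resolve_fqdn):
    """Merge this run's answers into the EDL file and return the full list written."""
    merged = merge_addresses(load_edl(path), collect(fqdn, rounds, interval_sec, resolver))
    Path(path).write_text("\n".join(merged) + "\n")
    return merged


if __name__ == "__main__":
    # Hypothetical bucket name from the thread; a real run needs DNS access.
    print(update_edl("s3-allowlist.txt", "xyz-s3.amazon.com", rounds=3, interval_sec=2))
```

The file only ever grows, which is the trade-off both posters describe: the allow list stays valid across rotations, but stale addresses accumulate until someone prunes it, and the firewall still has to be told to re-fetch the EDL on its own schedule.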