Enhanced Security Measures in Place: To ensure a safer experience, we’ve implemented additional, temporary security measures for all users.
08-24-2022 09:13 PM
When I tried resolve the FQDN, abc.com, and it shows 4 IP address of
54.192.150.W,
54.192.150.X,
54.192.150.Y,
54.192.150.Z use this address
ipv6 not resolved.
After I performed 'request system fqdn refresh force yes’
The resolve FQDN shows another 4 IP address of
13.33.33.W
13.33.33.X use this address
13.33.33.Y
13.33.33.Z
ipv6 not resolved
Both range of IP addresses are correct. But why does the firewall not show all the IP associated with the FQDN?
Is there any display limit so that it can only display 4 IP addresses?
08-25-2022 09:05 AM - edited 08-25-2022 09:18 AM
This is because of the DNS server response. abc.com authoritative DNS servers are only providing 4 A record responses at a time, from a larger record set, with 60 second TTL (a "slow" version of fast-flux DNS). The authoritative response also varies depending on where in the country the query is performed (region specific responses).
So if you are using multiple distinct DNS servers, and those DNS servers get authoritative results from different authoritative servers. The local DNS server are frequently going to have different results and you will get whichever version of results responds the fastest. The PA is just working with the final result it got at the moment.
08-24-2022 10:20 PM
Hello @Wenwei_Y
while I can't think of explanation of what you are experiencing, it should not be display limit. The limit is 32 IP addresses: https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClHJCA0
I tried to check a few FQDN objects we have configured and it is returning 8 or more IP addresses.
Kind Regards
Pavel
08-24-2022 11:03 PM
This might be due to how the DNS server itself provides the information. There are services which have dozen on IPs assigned to it.
If one does a name resolution (nslookup on Windows, host on Linux) of mail.office365.com, the result will be different every 10 seconds or so. This permits the provider to distribute to load among the different servers.
If the destination will be called using web protocols, using an URL instead of fqdn might solve the issue. If the application is something different, then you have to fetch all possible IPs and add them to the policy (or an object-group).
08-25-2022 09:05 AM - edited 08-25-2022 09:18 AM
This is because of the DNS server response. abc.com authoritative DNS servers are only providing 4 A record responses at a time, from a larger record set, with 60 second TTL (a "slow" version of fast-flux DNS). The authoritative response also varies depending on where in the country the query is performed (region specific responses).
So if you are using multiple distinct DNS servers, and those DNS servers get authoritative results from different authoritative servers. The local DNS server are frequently going to have different results and you will get whichever version of results responds the fastest. The PA is just working with the final result it got at the moment.
Click Accept as Solution to acknowledge that the answer to your question has been provided.
The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!
These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!
The LIVEcommunity thanks you for your participation!
