Is there entry limit when resolving FQDN?

cancel
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Palo Alto Networks Approved
Palo Alto Networks Approved
Community Expert Verified
Community Expert Verified

Is there entry limit when resolving FQDN?

L0 Member

When I tried resolve the FQDN, abc.com, and it shows 4 IP address of

54.192.150.W, 

54.192.150.X, 

54.192.150.Y, 

54.192.150.Z                  use this address

ipv6 not resolved.

 

After I performed 'request system fqdn refresh force yes’

 

The resolve FQDN shows another 4 IP address of 

13.33.33.W

13.33.33.X              use this address

13.33.33.Y

13.33.33.Z

ipv6 not resolved

 

Both range of IP addresses are correct. But why does the firewall not show all the IP associated with the FQDN?

 

Is there any display limit so that it can only display 4 IP addresses?

1 accepted solution

Accepted Solutions

L6 Presenter

This is because of the DNS server response. abc.com authoritative DNS servers are only providing 4 A record responses at a time, from a larger record set, with 60 second TTL (a "slow" version of fast-flux DNS). The authoritative response also varies depending on where in the country the query is performed (region specific responses).

 

So if you are using multiple distinct DNS servers, and those DNS servers get authoritative results from different authoritative servers. The local DNS server are frequently going to have different results and you will get whichever version of results responds the fastest. The PA is just working with the final result it got at the moment.

View solution in original post

3 REPLIES 3

Cyber Elite
Cyber Elite

Hello @Wenwei_Y

 

while I can't think of explanation of what you are experiencing, it should not be display limit. The limit is 32 IP addresses: https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClHJCA0

 

I tried to check a few FQDN objects we have configured and it is returning 8 or more IP addresses. 

 

Kind Regards

Pavel

Help the community: Like helpful comments and mark solutions.

L4 Transporter

This might be due to how the DNS server itself provides the information. There are services which have dozen on IPs assigned to it.

If one does a name resolution (nslookup on Windows, host on Linux) of mail.office365.com, the result will be different every 10 seconds or so. This permits the provider to distribute to load among the different servers.

If the destination will be called using web protocols, using an URL instead of fqdn might solve the issue. If the application is something different, then you have to fetch all possible IPs and add them to the policy (or an object-group).

 

L6 Presenter

This is because of the DNS server response. abc.com authoritative DNS servers are only providing 4 A record responses at a time, from a larger record set, with 60 second TTL (a "slow" version of fast-flux DNS). The authoritative response also varies depending on where in the country the query is performed (region specific responses).

 

So if you are using multiple distinct DNS servers, and those DNS servers get authoritative results from different authoritative servers. The local DNS server are frequently going to have different results and you will get whichever version of results responds the fastest. The PA is just working with the final result it got at the moment.

  • 1 accepted solution
  • 3059 Views
  • 3 replies
  • 0 Likes
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!