Issue FQDN address with dns records with short TTL

L1 Bithead

I have configured a firewall rule to allow some servers to SSH to vs-ssh.visualstudio.com so that the servers can use SSH to connect to the git repo of Azure DevOps.

This rule uses an FQDN address object to allow the servers to connect only on SSH to this server. The problem is that this DNS name resolves to 1 IP address, but it changes each time you query (especially if you use Google DNS) and the record has a very short TTL (60 seconds). This means that even if the server and the Palo Alto firewall both use the same DNS proxy to resolve the record, the server could still get a different IP address back than the firewall has stored in the running security policies.

The only solution I can see is to try to override the TTL of the DNS entries and force entries to have a minimum TTL of 10 minutes. Except that I wouldn't know how to do this with just the Palo Alto firewall. DNS proxy has the option to change the TTL in its cache, but that only forces the DNS proxy to cache entries for at most that value.

vs-ssh.visualstudio.com isn't the only DNS record that has this issue. More and more content delivery networks are using this trick (another example is crl.microsoft.com).

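To make the race described in the post concrete, the following is a small simulation added for this page. It is not PAN-OS code and not the poster's; it is a model with labelled assumptions: the firewall re-resolves the FQDN object once per TTL (never faster than a hypothetical `min_refresh` of 30 seconds) and enforces only what it has cached, each client connection performs its own lookup against the same resolver, and the resolver hands out a single A record round-robin from a constructed pool of 192.0.2.x addresses with a 60-second TTL. The `retain_seconds` knob models the "force a longer minimum TTL" idea from the post by keeping every IP seen in the last N seconds instead of only the most recent answer.

```python
"""Toy model of the FQDN-object race (added illustration, not PAN-OS code).

Assumptions, all hypothetical: the firewall re-resolves once per TTL (but
not faster than min_refresh seconds) and permits only the IPs it has
cached; every client connection does its own lookup against the same
resolver; the resolver returns one A record per query, round-robin.
"""
from dataclasses import dataclass
from itertools import cycle
from typing import Dict, Iterator, List, Set


@dataclass(frozen=True)
class DnsAnswer:
    ip: str
    ttl: int


class RoundRobinResolver:
    """Constructed stand-in for a DNS proxy or public resolver that hands out
    one A record per query, rotating through the CDN's address pool."""

    def __init__(self, pool: List[str], ttl: int) -> None:
        self._cycle: Iterator[str] = cycle(pool)
        self.ttl = ttl

    def resolve(self) -> DnsAnswer:
        return DnsAnswer(next(self._cycle), self.ttl)


class FqdnObject:
    """Model of a firewall FQDN address object.

    retain_seconds=0  -> enforce only the most recent answer (the failure
                         mode the post describes).
    retain_seconds=N  -> keep every IP seen in the last N seconds, i.e. the
                         "minimum TTL of 10 minutes" idea from the post.
    """

    def __init__(self, resolver: RoundRobinResolver, min_refresh: int = 30,
                 retain_seconds: int = 0) -> None:
        self.resolver = resolver
        self.min_refresh = min_refresh
        self.retain_seconds = retain_seconds
        self._expiry: Dict[str, int] = {}   # ip -> time at which it is dropped
        self._next_refresh = 0

    def refresh(self, now: int) -> None:
        """Re-resolve once the cached answer's TTL has run out."""
        if now < self._next_refresh:
            return
        ans = self.resolver.resolve()
        if self.retain_seconds == 0:
            self._expiry = {}                # forget the previous answer entirely
        self._expiry[ans.ip] = now + max(ans.ttl, self.retain_seconds)
        self._expiry = {ip: t for ip, t in self._expiry.items() if t > now}
        self._next_refresh = now + max(ans.ttl, self.min_refresh)

    def permits(self, ip: str) -> bool:
        return ip in self._expiry

    def cached_ips(self) -> Set[str]:
        return set(self._expiry)


def simulate(pool: List[str], ttl: int, interval: int, duration: int,
             retain_seconds: int = 0) -> dict:
    """Fire one client SSH connection every `interval` seconds for `duration`
    seconds; firewall and client share one resolver, as in the post."""
    resolver = RoundRobinResolver(pool, ttl)
    fqdn = FqdnObject(resolver, retain_seconds=retain_seconds)
    blocked: List[int] = []
    total = 0
    for now in range(0, duration, interval):
        fqdn.refresh(now)                    # firewall's scheduled re-resolve
        client_ip = resolver.resolve().ip    # the server's own lookup
        total += 1
        if not fqdn.permits(client_ip):
            blocked.append(now)
    return {"total": total, "blocked": len(blocked),
            "first_blocked_at": blocked[:3],
            "firewall_cache": sorted(fqdn.cached_ips())}


# Constructed pool (RFC 5737 documentation addresses), 60 s TTL, one SSH
# connection every 20 s for 10 minutes.
POOL = ["192.0.2.10", "192.0.2.11", "192.0.2.12"]

if __name__ == "__main__":
    print("most-recent answer only:", simulate(POOL, 60, 20, 600))
    print("retain 600 s           :", simulate(POOL, 60, 20, 600, retain_seconds=600))
```

With a three-address pool and the firewall taking one of every four queries, two of every three client connections hit an address the firewall is not currently holding; retaining answers for ten minutes lets the object accumulate the whole pool after the first few refreshes, after which nothing is blocked. The model ignores anything the real firewall may already do to retain multiple answers, so treat the numbers as an illustration of the race, not a measurement of PAN-OS.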