SRX


Ask questions and share experiences about the SRX Series, vSRX, and cSRX.
  • 1.  Setting the TTL for DNS Records Stored in the SRX's Cache from Security Policy Lookups

    Posted 05-01-2020 13:06

    Hi All,

     

    I am using DNS for some address book entries used in security policies. However, I am repeatedly running into issues where the cached resolution of the hostname on the SRX is different from what it is when traffic is received. This happens frequently with CDNs and is a little outside of my control. There have been some posts regarding this in the past, but those have not come to any resolution, so I figured I'd bring this topic up again. Is it possible to set the TTL of the cached entries on the SRX itself? I'd love to force the device to just do a lookup every time it receives traffic, rather than using a cached entry that is incorrect...



  • 2.  RE: Setting the TTL for DNS Records Stored in the SRX's Cache from Security Policy Lookups
    Best Answer

     
    Posted 05-02-2020 00:37

    Hi,

     

    This issue of the SRX's cached resolution of a hostname being different from the actual IP when traffic is received happens mostly when the TTL of the resolved address is very low. There is a difference in behavior on the SRX depending on whether the TTL value of the resolved address is above or below 16.

     

    If the TTL received by the SRX is above 16, the SRX keeps its dns-cache as it received it. If the TTL received is less than 16, the SRX will update the TTL to 16 even though it received a TTL value of 5. So this can be one example where such issues are observed.

    https://kb.juniper.net/InfoCenter/index?page=content&id=KB33986

     

    "Is it possible to set the TTL of the cached entries on the SRX itself? I'd love to force the device to just do a lookup every time it receives traffic, rather than using a cached entry that is incorrect..." -> This is not possible, and for good reasons. Consider that there are a large number of such low-TTL DNS entries; if you do a DNS request at that rate, or whenever you receive traffic, this is going to create performance issues on the device, consuming too many resources (NSD/FLOWD, session scans at a high rate).

     

    Possibilities to resolve this issue are to increase the TTL of those CDNs at the server or, if the CDNs have a range of IP addresses they always resolve to, you can replace the DNS address with that range of addresses in the security policy.

     

    Hope this helps.

     

    Thanks and Regards,

    Pradeep Kumar M

     

    || If this solves your problem, please mark this post as "Accepted Solution" so we can help others too ||
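
The TTL floor and the static-prefix workaround from the answer above, as an added example that is not part of the original thread and is not Juniper code. It assumes a simplified CDN that moves to the next address in a pool every record-TTL seconds; the function names are hypothetical and the addresses are constructed from documentation ranges.

```python
import ipaddress

SRX_TTL_FLOOR = 16  # seconds; the floor described in the answer above

def effective_ttl(received_ttl):
    """TTL the cache holds an entry for: values below the floor are raised to it."""
    return max(received_ttl, SRX_TTL_FLOOR)

def authoritative_answer(pool, record_ttl, t):
    """Assumed CDN model: the answer moves to the next pool address every record_ttl seconds."""
    return pool[(t // record_ttl) % len(pool)]

def stale_seconds(pool, record_ttl, horizon):
    """Seconds within [0, horizon) where the cached address differs from the live answer."""
    stale, cached, expires = 0, None, 0
    for t in range(horizon):
        if t >= expires:  # cache entry expired: resolve again
            cached = authoritative_answer(pool, record_ttl, t)
            expires = t + effective_ttl(record_ttl)
        if cached != authoritative_answer(pool, record_ttl, t):
            stale += 1
    return stale

def uncovered(observed, prefixes):
    """Observed addresses that no candidate static prefix contains."""
    nets = [ipaddress.ip_network(p) for p in prefixes]
    return [a for a in observed
            if not any(ipaddress.ip_address(a) in n for n in nets)]

# Constructed sample data (documentation address ranges, not real CDN addresses).
POOL = ["192.0.2.10", "192.0.2.77", "198.51.100.5"]

if __name__ == "__main__":
    for ttl in (5, 16, 60):
        print(f"record TTL {ttl:>2}s -> cached for {effective_ttl(ttl)}s, "
              f"stale {stale_seconds(POOL, ttl, 48)}s of 48s")
    print("not covered by 192.0.2.0/24:", uncovered(POOL, ["192.0.2.0/24"]))
```

Before replacing a DNS address-book entry with fixed prefixes, feed `uncovered` the addresses actually seen over a long sampling period; any non-empty result means the candidate prefixes would drop legitimate traffic.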

     



  • 3.  RE: Setting the TTL for DNS Records Stored in the SRX's Cache from Security Policy Lookups

    Posted 05-04-2020 11:27

    Thanks for the response, Pradeep. I understand the concerns about potential performance issues; makes sense to me. I agree the best option here would be to adjust the TTL at the server level. Just wanted to see if it could be done on the SRX level.

     

    Thanks.