Hi,
This issue of the SRX's cached resolution of a hostname being different from the actual IP when traffic is received happens mostly when the TTL of the resolved address is very low. There is a difference in behavior on the SRX depending on whether the TTL value of the resolved address is above or below 16.
If the TTL received by the SRX is above 16, the SRX keeps its dns-cache as received. If the TTL received is less than 16, the SRX will update the TTL to 16 even though it received a TTL value of 5. So this can be one example where such issues are observed.
https://kb.juniper.net/InfoCenter/index?page=content&id=KB33986
"Is it possible to set the TTL of the cached entries on the SRX itself? I'd love to force the device to just do a lookup every time it receives traffic, rather than using a cached entry that is incorrect..." -> This is not possible, and for good reasons. Consider that there are a large number of such low-TTL DNS entries; if you do a DNS request at that rate, or whenever you receive traffic, this is going to create performance issues on the device, consuming too many resources (NSD/FLOWD, session scans at a high rate).
Possibilities to resolve this issue are to increase the TTL of those CDNs at the server, or, if the CDNs have a range of IP addresses they always resolve to, to replace the DNS address with that range of addresses in the security policy.
Hope this helps.
Thanks and Regards,
Pradeep Kumar M
|| If this solves your problem, please mark this post as "Accepted Solution" so we can help others too ||
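As an added illustration of the workaround described in the reply above (this is example configuration, not from the original post or from Juniper), the following Junos set-format snippet shows a policy that matches the destination by dns-name next to the same policy rewritten to match the CDN's address ranges instead. The hostname cdn.example.com, the zone names, the policy name and the 203.0.113.0/24 and 198.51.100.0/24 ranges are placeholders; substitute the CDN's published ranges. The lines beginning with `#` are annotations for the reader and are not part of the configuration.

```junos
# Added example, not from the original post. Names and ranges are placeholders.

# Before: the destination is a dns-name address. The SRX resolves it into its
# dns-cache; a response TTL below 16 is held for 16 seconds, so a CDN that
# rotates addresses faster than that can answer with an IP the cache lacks,
# and the flow misses the policy.
set security address-book global address cdn-by-name dns-name cdn.example.com
set security policies from-zone trust to-zone untrust policy allow-cdn match source-address any
set security policies from-zone trust to-zone untrust policy allow-cdn match destination-address cdn-by-name
set security policies from-zone trust to-zone untrust policy allow-cdn match application junos-https
set security policies from-zone trust to-zone untrust policy allow-cdn then permit

# After: the workaround from the reply. Match the CDN's address ranges,
# grouped in an address-set, so no DNS resolution or cache is involved.
set security address-book global address cdn-range-1 range-address 203.0.113.1 to 203.0.113.254
set security address-book global address cdn-prefix-2 198.51.100.0/24
set security address-book global address-set cdn-ranges address cdn-range-1
set security address-book global address-set cdn-ranges address cdn-prefix-2
delete security policies from-zone trust to-zone untrust policy allow-cdn match destination-address cdn-by-name
set security policies from-zone trust to-zone untrust policy allow-cdn match destination-address cdn-ranges
commit
```

Before switching, `show security dns-cache` lists what the SRX currently holds for the dns-name entry and the TTL it is applying, which is a quick way to confirm the 16-second floor on a low-TTL record. After the commit, `show security match-policies` with the zones, a sample destination IP from the range, and the port and protocol can confirm that the range-based policy is the one a flow would hit. The trade-off is that the address-set must be kept in step with the CDN's published ranges, so treat it as a managed object rather than a one-off change.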