Maybe not exactly what you was searching for but;
DNS lookups work pretty well for minor sites. But for larger use-cases such as Microsoft Azure services or Github, you need to either use dynamic address groups or build application that checks the SNI-header and permit/deny the traffic.
There is information in the documentation that if caches all recordes when resolving. And from my experience it works, but as mentioned above, if the next lookup would give another set of IPs, then they might not match what the client is trying to access.
Original Message:
Sent: 04-06-2021 15:45
From: John Gerro
Subject: SRX dns lookup on domain names defined in security policy
Hi,
SRX allows users to define address book entries with FQDNs, I am wondering how this works in the background at scale, from the documentation, SRX will do a DNS lookup whenever a packet comes into SRX, I imagine that would significantly delay the packet processing and is that necessary? should Junos reasonably trust the TTL of a DNS record and only do look ups when cache expires? or Junos will run a background kind of cron job to scan all FQDNs and periodically resolve those FQDNs to IP addresses and update packet processing engine (i.e. SPU)?
Thanks,
JG
------------------------------
John Gerro
------------------------------