Hello,
I set up the DNS proxy on the Juniper in order to have the same resolution of my S3 bucket IP on my firewall/client; this is working well. As the TTL of this domain, for example
s3.us-east-1.amazonaws.com, is 7 seconds, it was necessary to make sure the client/firewall resolve the same IP at the same time.
But I'm facing a big problem with a policy that doesn't match the destination IP (S3). If I run this command:
> show security policies policy-name mypolicy detail
....
Destination addresses:
s3: 52.217.68.118/32
...
The IP shown here is updated every 20 seconds, while the TTL is much lower, and if I try to ping this domain from my Juniper I see the IP changing every x seconds.
So why does the policy update every 20 seconds and not when the DNS resolution catches a new IP?
What is the purpose of that? How can I make sure the policy updates the destination IP when the DNS cache expires and not after 20 seconds?
There is no indicator anywhere saying that it must update the policy destination address after 20 seconds; I just counted.
Thank you,
------------------------------
Oliver Duruiss
------------------------------
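To quantify the mismatch the post describes, here is a small model (added example, not the poster's configuration and not Junos code) of a DNS-name address-book entry that is re-resolved on a fixed poll interval against a DNS record whose answer rotates every TTL. The 7 second TTL and 20 second refresh are the values from the post; the rotating answer set, the aligned-rotation assumption and the function names are constructed for illustration. It counts how many seconds, over one full cycle, the firewall's policy address differs from what a client resolving at TTL expiry would see.

```python
"""Model: fixed-interval policy refresh vs. a DNS record rotating every TTL.

Constructed example, not Junos behaviour or configuration. Assumes the
authoritative answer changes exactly at TTL boundaries and that the
firewall re-resolves the dns-name entry every `refresh` seconds starting
at t = 0.
"""

# Constructed answer set; only the first address appears in the original post.
ANSWERS = ["52.217.68.118", "52.216.0.10", "3.5.1.2"]
TTL_SECONDS = 7        # TTL of s3.us-east-1.amazonaws.com as stated in the post
REFRESH_SECONDS = 20   # observed policy refresh interval from the post


def rotating_record(answers, ttl):
    """Return a resolver: the authoritative answer at time t rotates every ttl seconds."""
    def resolve(t):
        return answers[(t // ttl) % len(answers)]
    return resolve


def policy_address(resolve, refresh, t):
    """Address held in the policy at time t when the entry is re-resolved every `refresh` seconds."""
    last_refresh = (t // refresh) * refresh
    return resolve(last_refresh)


def stale_seconds(answers, ttl, refresh, horizon):
    """Seconds in [0, horizon) where the policy address differs from the current record.

    A client that honours the TTL re-resolves at every boundary, so the
    current record is what the client is connecting to.
    """
    resolve = rotating_record(answers, ttl)
    return sum(
        1 for t in range(horizon)
        if policy_address(resolve, refresh, t) != resolve(t)
    )


def stale_windows(answers, ttl, refresh, horizon):
    """List of (start, end) second ranges during which the policy address is stale."""
    resolve = rotating_record(answers, ttl)
    windows, start = [], None
    for t in range(horizon):
        stale = policy_address(resolve, refresh, t) != resolve(t)
        if stale and start is None:
            start = t
        elif not stale and start is not None:
            windows.append((start, t))
            start = None
    if start is not None:
        windows.append((start, horizon))
    return windows


if __name__ == "__main__":
    # One full cycle of both periods: lcm(7, 20) = 140 seconds.
    horizon = 140
    for refresh in (REFRESH_SECONDS, TTL_SECONDS):
        stale = stale_seconds(ANSWERS, TTL_SECONDS, refresh, horizon)
        print(f"refresh={refresh:2d}s: policy stale {stale}/{horizon} s "
              f"({100 * stale / horizon:.0f}%)")
    print("stale windows at 20 s refresh:",
          stale_windows(ANSWERS, TTL_SECONDS, REFRESH_SECONDS, horizon))
```

With a 20 second refresh the policy address is wrong for most of each cycle, so traffic to the address the client actually resolved falls through to whatever policy sits below `mypolicy`; refreshing at the TTL (7 seconds, aligned with the record) removes the gap entirely in this model. In practice the only robust fix is an address-book mechanism that re-resolves at TTL expiry, or a policy that matches on something broader than a single 7 second address.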