NP7 and session-ttl

Forum|Forum|2 years ago
October 16, 2023
1 reply
1310 views

Hello

We have FortiOS 7.0.12, NP7.

We need to reduce ttl of DNS sessions to something below 120s.

Using config system session-ttl for UDP 53 with a value under 120 shows this warning message:

Warning: TTL(60) sent to NPU is limited to 120 seconds, software TTL is unchanged.

The question are:

Is there a way to set session-ttl of UDP 53 to less than 120s on NP7 FortiOS 7.0.x?
What could be the side effects of setting DNS' ttl to 30s in kernel and leave it 120s in NPU?

FortiGate

gggeorge

New Member

There is no way to set the session timeout (TTL) of UDP 53 to less than 120 seconds on NP7 FortiOS 7.0.x. This is because the NPU hardware has a minimum TTL of 120 seconds for UDP 53 sessions.

If you set the TTL to 30 seconds in the kernel and leave it at 120 seconds in the NPU, the NPU will continue to use a TTL of 120 seconds for all UDP 53 sessions. I mean some DNS sessions may last longer than 30 seconds, even if the kernel is configured to use a shorter TTL...

And yup, there are a few potential side effects of setting the DNS TTL to 30 seconds in the kernel - increased network traffic, increased load on the DNS server, and reduced DNS cache hit rate.

Sign up

Login with SSO

Login to the community

Login with SSO

Scanning file for viruses.

This file cannot be downloaded