FortiGate
JianWu
Staff
Article Id 333706
Description

This article describes an issue with FQDN-based address objects in firewall policies when the DNS TTL of the FQDN is very short, and how to address it.

FQDN-based address objects are convenient in firewall policy. In many cases an FQDN resolves to a list of IPs, and the default settings work well. In some cases, however, the DNS response contains only one IP and the DNS TTL is very short, as low as 5 seconds (common for cloud-based FQDNs).

With the default settings this causes a problem: the client's DNS query and the FortiGate's DNS query can return different IPs, and when they do, the firewall policy is not hit because the IP the client connects to is not in the FortiGate FQDN cache.

Scope

FortiGate, FQDN, DNS TTL.
Solution

There are a few options to make sure that the IP a user resolves is also present in the FortiGate FQDN cache.

  1. Change cache-ttl for an individual FQDN type address object. This is an option if only a limited number of FQDN objects have this issue:

 

config firewall address
    edit "FQDN_s3-fips.us-gov-west-1.amazonaws.com/"
        set type fqdn
        set fqdn "s3-fips.us-gov-west-1.amazonaws.com"
        set cache-ttl 86400  <----- Default value is 0.
    next
end

 

In the example above, the default cache-ttl is 0, which means the object uses the global setting fqdn-cache-ttl under 'config system dns' (available since FortiOS 7.2).

The default value of fqdn-cache-ttl is also 0, which means the TTL from the DNS response is used. In this case that is 5 seconds, which is very short.

To overcome this, set cache-ttl on each affected FQDN type address object; the per-object value takes priority over the global fqdn-cache-ttl.

 

Related document:

config firewall address

 

  2. Change fqdn-cache-ttl in the global DNS setting.

If many FQDN-based address objects have this issue, it is easier to change the global setting. cache-ttl can still be customized per object if needed:

 

config system dns
    set primary 208.91.112.53
    set secondary 8.8.8.8
    set dns-cache-limit 5000
    set dns-cache-ttl 1800
    set fqdn-cache-ttl 0
    set fqdn-min-refresh 60
end

 

Note:

When choosing the value for fqdn-cache-ttl or cache-ttl, longer is not necessarily better (the maximum is 86400). For a service with a stable set of IPs a long value is fine. For a dynamic cloud-based service, choose a value that is small enough that, when the provider removes an IP from the record, the stale entry does not stay in the FQDN cache for too long: for as long as it is cached, traffic to that IP still matches any policy that references the object, even if the provider has since reassigned the address.

 

Notes on a few important settings here:

  • dns-cache-limit 5000: The default is adequate. If memory is not a concern, increasing it lets FortiGate hold more entries in the DNS cache, which improves DNS response time once the default limit would otherwise be reached. To view the configured dns-cache-limit, use the following command:

 

diag test application dnsproxy 3

 

  • dns-cache-ttl 1800: This is the default TTL for entries in the regular DNS cache (as opposed to the FQDN cache); the cache can be inspected with the command below. When this value is changed, the DNS cache is cleared and refreshed. In the output, the per-IP ttl=116 values are the TTL returned by the DNS server, and the 1799 in the header line is the remaining cache lifetime counting down from dns-cache-ttl 1800.

 

diagnose test application dnsproxy 7
worker idx: 0
vfid=0, name=www.youtube.com, ttl=116:116:1799
142.251.116.91 (ttl=116) 142.250.113.91 (ttl=116) 142.250.114.91 (ttl=116) 142.250.114.93 (ttl=116) 142.250.113.136 (ttl=116)
142.250.115.91 (ttl=116) 142.250.114.136 (ttl=116) 142.250.113.93 (ttl=116) 142.250.115.93 (ttl=116) 142.250.138.93 (ttl=116)
142.251.116.190 (ttl=116) 142.251.116.93 (ttl=116) 142.250.115.136 (ttl=116) 142.250.114.190 (ttl=116) 142.251.116.136 (ttl=116)
142.250.113.190 (ttl=116)

 

  • fqdn-min-refresh 60: The minimum interval (in seconds) between FortiGate's re-queries of an FQDN; 60 is the default. Even when the DNS TTL of the FQDN is 5 seconds, FortiGate will not re-query more often than this. The actual query is sent 5 seconds before the interval expires, so with the default setting it is sent every 55 seconds.
  • fqdn-cache-ttl 0: Explained above. The effective value for each object can be checked with the command shown below (cache_ttl in the header line).

In the example below, the FQDN has 124 active IPs in the FQDN cache. Since each query returns only one IP, it takes time after the object is created before all possible IPs have been learned. Until then, a user may still resolve to an IP that is not yet in the FortiGate FQDN cache, and in that case the firewall policy will not be hit.

To shorten this initial learning period, reduce fqdn-min-refresh. Remember that this setting is global and affects all VDOMs.
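The following simulation is an added example written for this article, not FortiOS code. It models the situation described above with the page's own numbers (124 A records, DNS TTL 5 seconds, fqdn-min-refresh 60 so a query every 55 seconds) and compares the policy hit ratio with the default cache-ttl 0 (the entry lives only for the DNS TTL) against cache-ttl 86400. It also estimates how long the initial learning period is for a given fqdn-min-refresh. The assumptions, labelled in the code, are that the DNS server returns one uniformly random record per query, that the client resolves the name itself at each connection, and that the client connects every 300 seconds.

```python
"""Model of the FQDN cache race: client resolves one IP, FortiGate caches another.

Added example, not FortiOS code. Assumptions (not from the article): the DNS
server returns ONE uniformly random A record per query; the client resolves
the name itself at connection time; the client connects every 300 s.
Record count, DNS TTL and refresh interval are the article's numbers.
"""
import random


class FqdnCacheModel:
    def __init__(self, n_records=124, dns_ttl=5, min_refresh=60, cache_ttl=0, seed=1):
        self.n_records = n_records              # A records behind the FQDN (124 in the article)
        self.dns_ttl = dns_ttl                  # TTL carried in the DNS response (5 s)
        self.query_interval = min_refresh - 5   # article: query is sent 5 s before fqdn-min-refresh expires
        self.cache_ttl = cache_ttl              # address-object cache-ttl; 0 = follow the DNS TTL
        self.seed = seed
        self.expiry = {}                        # record index -> absolute time the entry is dropped

    def effective_ttl(self):
        return self.cache_ttl if self.cache_ttl > 0 else self.dns_ttl

    def fortigate_query(self, now, rng):
        # One random record comes back; (re)arm its cache timer from "now".
        ip = rng.randrange(self.n_records)
        self.expiry[ip] = now + self.effective_ttl()

    def cached_ips(self, now):
        return {ip for ip, t in self.expiry.items() if t > now}

    def simulate(self, duration=86400, client_interval=300):
        """Return (policy hit ratio over the run, number of IPs cached at the end)."""
        rng = random.Random(self.seed)
        self.expiry.clear()
        hits = attempts = 0
        next_query = 0
        for now in range(0, duration, client_interval):
            while next_query <= now:            # replay FortiGate refreshes due by now
                self.fortigate_query(next_query, rng)
                next_query += self.query_interval
            client_ip = rng.randrange(self.n_records)   # client's own, independent lookup
            attempts += 1
            if client_ip in self.cached_ips(now):       # policy matches only a cached IP
                hits += 1
        return hits / attempts, len(self.cached_ips(duration))


def expected_warmup_seconds(n_records, query_interval):
    """Expected time until every record has been seen at least once.
    One record per query, so this is the coupon-collector value n * H_n queries."""
    harmonic = sum(1.0 / k for k in range(1, n_records + 1))
    return n_records * harmonic * query_interval


if __name__ == "__main__":
    for label, ttl in (("cache-ttl 0 (follows DNS TTL 5)", 0), ("cache-ttl 86400", 86400)):
        rate, cached = FqdnCacheModel(cache_ttl=ttl).simulate()
        print(f"{label}: policy hit ratio {rate:.1%}, {cached} IPs cached after 24 h")
    for min_refresh in (60, 30):   # 30 is an illustrative value, not a recommendation
        hours = expected_warmup_seconds(124, min_refresh - 5) / 3600
        print(f"fqdn-min-refresh {min_refresh}: ~{hours:.1f} h to learn all 124 IPs")
```

With the default cache-ttl the FortiGate cache is empty for 50 of every 55 seconds and holds at most one IP, so almost no client connection matches. With cache-ttl 86400 the cache fills up over roughly ten hours at the default refresh interval, which is the learning period the text refers to; halving fqdn-min-refresh roughly halves it.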

 

In the example below, min_ttl from the DNS server is 5 seconds and cache_ttl (set under the address object) is 86400. For the first entry, 108.175.48.22 (ttl=5:0:55356), 55356 seconds remain before it is removed from the FQDN cache:

 

Forti (global) # diagnose test application dnsproxy 6
worker idx: 0
vfid=0 name=s3-fips.us-gov-west-1.amazonaws.com ver=IPv4 wait_list=0 timer=16 min_refresh=60 min_ttl=5 cache_ttl=86400 slot=-1 num=124 wildcard=0
108.175.48.22 (ttl=5:0:55356) 108.175.49.22 (ttl=5:0:57062) 108.175.48.66 (ttl=5:0:58713) 108.175.48.38 (ttl=5:0:60860) 108.175.48.74 (ttl=5:0:61741)
108.175.50.22 (ttl=5:0:63282) 108.175.49.6 (ttl=5:0:67191) 108.175.49.50 (ttl=5:0:67466) 108.175.49.66 (ttl=5:0:68402) 108.175.50.14 (ttl=5:0:68787) 108.175.49.46 (ttl=5:0:68952)
108.175.50.26 (ttl=5:0:69943) 108.175.50.166 (ttl=5:0:70988) 108.175.49.54 (ttl=5:0:71098) 108.175.50.6 (ttl=5:0:72199) 108.175.50.38 (ttl=5:0:72585) 108.175.48.194 (ttl=5:0:73025)
108.175.48.90 (ttl=5:0:73190) 108.175.49.86 (ttl=5:0:74291) 108.175.48.50 (ttl=5:0:75337) 108.175.48.62 (ttl=5:0:75447) 108.175.48.94 (ttl=5:0:75667) 108.175.48.190 (ttl=5:0:75887)
108.175.49.150 (ttl=5:0:75917) 108.175.50.78 (ttl=5:0:76217) 108.175.50.42 (ttl=5:0:76603) 108.175.49.134 (ttl=5:0:76768) 108.175.49.10 (ttl=5:0:76988) 108.175.50.2 (ttl=5:0:77043)
108.175.49.166 (ttl=5:0:77263) 108.175.48.70 (ttl=5:0:77318) 108.175.48.6 (ttl=5:0:77373) 108.175.49.170 (ttl=5:0:77538) 108.175.50.194 (ttl=5:0:77648) 108.175.50.10 (ttl=5:0:77814)
108.175.49.162 (ttl=5:0:77924) 108.175.49.178 (ttl=5:0:78488) 108.175.50.82 (ttl=5:0:78873) 108.175.48.134 (ttl=5:0:79038) 108.175.48.186 (ttl=5:0:79313) 108.175.49.18 (ttl=5:0:79534)
108.175.49.198 (ttl=5:0:79589) 108.175.50.18 (ttl=5:0:79644) 108.175.49.58 (ttl=5:0:79809) 108.175.48.78 (ttl=5:0:79864) 108.175.49.186 (ttl=5:0:79974) 108.175.49.182 (ttl=5:0:80029)
108.175.50.66 (ttl=5:0:80084) 108.175.49.154 (ttl=5:0:80194) 108.175.50.150 (ttl=5:0:80525) 108.175.50.94 (ttl=5:0:80580) 108.175.48.18 (ttl=5:0:81130) 108.175.49.90 (ttl=5:0:81240)
108.175.50.162 (ttl=5:0:81350) 108.175.50.30 (ttl=5:0:81405) 108.175.50.182 (ttl=5:0:81460) 108.175.48.198 (ttl=5:0:81515) 108.175.50.146 (ttl=5:0:81625) 108.175.49.146 (ttl=5:0:81845)
108.175.50.198 (ttl=5:0:81901) 108.175.50.142 (ttl=5:0:81956) 108.175.48.2 (ttl=5:0:82011) 108.175.49.30 (ttl=5:0:82066) 108.175.49.14 (ttl=5:0:82176) 108.175.48.174 (ttl=5:0:82231)
108.175.48.42 (ttl=5:0:82451) 108.175.49.62 (ttl=5:0:82506) 108.175.50.62 (ttl=5:0:82561) 108.175.49.74 (ttl=5:0:82616) 108.175.48.170 (ttl=5:0:82671) 108.175.50.70 (ttl=5:0:82781)
108.175.48.34 (ttl=5:0:82836) 108.175.50.186 (ttl=5:0:83001) 108.175.48.30 (ttl=5:0:83056) 108.175.48.142 (ttl=5:0:83111) 108.175.50.138 (ttl=5:0:83167) 108.175.50.74 (ttl=5:0:83222)
108.175.48.46 (ttl=5:0:83398) 108.175.48.10 (ttl=5:0:83508) 108.175.50.90 (ttl=5:0:83563) 108.175.50.46 (ttl=5:0:83618) 108.175.49.82 (ttl=5:0:83674) 108.175.49.94 (ttl=5:0:83729)
108.175.50.50 (ttl=5:0:83784) 108.175.49.78 (ttl=5:0:84059) 108.175.50.178 (ttl=5:0:84114) 108.175.49.38 (ttl=5:0:84169) 108.175.48.182 (ttl=5:0:84224) 108.175.50.58 (ttl=5:0:84279)
108.175.48.54 (ttl=5:0:84389) 108.175.49.190 (ttl=5:0:84444) 108.175.49.70 (ttl=5:0:84499) 108.175.50.34 (ttl=5:0:84522) 108.175.49.34 (ttl=5:0:84632) 108.175.48.150 (ttl=5:0:84687)
108.175.49.194 (ttl=5:0:84742) 108.175.50.190 (ttl=5:0:84797) 108.175.49.138 (ttl=5:0:84853) 108.175.48.138 (ttl=5:0:84963) 108.175.50.130 (ttl=5:0:85018) 108.175.48.202 (ttl=5:0:85128)
108.175.49.2 (ttl=5:0:85183) 108.175.49.130 (ttl=5:0:85238) 108.175.50.174 (ttl=5:0:85293) 108.175.48.206 (ttl=5:0:85348) 108.175.49.158 (ttl=5:0:85403) 108.175.50.158 (ttl=5:0:85458)
108.175.49.174 (ttl=5:0:85513) 108.175.49.26 (ttl=5:0:85568) 108.175.50.54 (ttl=5:0:85623) 108.175.48.178 (ttl=5:0:85678) 108.175.49.142 (ttl=5:0:85733) 108.175.50.86 (ttl=5:0:85788)
108.175.50.134 (ttl=5:0:85843) 108.175.48.130 (ttl=5:0:85898) 108.175.48.14 (ttl=5:0:85922) 108.175.48.58 (ttl=5:0:85977) 108.175.49.42 (ttl=5:0:86032) 108.175.48.162 (ttl=5:0:86087)
108.175.48.26 (ttl=5:0:86142) 108.175.50.154 (ttl=5:0:86197) 108.175.50.170 (ttl=5:0:86252) 108.175.48.146 (ttl=5:0:86307) 108.175.48.166 (ttl=5:0:86362)
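The parser below is an added example, not FortiOS or Fortinet code, for checking a 'diagnose test application dnsproxy 6' dump offline. The constructed sample is an excerpt of the output shown above (the header line and the first two lines of entries, 11 of the 124 IPs). It follows the article's reading of ttl=A:B:C, where A is the DNS TTL (min_ttl) and C the seconds left before the entry leaves the FQDN cache; the middle field is parsed but not interpreted. The "age" of an entry (cache_ttl minus remaining) assumes the countdown is re-armed each time the IP appears in a response, which is an assumption of this example.

```python
"""Parse 'diagnose test application dnsproxy 6' output and answer two practical questions:
is the IP a client resolved present in the FortiGate FQDN cache, and which cached entries
have not been seen for so long that the provider may already have withdrawn them.

Added example, not FortiOS code. SAMPLE_DUMP is a constructed excerpt of the article's dump.
"""
import re

SAMPLE_DUMP = """\
worker idx: 0
vfid=0 name=s3-fips.us-gov-west-1.amazonaws.com ver=IPv4 wait_list=0 timer=16 min_refresh=60 min_ttl=5 cache_ttl=86400 slot=-1 num=124 wildcard=0
108.175.48.22 (ttl=5:0:55356) 108.175.49.22 (ttl=5:0:57062) 108.175.48.66 (ttl=5:0:58713) 108.175.48.38 (ttl=5:0:60860) 108.175.48.74 (ttl=5:0:61741)
108.175.50.22 (ttl=5:0:63282) 108.175.49.6 (ttl=5:0:67191) 108.175.49.50 (ttl=5:0:67466) 108.175.49.66 (ttl=5:0:68402) 108.175.50.14 (ttl=5:0:68787) 108.175.49.46 (ttl=5:0:68952)
"""

# Header line of one FQDN object; only the fields used below are captured.
HEADER_RE = re.compile(
    r"^vfid=(\d+) name=(\S+) .*?min_refresh=(\d+) min_ttl=(\d+) cache_ttl=(\d+) .*?num=(\d+)")
# One cached address: "a.b.c.d (ttl=A:B:C)"
ENTRY_RE = re.compile(r"(\d{1,3}(?:\.\d{1,3}){3}) \(ttl=(\d+):(\d+):(\d+)\)")


def parse_fqdn_dump(text):
    """Return a list of dicts, one per FQDN object found in the dump."""
    objects = []
    current = None
    for line in text.splitlines():
        m = HEADER_RE.match(line)
        if m:
            vfid, name, min_refresh, min_ttl, cache_ttl, num = m.groups()
            current = {"vfid": int(vfid), "name": name, "min_refresh": int(min_refresh),
                       "min_ttl": int(min_ttl), "cache_ttl": int(cache_ttl),
                       "num": int(num), "entries": {}}
            objects.append(current)
            continue
        if current is None:          # lines before the first header (e.g. "worker idx: 0")
            continue
        for ip, dns_ttl, middle, remaining in ENTRY_RE.findall(line):
            current["entries"][ip] = {"dns_ttl": int(dns_ttl), "middle": int(middle),
                                      "remaining": int(remaining)}
    return objects


def seconds_left(obj, ip):
    """Seconds before `ip` drops out of the object's cache, or None if it is not cached
    (the case in which a client that resolved `ip` will not match the policy)."""
    entry = obj["entries"].get(ip)
    return None if entry is None else entry["remaining"]


def entries_not_seen_for(obj, max_age):
    """IPs whose entry is older than `max_age` seconds (assumes the countdown restarts each
    time the IP is returned). With cache-ttl far above the DNS TTL these may already have
    been withdrawn by the provider and yet still match the policy."""
    ttl = obj["cache_ttl"] if obj["cache_ttl"] > 0 else obj["min_ttl"]
    return sorted(ip for ip, e in obj["entries"].items() if ttl - e["remaining"] > max_age)


def ttl_mismatch(obj):
    """True when the DNS TTL is shorter than fqdn-min-refresh: the record can change more
    often than FortiGate re-queries it, which is the condition this article addresses."""
    return obj["min_ttl"] < obj["min_refresh"]


if __name__ == "__main__":
    for obj in parse_fqdn_dump(SAMPLE_DUMP):
        print(obj["name"], "cached:", len(obj["entries"]), "of", obj["num"],
              "ttl mismatch:", ttl_mismatch(obj))
        print("client IP 108.175.48.22 cached for", seconds_left(obj, "108.175.48.22"), "s")
        print("not seen for > 8 h:", entries_not_seen_for(obj, 8 * 3600))
```

Feed the real dump in through standard input or a file in place of SAMPLE_DUMP; the header regex ignores the 'dnsproxy 7' DNS-cache format, so only FQDN objects are reported.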

 

If multi-VDOM is enabled, 'diagnose test application dnsproxy' is run from the global VDOM. The command below, run inside each VDOM (such as root), returns similar information:

 

Forti (root) # diagnose firewall fqdn getinfo-ip s3-fips.us-gov-west-1.amazonaws.com
getinfo s3-fips.us-gov-west-1.amazonaws.com id:205 generation:130 count:124 data_len:1612 flag 1

 

Forti (root) # diagnose firewall fqdn getinfo-ip agw1ps3nessrms.s3-fips.us-gov-west-1.amazonaws.com 

....

...

ip list: (1 ip in total)
ip: 108.175.48.206
Total ip fqdn range blocks: 124.
Total ip fqdn addresses: 124.

 

Only the last two IP entries are posted here.

 

For details, refer to the documents and CLI references:

Important DNS CLI commands

config system dns

 

Related KB articles:

Technical Tip: FortiGate Troubleshooting DNS commands
Troubleshooting Tip: FQDN address object shows unresolved in GUI after upgrading to FortiOS v7.2.6 o...
Troubleshooting Tip: How to verify the FDQN IP address in DNS cache
Technical Tip: FQDN based firewall policies are not working intermittently
Technical Tip: Improve FQDN re-query interval on FortiGate
Technical Tip: Explanation of the FQDN default cache-ttl