FQDN Expire cache by TTL look back and questions

PeterUK
edited September 8 in USG FLEX H Series

So I have used FQDN a lot in the past, and back when it was released I asked for some changes; some were done, others were not.

One of the changes was that when the FQDN TTL reaches 0 and the IP gets removed from the cache, the firewall session continues, which I'm guessing holds true for the FLEX H?

The other problem was BWM, like on my VPN300, where when the FQDN TTL reaches 0 and the IP gets removed from the cache it is no longer BWM'd even when the session is still active. This is something I would like to be looked into if, hopefully, FQDN gets added to BWM.

Moving on, it seems the problems have been improved by some sites like YouTube and Twitch, whereby when they give you an IP to stream a live video, the IP has a TTL, and when it gets to 0 the browser re-looks up the DNS for that video, which adds TTL, and so the FQDN cache gets updated.

But not all sites do this, like the Zyxel site with its *.amazonaws.com links, where navigating the site does not load for some time until you disable Expire cache by TTL, then it works! But having done that, over time there were over 500 IPs for just *.amazonaws.com, which brings me to an important question: is there a total limit of IPs for an FQDN wildcard that the FLEX H can handle?

But maybe another way to solve this than Expire cache by TTL, or keeping IPs forever, is to set a custom TTL to remove IPs from the list and reset the TTL if seen again.

Thanks


All Replies

  • Zyxel_Melen

    Hi @PeterUK

    I'm checking your questions and I want to check which FQDNs you encountered the issue with in your third question. Could you list some FQDNs for us?

    Additionally, about BWM support for FQDN, I have created an idea post and our team is evaluating it.

    Zyxel Melen


  • PeterUK
    edited September 9

    Would that be navigating the Zyxel site? Or BWM with FQDN on current models?

    So I have an FQDN allow list, quite a large one, for HTTPS access, then a block rule for HTTPS.

  • Zyxel_Melen

    Hi @PeterUK

    One of the changes was that when the FQDN TTL reaches 0 and the IP gets removed from the cache, the firewall session continues, which I'm guessing holds true for the FLEX H?

    The session will be kept.

    Would that be navigating the Zyxel site? Or BWM with FQDN on current models?

    BWM with FQDN on H series.

    Attach the idea post link:

    So I have an FQDN allow list, quite a large one, for HTTPS access, then a block rule for HTTPS.

    Could you help to point out which FQDN object of which security policy encounters this issue? We did a local test but the session was kept, so we didn't encounter the issue you mentioned.

    Zyxel Melen


  • PeterUK
    edited September 11

    So here is a short list for going to https://www.zyxel.com/global/en

    So you have a firewall rule to allow HTTPS from VLAN47 to WAN3 for the following destinations:

    / object address-object address "zyxel_com" "type" "fqdn" "*.zyxel.com"
    / object address-object address "microsoft_com" "type" "fqdn" "*.microsoft.com" "expire_ttl" "true"
    / object address-object address "amazonaws_com" "type" "fqdn" "*.amazonaws.com" "expire_ttl" "true"
    / object address-object address "gstatic_com" "type" "fqdn" "*.gstatic.com" "expire_ttl" "true"
    / object address-object address "addtoany_com" "type" "fqdn" "*.addtoany.com" "expire_ttl" "true"
    / object address-object address "zyxelgroup_com" "type" "fqdn" "*.zyxelgroup.com" "expire_ttl" "true"
    / object address-object address "hotjar_com" "type" "fqdn" "*.hotjar.com" "expire_ttl" "true"
    / object address-object address "googletagmanager_com" "type" "fqdn" "*.googletagmanager.com" "expire_ttl" "true"
    / object address-object address "google_com" "type" "fqdn" "*.google.com" "expire_ttl" "true"
    / object address-object address "heatmap_it" "type" "fqdn" "*.heatmap.it" "expire_ttl" "true"
    / object address-object address "adroll_com" "type" "fqdn" "*.adroll.com" "expire_ttl" "true"
    / object address-object address "facebook_com" "type" "fqdn" "*.facebook.com" "expire_ttl" "true"
    / object address-object address "linkedin_com" "type" "fqdn" "*.linkedin.com" "expire_ttl" "true"
    / object address-object address "google-analytics_com" "type" "fqdn" "*.google-analytics.com" "expire_ttl" "true"
    / object address-object address "doubleclick_net" "type" "fqdn" "*.doubleclick.net" "expire_ttl" "true"
    / object address-object address "cookie-script_com" "type" "fqdn" "*.cookie-script.com" "expire_ttl" "true"
    / object address-object address "google_co_uk" "type" "fqdn" "*.google.co.uk" "expire_ttl" "true"
    / object address-object address "googleapis_com" "type" "fqdn" "*.googleapis.com" "expire_ttl" "true"
    / object address-object address "cloudflare_com" "type" "fqdn" "*.cloudflare.com" "expire_ttl" "true"
    / object address-object address "azureedge_net" "type" "fqdn" "*.azureedge.net" "expire_ttl" "true"
    / object address-object address "jsdelivr_net" "type" "fqdn" "*.jsdelivr.net" "expire_ttl" "true"
    / object address-object address "licdn_com" "type" "fqdn" "*.licdn.com" "expire_ttl" "true"
    / object address-object address "crazyegg_com" "type" "fqdn" "*.crazyegg.com" "expire_ttl" "true"
    / object address-object address "cloudfront_net" "type" "fqdn" "*.cloudfront.net" "expire_ttl" "true"
    / object address-object address "snapengage_com" "type" "fqdn" "*.snapengage.com" "expire_ttl" "true"
    / object address-object address "facebook_net" "type" "fqdn" "*.facebook.net" "expire_ttl" "true"

    Then a block rule for HTTPS from VLAN47 to WAN3.

    When you're navigating the site it should be fine; then leave it for about 5 mins, navigate some more and the site stops loading. But this is likely normal due to the expire_ttl, which clears from the list the IPs that the browser was using, so disabling Expire cache by TTL is the fix for *.amazonaws.com.

    I think each FQDN can also hold 512 IPs before removing the oldest?

    I will post about the BWM problem with the FLEX 200 non-H in the hope of getting that fixed.

  • Zyxel_Melen

    Hi @PeterUK

    Thanks for the information. Below is the information about your questions.

    1. Cache TTL timeout will not affect the current session.
    2. The FQDN holds 512 IPs. When it goes over this number, the device will remove the oldest cached IP address.

    To investigate this further, could you help to:

    1. Test this again and let us know the test site URL. (Maybe another site than https://www.zyxel.com/global/en?)
    2. Capture the DNS query packet from the WAN and the client.

    Thanks!

    Zyxel Melen


  • PeterUK
    edited September 15

    Other sites are fine from what I can tell; it's just the use of *.amazonaws.com. The browser does a DNS lookup for them and SYN and SYN ACK happen; then, with Expire cache by TTL enabled, as the browser pulls other IPs for *.amazonaws.com the 0 TTL IPs get cleared, but the browser, still open, then tries to use the IPs it last used, so a SYN happens for an IP that was in the FQDN cache but was removed, so the SYN is blocked.

    So this is not a session problem if the session is still open long after the IP is removed from the FQDN cache, but it is a problem if the browser tries to open a new session where the IP is no longer in the FQDN cache.

    I'm not sure of other sites that may run into this problem.

  • PeterUK
    edited September 15

    So I tried to capture the FQDN cache for the *.amazonaws.com IPs the site uses, with Expire cache by TTL enabled, and it changes a lot.

    [Three screenshots of the FQDN cache, 2025-09-15]

    Then the problem happens:

    [Screenshot of the DNS capture]

    Yet I never see this IP, 52.217.142.201, in the FQDN cache that I could see, but its TTL is super low at 5 seconds, so I'm wondering if it even gets cached? Whereas disabling Expire cache by TTL does cache it?

  • Zyxel_Melen

    We are not sure whether the domain IP doesn't get cached or it reaches the maximum number 512 in this case, but we recommend:

    1. Disable the cache TTL. This makes the firewall query the IP every two minutes by default. You can also change the query period with the command usgflex200hp running config# object address-object fqdn query-period {N minutes}.
    2. Use Content filter to pass the allowed websites. In the latest firmware version, content filter supports allowing HTTP(S) traffic for allow lists only. This method will be more reliable than FQDN.

    Hope this helps.

    Zyxel Melen


  • PeterUK
    edited September 16

    Sorry Melen, I think I need to clear some things up about this.

    1. That's not how FQDN wildcard works. Yes, if you do www.grc.com or grc.com or a given subdomain, then the USG looks up the DNS, but if you do a wildcard like *.amazonaws.com, how is the USG to know what subdomain you'll be looking up? It can't, so the way it works is that when you do DNS on the client, either directly or indirectly (like over a bridge) through the USG, the USG listens for DNS answers from source port 53 (I'm guessing for security it checks the Transaction ID against that of the question?) and then adds them to the IP cache list.
    2. The content filtering is an allow-all system that blocks by categories; there is no way (that I know of) to do a block all and an allow list, and the content filtering itself does not use DNS to block or allow but looks at the TCP SNI in the client hello. I'm not sure if the FLEX H does DNS content filtering like the FLEX 200, as that has a tab saying it does, whereas the FLEX H just says content filtering; it might be the case that you have combined the two for the FLEX H, I'm not sure?

    I also would like to stick to the FQDN system to ensure it's working correctly. What I'm doing is not perfect, but it will do for what I need it to do, such that some sites share the same CDN and so are allowed, which is fine, but that's not the problem we are looking into.

    The FLEX H does DNS to my BIND as a recursive DNS server, I think, and you should check your DNS records, like the one I showed, which has an incorrect TTL of 5 seconds; I think the minimum is like 30 seconds when pulling from the server for something not in cache.

    The other thing is whether the USG with Expire cache by TTL enabled caches low TTLs?

    Edit: did some testing with my BIND to do low TTLs and the USG does cache them, but like I said, when the IP with a low TTL gets put in the cache and goes to 0, then when more DNS for the wildcard happens it removes them, such that the USG can't use those IPs. So what I said from the start would help: extending the TTL for the FQDN cache as another counter, separate from the DNS TTL counter.

    Edit: but here is what I don't get: even with a 5 second TTL the browser will make the connection in that time, yet it's blocked…🤔

    So it would be like this: a DNS lookup happens with a low TTL (or any TTL); the DNS in the USG can use that low TTL to remove it from its cache, but the FQDN cache extends the TTL (per set minutes/hours), a bit like the option to disable Expire cache by TTL but expiring per your set TTL, and should the DNS for the same IP be looked up again, it resets the TTL with the extended TTL.

  • Zyxel_Melen

    Hi @PeterUK

    Let us summarize the questions and reply:

    • FQDN Wildcard Issue
      • The USG cannot directly resolve wildcards like *.amazonaws.com because the device doesn't know the subdomain in advance.
      • -> This is consistent with the working principle that you mentioned. By adding the resolution results to the IP cache, it can be observed that even if the FQDN www.amazonaws.com is added but no rule is applied, no cache is generated.
    • How the FQDN feature works
      • It is believed that the USG listens for DNS replies from source port 53 and adds the resolution results to the IP cache based on the transaction ID.
      • -> As above, the understanding is correct.
    • Differences between DNS and Content Filtering
      • Content Filtering does not block traffic through DNS, but rather checks the SNI in the TCP Client Hello. I'd like to clarify whether FLEX H truly has a "DNS-based content filter."
      • -> Yes, the DNS filter enhances blocking effectiveness, for example in the case of Encrypted SNI. [Screenshot of our lab test result] As shown in the image, some are blocked by the web block (content filter) and DNS scanned because they use ESNI. Simply put, web CF is prioritized unless ESNI is used. [Screenshot]
        Please refer to Page 331 of the User's Guide for more details on rule exclusions. link
    • DNS TTL and USG Caching
      • The test indicates that some DNS record TTLs are set too low (e.g., 5 seconds), which I suspect may affect the USG's FQDN cache.
      • -> The problem is that the TTL is assigned by the fwd, not defined by zywall. This is inherently a problem with using FQDNs.
    • Behavior after "disabling Expire cache by TTL" is as follows:
      • After disabling Expire cache by TTL, cached IP addresses will be "retained as much as possible" regardless of TTL. If all cached IP addresses have expired and the fqdn object does not have a wildcard, by default the DUT will trigger a query every two minutes to collect new IP addresses. If the number of new IP addresses exceeds 512, the oldest will be removed first.
      • With wildcards, the DUT cannot actively query the domain. It relies on client query results to collect cached IP addresses and retains as many as possible. Similarly, if the number exceeds 512, old IP addresses will be removed.
    Zyxel Melen
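As an added illustration (constructed for this page, not Zyxel code or anything posted in the thread), a small Python model of the wildcard FQDN cache behaviour described above: IPs are learned only from observed DNS answers, they either expire by TTL or are retained, the oldest is evicted past 512, and a hypothetical `grace_ttl` floor models the "custom TTL, reset if seen again" idea from the opening post. The scenario reproduces why a 5 second TTL answer has left the cache before the browser's later SYN, and how each option changes the outcome.

```python
from collections import OrderedDict

MAX_IPS = 512  # per-FQDN cache limit stated in the thread


class WildcardFqdnCache:
    """Model of a wildcard FQDN object's learned-IP cache (constructed, not Zyxel code).
    The firewall cannot resolve '*.amazonaws.com' itself; it learns IPs only by
    observing DNS answers for matching names that pass through it."""

    def __init__(self, pattern, expire_by_ttl=True, grace_ttl=0):
        self.suffix = pattern[1:]            # "*.amazonaws.com" -> ".amazonaws.com"
        self.expire_by_ttl = expire_by_ttl   # the "Expire cache by TTL" checkbox
        self.grace_ttl = grace_ttl           # hypothetical minimum lifetime (seconds)
        self.entries = OrderedDict()         # ip -> expiry time, oldest first

    def observe_answer(self, now, name, ip, ttl):
        """Feed one A-record answer seen on the wire; returns True if it matched."""
        if not name.endswith(self.suffix):
            return False
        self._expire(now)
        # A re-seen IP is refreshed and moved to the newest position so the
        # 512-entry eviction removes IPs that have not been seen for longest.
        self.entries.pop(ip, None)
        self.entries[ip] = now + max(ttl, self.grace_ttl)
        while len(self.entries) > MAX_IPS:
            self.entries.popitem(last=False)  # drop the oldest learned IP
        return True

    def _expire(self, now):
        if not self.expire_by_ttl:
            return                           # "retained as much as possible"
        for ip, exp in list(self.entries.items()):
            if exp <= now:
                del self.entries[ip]

    def allows(self, now, ip):
        """Would a new SYN to `ip` match this address object at time `now`?"""
        self._expire(now)
        return ip in self.entries


def scenario(expire_by_ttl, grace_ttl=0):
    """Constructed timeline (RFC 5737 documentation addresses): a 5 s TTL answer at
    t=0, another *.amazonaws.com lookup at t=8, then the browser reuses the first IP
    at t=10. Returns whether that SYN would be allowed."""
    c = WildcardFqdnCache("*.amazonaws.com", expire_by_ttl, grace_ttl)
    c.observe_answer(0, "s3.eu-west-1.amazonaws.com", "198.51.100.7", 5)
    c.observe_answer(8, "cdn.example.amazonaws.com", "198.51.100.8", 60)
    return c.allows(10, "198.51.100.7")
```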