How long do WILDCARD FQDN last for if not updated?

PeterUK

When I watch a stream from twitch.tv the video is by *.ttvnw.net which I BWM as high priority. The problem is the DNS is not updated when watching a stream the cache goes the TTL 0 and stays a bit before it disappears (have not timed it). So would it be possible to extend this with a option?

PeterUK

So the How long do WILDCARD FQDN last for... seems to very from 30 seconds to 10-15 minutes longer when the TTL goes to 0.

Problem if I'm doing a trusted WILDCARD FQDN list say for *twitch.tv were the stream is form *ttvnw.net when the TTL goes to 0 plus 30 seconds or 10-15 minutes longer the stream is dropped by USG and twitch reconnects so extending this would help.

...and some  WILDCARD FQDN stay listed for hours...their doesn't seem to be a reason why?  

Zyxel_Stanley

Hi @PeterUK  

TTL is replied from DNS server. The value is defined on server side. (there is no way to extend it)

When TTL is expired (TTL=0) and client sends DNS query again, then TTL will renew.

If TTL stay at 0, it means client doesn’t need the DNS cache at that moment. So network still without problem at that moment.

You can find TTL value in DNS reply packet:

PeterUK

In the IPv4 FQDN Object Cache List their are some that go to TTL 0 and stay thier for hours and some go to TTL 0 and stay thier for seconds after disappearing which is a problem for some lookup like: 
video-edge-c6d428.lhr04.abs.hls.ttvnw.net
for a Video stream when the TTL goes to 0 in the  IPv4 FQDN Object Cache List what I'm asking for is a option to keep the IP entry for set number of hours longer. that way the stream don't disconnect.

Thanks

Zyxel_Stanley

Hi @PeterUK

DNS protocol is for resolving domain name to IP address. 

After client resolved IP address successfully, then DNS cache will exist on client until it is expired.

If TTL is expired on client and client need(resolve) again, client will send DNS query automatically.

 

In your case, the data(stream) is forwarding between client and server. Then DNS cache is not required for client. Since session already established.

PeterUK

The resolving domain name to IP address happens I can see this in monitor > system status > FQDN object

The stream is up and running on www.twitch.tv/twit the TTL goes to 0 some seconds (some times minutes) later the stream disconnects! I see the browser do the DNS and stream comes back likely because www.twitch.tv stream don't do a DNS update during the stream unlike Amazon or youtube.

Therefore we need the IP to stay in the Cache for longer then the TTL for a set number of hours then it can disappear.

PeterUK

Made a Video of it happening keep a eye on 99.181.67.139 near the end when it drop out. 

Zyxel_Stanley

Hi @PeterUK

The IP address 99.181.67.139 of DNS cache was appeared during video dropped.

So it means PC without this DNS cache and sent a request because it was needed for new session.

Even the DNS cache exist on USG, the TTL still expired on client.

We have also tested it by https://www.twitch.tv/twit the video stream seems without lag situation even DNS cache expired.

So your symptom may come from other reason.

PeterUK

Guess I can't use WILDCARD FQDN the way it needs to be.

Maybe because your not testing with a big list of WILDCARD FQDN were you don't run https://www.twitch.tv/twit first of all so you build up the  IPv4 FQDN Object Cache List with other sites  then run https://www.twitch.tv/twit and the USG does a cleanup to removes 0 TTL entries and the stream stops for me...

You wouldn't have to do DNS to keep the IP in IPv4 FQDN Object Cache List just a setting to keep the IP's longer then they should is all I am asking and it would fix this issue I promise you.   

and if I bypass my WILDCARD FQDN with a rule to allow from DMZ to WAN HTTP/HTTPS the stream runs fine for hours.

PeterUK

Ok I have done a longer Video with DNS 8.8.8.8 and port 443 (had the radio on in the background at the start before turning it off) so if this Video don't convince you I guess nothing will.

https://ufile.io/pyj1gvil

Zyxel_Stanley

Hi @PeterUK

How many functions that FQDN group object has referenced in the rule?

Can you disable the rules one by one and check if symptom happen again?

You can also provide configuration to me by private message for further check.