How long do WILDCARD FQDNs last if not updated?
-
I have 128 WILDCARD FQDNs in one group, plus another group where I have most of them one by one for testing, but the same thing should happen if I load up other sites first and then https://www.twitch.tv/twit.
I'll try a reboot of the USG and load https://www.twitch.tv/twit first with the group and see what happens.
My IPv4 FQDN Object Cache List has over 400 listed.
-
Did a reboot with the groups of sites and loaded https://www.twitch.tv/twit first, watched the TTL for the stream IP go to 0, and some minutes later the stream dropped out, so I sent you the config.
-
I also did a test and reboot with just the following enabled for Twitch:
*jtvnw.net
*imworldwide.com
*twitchsvc.net
*twitchcdn.net
*twitch.tv
*ttvnw.net
*gstatic.com
*google.co.uk
*google.com
*amazon-adsystem.com
Same thing happened: it took about 10 minutes after the TTL went to 0, and then the IP listed disappeared.
I also noted that the IPv4 FQDN Object Cache List was showing my other sites that are not enabled. Is that meant to happen?
-
Hi @PeterUK
We are analyzing the symptom during FQDN DNS TTL timeout.
-
So there was a fix for this, "session-status-update zyfilter inactive". I would like an update on when, or if, it will be released for USG/VPN/Zywall?
Thanks
-
Hi @PeterUK
The fix firmware we provided to you changed the behavior to keep existing sessions even after the policy control rule has been changed.
(After the FQDN TTL counts down to 0, the system releases the IP from the policy control function and then disconnects all existing sessions for security reasons.)
Since this change is only for a specific scenario, we decided not to include it in the official version.
-
But it's needed: say I want to BWM ttvnw_net so that streaming video gets Guaranteed Bandwidth; when the TTL goes to 0 and the entry is removed, the session goes to low priority.
An option that keeps the FQDN in the list for x hours after the TTL goes to 0 would help.
-
Zyxel_Stanley said:
(After the FQDN TTL counts down to 0, the system releases the IP from the policy control function and then disconnects all existing sessions for security reasons.)
There is no security reason: if it were done so that a listed IP in the IPv4 FQDN Object Cache List with TTL 0 just stays listed for x hours, there is no harm in doing this.
I'm asking to extend the IP Cache List locally by x hours. Please rethink this.
-
I have done a test showing the problem if a workaround is not done.
Firewall rules:
LAN1 to WAN - DNS allow
LAN1 to WAN - HTTP destination FQDN *.ddns.net - allow
LAN1 to WAN - HTTP - deny
Go to
http://dnsip1.ddns.net/FQDN%20test.html
and click "click here", then wait 5 minutes before clicking the link, after which you get no page loaded; if you click the link without waiting, you get the page loaded.
-
Hi @PeterUK
It will have a side effect if we keep the DNS record for additional hours:
In most scenarios, FQDN servers use dynamic IP addresses. If the behavior is changed to keep the old IP address for additional hours, connections will fail after the server changes to a new address.
The enhancement is included in the forum release but will not be in the official version.
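The following is an added example written for this page; it is not Zyxel firmware code and is not from either poster. It is a small Python simulation of the two behaviours argued over in the thread: the default, where a cached IP is released the moment the DNS TTL reaches 0 and existing sessions to it are torn down (Zyxel_Stanley's description), and the proposed grace period that keeps the IP listed for x hours after TTL 0 (PeterUK's request). It reproduces the *.ddns.net test from the earlier post and then shows the trade-off raised in the last reply: once the server moves to a new address, a grace period leaves the old address on the allow-list as well. The mechanism modelled (the firewall learns IPs from DNS answers it forwards and the browser reuses its own cached answer without a new lookup), the 60-second TTL, the 5-minute wait, and the 203.0.113.x addresses are assumptions chosen for illustration.

```python
from __future__ import annotations
from dataclasses import dataclass


@dataclass
class CacheEntry:
    ip: str
    ttl_expires: int  # simulated second at which the DNS TTL reaches 0


class FqdnPolicy:
    """Allow-list keyed on a wildcard FQDN object.

    Assumption for this simulation: the allowed IPs are whatever the firewall
    last saw in DNS answers for a matching name, kept until the answer's TTL
    runs out plus an optional grace period (the extension proposed in the
    thread; 0 models the official behaviour).
    """

    def __init__(self, pattern: str, grace: int = 0):
        self.pattern = pattern                        # e.g. "*.ddns.net"
        self.grace = grace                            # seconds kept after TTL 0
        self.cache: dict[str, CacheEntry] = {}        # ip -> entry
        self.sessions: set[tuple[str, str]] = set()   # (client, dst_ip)
        self.log: list[str] = []

    def matches(self, fqdn: str) -> bool:
        # "*ttvnw.net" matches any name ending in "ttvnw.net";
        # "*.ddns.net" matches any name ending in ".ddns.net".
        if self.pattern.startswith("*"):
            return fqdn.endswith(self.pattern[1:])
        return fqdn == self.pattern

    def observe_dns(self, fqdn: str, ip: str, ttl: int, now: int) -> None:
        """Learn an IP from a DNS answer that crossed the firewall."""
        if self.matches(fqdn):
            self.cache[ip] = CacheEntry(ip, now + ttl)

    def tick(self, now: int) -> None:
        """Age the cache; releasing an IP tears down sessions to it."""
        for ip, entry in list(self.cache.items()):
            if now >= entry.ttl_expires + self.grace:
                del self.cache[ip]
                dropped = {s for s in self.sessions if s[1] == ip}
                self.sessions -= dropped
                self.log.append(f"t={now}: released {ip}, dropped {len(dropped)} session(s)")

    def connect(self, client: str, dst_ip: str, now: int) -> bool:
        """Policy check for a new session from client to dst_ip."""
        self.tick(now)
        if dst_ip in self.cache:
            self.sessions.add((client, dst_ip))
            return True
        return False

    def allowed(self, now: int) -> list[str]:
        self.tick(now)
        return sorted(self.cache)


def run_ddns_test(grace: int = 0) -> tuple[bool, bool, list[str]]:
    """The *.ddns.net test from the thread: click at once, then again after 5 minutes.

    Returns (first_click_allowed, second_click_allowed, release log).
    """
    pol = FqdnPolicy("*.ddns.net", grace=grace)
    srv = "203.0.113.10"  # constructed address
    # t=0: the LAN client resolves dnsip1.ddns.net (DNS rule allows it) and the
    # firewall learns the answer; a 60 s TTL is assumed.
    pol.observe_dns("dnsip1.ddns.net", srv, ttl=60, now=0)
    first = pol.connect("lan-pc", srv, now=1)        # "click here" straight away
    # The browser reuses its cached answer, so the firewall sees no new DNS
    # query before the second click 5 minutes later.
    second = pol.connect("lan-pc", srv, now=300)
    return first, second, pol.log


def run_server_move(grace: int = 0) -> list[str]:
    """Side effect of a grace period when the server changes address.

    Returns the IPs the object allows after the move.
    """
    pol = FqdnPolicy("*.ddns.net", grace=grace)
    pol.observe_dns("dnsip1.ddns.net", "203.0.113.10", ttl=60, now=0)
    # t=600: the DDNS name now points at a new address and a client re-resolves.
    pol.observe_dns("dnsip1.ddns.net", "203.0.113.20", ttl=60, now=600)
    return pol.allowed(now=600)


if __name__ == "__main__":
    print("official (grace=0):   ", run_ddns_test(0))
    print("grace of 1 hour:      ", run_ddns_test(3600))
    print("after move, grace=0:  ", run_server_move(0))
    print("after move, 1 hour:   ", run_server_move(3600))
```

With `grace=0` the second click is denied and the log records the session opened at the first click being dropped when the entry is released, which is the TTL-0 disconnect the thread describes. With a one-hour grace period both clicks succeed, but after the server moves the object still allows the old address alongside the new one: the allow-list is wider than what the name currently resolves to, which is the caveat a practitioner should weigh before asking for such an option.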