How long do WILDCARD FQDN last for if not updated?

All Replies

  • PeterUK
    PeterUK Posts: 3,331  Guru Member
    edited April 2021
    But you can update the IP if it is changed by DNS. I really don't see the problem; it's a simple fix. As Twitch does not update the DNS IP you're streaming from, causing a drop-out on an allow rule, keeping the IP in the list for x hours will stop that, and DNS can override the IP if changed.

    It's like, what's the point of going to the trouble of putting in FQDN if there is a simple fix to this problem?
       
  • PeterUK
    PeterUK Posts: 3,331  Guru Member

    The fix firmware we provided to you has changed the behavior to keep existing sessions even when the policy control rule has been changed.

    (After the FQDN TTL counts down to 0, the system will release the IP from the policy control function, then the system will disconnect all existing sessions for security reasons.)

    Since this change is only for a specific scenario, we decided not to bring it into the official version.

    What security reason! It's a safe thing to do; you can have an allow rule for *ttvnw.net with a schedule block rule above it for *ttvnw.net.

    What's the big problem?
  • Zyxel_Stanley
    Zyxel_Stanley Posts: 1,378  Zyxel Employee

    Hi @PeterUK

    Some attacks will use an existing session to hack into the intranet.

    So the default policy control rule will block all existing sessions if any IP rule has been changed.

    >>>Once any IP object has changed, the policy control rule will (1) flush sessions, (2) delete the IP rule in the system, (3) add the IP rule in the system.

    It means if there are many IP objects in 1 rule, the system will flush all sessions even if only 1 IP object is changed.

    However, we are planning to add a “session-status-update zyfilter inactive” improvement to the forum release.

  • PeterUK
    PeterUK Posts: 3,331  Guru Member
    edited May 2021

    However, we are planning to add a “session-status-update zyfilter inactive” improvement to the forum release.

    If there is going to be a fix then that's good, can't wait for it.

    Not sure I follow the problem of why it can't work today; guess it's a programmer thing, the way you link DNS to the policy control rule, and that these low-TTL lookups were overlooked when implementing WILDCARD FQDN.

    thanks
  • PeterUK
    PeterUK Posts: 3,331  Guru Member
    edited May 2021

    So I updated my test as I found it didn't work the way I hoped, but I now understand how long WILDCARD FQDN last for.

    How long do WILDCARD FQDN last for if not updated? - Page 2 — Zyxel Community

    So you load a page with dnsip1.ddns.net and dnsip.ddns.net, two different IPs with TTL 60. When this goes to TTL 0 it stays listed until you run a page with dnsip.ddns.net; this starts the clean-up of any *ddns.net IPs with a TTL that is 0.

    So could you stop the clean-up of any *ddns.net IPs with a TTL that is 0, so it stays in the list?

    The only security reason I can see is that a given *ddns.net IP that was listed as fine may then not be when the TTL goes to 0, a new IP takes its place, and the old IP is not secure.

    So I guess the only way to do this safely is for the USG, when doing the clean-up of IPs with TTL 0, to check whether that IP is still in use by session data.
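The behaviour described in this thread, as an added toy model (not Zyxel firmware or any project code): IPs learned for a wildcard FQDN object carry the DNS answer's TTL, expired IPs are swept only when a new matching lookup arrives, and sessions to a swept IP are dropped. The `keep_in_use` flag is the session-aware variant proposed in the post above; the host names and 192.0.2.x addresses are constructed sample values.

```python
import fnmatch

class WildcardFqdnObject:
    """Toy model of a wildcard FQDN address object: IPs learned from DNS
    answers with their TTL; expired IPs swept on the next matching lookup;
    sessions to a swept IP are flushed unless keep_in_use spares it."""

    def __init__(self, pattern, keep_in_use=False):
        self.pattern = pattern            # e.g. "*ddns.net"
        self.keep_in_use = keep_in_use    # spare expired IPs still in use
        self.ttl_by_ip = {}               # ip -> seconds of TTL remaining
        self.sessions = set()             # ips with an active session
        self.dropped = set()              # sessions flushed by a sweep

    def tick(self, seconds):
        """Advance time: count every learned IP's TTL down towards zero."""
        for ip in self.ttl_by_ip:
            self.ttl_by_ip[ip] = max(0, self.ttl_by_ip[ip] - seconds)

    def _sweep(self):
        """Release IPs whose TTL reached 0, flushing their sessions."""
        for ip in list(self.ttl_by_ip):
            if self.ttl_by_ip[ip] > 0:
                continue
            if self.keep_in_use and ip in self.sessions:
                continue                  # still in use: keep it listed
            del self.ttl_by_ip[ip]
            if ip in self.sessions:
                self.sessions.discard(ip)
                self.dropped.add(ip)

    def learn(self, fqdn, ip, ttl):
        """Handle a DNS answer; a match on the wildcard triggers the sweep."""
        if not fnmatch.fnmatch(fqdn, self.pattern):
            return False
        self._sweep()
        self.ttl_by_ip[ip] = ttl
        return True

def simulate(keep_in_use):
    """Replay the thread's scenario; returns (allowed IPs, dropped sessions)."""
    obj = WildcardFqdnObject("*ddns.net", keep_in_use)
    obj.learn("dnsip1.ddns.net", "192.0.2.1", 60)   # constructed sample IPs
    obj.learn("dnsip.ddns.net", "192.0.2.2", 60)
    obj.sessions.add("192.0.2.1")                    # a stream still running
    obj.tick(60)                                     # both TTLs reach 0
    assert set(obj.ttl_by_ip) == {"192.0.2.1", "192.0.2.2"}  # still listed
    obj.learn("dnsip.ddns.net", "192.0.2.3", 60)     # new answer: sweep runs
    return set(obj.ttl_by_ip), set(obj.dropped)
```

With the default flush-on-expiry the running stream to 192.0.2.1 is cut; with `keep_in_use=True` the expired IP stays listed while its session lasts and only the idle 192.0.2.2 is released.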