How long do WILDCARD FQDN last for if not updated?
But you can update the IP change if it is changed by DNS. I really don't see the problem; it's a simple fix, as Twitch does not update the DNS IP you're streaming from, causing a drop-out on an allow rule. Keeping the IP in the list for x hours will stop that, and DNS can override the IP if changed.
It's like, what's the point of going to the trouble of putting in FQDN if there is a simple fix to this problem?
Zyxel_Stanley said:
The fix firmware we provided to you has changed the behavior to keep existing sessions even when the policy control rule has been changed.
(After the FQDN TTL counts down to 0, the system will release the IP from the policy control function, then the system will disconnect all existing sessions for security reasons.)
Since this change is only for a specific scenario, we decided not to leverage it into the official version.
What's the big problem?
Hi @PeterUK
Some attacks will use an existing session to hack into the intranet.
So the default policy control rule will block all existing sessions if any IP rule has been changed.
>>> Once any IP object has changed, the policy control rule will (1) flush sessions, (2) delete the IP rule in the system, (3) add the IP rule in the system.
It means that if there are many IP objects in one rule, the system will flush all sessions even if only one IP object is changed.
However, we are planning to add the “session-status-update zyfilter inactive” improvement to the forum release.
Zyxel_Stanley said:
However, we are planning to add the “session-status-update zyfilter inactive” improvement to the forum release.
Not sure I follow the problem why it can't work today; I guess it's a programmer thing, the way you link DNS to the policy control rule, and that these low-TTL lookups were overlooked when implementing WILDCARD FQDN.
Thanks
So I updated my test as I found it didn't work the way I hoped, but I now understand how long WILDCARD FQDN last for.
How long do WILDCARD FQDN last for if not updated? - Page 2 — Zyxel Community
So you load a page with dnsip1.ddns.net and dnsip.ddns.net, two different IPs with TTL 60. When this goes to TTL 0 it stays listed until you load a page with dnsip.ddns.net; this starts the clean-up of any *ddns.net IPs with a TTL that is 0.
So could you stop the clean-up of any *ddns.net IPs with a TTL that is 0 so they stay in the list?
The only security reason I can see is that a given *ddns.net IP that was listed as fine may then not be when the TTL goes to 0 and a new IP takes its place, and the old IP is not secure.
So I guess the only way to do this safely is for the USG, when doing the clean-up of IPs with TTL 0, to check whether that IP is still in use by session data.
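To make the two clean-up behaviours discussed in this thread concrete, here is a small Python model added as an illustration; it is not Zyxel's firmware code and not PeterUK's test setup. It contrasts the default behaviour Zyxel_Stanley describes (any change to the IP set flushes every session the rule matched) with the session-aware clean-up PeterUK proposes (an IP whose TTL reached 0 is kept only while an established session still references it). The names dnsip1.ddns.net and dnsip.ddns.net come from the thread; the "*.ddns.net" pattern, the 192.0.2.x addresses, the mode names "flush" and "session", and all class and function names are constructed assumptions for the example.

```python
"""Toy model of a wildcard-FQDN address object feeding a firewall allow rule.

Constructed for illustration; not Zyxel's implementation.  Two clean-up modes
for resolved IPs whose DNS TTL has reached 0:
  "flush"   - any change to the IP set rebuilds the rule and tears down every
              session the rule matched, even sessions to IPs that did not change.
  "session" - an expired IP is only dropped once no established session still
              references it, so unrelated sessions survive.  The cost is that a
              stale IP stays allowed for as long as such a session lives.
"""
from dataclasses import dataclass, field


@dataclass
class Resolved:
    ip: str
    expires_at: float          # absolute time at which the DNS TTL hits 0


@dataclass
class Session:
    dst_ip: str
    active: bool = True


@dataclass
class WildcardRule:
    pattern: str                                   # e.g. "*.ddns.net" (assumed)
    ips: dict = field(default_factory=dict)        # ip -> Resolved
    sessions: list = field(default_factory=list)   # sessions matched by this rule
    mode: str = "flush"                            # "flush" or "session"

    def matches(self, fqdn):
        return fqdn.endswith(self.pattern.lstrip("*"))

    def observe_dns(self, fqdn, ip, ttl, now):
        """Record (or refresh) an IP learned from a DNS answer for a matching name."""
        if self.matches(fqdn):
            self.ips[ip] = Resolved(ip, now + ttl)

    def allows(self, dst_ip):
        return dst_ip in self.ips

    def open_session(self, dst_ip):
        if not self.allows(dst_ip):
            raise PermissionError(f"{dst_ip} is not in the rule")
        s = Session(dst_ip)
        self.sessions.append(s)
        return s

    def cleanup(self, now):
        """Evict IPs whose TTL reached 0.  Returns (evicted_ips, flushed_session_count)."""
        expired = [ip for ip, r in self.ips.items() if r.expires_at <= now]
        if not expired:
            return [], 0
        if self.mode == "flush":
            # Rebuild the rule and drop every session it matched, whatever the destination.
            for ip in expired:
                del self.ips[ip]
            flushed = [s for s in self.sessions if s.active]
            for s in flushed:
                s.active = False
            return expired, len(flushed)
        # "session" mode: keep an expired IP while a live session still uses it.
        in_use = {s.dst_ip for s in self.sessions if s.active}
        evicted = [ip for ip in expired if ip not in in_use]
        for ip in evicted:
            del self.ips[ip]
        return evicted, 0


def simulate(mode):
    """Run the two-name scenario from the thread under one clean-up mode."""
    rule = WildcardRule("*.ddns.net", mode=mode)
    # Constructed sample data: two names, two TEST-NET-1 addresses, TTL 60 s.
    rule.observe_dns("dnsip1.ddns.net", "192.0.2.10", ttl=60, now=0)
    rule.observe_dns("dnsip.ddns.net", "192.0.2.20", ttl=60, now=0)
    stream = rule.open_session("192.0.2.10")   # long-lived session (the stream)
    other = rule.open_session("192.0.2.20")
    # t=61: both TTLs have hit 0 and a fresh lookup re-points dnsip.ddns.net.
    rule.observe_dns("dnsip.ddns.net", "192.0.2.21", ttl=60, now=61)
    evicted, flushed = rule.cleanup(now=61)
    result = {
        "evicted_at_61": evicted,
        "flushed_sessions": flushed,
        "stream_survived": stream.active,
        "stale_ip_still_allowed": rule.allows("192.0.2.20"),
    }
    other.active = False                       # the second session ends
    result["evicted_after_close"], _ = rule.cleanup(now=62)
    return result


if __name__ == "__main__":
    for mode in ("flush", "session"):
        print(mode, simulate(mode))
```

Running it shows the trade-off both sides of the thread are describing: in "flush" mode the stream to 192.0.2.10 is cut even though only dnsip.ddns.net changed, while in "session" mode the stream survives but 192.0.2.20 remains allowed after DNS has re-pointed the name, and is only evicted once its session has closed. A real implementation would want a cap on how long such a stale entry may linger, since an address no longer returned by DNS is exactly the case Zyxel_Stanley raises.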