How long do WILDCARD FQDN last for if not updated?

PeterUK
PeterUK Posts: 2,655  Guru Member
edited April 2021 in Security

When I watch a stream from twitch.tv the video is by *.ttvnw.net which I BWM as high priority. The problem is the DNS is not updated when watching a stream: the cache goes to TTL 0 and stays a bit before it disappears (have not timed it). So would it be possible to extend this with an option?


All Replies

  • PeterUK
    PeterUK Posts: 2,655  Guru Member
    edited June 2020

    So the "How long do WILDCARD FQDN last for..." seems to vary from 30 seconds to 10-15 minutes longer when the TTL goes to 0.

    Problem: if I'm doing a trusted WILDCARD FQDN list, say for *twitch.tv where the stream is from *ttvnw.net, when the TTL goes to 0 plus 30 seconds or 10-15 minutes longer the stream is dropped by USG and twitch reconnects, so extending this would help.

    ...and some WILDCARD FQDN stay listed for hours... there doesn't seem to be a reason why?


  • Zyxel_Stanley
    Zyxel_Stanley Posts: 1,361  Zyxel Employee

    Hi @PeterUK  

    TTL is replied by the DNS server. The value is defined on the server side. (There is no way to extend it.)

    When the TTL is expired (TTL=0) and the client sends a DNS query again, then the TTL will renew.

    If the TTL stays at 0, it means the client doesn't need the DNS cache at that moment. So the network is still without problem at that moment.

    You can find the TTL value in the DNS reply packet:

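As an added example (not code from the original post or from Zyxel), here is where the TTL lives in a DNS reply: a Python script that builds a constructed A-record response for the hostname quoted later in this thread and parses the TTL back out of the answer section, following compression pointers the way a real resolver does. The hostname and IP address come from the thread; the 60-second TTL and the transaction ID are constructed values.

```python
import ipaddress
import struct


def encode_name(name: str) -> bytes:
    """Encode 'a.b.c' as DNS labels: length-prefixed labels ending in a zero byte."""
    out = b""
    for label in name.rstrip(".").split("."):
        raw = label.encode("ascii")
        out += bytes([len(raw)]) + raw
    return out + b"\x00"


def build_response(qname: str, answers, txid: int = 0x1234) -> bytes:
    """Construct a minimal DNS response (constructed sample, not captured traffic).
    answers is a list of (ipv4_string, ttl_seconds)."""
    # Header: id, flags (QR=1, RD=1, RA=1), QDCOUNT, ANCOUNT, NSCOUNT, ARCOUNT
    header = struct.pack("!HHHHHH", txid, 0x8180, 1, len(answers), 0, 0)
    question = encode_name(qname) + struct.pack("!HH", 1, 1)  # QTYPE=A, QCLASS=IN
    body = b""
    for ip, ttl in answers:
        rdata = ipaddress.IPv4Address(ip).packed
        # 0xC00C is a compression pointer back to the question name at offset 12.
        body += b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, ttl, len(rdata)) + rdata
    return header + question + body


def read_name(msg: bytes, offset: int):
    """Decode a possibly-compressed name; returns (name, offset after the name)."""
    labels, jumped, end, hops = [], False, offset, 0
    while True:
        length = msg[offset]
        if length & 0xC0 == 0xC0:  # two-byte pointer to an earlier name
            pointer = struct.unpack("!H", msg[offset:offset + 2])[0] & 0x3FFF
            if not jumped:
                end = offset + 2
            jumped, offset, hops = True, pointer, hops + 1
            if hops > 32:
                raise ValueError("compression pointer loop")
            continue
        if length == 0:
            offset += 1
            if not jumped:
                end = offset
            break
        labels.append(msg[offset + 1:offset + 1 + length].decode("ascii"))
        offset += 1 + length
    return ".".join(labels), end


def parse_answers(msg: bytes):
    """Return [(name, ttl, ipv4)] for every A record in the answer section."""
    _txid, flags, qd, an, _ns, _ar = struct.unpack("!HHHHHH", msg[:12])
    if not flags & 0x8000:
        raise ValueError("not a response (QR bit clear)")
    offset = 12
    for _ in range(qd):  # skip the question section
        _, offset = read_name(msg, offset)
        offset += 4      # QTYPE + QCLASS
    results = []
    for _ in range(an):
        name, offset = read_name(msg, offset)
        rtype, _rclass, ttl, rdlen = struct.unpack("!HHIH", msg[offset:offset + 10])
        offset += 10
        rdata = msg[offset:offset + rdlen]
        offset += rdlen
        if rtype == 1 and rdlen == 4:  # A record
            results.append((name, ttl, str(ipaddress.IPv4Address(rdata))))
    return results


if __name__ == "__main__":
    sample = build_response("video-edge-c6d428.lhr04.abs.hls.ttvnw.net",
                            [("99.181.67.139", 60)])
    for name, ttl, ip in parse_answers(sample):
        print(f"{name} -> {ip} (TTL {ttl}s, set by the authoritative server)")
```

The TTL is the 32-bit field just before RDLENGTH in each resource record; a firewall or client that caches the answer counts it down from that value, which is why only the DNS server operating the zone can make it larger.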

  • PeterUK
    PeterUK Posts: 2,655  Guru Member
    edited June 2020
    In the IPv4 FQDN Object Cache List there are some that go to TTL 0 and stay there for hours and some go to TTL 0 and stay there for seconds after disappearing, which is a problem for some lookups like:
    video-edge-c6d428.lhr04.abs.hls.ttvnw.net
    For a video stream, when the TTL goes to 0 in the IPv4 FQDN Object Cache List, what I'm asking for is an option to keep the IP entry for a set number of hours longer. That way the stream doesn't disconnect.

    Thanks
  • Zyxel_Stanley
    Zyxel_Stanley Posts: 1,361  Zyxel Employee

    Hi @PeterUK

    The DNS protocol is for resolving a domain name to an IP address.

    After the client has resolved the IP address successfully, the DNS cache will exist on the client until it expires.

    If the TTL has expired on the client and the client needs to resolve again, the client will send a DNS query automatically.

    In your case, the data (stream) is forwarding between client and server. Then the DNS cache is not required for the client, since the session is already established.
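To make the two positions in this thread concrete, here is an added example (my own model, not Zyxel's implementation) of a wildcard FQDN object cache: answers are learned against patterns such as *.ttvnw.net, the TTL column counts down to 0, and a sweep drops entries whose TTL has run out. A hypothetical grace_seconds parameter stands in for the "keep the IP longer" option asked for above, so the same replay shows what a rule built on the object sees with and without it. The hostname and IP come from the thread; the 60-second TTL and the timeline are constructed.

```python
from dataclasses import dataclass


@dataclass
class CacheEntry:
    fqdn: str
    ip: str
    learned_at: float  # seconds, when the DNS answer was seen
    ttl: int           # TTL taken from the DNS reply, in seconds

    def expires_at(self) -> float:
        return self.learned_at + self.ttl

    def remaining_ttl(self, now: float) -> int:
        # What the cache list's TTL column would show: counts down and stops at 0.
        return max(0, int(self.expires_at() - now))


def wildcard_match(pattern: str, fqdn: str) -> bool:
    """Match a wildcard FQDN object against a hostname. A leading '*' matches any
    prefix; '*.example' keeps the match on a label boundary, whereas '*example'
    (the form typed earlier in the thread) also matches 'notexample'."""
    pattern, fqdn = pattern.lower().rstrip("."), fqdn.lower().rstrip(".")
    if pattern.startswith("*"):
        return fqdn.endswith(pattern[1:])
    return fqdn == pattern


class WildcardFqdnCache:
    """Hypothetical model of the firewall's IPv4 FQDN object cache (assumption)."""

    def __init__(self, patterns, grace_seconds: int = 0):
        self.patterns = list(patterns)
        self.grace = grace_seconds   # hypothetical 'keep IPs past TTL' option
        self.entries: dict = {}      # (fqdn, ip) -> CacheEntry

    def learn(self, fqdn: str, ip: str, ttl: int, now: float) -> bool:
        """Record an A answer if the name matches one of the wildcard objects."""
        if not any(wildcard_match(p, fqdn) for p in self.patterns):
            return False
        self.entries[(fqdn, ip)] = CacheEntry(fqdn, ip, now, ttl)
        return True

    def ip_allowed(self, ip: str, now: float) -> bool:
        """Would a policy rule built on these objects still match this IP now?"""
        return any(e.ip == ip and now < e.expires_at() + self.grace
                   for e in self.entries.values())

    def sweep(self, now: float) -> int:
        """Remove entries whose TTL (plus grace) has run out; returns the count."""
        dead = [k for k, e in self.entries.items()
                if now >= e.expires_at() + self.grace]
        for k in dead:
            del self.entries[k]
        return len(dead)


def stream_scenario(grace_seconds: int) -> dict:
    """Replay the thread's timeline: one answer with a constructed 60 s TTL, then
    check the rule at 30 s, at 61 s (TTL hit 0), and after any grace period."""
    cache = WildcardFqdnCache(["*.ttvnw.net"], grace_seconds)
    name, ip = "video-edge-c6d428.lhr04.abs.hls.ttvnw.net", "99.181.67.139"
    cache.learn(name, ip, ttl=60, now=0)
    entry = cache.entries[(name, ip)]
    return {
        "ttl_at_30": entry.remaining_ttl(30),
        "allowed_at_30": cache.ip_allowed(ip, 30),
        "allowed_at_61": cache.ip_allowed(ip, 61),
        "swept_at_61": cache.sweep(61),
        "allowed_after_grace": cache.ip_allowed(ip, 61 + grace_seconds),
    }


if __name__ == "__main__":
    for grace in (0, 3600):
        print(f"grace={grace}s:", stream_scenario(grace))
```

With grace_seconds=0 the entry is swept the moment the TTL reaches 0 and a rule keyed on the object stops matching 99.181.67.139 even though the TCP session to it may still be open; that is the gap the two sides are arguing about, because the client only re-resolves when it opens a new connection, not while an established one is flowing. A grace period keeps the rule matching until the client's next lookup refreshes the entry, at the cost of honouring an address longer than the zone owner said it was valid.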

  • PeterUK
    PeterUK Posts: 2,655  Guru Member
    edited July 2020

    The resolving of domain name to IP address happens; I can see this in monitor > system status > FQDN object.

    The stream is up and running on www.twitch.tv/twit, the TTL goes to 0 and some seconds (sometimes minutes) later the stream disconnects! I see the browser do the DNS and the stream comes back, likely because the www.twitch.tv stream doesn't do a DNS update during the stream unlike Amazon or YouTube.

    Therefore we need the IP to stay in the cache for longer than the TTL, for a set number of hours, then it can disappear.


  • PeterUK
    PeterUK Posts: 2,655  Guru Member
    edited July 2020
    Made a video of it happening; keep an eye on 99.181.67.139 near the end when it drops out.
  • Zyxel_Stanley
    Zyxel_Stanley Posts: 1,361  Zyxel Employee

    Hi @PeterUK

    The IP address 99.181.67.139 of the DNS cache appeared when the video dropped.

    So it means the PC was without this DNS cache and sent a request because it was needed for a new session.

    Even if the DNS cache exists on the USG, the TTL still expired on the client.

    We have also tested it with https://www.twitch.tv/twit; the video stream seems to be without lag even when the DNS cache expired.

    So your symptom may come from another reason.

  • PeterUK
    PeterUK Posts: 2,655  Guru Member
    edited July 2020
    Guess I can't use WILDCARD FQDN the way it needs to be.

    Maybe because you're not testing with a big list of WILDCARD FQDN where you don't run https://www.twitch.tv/twit first of all, so you build up the IPv4 FQDN Object Cache List with other sites, then run https://www.twitch.tv/twit and the USG does a cleanup to remove 0 TTL entries and the stream stops for me...

    You wouldn't have to do DNS to keep the IP in the IPv4 FQDN Object Cache List; just a setting to keep the IPs longer than they should is all I am asking, and it would fix this issue I promise you.

    And if I bypass my WILDCARD FQDN with a rule to allow from DMZ to WAN HTTP/HTTPS the stream runs fine for hours.
  • PeterUK
    PeterUK Posts: 2,655  Guru Member
    edited July 2020
    Ok, I have done a longer video with DNS 8.8.8.8 and port 443 (had the radio on in the background at the start before turning it off), so if this video doesn't convince you I guess nothing will.

    https://ufile.io/pyj1gvil
  • Zyxel_Stanley
    Zyxel_Stanley Posts: 1,361  Zyxel Employee

    Hi @PeterUK

    How many functions has that FQDN group object been referenced in within the rules?

    Can you disable the rules one by one and check if the symptom happens again?

    You can also provide the configuration to me by private message for further checking.
