Some DNS Groups Not Resolving All IPs

We have several UTM 9 firewalls in our AWS environment, all of which are in the same region (US East Virginia).

All of them have a handful of the same firewall rules, allowing outbound access to various URLs that are defined as DNS Groups.

The problem is that on some firewalls, the DNS Group will resolve to numerous IPs (as it properly should), but on other firewalls, the DNS Group will only resolve to 2 or 3 IPs.

When working properly, some of these URLs should resolve to dozens or even hundreds of different IPs.

Under Network Services - DNS, I have the same basic setup on all firewalls, allowing the internal network. So there is nothing different about the network setup between the multiple firewalls we have.

The issue appears to be totally random with regard to which firewalls will resolve all the possible IPs for a given DNS Group, versus which firewalls will only resolve a small percentage of the possible IPs.

Anybody have any idea what the problem may be, or how I can get around this? Is there a way to force the firewall to rebuild its cache of IPs (other than rebooting the firewall)?

Thanks!

  • Rob, I've never heard of this problem. What version are these UTMs on?

    At the bottom of the 'Global' tab of 'Network Services >> DNS', you will find the [Flush Resolver Cache Now] button.

    Cheers - Bob

  • Hi

    We experience the same problem.
    Multiple appliances (>10) at different locations with a connection to the same DNS server show a different number of learned IPs for the same DNS group.

    hostname example: autodiscover.outlook.com

    The number of resolved IPs is between 18 and 119.

    SG/UTM Firmware version: 9.604-2

  • In reply to Bart Heylen:

    Hi

    The resolution of the hostname autodiscover.outlook.com varies for different regions and different servers. I assume it is due to the way it has been configured and not due to the UTM. You may try to resolve the hostname using different DNS servers from any machine outside the UTM9 network and will still see different resolutions.

  • In reply to Bart Heylen:

    Hoi Bart and welcome to the UTM Community!

    It's common for this to happen with broadly used FQDNs.

    I just used Domain Dossier on centralops.net for this one and got the following:

    52.96.22.8
    40.97.196.8
    40.97.197.136
    52.96.22.184
    2603:1036:804:c::8
    2603:1036:804:2::8
    2603:1036:804:9::8
    2603:1036:805:28::8

    All of the TTLs were 60 seconds, so a minute later, a second query returned:

    40.97.120.248
    40.97.120.216
    52.96.22.8
    40.97.198.40
    2603:1036:805:a0::8
    2603:1036:804:b::8
    2603:1036:802:1::8
    2603:1036:805:b4::8

    Cheers Bob
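    The two answers Bob quotes show why a DNS Group that only keeps the newest 60-second answer will always be missing addresses. The script below is an added example (not from the thread or from Sophos UTM) that merges successive answers and reports which addresses a "latest answer only" cache would drop; `SAMPLE_ROUNDS` is constructed from the two answers above, and `live_answer` is a hypothetical helper that polls the system resolver when run outside the test.

```python
"""Accumulate the address set a DNS-based allow-list must cover for an
FQDN whose answers change on every query (added example, not UTM code)."""
import socket
import time
from typing import Dict, Iterable, List, Set, Tuple

# Constructed sample: the two consecutive answers quoted in the thread
# for autodiscover.outlook.com (TTL 60 s).
SAMPLE_ROUNDS: List[Set[str]] = [
    {"52.96.22.8", "40.97.196.8", "40.97.197.136", "52.96.22.184",
     "2603:1036:804:c::8", "2603:1036:804:2::8",
     "2603:1036:804:9::8", "2603:1036:805:28::8"},
    {"40.97.120.248", "40.97.120.216", "52.96.22.8", "40.97.198.40",
     "2603:1036:805:a0::8", "2603:1036:804:b::8",
     "2603:1036:802:1::8", "2603:1036:805:b4::8"},
]


def accumulate(rounds: Iterable[Set[str]]) -> Tuple[Set[str], Dict[str, int], Set[str]]:
    """Merge successive resolver answers.

    Returns (union, first_seen_round, last_answer). A cache that keeps only
    the newest answer (what the thread observes on the UTM) holds
    `last_answer`; an allow-list that must cover every address a client
    may be handed needs `union`.
    """
    union: Set[str] = set()
    first_seen: Dict[str, int] = {}
    last: Set[str] = set()
    for i, answer in enumerate(rounds, start=1):
        for addr in sorted(answer):
            if addr not in union:
                first_seen[addr] = i   # round in which the address first appeared
        union |= answer
        last = set(answer)
    return union, first_seen, last


def live_answer(host: str) -> Set[str]:
    """One resolver round for `host` (A and AAAA) via the system resolver."""
    return {info[4][0] for info in socket.getaddrinfo(host, None)}


if __name__ == "__main__":
    union, first_seen, last = accumulate(SAMPLE_ROUNDS)
    print(f"newest answer: {len(last)} addresses, union so far: {len(union)}")
    print("dropped by a latest-answer-only cache:", sorted(union - last))
    # Live check (needs network): poll once per TTL window and watch the union grow.
    # rounds = [live_answer("autodiscover.outlook.com") for _ in range(5)
    #           if not time.sleep(60)]
```

Run the commented live poll against your own DNS Group FQDNs to compare the accumulated union with what the firewall shows as learned.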

  • In reply to BAlfson:

    Thanks to Jaydeep and BAlfson for the fast reply.

    Unfortunately we experienced the case that the end-user was using an IP which was not learned on the firewall.

    I am afraid I have to look for another way to solve my problem here. Thanks anyway.