
Constant DNS lookups to google domains and others in FQDN hosts - FIX

I found a few similar questions from different people over the years as to why their XG makes constant DNS lookups to huge amounts of domains with none of the posts having a useful answer. Unfortunately all those threads were locked due to age so I've made this as a new discussion.

By default, the XG will DNS query every single entry in the FQDN hosts list EVERY 10 SECONDS, which is a huge amount of unnecessary lookups that completely ignore the TTL values set for those domains.

edit: See reply post below. It was not the Firewall setting a 10 second TTL but the upstream DNS server. The commands below still work to override the TTL and back off the number of lookups.

You can actually find the fix in the CLI command reference guide.

The needed command is: fqdn-host

"Set cache-ttl value for FQDN Host. The cache-ttl value represents the time (in seconds) after which the cached FQDN Host to IP Address binding will be updated. ...

Default – 3600 seconds"

This is clearly incorrect; the default is nothing like 3600 seconds. Presumably it's incorrectly implemented, as the actual default value of 10 seconds is just crazy.

To fix: SSH to the device and choose option 4, Device Console.

Then use "set fqdn-host cache-ttl 180"

Substitute 180 (in seconds) for your own appropriate value; 3 mins seems a fair balance to me. It's still lower than the TTL of any of those domains, so it shouldn't be able to cause any issues, but it will drastically reduce unneeded lookups on your DNS servers.

I can see in my DNS server logs this take effect immediately, and the constant lookups backed off to the set value.
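As an added illustration (example code, not from this thread or from Sophos), the following Python script does the DNS-server-log check described above programmatically: for each name a given client asks about, it measures the shortest interval between repeat queries and compares it with the TTL the resolver handed back. That separates the two situations the thread ends up discussing: a client that re-queries before the answer's TTL has expired (a firewall-side cache-ttl problem) versus an upstream resolver that returns a very short TTL, such as the 10 second rewrite TTL mentioned later, which the client is simply honouring. The log format, the client address 192.168.1.1 and all names and TTLs are constructed for the example; real resolvers log differently, so parse_log would need adapting.

```python
"""Added example: audit a resolver's query log for FQDN-host re-query rates.

Not code from the thread or from Sophos. It assumes a constructed log format
with one line per answered query: ISO timestamp, client=, qname=, ttl=.
"""
from collections import defaultdict
from datetime import datetime

# Constructed sample log (not a real capture). 192.168.1.1 plays the firewall.
SAMPLE_LOG = """\
2021-10-25T10:00:00 client=192.168.1.1 qname=www.google.com ttl=10
2021-10-25T10:00:10 client=192.168.1.1 qname=www.google.com ttl=10
2021-10-25T10:00:20 client=192.168.1.1 qname=www.google.com ttl=10
2021-10-25T10:00:00 client=192.168.1.1 qname=updates.example.net ttl=300
2021-10-25T10:00:10 client=192.168.1.1 qname=updates.example.net ttl=300
2021-10-25T10:00:20 client=192.168.1.1 qname=updates.example.net ttl=300
2021-10-25T10:00:00 client=192.168.1.1 qname=cdn.example.org ttl=60
2021-10-25T10:01:00 client=192.168.1.1 qname=cdn.example.org ttl=60
2021-10-25T10:02:00 client=192.168.1.1 qname=cdn.example.org ttl=60
2021-10-25T10:00:05 client=192.168.1.50 qname=www.google.com ttl=10
"""

# TTLs at or below this are treated as "suspiciously short upstream TTL";
# 10 s is the rewrite/block TTL the thread found Pi-hole/AdGuard handing out.
SHORT_TTL = 10


def parse_log(text):
    """Yield (timestamp, client, qname, ttl) from the constructed log format."""
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, *fields = line.split()
        kv = dict(f.split("=", 1) for f in fields)
        yield datetime.fromisoformat(ts), kv["client"], kv["qname"], int(kv["ttl"])


def audit(text, client):
    """For every name `client` queried: query count, last TTL seen,
    shortest interval between consecutive queries, and a verdict."""
    times = defaultdict(list)
    ttls = {}
    for ts, who, name, ttl in parse_log(text):
        if who != client:
            continue
        times[name].append(ts)
        ttls[name] = ttl

    report = {}
    for name, stamps in times.items():
        stamps.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]
        min_gap = min(gaps) if gaps else None
        ttl = ttls[name]
        if min_gap is None:
            verdict = "single query"
        elif min_gap < ttl:
            # Asked again while the previous answer was still valid:
            # the client is not honouring the TTL (fix the client's cache-ttl).
            verdict = "client re-queries before TTL expiry"
        elif ttl <= SHORT_TTL:
            # Client waited for expiry, but the TTL itself is tiny:
            # the upstream resolver is driving the query rate.
            verdict = "upstream TTL is very short"
        else:
            verdict = "ok"
        report[name] = {
            "queries": len(stamps),
            "ttl": ttl,
            "min_interval": min_gap,
            "verdict": verdict,
        }
    return report


if __name__ == "__main__":
    for name, row in audit(SAMPLE_LOG, "192.168.1.1").items():
        print(f"{name:22} n={row['queries']} ttl={row['ttl']:4} "
              f"min_gap={row['min_interval']} -> {row['verdict']}")
```

Run against a real export you would point parse_log at your own resolver's log format and pass the firewall's address as the client; names flagged "client re-queries before TTL expiry" point at the firewall's cache setting, while "upstream TTL is very short" points at the resolver's rewrite or block TTL.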

  • Just wondering: My console value is: 

    console> show fqdn-host
    cache-ttl: dns-reply-ttl

    Maybe there is an issue in your installation? Because I checked multiple instances, and none uses a fixed default value. It always uses the TTL, which seems to be accurate.

    Checked the dump for some queries: it always queries again after the TTL was reached.


  • That's interesting, thanks! That looks like the behaviour I would expect.

    This is a clean install of the 18.5.1 software ISO (on XG 125 hardware but with a home license).

    I'm happy that this seems to have fixed things in my instance; I'll leave this post up in case it helps someone else one day. There seem to be a few others who have reported seeing similar things over the years.

  • Maybe other Home users can report back on their default value, in case there is some sort of error in the default value. Because I checked only Hardware and Azure Appliances, which seem to be correct.

    Which value was in your config? 60 sec or something else? 


  • It wouldn't tell me the value it was using. The show command just returned:

    cache-ttl: default

    Without saying what default was. But from the behaviour it appeared to be using a value of "10" until changed.

  • Can you set it back to default? 


  • I'm not sure how?

    console> set fqdn-host cache-ttl default
    % Error: Unknown Parameter 'default'

    I've tried "default"  "0" and blank with no luck.

  • I was able to set it to "dns-reply-ttl" like in your screenshot.

    set fqdn-host cache-ttl dns-reply-ttl

    And it was happy to take that value, which obviously would be better than the fixed time I had to set above.

    Thanks for your help with this.

  • Ok. So I did some more digging, and some of the other discussions around this also mentioned using pi-hole or adblock type systems as upstream DNS.

    It looks like it is in fact the upstream DNS setting a 10 second TTL and the XG is actually respecting that.

    My upstream DNS server is enforcing search engine safesearch which triggers this issue:

    github.com/.../1518

    "At the moment DNS rewrites have the same TTL as blocked query. Which is 10 seconds by default. "

    It's just a coincidence that the list of addresses in the default FQDN hosts list is mostly made up of the safesearch domains so the logs made it look like that's what was triggering it.

    It explains why only a few others were seeing the same behaviour.

    So in my case (or anyone else using pi-hole / adblock at home and safesearch) it probably is more correct to fix the upstream if possible instead of messing with the XG's cache-ttl setting.

  • Hi,

    my home system settings

    Ian

    V18.5.x - e3-1225v5 6gb ram with 4 ports - 20w. 
  • I have exactly the same issue. I am using Pi-hole for ad-/tracker blocking and it uses a TTL of 2.

    But I am not using any kind of SafeSearch, so it's a bit strange from my POV.