
Constant DNS lookups to google domains and others in FQDN hosts - FIX

I found a few similar questions from different people over the years as to why their XG makes constant DNS lookups to huge amounts of domains with none of the posts having a useful answer. Unfortunately all those threads were locked due to age so I've made this as a new discussion.

By default, the XG will DNS query every single entry in the FQDN hosts list EVERY 10 SECONDS, which is a huge amount of unnecessary lookups that completely ignores the TTL values set for those domains.

edit: See reply post below. It was not the Firewall setting a 10 second TTL but the upstream DNS server. The commands below still work to override the TTL and back off the number of lookups.

You can actually find the fix in the CLI command reference guide.

The needed command is: fqdn-host

"Set cache-ttl value for FQDN Host. The cache-ttl value represents the time (in seconds) after which the cached FQDN Host to IP Address binding will be updated. ...

Default – 3600 seconds"

This is clearly incorrect; the default is nothing like 3600 seconds. Presumably it's incorrectly implemented, as the actual default value of 10 seconds is just crazy.

To fix, SSH to the device and choose option 4, Device Console.

Then, to fix it, use "set fqdn-host cache-ttl 180"

Substitute your own appropriate value for 180 (in seconds); 3 mins seems a fair balance to me. It's still lower than the TTL of any of those domains, so it shouldn't cause any issues but will drastically reduce unneeded lookups on your DNS servers.

I can see in my DNS server logs that this takes effect immediately and the constant lookups backed off to the set value.
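As an added example (not part of this post and not Sophos tooling), here is one way to check from your own DNS server's query log whether a client is re-querying names faster than the records' TTL, which is the symptom described above, and to confirm the lookups have backed off after the change. It assumes a BIND-style query log line format; the log lines, the client IP 192.0.2.1 and the TTL values in RECORD_TTL are all constructed for the example.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample DNS query log (BIND-style format assumed). The first name is
# queried every 10 seconds by the same client; the second only once per 300 s.
SAMPLE_LOG = """\
01-Mar-2022 10:00:00.000 client 192.0.2.1#5353: query: example.com IN A
01-Mar-2022 10:00:10.000 client 192.0.2.1#5353: query: example.com IN A
01-Mar-2022 10:00:20.000 client 192.0.2.1#5353: query: example.com IN A
01-Mar-2022 10:00:30.000 client 192.0.2.1#5353: query: example.com IN A
01-Mar-2022 10:00:00.000 client 192.0.2.1#5353: query: update.example.net IN A
01-Mar-2022 10:05:00.000 client 192.0.2.1#5353: query: update.example.net IN A
"""

# Assumed TTLs (seconds) published for the constructed records.
RECORD_TTL = {"example.com": 300, "update.example.net": 300}

# One BIND-style query log line: timestamp, client addr#port, queried name and type.
LINE_RE = re.compile(
    r"^(?P<ts>\d{2}-\w{3}-\d{4} \d{2}:\d{2}:\d{2})\.\d+ client (?P<client>[\d.]+)#\d+: "
    r"query: (?P<name>\S+) IN (?P<rtype>\S+)"
)


def parse_queries(log_text):
    """Return (timestamp, client, name) for every line that parses as a query."""
    out = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # skip lines that are not query entries
        ts = datetime.strptime(m.group("ts"), "%d-%b-%Y %H:%M:%S")
        out.append((ts, m.group("client"), m.group("name")))
    return out


def min_query_interval(queries):
    """Smallest gap in seconds between consecutive queries, keyed by (client, name)."""
    by_key = defaultdict(list)
    for ts, client, name in queries:
        by_key[(client, name)].append(ts)
    result = {}
    for key, stamps in by_key.items():
        stamps.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]
        result[key] = min(gaps) if gaps else None  # None: only one query seen
    return result


def find_ttl_violators(log_text, ttls):
    """Map (client, name) -> shortest interval for names re-queried faster than their TTL.

    A client honouring the cache would never ask again before the TTL expires, so
    any entry returned here points at a resolver that ignores or overrides the TTL.
    """
    intervals = min_query_interval(parse_queries(log_text))
    violators = {}
    for (client, name), gap in intervals.items():
        ttl = ttls.get(name)
        if gap is not None and ttl is not None and gap < ttl:
            violators[(client, name)] = gap
    return violators


if __name__ == "__main__":
    for (client, name), gap in find_ttl_violators(SAMPLE_LOG, RECORD_TTL).items():
        print(f"{client} re-queries {name} every {gap:.0f}s (TTL {RECORD_TTL[name]}s)")
```

Run it against a real query log (and the TTLs you actually see in `dig` output) before and after setting the cache-ttl; once the firewall backs off, the name should drop out of the violator list.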



  • Just wondering: My console value is: 

    console> show fqdn-host
    cache-ttl: dns-reply-ttl

    Maybe there is an issue in your installation? Because I checked multiple instances, none uses a fixed default value. It always uses the TTL, which seems to be accurate.

    Checked the dump for some queries: it always queries again after the TTL was reached.


  • That's interesting, thanks! That looks like the behaviour I would expect.

    This is a clean install of 18.5.1 software iso (on XG 125 hardware but with home license)

    I'm happy that this seems to have fixed things in my instance; I'll leave this post up in case it helps someone else one day. There seem to be a few others who have reported seeing similar things over the years.
