Screen OS

  • 1.  ssg5 and ttl / dns lookups every 10 s

    Posted 06-26-2013 14:53

    Hello,

     

    I've configured the following on the ssg5:

     

    Refresh domain name IP Addresses:
      Every day at:           06:28 o'clock
      Last performed look-up: 06/26/2013 23:40:57
      Next scheduled look-up: 06/27/2013 06:28:00

     

    but for all domain-based objects, the ssg5 does a lookup every 10 seconds.

     

    The cache itself seems to work:

     

         Host name:  media.fastclick.net IP: 63.215.202.6  TTL= 43s

     

    Is there any possibility to reduce the TTL / the lookup frequency to 86400 s?

    (I like to avoid using IPs.)

     

    Thank you!



  • 2.  RE: ssg5 and ttl / dns lookups every 10 s
    Best Answer

     
    Posted 06-27-2013 07:19

    Hello.

     

    The DNS TTL is learned from the external DNS server.  There is no way to modify this value on the firewall itself.

     

    Regards,

    Sam



  • 3.  RE: ssg5 and ttl / dns lookups every 10 s

    Posted 06-27-2013 13:14

    That means that the only way to negate the resolves every 10 sec is to use IPs instead of hostnames?

    Or do you have any other tips?



  • 4.  RE: ssg5 and ttl / dns lookups every 10 s

     
    Posted 06-27-2013 13:16

    Yes, unfortunately, that is the only option that I'm aware of.

     

    Regards,

    Sam



  • 5.  RE: ssg5 and ttl / dns lookups every 10 s

    Posted 06-27-2013 13:24

    OK, thanks!



  • 6.  RE: ssg5 and ttl / dns lookups every 10 s

    Posted 06-27-2013 15:31

    Are you sure the firewall is repeating the lookup every 10 seconds?

    The host you listed, media.fastclick.net, has a TTL of 300s.

     

    First, let's find out where the fastclick.net info comes from:

     

    Optimus:~ kr$ dig fastclick.net in ns
    
    ; <<>> DiG 9.7.6-P1 <<>> fastclick.net in ns
    ;; global options: +cmd
    ;; Got answer:
    ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 62621
    ;; flags: qr rd ra; QUERY: 1, ANSWER: 8, AUTHORITY: 0, ADDITIONAL: 11
    
    ;; QUESTION SECTION:
    ;fastclick.net. IN NS
    
    ;; ANSWER SECTION:
    fastclick.net. 142678 IN NS eur2.akam.net.
    fastclick.net. 142678 IN NS eur7.akam.net.
    fastclick.net. 142678 IN NS ns1-100.akam.net.
    fastclick.net. 142678 IN NS ns1-27.akam.net.
    fastclick.net. 142678 IN NS usw1.akam.net.
    fastclick.net. 142678 IN NS asia9.akam.net.
    fastclick.net. 142678 IN NS use4.akam.net.
    fastclick.net. 142678 IN NS eur3.akam.net.
    
    ;; ADDITIONAL SECTION:
    eur2.akam.net. 59878 IN A 213.254.238.132
    eur3.akam.net. 59879 IN A 195.59.44.133
    eur7.akam.net. 59887 IN A 195.59.188.171
    use4.akam.net. 59878 IN A 69.31.29.57
    usw1.akam.net. 59878 IN A 96.17.144.195
    asia9.akam.net. 59878 IN A 124.40.52.132
    asia9.akam.net. 59878 IN AAAA 2a02:26f0:67::64
    ns1-27.akam.net. 59879 IN A 193.108.91.27
    ns1-27.akam.net. 59879 IN AAAA 2600:1401:2::1b
    ns1-100.akam.net. 59879 IN A 193.108.91.100
    ns1-100.akam.net. 59879 IN AAAA 2600:1401:2::64
    
    ;; Query time: 107 msec
    ;; SERVER: 192.168.1.1#53(192.168.1.1)
    ;; WHEN: Thu Jun 27 15:11:21 2013
    ;; MSG SIZE  rcvd: 406
    

    Ok... now I'll ask one of those listed nameservers directly about the hostname media.fastclick.net:

     

    Optimus:~ kr$ dig @usw1.akam.net media.fastclick.net
    
    ; <<>> DiG 9.7.6-P1 <<>> @usw1.akam.net media.fastclick.net
    ; (1 server found)
    ;; global options: +cmd
    ;; Got answer:
    ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 44536
    ;; flags: qr aa rd; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 0
    ;; WARNING: recursion requested but not available
    
    ;; QUESTION SECTION:
    ;media.fastclick.net. IN A
    
    ;; ANSWER SECTION:
    media.fastclick.net. 300 IN CNAME vcm-media.valueclick.akadns.net.
    
    ;; Query time: 108 msec
    ;; SERVER: 96.17.144.195#53(96.17.144.195)
    ;; WHEN: Thu Jun 27 15:11:37 2013
    ;; MSG SIZE  rcvd: 79
    

    Ok... it's an alias (CNAME) to vcm-media.valueclick.akadns.net.  Fine, let's find out what the nameservers are for akadns.net:

    Optimus:~ kr$ dig akadns.net in ns
    
    ; <<>> DiG 9.7.6-P1 <<>> akadns.net in ns
    ;; global options: +cmd
    ;; Got answer:
    ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 25410
    ;; flags: qr rd ra; QUERY: 1, ANSWER: 10, AUTHORITY: 0, ADDITIONAL: 10
    
    ;; QUESTION SECTION:
    ;akadns.net. IN NS
    
    ;; ANSWER SECTION:
    akadns.net. 68314 IN NS ns11-128.akadns.net.
    akadns.net. 68314 IN NS ns2-129.akadns.net.
    akadns.net. 68314 IN NS ns6-131.akadns.org.
    akadns.net. 68314 IN NS ns6-129.akadns.net.
    akadns.net. 68314 IN NS ns2-131.akadns.org.
    akadns.net. 68314 IN NS ns1-129.akadns.net.
    akadns.net. 68314 IN NS ns17-133.akadns.org.
    akadns.net. 68314 IN NS ns20-131.akadns.org.
    akadns.net. 68314 IN NS ns3-131.akadns.org.
    akadns.net. 68314 IN NS ns3-129.akadns.net.
    
    ;; ADDITIONAL SECTION:
    ns1-129.akadns.net. 59878 IN A 193.108.88.129
    ns2-129.akadns.net. 60078 IN A 2.22.230.129
    ns2-131.akadns.org. 59828 IN A 2.22.230.131
    ns3-129.akadns.net. 63788 IN A 23.61.199.129
    ns3-131.akadns.org. 59828 IN A 23.61.199.131
    ns6-129.akadns.net. 63974 IN A 95.100.168.129
    ns6-131.akadns.org. 59828 IN A 95.100.168.131
    ns11-128.akadns.net. 60883 IN A 96.7.50.128
    ns17-133.akadns.org. 59828 IN A 124.40.52.133
    ns20-131.akadns.org. 59828 IN A 213.155.153.131
    
    ;; Query time: 90 msec
    ;; SERVER: 192.168.1.1#53(192.168.1.1)
    ;; WHEN: Thu Jun 27 15:12:13 2013
    ;; MSG SIZE  rcvd: 421
    

    So far, so good.  Now we'll ask about vcm-media.valueclick.akadns.net directly from one of the akadns.net servers:

     

    Optimus:~ kr$ dig @ns1-129.akadns.net vcm-media.valueclick.akadns.net
    
    ; <<>> DiG 9.7.6-P1 <<>> @ns1-129.akadns.net vcm-media.valueclick.akadns.net
    ; (1 server found)
    ;; global options: +cmd
    ;; Got answer:
    ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 33726
    ;; flags: qr aa rd; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 0
    ;; WARNING: recursion requested but not available
    
    ;; QUESTION SECTION:
    ;vcm-media.valueclick.akadns.net. IN A
    
    ;; ANSWER SECTION:
    vcm-media.valueclick.akadns.net. 300 IN A 63.215.202.6
    
    ;; Query time: 170 msec
    ;; SERVER: 193.108.88.129#53(193.108.88.129)
    ;; WHEN: Thu Jun 27 15:12:37 2013
    ;; MSG SIZE  rcvd: 65
    

     

    Both the CNAME returned from fastclick.net and the A record returned from akadns.net have TTLs of 300s.

     

    I don't know why your firewall would send a query every 10 s; I would consider that incorrect behavior.
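The check above (walk the delegation, query an authoritative server directly, follow the CNAME, read the TTL on each hop) can be made repeatable. The following is an added example and not code from the thread or from Juniper: it parses the ANSWER SECTION of dig output, follows the CNAME chain to the address records, takes the shortest TTL in the chain as the only honest cache lifetime, and compares it with the refresh interval the firewall was observed to use. The dig text embedded in the block is a constructed copy of the two relevant answers shown in this thread; the 10 s interval and the 43 s countdown are the values reported in the first post, and nothing here talks to the network.

```python
"""Derive the cache lifetime of a CNAME chain from dig output and compare it
with an observed re-query interval.  Added example, not part of the thread;
the dig answers below are constructed copies of the ones posted above."""
import re
from dataclasses import dataclass
from typing import List, Tuple

# Constructed from the thread: CNAME answer from fastclick.net's authoritative server
DIG_FASTCLICK = """;; QUESTION SECTION:
;media.fastclick.net. IN A

;; ANSWER SECTION:
media.fastclick.net. 300 IN CNAME vcm-media.valueclick.akadns.net.

;; Query time: 108 msec
"""
# Constructed from the thread: A answer from akadns.net's authoritative server
DIG_AKADNS = """;; ANSWER SECTION:
vcm-media.valueclick.akadns.net. 300 IN A 63.215.202.6

;; Query time: 170 msec
"""

# dig prints answer records as: name  ttl  class  type  rdata (tabs or spaces)
RR_LINE = re.compile(r"^(\S+)\s+(\d+)\s+IN\s+(CNAME|A|AAAA)\s+(\S+)$")


@dataclass(frozen=True)
class RR:
    name: str
    ttl: int
    rtype: str
    rdata: str


def parse_answers(dig_output: str) -> List[RR]:
    """Return the A/AAAA/CNAME records found in the ANSWER SECTION of dig output."""
    records, in_answer = [], False
    for raw in dig_output.splitlines():
        line = raw.strip()
        if line.startswith(";; ANSWER SECTION:"):
            in_answer = True
            continue
        if in_answer and (not line or line.startswith(";")):
            in_answer = False  # blank line or next ';;' header ends the section
        if in_answer:
            m = RR_LINE.match(line)
            if m:
                records.append(RR(m.group(1).lower(), int(m.group(2)),
                                  m.group(3), m.group(4).lower()))
    return records


def resolve_chain(name: str, records: List[RR], max_hops: int = 8) -> Tuple[List[RR], List[str]]:
    """Follow CNAMEs from `name` to address records.

    Returns (records traversed, addresses).  Loops and over-long chains raise,
    exactly the cases a resolver must refuse rather than spin on."""
    chain, addrs, seen = [], [], set()
    current = name.lower().rstrip(".") + "."
    for _ in range(max_hops):
        if current in seen:
            raise ValueError(f"CNAME loop at {current}")
        seen.add(current)
        matches = [r for r in records if r.name == current]
        if not matches:
            raise LookupError(f"no record for {current}")
        cnames = [r for r in matches if r.rtype == "CNAME"]
        if cnames:
            chain.append(cnames[0])
            current = cnames[0].rdata
            continue
        for r in matches:
            if r.rtype in ("A", "AAAA"):
                chain.append(r)
                addrs.append(r.rdata)
        return chain, addrs
    raise ValueError("CNAME chain exceeds max_hops")


def effective_ttl(chain: List[RR]) -> int:
    """A cached answer is only valid until the shortest TTL in the chain expires."""
    return min(r.ttl for r in chain)


def remaining_ttl(ttl: int, fetched_at: int, now: int) -> int:
    """What a cache display such as 'TTL= 43s' shows: the countdown, not the zone TTL."""
    return max(0, ttl - (now - fetched_at))


def lookups_per_day(interval_s: int) -> int:
    return 86400 // interval_s


def audit_refresh(name: str, records: List[RR], observed_interval_s: int) -> dict:
    """Compare the DNS-derived cache lifetime with an observed re-query interval."""
    chain, addrs = resolve_chain(name, records)
    ttl = effective_ttl(chain)
    return {
        "addresses": addrs,
        "ttl": ttl,
        "lookups_per_day_at_ttl": lookups_per_day(ttl),
        "lookups_per_day_observed": lookups_per_day(observed_interval_s),
        "requeries_before_expiry": observed_interval_s < ttl,
    }


if __name__ == "__main__":
    recs = parse_answers(DIG_FASTCLICK) + parse_answers(DIG_AKADNS)
    print(audit_refresh("media.fastclick.net", recs, observed_interval_s=10))
```

With the thread's two answers the chain resolves to 63.215.202.6 with an effective TTL of 300 s, i.e. 288 lookups per day if the client honours the TTL, against 8640 per day at the observed 10 s interval; `requeries_before_expiry` flags that the client is re-querying while its own cache entry is still valid. The same parser accepts any dig output, so pasting the answer sections from each hop of a longer CNAME chain is enough to find the hop whose short TTL is driving refresh traffic.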

     



  • 7.  RE: ssg5 and ttl / dns lookups every 10 s

    Posted 06-27-2013 23:08

    Top! Thank you! I did not look so deep, just at how often the requests are made.