firewall address list domains resolution frequency
Posted: Sun Jan 30, 2022 6:53 pm
by elico
I have used for quite some time domain names in the firewall address lists.
Lately I have started monitoring my devices with syslog and I am seeing that every second the RouterOS device is sending a DNS query for all the domains in the address lists.
I assumed that the device would do that a bit smarter, i.e. only run a DNS query when the TTL of the record is reached.
Has anyone else seen this? Has anyone seen any documentation regarding the behavior of the address lists' DNS resolution?
Re: firewall address list domains resolution frequency
Posted: Sun Jan 30, 2022 7:32 pm
by Sob
It's supposed to use TTL. What RouterOS version do you have?
Re: firewall address list domains resolution frequency
Posted: Sun Jan 30, 2022 7:57 pm
by ivicask
> It's supposed to use TTL. What RouterOS version do you have?
I noticed the same (on any version ever). What TTL are you talking about? In this case the timeout value is empty because I never want the entry to expire and get removed from the address list; there is no TTL setting.
I get over 1 million DNS requests per day on around 5k DNS names in address lists, which is absurd.
Re: firewall address list domains resolution frequency [SOLVED]
Posted: Sun Jan 30, 2022 9:20 pm
by Sob
TTL of DNS record. So if I do:
/ip firewall address-list
add address=forum.mikrotik.com list=test
Then unless it was already cached somewhere, it gets resolved and will be valid for two hours (because that's TTL returned by DNS server). And it will be only resolved again once it expires, so after two hours. That's how it works here.
Re: firewall address list domains resolution frequency
Posted: Mon Jan 31, 2022 11:39 am
by elico
> It's supposed to use TTL. What RouterOS version do you have?
I am using both 6.49.2 and 7.1.1.
However now I have captured the dns requests and responses on the DNS server to make sure what happens and...
It seems that indeed the TTL is being considered but, some domains have very weird ttl's.
For example there is a bank domain which has two A records:
1) one with a 10-second TTL
2) one with a 0-second TTL
So it's continuously running requests over and over again in an endless loop on this specific domain.
There are other domains which have a 30- or 60-second TTL and these look fine.
Sorry for the fuss.
Re: firewall address list domains resolution frequency
Posted: Mon Jan 31, 2022 1:47 pm
by Sob
Yes, some use really short TTLs, you'll have loads of queries for them. Additionally, unless you have dedicated resolver only for this, you're getting cached records, and if their original TTL from authoritative server is X, you'll get them with TTL anywhere between X and zero, depending on when they were requested by something else before.
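To turn the behaviour described in this thread into something a router admin can check before adding names to an address list (and to spot the offending names in an existing query log), here is a small added example in Python. It is not RouterOS code and not from any poster; it assumes (a) an entry is re-resolved when the shortest TTL in its answer set expires, (b) a 0-second TTL is floored to one query per second, as the first post observed, and (c) a constructed query-log format of "timestamp query name type". The names bank.example and cdn.example are placeholders.

```python
"""Estimate and detect address-list re-resolution load from DNS TTLs.

Added example (not RouterOS code). Models the thread's description: an
address-list entry is resolved again when its DNS record's TTL expires, so a
0-second TTL means a new query on every pass.
"""
from collections import defaultdict
from datetime import datetime

# Assumption: the router never re-resolves faster than once per second,
# which matches the "every second" rate reported in the first post.
MIN_RESOLVE_INTERVAL = 1
SECONDS_PER_DAY = 86400


def queries_per_day(ttls):
    """Expected DNS queries per day for one entry whose answer carries the
    given TTLs (seconds). Assumption: the entry is re-resolved when the
    shortest TTL in the answer expires, floored at MIN_RESOLVE_INTERVAL."""
    interval = max(min(ttls), MIN_RESOLVE_INTERVAL)
    return SECONDS_PER_DAY // interval


# Constructed sample of a query log (not real router output). The bank name
# mimics the 0-TTL case from the thread, cdn.example a 30-second TTL, and
# forum.mikrotik.com the two-hour TTL quoted above.
SAMPLE_LOG = """\
2022-01-31T11:02:00 query bank.example A
2022-01-31T11:02:01 query bank.example A
2022-01-31T11:02:02 query bank.example A
2022-01-31T11:02:03 query bank.example A
2022-01-31T11:02:00 query forum.mikrotik.com A
2022-01-31T13:02:00 query forum.mikrotik.com A
2022-01-31T11:02:00 query cdn.example A
2022-01-31T11:02:30 query cdn.example A
2022-01-31T11:03:00 query cdn.example A
"""


def query_intervals(log_text):
    """Parse query-log lines and return {name: [seconds between queries]}.

    Lines that do not match the assumed four-field format are skipped, so
    unrelated syslog lines can be piped through unchanged."""
    stamps = defaultdict(list)
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 4 or parts[1] != "query":
            continue
        stamps[parts[2]].append(datetime.fromisoformat(parts[0]))
    gaps = {}
    for name, times in stamps.items():
        times.sort()
        gaps[name] = [int((b - a).total_seconds()) for a, b in zip(times, times[1:])]
    return gaps


def noisy_names(log_text, max_queries_per_day=5000):
    """Names whose observed re-resolution interval projects to more queries
    per day than the budget; returns {name: projected_queries_per_day}."""
    flagged = {}
    for name, gaps in query_intervals(log_text).items():
        if not gaps:
            continue
        interval = max(min(gaps), MIN_RESOLVE_INTERVAL)
        rate = SECONDS_PER_DAY // interval
        if rate > max_queries_per_day:
            flagged[name] = rate
    return flagged


if __name__ == "__main__":
    print("two A records, 10s and 0s TTL:", queries_per_day([10, 0]), "queries/day")
    print("one A record, 7200s TTL:", queries_per_day([7200]), "queries/day")
    print("noisy names in sample log:", noisy_names(SAMPLE_LOG))
```

Feeding the router's DNS query log (or a capture from the resolver, as elico did) through noisy_names gives the list of names worth moving out of the address list or fronting with a resolver that enforces a minimum TTL, which is the control msatter alludes to in the next post.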
Re: firewall address list domains resolution frequency
Posted: Mon Jan 31, 2022 2:10 pm
by msatter
You can set minimal-TTL of a resolved domains... Oh no, you can't do that with a Mikrotik.