The list of Microsoft domains that will be queried from the updatable objects for Microsoft Office 365:
https://endpoints.office.com/endpoints/worldwide?clientrequestid=b10c5ed1-bad1-445f-b386-b919946339a7
The domains being queried are on this list. Requests are doubled by adding a www. prefix to each query, which causes a lot of NXDOMAIN results.
This can be fixed with a kernel parameter that prevents these extra lookups. To stop the NXDOMAIN results, set the kernel parameter add_www_prefix_to_domain_name to 0 on the fly:
fw ctl set int add_www_prefix_to_domain_name 0
To make the change permanent (survive a reboot), add a line to $FWDIR/boot/modules/fwkern.conf:
add_www_prefix_to_domain_name=0
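As an added example (not part of the original article), a small POSIX shell helper that applies both steps without leaving duplicate lines in fwkern.conf: an existing add_www_prefix_to_domain_name= line is rewritten in place, otherwise one is appended, and the on-the-fly change is only attempted when the fw command exists. The file path is taken from the first argument, falling back to $FWDIR/boot/modules/fwkern.conf; the helper names and the one-key-per-line layout of fwkern.conf are assumptions.

```shell
#!/bin/sh
# Added example: persist a firewall kernel parameter in fwkern.conf
# idempotently, then apply it live when running on a gateway.
# Assumptions: fwkern.conf holds one "key=value" per line; the fw
# command only exists on a Check Point gateway, so it is skipped elsewhere.

# set_fwkern_param FILE KEY VALUE
# Rewrites an existing KEY= line in FILE, or appends one if absent.
set_fwkern_param() {
    file="$1"; key="$2"; value="$3"
    [ -f "$file" ] || : > "$file"
    if grep -q "^${key}=" "$file"; then
        # Write to a temp file first so an interrupted write cannot truncate the config
        sed "s/^${key}=.*/${key}=${value}/" "$file" > "${file}.tmp" && mv "${file}.tmp" "$file"
    else
        printf '%s=%s\n' "$key" "$value" >> "$file"
    fi
}

# get_fwkern_param FILE KEY
# Prints the persisted value for KEY (last match wins), empty if not set.
get_fwkern_param() {
    sed -n "s/^${2}=//p" "$1" | tail -n 1
}

# apply_live KEY VALUE
# Applies the value to the running kernel only when fw is available.
apply_live() {
    if command -v fw >/dev/null 2>&1; then
        fw ctl set int "$1" "$2"
    else
        echo "fw not found; skipped live change for $1" >&2
    fi
}

# Usage on a gateway: sh this_script.sh "$FWDIR/boot/modules/fwkern.conf"
if [ -n "${1:-}" ] || [ -n "${FWDIR:-}" ]; then
    conf="${1:-$FWDIR/boot/modules/fwkern.conf}"
    mkdir -p "$(dirname "$conf")"
    set_fwkern_param "$conf" add_www_prefix_to_domain_name 0
    apply_live add_www_prefix_to_domain_name 0
    echo "persisted: add_www_prefix_to_domain_name=$(get_fwkern_param "$conf" add_www_prefix_to_domain_name)"
fi
```

Running it twice leaves a single add_www_prefix_to_domain_name=0 line, which is what you want before the next reboot reads the file.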
To further reduce the queries, you can consider modifying rad_kernel_domain_cache_refresh_interval to double its current value.
By making these changes you could reduce the queries related to FQDN Domain Objects and Updatable Objects to approximately 25% of their current level.
R77.30 Domain Objects / R80+ Non-FQDN Domain Objects
For every new connection going through the rulebase, on every rule that uses these objects the Firewall does a reverse DNS lookup for the destination IP to see whether the response matches the object. This happens regardless of which member is Active, as the Standby can send its own traffic to be checked via the rule base.
R80+ FQDN Domain Objects
After each policy install, and every 30-60 seconds after that, the Firewall performs a DNS lookup for the Domain Objects.
Updatable Objects
The Firewall obtains a list of domains from our servers for the service of the Updatable Object. From there all of those domains are treated like FQDN Domain Objects: they are checked after policy install and every 30-60 seconds after that.
For both R80+ FQDN Domain Objects and Updatable Objects, both cluster members perform the check, and all configured DNS servers are queried to make sure every IP related to the domain is cached for the rules. If there is no response, the response is late (over 1 second), wsdnsd is problematic, or a fault is received from the server, then the request is made again.