FQDN rules, asterisks and DNS recursion
While trying to open outgoing traffic from unauthenticated PCs to microsoft update websites, I have to add FQDNs like *.update.microsoft.com to a rule.
Despite that, PCs were not able to open connections to sites like fe2cr.update.microsoft.com.
Analyzing the Firebox FQDN cache, there is no sign of fe2cr.update.microsoft.com in the cache.
Why?
After investigation I discovered that the Firebox is unable to track DNS resolution by our internal recursive DNS resolver when the site has many CNAMEs to different domain names.
I had to use an external resolver (a conditional forwarder in Microsoft DNS) for the domain microsoft.com. This caused only a single UDP packet to traverse the WatchGuard with the resolved hostname, and the Firebox FQDN cache got correctly populated.
Is this a bug? It's not mentioned in the documentation that "you cannot have an internal recursive DNS resolver to make FQDN policies with asterisks work".
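To make the mechanism in this thread concrete: the firewall populates its FQDN cache from DNS responses it can observe, and a wildcard rule such as *.update.microsoft.com has to be matched against the alias in the CNAME chain, not against the canonical name the address record is attached to (fe2.update.microsoft.com.nsatc.net in the cache listing below does not match that wildcard on its own). The following is an added illustration, not WatchGuard code and not a description of the Firebox's internal implementation: it builds a DNS response on the wire format with a constructed CNAME chain (the addresses are taken from the cache listing in the thread), parses it back, and derives the cache entries a wildcard rule would learn. Rule semantics (a leading "*." matches subdomains only) and the response layout are assumptions.

```python
import struct

TYPE_A, TYPE_CNAME = 1, 5


def encode_name(name):
    """Encode a dotted name as DNS labels (no compression; the parser below still handles pointers)."""
    out = b""
    for label in name.rstrip(".").split("."):
        out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"


def build_response(qname, answers):
    """Build a minimal DNS response. answers: (owner, rtype, rdata) with rdata a name for CNAME
    or a dotted IPv4 string for A. Constructed sample data only."""
    hdr = struct.pack("!HHHHHH", 0x1234, 0x8180, 1, len(answers), 0, 0)  # QR=1, RD/RA set
    msg = hdr + encode_name(qname) + struct.pack("!HH", TYPE_A, 1)
    for owner, rtype, rdata in answers:
        payload = encode_name(rdata) if rtype == TYPE_CNAME else bytes(int(o) for o in rdata.split("."))
        msg += encode_name(owner) + struct.pack("!HHIH", rtype, 1, 3600, len(payload)) + payload
    return msg


def read_name(msg, off):
    """Decode a name at offset, following RFC 1035 compression pointers. Returns (name, next_offset)."""
    labels, jumped, end = [], False, None
    while True:
        length = msg[off]
        if length & 0xC0 == 0xC0:  # pointer: 2-byte reference into the message
            ptr = struct.unpack("!H", msg[off:off + 2])[0] & 0x3FFF
            if not jumped:
                end = off + 2  # the field ends after the first pointer
            jumped, off = True, ptr
            continue
        off += 1
        if length == 0:
            break
        labels.append(msg[off:off + length].decode("ascii"))
        off += length
    return ".".join(labels), (end if jumped else off)


def parse_answers(msg):
    """Return (owner, rtype, ttl, rdata) for every record in the answer section."""
    _id, _flags, qd, an, _ns, _ar = struct.unpack("!HHHHHH", msg[:12])
    off = 12
    for _ in range(qd):  # skip the question section
        _, off = read_name(msg, off)
        off += 4
    records = []
    for _ in range(an):
        owner, off = read_name(msg, off)
        rtype, _rclass, ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        if rtype == TYPE_CNAME:
            rdata, _ = read_name(msg, off)
        elif rtype == TYPE_A:
            rdata = ".".join(str(b) for b in msg[off:off + 4])
        else:
            rdata = msg[off:off + rdlen]
        off += rdlen
        records.append((owner, rtype, ttl, rdata))
    return records


def wildcard_match(pattern, name):
    """Assumed FQDN-rule semantics: '*.example.com' matches any subdomain, not the apex itself."""
    pattern, name = pattern.lower().rstrip("."), name.lower().rstrip(".")
    if pattern.startswith("*."):
        return name.endswith(pattern[1:])
    return pattern == name


def learn_fqdn_entries(msg, rules):
    """Model of what a firewall can learn from one observed response: for each A record, every alias
    that CNAMEs (transitively) to its owner is checked against the rules. Returns
    (ip, ttl, rule, matched_alias, canonical_owner) tuples."""
    records = parse_answers(msg)
    cname = {o: r for o, t, _, r in records if t == TYPE_CNAME}

    def canonical(name):  # follow the chain forward, guarding against loops
        seen = set()
        while name in cname and name not in seen:
            seen.add(name)
            name = cname[name]
        return name

    entries = []
    for owner, rtype, ttl, rdata in records:
        if rtype != TYPE_A:
            continue
        chain = [n for n in list(cname) + [owner] if canonical(n) == owner]
        for rule in rules:
            hits = [n for n in chain if wildcard_match(rule, n)]
            if hits:
                entries.append((rdata, ttl, rule, hits[0], owner))
    return entries


# Constructed response: the alias the client asked for, its CNAME, and two addresses from the thread.
SAMPLE_RESPONSE = build_response("fe2cr.update.microsoft.com", [
    ("fe2cr.update.microsoft.com", TYPE_CNAME, "fe2.update.microsoft.com.nsatc.net"),
    ("fe2.update.microsoft.com.nsatc.net", TYPE_A, "52.238.248.0"),
    ("fe2.update.microsoft.com.nsatc.net", TYPE_A, "52.249.36.203"),
])
RULES = ["*.update.microsoft.com"]

if __name__ == "__main__":
    for ip, ttl, rule, alias, canon in learn_fqdn_entries(SAMPLE_RESPONSE, RULES):
        print(f"{ip:15} ttl={ttl} rule={rule} via {alias} -> {canon}")
```

Run as-is, the two addresses are learned only because the response carries the CNAME from fe2cr.update.microsoft.com; feed the same function a response that contains just the A records for the canonical name (what an internal resolver answers when it has the alias cached, or what the firewall sees if only part of the recursion crosses it) and the wildcard learns nothing, which is the symptom the post describes.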
Comments
I checked one of my Fireboxes which uses my internal MS AD DNS servers and it has these domain names in the cache:
[155] 52.238.248.0 3600 82 NAA remain 0h:58m:32s 00000152 fe2.update fe2.update.microsoft.com.nsatc.net
[156] 52.242.97.97 3600 253 NAA remain 0h:58m:35s 00000152 fe3cr.delivery.mp fe3.delivery.dsp.mp.microsoft.com.nsatc.net
[157] 52.249.36.203 3600 90 NAA delay 0h:0m:51s 00000342 fe2.update fe2.update.microsoft.com.nsatc.net
[158] 52.249.36.204 3600 90 NAA delay 0h:0m:51s 00000342 fe2.update fe2.update.microsoft.com.nsatc.net
I have not configured any conditional forwarders, only "normal" forwarders to my hosting provider's DNS caching servers.
I believe this should still work, but the Firebox is going to get most of its DNS info in this case by watching DNS queries from the client itself. If the firewall can't see them because the client is sending DNS queries to something on the same subnet or for some other reason, it may not be filling out the FQDN table like you're expecting.
Are the DNS queries flowing through the firewall in your case?
(From one trusted network to another trusted network, or similar, is fine, just so long as it's traversing the firewall.)
-James Carson
WatchGuard Customer Support
@James_Carson
If it's me you are asking, nearly all of my DNS traffic is going through IPsec VPN tunnels to the AD DNS servers.
/Robert
@James_Carson
Would it be a better solution to use DNS forwarding on the Firebox and set the Firebox to use conditional forwarding for our internal AD domain names?
/Robert
@RVilhelmsen that could work. Depending on the firewall, it may not be particularly fast at doing that, though.
-James Carson
WatchGuard Customer Support