Performance Degradation - Impact of FQDN Address Objects on the CPU
11/28/2023
Description
When FQDN Address Objects are created, the firewall generates DNS queries to resolve them. If too many Address Objects remain unresolved, the firewall stops querying the DNS server once the configured threshold is reached.
However, when a wildcard FQDN Address Object such as *.microsoft.com or *.google.com is in use, every cached sub-domain has to be resolved again each time its TTL expires. There is an option that controls this. The diag page option "Refresh sub-domains of wildcard FQDN address objects" is available in case you want to trigger the DNS resolution of all the expired sub-domains of a wildcard FQDN as soon as their TTL expires.
Let's explain it better with an example. Suppose the wildcard object *.microsoft.com is configured and the firewall has already resolved the sub-domain support.microsoft.com.
The last resolution for support.microsoft.com is deleted as soon as its TTL expires (every DNS resolution has a TTL). With the refresh option enabled, the firewall then queries support.microsoft.com again, and it does the same for every other cached sub-domain of *.microsoft.com whose TTL has expired.
Cause
For big domains like *.microsoft.com or *.google.com, within a single hour the firewall may have hundreds or thousands of sub-domains in memory, and it has to refresh all of them every 60-120 seconds or even more often (the interval depends on the TTL set by the DNS server). This heavily impacts CPU performance and can lead to a firewall lockup or reboot.
Note that DNS Queries for FQDNs are one of the most impacting processes on the SonicWall's CPU in general.
Resolution
If you see high CPU usage or a high connection count, double-check your FQDN Address Object configuration.
- First of all, download the TSR from System | Diagnostics | Download Report and search it for "RESOLVE ERROR": this shows every FQDN that is currently not resolved. Check why each one is not resolved, and delete the ones that are no longer needed (unresolved objects are retried and add to the DNS query load).
- After that, review all wildcard FQDNs that cover big domains. Wildcards such as *.microsoft.com are not recommended: they are CPU intensive and may require thousands of DNS queries every few minutes.
If you still notice performance degradation while using FQDN Address Objects, verify that the diag page options that trigger the extra resolution, in particular "Refresh sub-domains of wildcard FQDN address objects", are disabled (as per the screenshot below):
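The following script is an added example, not SonicWall code, that makes the two checks above repeatable: it pulls the FQDNs flagged "RESOLVE ERROR" out of report text, lists the wildcard objects, and estimates how many DNS queries each wildcard can generate per hour from its cached sub-domain count and TTL (each cached sub-domain is re-resolved once per TTL when the refresh option is on). The TSR excerpt embedded in it is constructed for illustration; the real report's line layout is not documented in this article, only the "RESOLVE ERROR" marker is taken from it, so adjust the regular expressions to the actual report format. The 10,000 queries-per-hour threshold is an assumed illustrative value, not a SonicWall figure.

```python
import re

# Constructed sample of TSR-style lines (illustrative only; the real
# SonicWall report layout may differ, only the "RESOLVE ERROR" marker
# comes from the article).
SAMPLE_TSR = """\
FQDN Address Object: updates.vendor-a.example  -> 203.0.113.10 (TTL 300)
FQDN Address Object: old-portal.example.net  RESOLVE ERROR
FQDN Address Object: *.microsoft.com  (wildcard, 1843 sub-domains cached, TTL 60)
FQDN Address Object: *.google.com  (wildcard, 912 sub-domains cached, TTL 120)
FQDN Address Object: decommissioned.internal  RESOLVE ERROR
FQDN Address Object: *.corp.example  (wildcard, 12 sub-domains cached, TTL 3600)
"""

WILDCARD_RE = re.compile(
    r"Object:\s*(\*\.\S+)\s+\(wildcard,\s*(\d+) sub-domains cached, TTL (\d+)\)"
)


def unresolved_fqdns(report_text):
    """Return the FQDNs on lines that carry the RESOLVE ERROR marker."""
    found = []
    for line in report_text.splitlines():
        if "RESOLVE ERROR" in line:
            m = re.search(r"Object:\s*(\S+)", line)
            if m:
                found.append(m.group(1))
    return found


def queries_per_hour(cached_subdomains, ttl_seconds):
    """Queries/hour if every cached sub-domain is re-resolved once per TTL."""
    if ttl_seconds <= 0:
        raise ValueError("TTL must be positive")
    return cached_subdomains * 3600 // ttl_seconds


def wildcard_load(report_text):
    """(fqdn, cached sub-domains, ttl, queries/hour) per wildcard, heaviest first."""
    rows = []
    for line in report_text.splitlines():
        m = WILDCARD_RE.search(line)
        if m:
            name, cached, ttl = m.group(1), int(m.group(2)), int(m.group(3))
            rows.append((name, cached, ttl, queries_per_hour(cached, ttl)))
    rows.sort(key=lambda r: r[3], reverse=True)
    return rows


def review(report_text, max_queries_per_hour=10000):
    """Findings as (kind, fqdn): unresolved objects to clean up, then wildcards
    whose estimated refresh load exceeds the (assumed) threshold."""
    findings = [("unresolved", f) for f in unresolved_fqdns(report_text)]
    for name, _cached, _ttl, qph in wildcard_load(report_text):
        if qph > max_queries_per_hour:
            findings.append(("wildcard-heavy", name))
    return findings


if __name__ == "__main__":
    for name, cached, ttl, qph in wildcard_load(SAMPLE_TSR):
        print(f"{name}: {cached} sub-domains, TTL {ttl}s -> ~{qph} queries/hour")
    for kind, fqdn in review(SAMPLE_TSR):
        print(f"[{kind}] {fqdn}")
```

On the constructed sample, *.microsoft.com with 1843 cached sub-domains and a 60 second TTL works out to about 110,000 queries per hour from a single Address Object, which is the kind of load the Cause section describes; the two RESOLVE ERROR entries are the candidates to delete or fix first.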