- Products
- Network Security
Next Generation FirewallNext-generation firewall for SMB, Enterprise, and Government
Security ServicesComprehensive security for your network security solution
Network Security ManagerModern Security Management for today’s security landscape
- Advanced Threat Protection
Capture ATPMulti-engine advanced threat detection
Capture Security applianceAdvanced Threat Protection for modern threat landscape
- Access Security
Cloud Edge Secure AccessDeploy Zero-Trust Security in minutes
Secure Mobile AccessRemote, best-in-class, secure access
Wireless Access PointsEasy to manage, fast and secure Wi-FI
SwitchesHigh-speed network switching for business connectivity
- Email Security
Email SecurityProtect against today’s advanced email threats
- Cloud Security
Cloud App SecurityVisibility and security for Cloud Apps
Cloud Firewall (NSv)Next-generation firewall capabilities in the cloud
- Endpoint Security
Capture ClientStop advanced threats and rollback the damage caused by malware
Content Filtering ClientControl access to unwanted and unsecure web content
- Product Widgets
- Product Menu Right Image
- Network Security
- Solutions
- Solutions Widgets
- Solutions Image Widgets
- Solutions Widgets
- Partners
- Partner Widgets
- Partners Image Widgets
- Partner Widgets
- Support
- Support Widget
- Support Image Widgets
- Support Widget
- Products
- Network Security
- Next Generation FirewallNext-generation firewall for SMB, Enterprise, and Government
- Security ServicesComprehensive security for your network security solution
- Network Security ManagerModern Security Management for today’s security landscape
- Advanced Threat Protection
- Capture ATPMulti-engine advanced threat detection
- Capture Security applianceAdvanced Threat Protection for modern threat landscape
- Access Security
- Cloud Edge Secure AccessDeploy Zero-Trust Security in minutes
- Secure Mobile AccessRemote, best-in-class, secure access
- Wireless Access PointsEasy to manage, fast and secure Wi-FI
- SwitchesHigh-speed network switching for business connectivity
- Email Security
- Email SecurityProtect against today’s advanced email threats
- Cloud Security
- Cloud App SecurityVisibility and security for Cloud Apps
- Cloud Firewall (NSv)Next-generation firewall capabilities in the cloud
- Endpoint Security
- Capture ClientStop advanced threats and rollback the damage caused by malware
- Content Filtering ClientControl access to unwanted and unsecure web content
- Product Widgets
- Product Menu Right Image
- Network Security
- Solutions
- Solutions Widgets
- Solutions Image Widgets
- Solutions Widgets
- Partners
- Partner Widgets
- Partners Image Widgets
- Partner Widgets
- Support
- Support Widget
- Support Image Widgets
- Support Widget
Impact of FQDN Address Objects on the CPU
03/26/2020 
78 People found this article helpful
42,893 Views
Description
When creating FQDN Address Objects, more DNS queries are made by the firewall. When we have unresolved Address Objects, the SonicWall will stop querying the server after the threshold specified.
However, when we have wildcard FQDN Address Objects like *.microsoft.com or *.google.com, many subdomains need to be resolved every time the TTL Expires. So we added an option to delete all the subdomains resolved after the TTL Expires so the SonicWall doesn't have to query the DNS every x seconds.
The diag option "Refresh sub-domains of wildcard FQDN address objects" (the diag page is available at https://IPofyourSonicWall/diag.html) might be enabled should you want to trigger the DNS resolution for all the expired sub-domains on an FQDN after the TTL expires
Let's explain it better:
- Let's say you have *.microsoft.com as FQDN Address Object
- Only Microsoft.com will be resolved by the SonicWall
- The sub-domains will be resolved as soon as the SonicWall gets a query for them (i.e. a computer trying to access support.microsoft.com)
- Now the SonicWall will have also the resolution for support.microsoft.com
The last resolution for support.microsoft.com will be deleted as soon as the TTL Expires (every DNS resolution has a TTL). Now we could think that it's better that the SonicWall doesn't delete it so next time the DNS resolution will be already there.
However, for big domains like *.microsoft.com or *.google.com, in 1 hour we will probably have in memory hundreds/thousands of sub-domains and the SonicWall has to refresh all of them every, let's say, 60-120 seconds or even less (it depends on the TTL set by the DNS Server). You understand that this will highly impact the CPU performances and you could get the firewall locked up or worse, rebooting.
DNS Queries for FQDNs are one of the most impacting processes on the SonicWall's CPU in general.
Resolution
There isn't a resolution for this as this is something related to the configuration.
If you see a high CPU Usage you may want to double check your FQDN Address Objects configuration. First of all you can download the TSR from System | Diagnostics | Download Report and search for "RESOLVE ERROR": here you will be able to see all the FQDNs currently not resolved and then check why they're not resolved (delete them if not needed any longer).
After that you will need to check all the wildcard FQDNs with big domains: it is never suggested to use wildcard FQDNs like *.microsoft.com as they will require too many DNS queries.
However, should you noticed a huge impact on performances, please check in the diag page that everything as configured as below:
Related Articles
- How to force an update of the Security Services Signatures from the Firewall GUI
- How to upload security services signatures manually on Closed Environments?
- How to Create Gen 7 Settings File by Using the Online Migration Tool
Categories
- Firewalls > SonicWall NSA Series > System
- Firewalls > SonicWall SuperMassive 9000 Series > System
- Firewalls > TZ Series > System
YES
NO