SPF DNS resolution timeout ?
-
Sometimes in our SG the DNS resolution of SPF records fails.
Which is the timeout for the following phase on the logs ?Thu 2023-07-06 10:56:38: -- Executing: SPF --
Thu 2023-07-06 10:56:38: Performing SPF lookup (xxxx.com / 1xx.1xx.1xx.5x)
Thu 2023-07-06 10:56:38: * Result: none; no SPF record in DNS
Thu 2023-07-06 10:56:38: -- End: SPF (0.000000 seconds) --
Doing some manual testing, I can see that sometimes it takes up to 2-5 seconds to obtain a working SPF record from DNS. But as the previous log reports, it seems only one second is allowed... (all 4 lines are 10:56:38).
What is the SPF lookup timeout for Security Gateway?
Can we change it ?
Thank you
-
Tyler Staff
@Giovanni
This isn't a value that can be changed. Have you tested using other DNS servers then the DNS server(s) SG is configured to use to verify if this is an issue with the DNS server?
https://help.mdaemon.com/SecurityGateway/en/dns_servers.html
-
It's hard to reproduce, I'm trying to find a way to reproduce it.
Yes, it's a DNS server issue. No need to change DNS to prove it 😀Currently SG is using windows DNS, which in turn is configured to use a local Microsoft/Active Directory DNS server.
I have been able to sniff DNS traffic with wireshark those rare times when the prolbem did occur: the Microsoft DNS server interrupts recursive search of TXT record for unknown reason after the first steps.If only the client was able to retry the query after 2 seconds, the MS DNS will have a very high probability to answer correctly.
I will do more testing in the next days/week.
-
Tyler Staff
@Giovanni
It turns out I was partially correct. The timeout value is something that cannot be changed in Security Gateway. However, Security Gateway uses default values in Windows and this can be modified with a registry entry.
You can change the DNS lookup timeout by creating a DNSQueryTimeouts Multi-String Value in the HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters key within the registry. You can specify up to 5 values in this entry to retry up to 5 times at 5 specific timeout lengths. For example, if your value is 1 2 2 4 8 0 (the default value), each attempt would be 1, 2, 2, 4, and 8 seconds. The final value must be zero. The MS article below goes into more details.
https://learn.microsoft.com/en-us/previous-versions//cc977482(v=technet.10)?redirectedfrom=MSDN
-
The results of a couple of days of sniffing with "Use Windows DNS Servers": some DNS TXT resolutions still fails for two different reasons.
One reason is that MS DNS server sometimes stops a DNS recursive resolution. A retry request is required from the client, but as you said in the previous post, the 1st retry from the windows DNS client is after 1 second, and SG only waits one second... and this means that SG will never be able to read a retry response.
The second reason is that MS DNS server can takes too long to answer, from 3 to 5 seconds. And again, SG will only wait one second for the answer.
In both cases, a change in SG will be welcome: an higher timeout when there is no answer from the DNS. This wait time can be interrupted when the DNS servers will answers with a NXDOMAIN (or similar negative response) or the wanted positive answer.
Now I'm testing with "Use manually configured DNS Servers". Let's see what happens in the next days.