
"Block unsafe queries" setting causes 3-second response delay for DNS queries to local intranet DNS zone

CNenad
CNenad Posts: 13 Security Scout
edited January 2022 in Business Suite

Hello,

Since 2021/05/05 we can see that our servers with Server Security Premium 14.10 have a delay of approx. 3 seconds (2,8) for DNS query / response for an A record in the local intranet zone (the local DNS server is authoritative for that zone). It happens on servers which do not have an internet connection.

This delay in response causes a delay in processing data because the connection to the needed remote host is also delayed, and all tasks are slower and need more time to finish.

What was changed in the definitions update on 2021/05/05 that can cause this issue?

Why block or slow down queries for a local intranet DNS zone?

Why do we not see this issue on servers which have an outgoing internet connection?

What should the recommended setting be now? Of course, I will now implement a check on every server for DNS query delay, just to be on the safe side for future similar or same issues.

I know that there is a new Server Security Premium 15.01 and we will upgrade, but this issue caused a lot of trouble because of the delay until we found the root cause.

Thank you for any advice.

Best regards

Nenad
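
The per-server DNS delay check mentioned in the post above could look like the following script. It is an added example, not part of the original thread or of any F-Secure tooling; the record name, DNS server address, threshold and sample count are constructed placeholders to replace with local values.

```powershell
# Added example: time A-record lookups against the intranet DNS server and
# flag slow or failed answers. All default values below are constructed.
param(
    [string]$Name        = 'app01.intranet.example',  # hypothetical intranet record
    [string]$DnsServer   = '192.0.2.53',              # hypothetical authoritative server
    [int]   $ThresholdMs = 1000,                      # alert well below the 3 s seen in the post
    [int]   $Samples     = 5
)

$results = foreach ($i in 1..$Samples) {
    $status = 'OK'
    $sw = [System.Diagnostics.Stopwatch]::StartNew()
    try {
        # -Server directs the query to the named server; -DnsOnly and
        # -NoHostsFile keep LLMNR/NetBIOS and the hosts file out of the timing.
        $null = Resolve-DnsName -Name $Name -Type A -Server $DnsServer `
                    -DnsOnly -NoHostsFile -ErrorAction Stop
    } catch {
        $status = "FAILED: $($_.Exception.Message)"
    }
    $sw.Stop()
    [pscustomobject]@{
        Sample = $i
        Ms     = [math]::Round($sw.Elapsed.TotalMilliseconds, 1)
        Status = $status
    }
    Start-Sleep -Milliseconds 200   # space the samples out a little
}

$results | Format-Table -AutoSize

# A lookup counts as bad if it failed or took at least the threshold.
$slow = @($results | Where-Object { $_.Ms -ge $ThresholdMs -or $_.Status -ne 'OK' })
if ($slow.Count -gt 0) {
    $worst = ($results | Measure-Object -Property Ms -Maximum).Maximum
    Write-Warning "$($slow.Count)/$Samples lookups of $Name via $DnsServer were slow or failed (worst: $worst ms)"
    exit 1   # non-zero exit code for a scheduled task or monitoring agent
}
exit 0
```

Run as a scheduled task on each server, the exit code gives a simple signal when lookups in the intranet zone start taking longer than the threshold.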

Answers

  • JamesC
    JamesC Staff, Moderator Posts: 552 W/ Moderator

    Hi Nenad

    As initial troubleshooting steps, can you please try to disable the following one-by-one and let me know if the situation improves?

    1. disable DNS filter (from Web Traffic Scanning > Botnet Blocker)
    2. and/or disable ORSP (Cloud Security), from Real-time Scanning > Cloud Security
  • CNenad
    CNenad Posts: 13 Security Scout

    Hello jamesch,

    Thank you for your reply.

    We've found the root cause by changing the setting from "block unsafe queries" to "allow all queries" in Policy Manager (Advanced), F-Secure Network Filter 14.10, Settings, DNS Query filtering. It seems that I cannot find Web Traffic Scanning - Botnet blocker. I can find the setting in F-Secure Security Cloud Client under Client is enabled = Yes. Is this the setting you wrote about?

    After installing F-Secure Server Security Premium version 15.01, the setting "block unsafe queries" does not bring delay anymore into DNS query communication from the client to the DNS server.

    Still, I would like to know why this happened with version 14.10 after 2021-05-05, because it may happen again sometime in the future, especially because this is a local intranet DNS server and a local intranet DNS zone.

    Best regards

    Nenad

  • JamesC
    JamesC Staff, Moderator Posts: 552 W/ Moderator
    edited May 2021

    Hi Nenad

    Version 15 uses a newer NIFv2 (network interface framework), but version 14.10 uses NIFv1. For us to investigate further, we will need you to submit a support ticket attaching FSDiag from the affected server.


    https://www.f-secure.com/en/business/support-and-downloads/support-request


    It seems that I cannot find Web Traffic Scanning - Botnet blocker

    It is this setting


    F-Secure Security Cloud Client under Client is enabled = Yes. Is this the setting you wrote about?

    Yes, correct - highlighted below


  • CNenad
    CNenad Posts: 13 Security Scout

    Hello jamesch,

    Thank you for the info. I always use advanced view.

    We will send a support ticket. Is the FSDIAG log needed from the Policy Manager server or from the servers with ver. 14.10 where the DNS query delay occurs?

    Best regards

    Nenad

  • JamesC
    JamesC Staff, Moderator Posts: 552 W/ Moderator

    Hi Nenad,

    Please include FSDiag from the PM server, and from the host with Server Security 14.10 too.

This discussion has been closed.
