"Block unsafe queries" setting causes 3 seconds delay on response for DNS query to local intranet DNS zone
From 2021/05/05 we can see that our servers with Server Security Premium 14.10 have a delay of approx. 3 seconds (2,8) for DNS query / response for A record in local intranet zone (local DNS server is authoritative for that zone). It happens on servers which do not have an internet connection.
This delay in response causes a delay in processing data, because the connection to the needed remote host is also delayed and all tasks are slower and need more time to finish.
What was changed in the definitions update on 2021/05/05 that can cause this issue?
Why block or slow down queries for a local intranet DNS zone?
Why do we not see this issue on servers which have an outgoing internet connection?
What should be the recommended setting now? Of course, I will now implement a check on every server for DNS query delay, just to be on the safe side for future similar or same issues.
I know that there is a new Server Security Premium 15.01 and we will upgrade, but this issue caused a lot of trouble because of the delay until we found the root cause.
Thank you for any advice.
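A per-server DNS response-time check of the kind mentioned in the post above, as an added example that is not part of the thread and not F-Secure tooling: it sends an A-record query over UDP to a chosen DNS server and reports the names whose answer is slower than a threshold. The function names, the `corp.example` host name, the thresholds and the local test responder are constructed assumptions.

```python
import secrets, socket, struct, threading, time

def build_query(name, txid):
    """Encode a minimal DNS query for one A record (recursion desired)."""
    header = struct.pack(">HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    labels = name.rstrip(".").split(".")
    qname = b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels)
    return header + qname + b"\x00" + struct.pack(">HH", 1, 1)  # QTYPE=A, QCLASS=IN

def time_query(server, port, name, timeout=5.0):
    """Seconds until a reply with the matching ID arrives, or None on timeout."""
    txid = secrets.randbits(16)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        start = time.monotonic()
        s.sendto(build_query(name, txid), (server, port))
        try:
            while True:  # ignore stray datagrams whose ID does not match
                data, _ = s.recvfrom(512)
                if data[:2] == struct.pack(">H", txid):
                    return time.monotonic() - start
        except socket.timeout:
            return None

def slow_names(server, port, names, threshold=1.0, timeout=5.0):
    """Return {name: latency} for slow names; latency None means no answer."""
    slow = {}
    for name in names:
        latency = time_query(server, port, name, timeout)
        if latency is None or latency > threshold:
            slow[name] = latency
    return slow

def start_test_responder(delay):
    """Constructed local UDP responder: echoes the query as a reply after `delay` s."""
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    sock.bind(("127.0.0.1", 0))
    def serve():
        while True:
            data, addr = sock.recvfrom(512)
            time.sleep(delay)
            sock.sendto(data[:2] + b"\x81\x80" + data[4:], addr)
    threading.Thread(target=serve, daemon=True).start()
    return sock.getsockname()[1]

if __name__ == "__main__":
    port = start_test_responder(0.3)  # constructed: stands in for a delayed resolver
    print(slow_names("127.0.0.1", port, ["host1.corp.example"], threshold=0.1))
```

In real use, point `slow_names` at the intranet DNS server on port 53 with a few names from the local zone, and alert when the returned dictionary is not empty.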
As initial troubleshooting steps, can you please try to disable the following one-by-one and let me know if the situation improves?
- disable DNS filter (from Web Traffic Scanning > Botnet Blocker)
- and/or disable ORSP (Cloud Security), from Real-time Scanning > Cloud Security
Thank you for your reply.
We've found the root cause by changing the setting from "block unsafe queries" to "allow all queries" in Policy Manager (Advanced), F-Secure Network Filter 14.10, Settings, DNS Query filtering. It seems that I cannot find Web Traffic Scanning - Botnet blocker. I can find a setting in F-Secure Security Cloud Client under Client is enabled = Yes. Is this the setting you wrote?
After installing F-Secure Server Security Premium version 15.01, the setting "block unsafe queries" does not bring a delay anymore into DNS query communication from client to DNS server.
Still, I would like to know why this happened with version 14.10 after 2021-05-05, because it may happen again sometime in the future, especially because this is a local intranet DNS server and local intranet DNS zone.
Version 15 uses a newer NIFv2 (network interface framework), but version 14.10 uses NIFv1. For us to investigate further, we will need you to submit a support ticket attaching FSDiag from the affected server.
> It seems that I cannot find Web Traffic Scanning - Botnet blocker
It is this setting
> F-Secure Security Cloud Client under Client is enabled = Yes. Is this the setting you wrote?
Yes, correct - highlighted below