When you create FQDN Address Objects, the firewall generates DNS queries to resolve them. When too many Address Objects remain unresolved, the firewall stops querying the DNS server once the configured threshold is reached.
With a wildcard FQDN Address Object such as *.microsoft.com or *.google.com, however, every sub-domain learned under that wildcard has to be resolved again each time its TTL expires. There is an option controlling this. The diag-page option "Refresh sub-domains of wildcard FQDN address objects" is available in case you want the firewall to trigger DNS resolution for all expired sub-domains of an FQDN as soon as their TTL expires.
Let's explain it better with an example:
The last resolution for support.microsoft.com is deleted as soon as its TTL expires (every DNS resolution carries a TTL).
For big domains like *.microsoft.com or *.google.com, within a single hour the firewall may hold hundreds or thousands of sub-domains in memory, and the SonicWall has to refresh all of them every 60-120 seconds or even more often (the interval depends on the TTL set by the DNS server). This has a severe impact on CPU performance and can lead to a firewall lockup or reboot.
Note that DNS queries for FQDNs are, in general, one of the most CPU-intensive processes on the SonicWall.
If you see high CPU or connection usage, double-check your FQDN Address Object configuration.
If you notice performance degradation while using FQDN Address Objects, verify that the following options are disabled in the diag page (as per the screenshot below):
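To make the TTL-driven refresh cost concrete, here is an added Python simulation (example code written for this article, not SonicWall's own implementation) of a wildcard FQDN cache. It models the two behaviours the text describes: with the refresh option on, every cached sub-domain is re-queried the moment its TTL expires; with it off, an expired entry is simply dropped and only re-resolved when traffic to that sub-domain is seen again. Host names, TTL values, traffic pattern and the `WildcardFqdnCache`/`simulate` names are all constructed for the example.

```python
"""Simulate DNS query load caused by a wildcard FQDN address object.

Constructed model, not SonicWall code: it counts how many DNS queries
the firewall would issue over a period for N learned sub-domains,
depending on whether expired sub-domains are refreshed eagerly.
"""
from dataclasses import dataclass, field


@dataclass
class WildcardFqdnCache:
    ttl: int                    # seconds, as returned by the DNS server (assumed)
    refresh_subdomains: bool    # models the diag-page refresh option
    entries: dict = field(default_factory=dict)  # host -> absolute expiry time
    queries: int = 0            # total DNS queries issued so far

    def lookup(self, host: str, now: int) -> None:
        """Traffic to `host` is seen at time `now`; resolve it if not cached."""
        expiry = self.entries.get(host)
        if expiry is None or expiry <= now:
            self.queries += 1
            self.entries[host] = now + self.ttl

    def tick(self, now: int) -> None:
        """Per-second housekeeping of the cache."""
        if self.refresh_subdomains:
            # Eager mode: every expired sub-domain is re-queried immediately,
            # whether or not anything is still talking to it.
            for host, expiry in self.entries.items():
                if expiry <= now:
                    self.queries += 1
                    self.entries[host] = now + self.ttl
        else:
            # Lazy mode: expired entries are forgotten; the next packet to
            # that sub-domain triggers the resolution again.
            self.entries = {h: e for h, e in self.entries.items() if e > now}


def simulate(num_hosts: int, ttl: int, refresh: bool,
             duration: int, hit_interval: int) -> int:
    """Return the number of DNS queries issued over `duration` seconds.

    Constructed traffic pattern: every sub-domain is seen at t=0 and then
    once every `hit_interval` seconds.
    """
    cache = WildcardFqdnCache(ttl=ttl, refresh_subdomains=refresh)
    hosts = [f"sub{i}.example.test" for i in range(num_hosts)]  # constructed names
    for now in range(duration):
        cache.tick(now)
        if now % hit_interval == 0:
            for host in hosts:
                cache.lookup(host, now)
    return cache.queries


if __name__ == "__main__":
    hour = 3600
    for hosts in (100, 1000):
        for ttl in (60, 120):
            eager = simulate(hosts, ttl, True, hour, hit_interval=600)
            lazy = simulate(hosts, ttl, False, hour, hit_interval=600)
            print(f"{hosts:5d} sub-domains, TTL {ttl:3d}s: "
                  f"refresh on = {eager:6d} queries/h, refresh off = {lazy:6d} queries/h")
```

With the refresh option on, the query count is simply `num_hosts * 3600 / ttl` per hour regardless of traffic, which is the load the article warns about; with it off, a sub-domain that is only contacted every ten minutes costs six queries an hour instead of sixty. When traffic to every sub-domain is more frequent than the TTL the two modes converge, so the option mainly matters for large wildcards whose many sub-domains are hit only occasionally.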
