Meraki documentation question forum

GIdenJoe
Kind of a big deal
Kind of a big deal

Meraki documentation question forum

Hi all,

 

When I'm going to bed at night I like to read a bit.
I don't read stories but I read documentation, yeah I know, wracking the brain just before sleep... however I like doing it.
Recently I've started to re-read Meraki documentation articles before falling asleep.

The documentation is usually written in an easy enough way to everyone even if you're not familiar with each topic that is presented.

Since Meraki devices do not expose their inner workings by means of debugging/logging it's sometimes hard to fully grasp how a certain technology works and in what cases it would fail or not produce the results you thought they would.

The Meraki documentation does mention some details about certain protocols or features but not everything.

 

So I was wondering if there would be a way, like on this community to ask the Meraki engineers to further elaborate on specific topics from certain Meraki documents.

I'll give an example:
In this article I've read yesterday: https://documentation.meraki.com/MX/Firewall_and_Traffic_Shaping/MX_Firewall_Settings

there is a section dedicated to FQDN support in outbound rules and the need for the MX to see the DNS request to be able to block or allow a certain session towards that host.

 

What for me is not clear is how the MX manages this because it is not clear how the MX stores this.
For example if the DNS server is on-premise behind the CORE switch (which also can be Meraki)  The MX will never see the DNS request from the client itself but will see a DNS forwarder request coming from that server to a DNS on the internet.
Will the MX keep a cache of DNS requests, and for how long.  What with DNS resolutions that yield a different IP each time a certain fqdn is requested?

Or will the MX only match on a DNS request from a certain client and only act on the rule for that client alone (which would not work in this case).

I could ask question just about each document... so I'm curious.  What are your thoughts.

5 REPLIES 5
PhilipDAth
Kind of a big deal
Kind of a big deal

An MX watches all DNS request going to the WAN or via AutoVPN.  If any of these match an access rule using an FQDN then that result will be kept and used.

GIdenJoe
Kind of a big deal
Kind of a big deal

@PhilipDAth, that is what the documentation says, but that's not the question.
I the example of the FQDN I need to know more detail as I outlined in the question.

- Can the request come from another host (like a local DNS server that has forwarders configured)

- How many entries for the same FQDN are supported

- How long are they kept in a cache or is it only for a certain flow.

 

But my main question is:
For feedback and request for more detail, can we have a separate forum.
I realize not all information can be put in the main document so a separate forum could be a solution and maybe the Meraki people can update documents or make follow-up documents.

PhilipDAth
Kind of a big deal
Kind of a big deal

- Can the request come from another host (like a local DNS server that has forwarders configured)

 

Yes, as long as the ultimate DNS request flows through the MX.

 

- How many entries for the same FQDN are supported

 

If you are referring to how many A record responses are allowed - I've never run into the limit.  DNS itself allows between 13 to 25 A record responses depending on a couple of factors - so I would be surprised if it couldn't cache just 25 results per FQDN.

 

- How long are they kept in a cache or is it only for a certain flow.

 

The DNS entry has a TTL to say how long to keep the entry.  It expires out of the cache when the TTL is reached.

GIdenJoe
Kind of a big deal
Kind of a big deal

Hmm, you seem to have alot of inside knowledge of the product.
Did you used to work for Meraki or have really good ties with them?

 

I can only imagine many many tests being done to verify the behavior if you wouldn't know the information up front.

PhilipDAth
Kind of a big deal
Kind of a big deal

I do a lot of deployments and I do have good ties to Cisco Meraki.  However, most of my knowledge has come from doing deployments.

Get notified when there are additional replies to this discussion.
Welcome to the Meraki Community!
To start contributing, simply sign in with your Cisco account. If you don't yet have a Cisco account, you can sign up.
Labels