Symptom
DNS connections honor the global UDP idle timeout instead of being torn down when the DNS reply is seen, so numerous connections remain in the connection table until the timeout expires (default is 2 minutes).
Conditions
FTD interfaces in inline mode
Workaround
Tweak Global UDP timeout from Platform Policy
Further Problem Description
Because a DNS exchange is normally a single query followed by a single reply, connections that are not torn down as soon as the reply is seen (DNS guard) needlessly occupy the connection table for the full UDP timeout. At a high rate of DNS queries, this could lead to a breach of the connection limit.
This enhancement is designed to enforce DNS guard even when the FTD interface is in inline mode.
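To make the capacity impact concrete, the following added example (not Cisco code, and not taken from this bug description) simulates a simplified connection table over a constructed stream of DNS query/reply events. It compares the behaviour described above, where each DNS connection lives until the UDP idle timeout, against DNS-guard teardown on reply and against a shortened UDP timeout (the documented workaround). The query rate, reply delay, timeouts and connection limit are all assumed values chosen for illustration; the table model (one entry per flow, idle timer refreshed on every packet) is an assumption as well.

```python
import heapq
from dataclasses import dataclass
from typing import List

# Default UDP idle timeout stated on the page: 2 minutes (expressed here in ms).
DEFAULT_UDP_TIMEOUT_MS = 120_000


@dataclass(frozen=True)
class Event:
    t: int       # timestamp in milliseconds (integer to keep ordering exact)
    flow: str    # connection identifier (src:port -> dst:53)
    kind: str    # "query" or "reply"


def generate_dns_events(rate_per_sec: int, duration_s: int,
                        reply_delay_ms: int = 20) -> List[Event]:
    """Constructed DNS traffic: one query every 1000/rate ms, each answered
    after reply_delay_ms. Addresses are synthetic sample values."""
    assert 1000 % rate_per_sec == 0, "choose a rate that divides 1000 evenly"
    interval_ms = 1000 // rate_per_sec
    events = []
    for i in range(rate_per_sec * duration_s):
        t = i * interval_ms
        flow = f"10.0.0.{i % 250 + 1}:{20000 + i}->198.51.100.53:53"
        events.append(Event(t, flow, "query"))
        events.append(Event(t + reply_delay_ms, flow, "reply"))
    # At equal timestamps process the query before any reply.
    events.sort(key=lambda e: (e.t, e.kind == "reply"))
    return events


def simulate(events: List[Event], udp_timeout_ms: int, dns_guard: bool) -> int:
    """Replay events through a simplified connection table and return the peak
    number of concurrent entries. Without dns_guard an entry is only removed
    once it has been idle for udp_timeout_ms; with dns_guard it is torn down
    as soon as the reply is seen."""
    table = {}        # flow -> last activity timestamp (ms)
    expiry = []       # min-heap of (last_activity, flow); stale entries skipped
    peak = 0
    for ev in events:
        # Expire entries that have been idle for the full UDP timeout.
        while expiry and ev.t - expiry[0][0] >= udp_timeout_ms:
            last, flow = heapq.heappop(expiry)
            if table.get(flow) == last:     # heap entry is still current
                del table[flow]
        if ev.kind == "query":
            table[ev.flow] = ev.t
            heapq.heappush(expiry, (ev.t, ev.flow))
        elif dns_guard:
            table.pop(ev.flow, None)        # DNS guard: tear down on reply
        elif ev.flow in table:
            table[ev.flow] = ev.t           # reply only refreshes the idle timer
            heapq.heappush(expiry, (ev.t, ev.flow))
        peak = max(peak, len(table))
    return peak


def steady_state_entries(rate_per_sec: int, hold_ms: int) -> int:
    """Little's-law estimate: entries held at once = arrival rate * hold time.
    hold_ms is the time a flow stays in the table (reply delay + idle timeout)."""
    return rate_per_sec * hold_ms // 1000


def would_breach(peak_entries: int, conn_limit: int) -> bool:
    """True when the simulated peak exceeds an assumed connection limit."""
    return peak_entries > conn_limit


if __name__ == "__main__":
    events = generate_dns_events(rate_per_sec=200, duration_s=60)
    limit = 10_000   # assumed connection limit for illustration
    for label, timeout, guard in (
        ("default timeout, no DNS guard", DEFAULT_UDP_TIMEOUT_MS, False),
        ("default timeout, DNS guard", DEFAULT_UDP_TIMEOUT_MS, True),
        ("1 s UDP timeout, no DNS guard", 1_000, False),
    ):
        peak = simulate(events, timeout, guard)
        print(f"{label}: peak {peak} entries, breach={would_breach(peak, limit)}")
```

In the run above the same 60 seconds of traffic at 200 queries per second leaves all 12 000 DNS flows in the table when they only age out after the 120 s timeout, while DNS guard keeps the table at a handful of entries; shortening the UDP timeout to 1 s bounds the table at roughly rate times hold time (about 204 entries), which is what the Platform Policy workaround achieves at the cost of also shortening the timeout for all other UDP traffic.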