Issue
Fireware v12.10.3 updates the agent the Firebox uses to contact the WebBlocker Cloud Server. The updated agent performs a dual-stack DNS query that requests both the IPv4 A and IPv6 AAAA records for rp.cloud.threatseeker.com.
If your Firebox is configured to use DNS servers that do not support dual-stack DNS queries or do not respond to IPv6 AAAA records, the Firebox might be unable to contact the WebBlocker Cloud Server and you might see errors that indicate DNS resolution timed out.
Example log messages:
2024-04-24 12:18:25 webblocker[2671]: categorize_url: curl returned error: Resolving timed out after 15000 milliseconds
2024-04-24 12:18:25 Deny 10.0.1.1 142.251.215.227 https/tcp 63161 443 Trusted External ProxyDrop: HTTPS service unavailable (HTTPS-proxy-00) HTTPS-Client.Standard.Out proc_id="https-proxy" rc="594" msg_id="2CFF-0002" proxy_act="HTTPS-Client.Standard.Out" error="Webblocker server is not available" action="WBtest" cats="" dstname="google.ca" geo_dst="USA" Traffic
If your system is affected, you will not see outbound connections to rp.cloud.threatseeker.com (the WebBlocker Cloud Server). Firebox DNS diagnostics will successfully resolve rp.cloud.threatseeker.com.
Workaround/Solution
If you encounter a "curl returned error: Resolving timed out after 15000 milliseconds" error, verify that your Firebox DNS servers are configured to respond to AAAA record DNS lookups. You cannot perform AAAA record DNS lookups from the Firebox diagnostic tools.
From a system behind the Firebox, make two AAAA DNS queries with nslookup: one for a domain that has an IPv6 record, such as google.com, and one for rp.cloud.threatseeker.com.
nslookup -type=AAAA google.com <IP address of DNS server>
nslookup -type=AAAA rp.cloud.threatseeker.com <IP address of DNS server>
If both DNS queries time out, the Firebox cannot use the DNS server you queried.
If the google.com query returns an IPv6 address and the rp.cloud.threatseeker.com query does not return a SERVFAIL or timeout response, the Firebox can use the DNS server.
After you find a compatible DNS server, update the DNS servers for your Firebox.
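The two-query check above can also be scripted. The following is an added example, not WatchGuard code: the function names are hypothetical, and it assumes the DNS server is reached by IPv4 address over UDP port 53.

```python
import secrets, socket, struct

AAAA, SERVFAIL = 28, 2  # DNS record type and response code numbers

def build_query(name):  # one recursive AAAA question (RD flag set, class IN)
    labels = b"".join(bytes([len(p)]) + p.encode() for p in name.strip(".").split("."))
    return (struct.pack("!6H", secrets.randbits(16), 0x0100, 1, 0, 0, 0)
            + labels + struct.pack("!B2H", 0, AAAA, 1))

def skip_name(msg, i):  # offset just past the (possibly compressed) name at i
    while msg[i] and (msg[i] & 0xC0) != 0xC0:
        i += msg[i] + 1
    return i + (2 if msg[i] else 1)

def classify(reply):
    """Map a raw reply (None or too short = no usable reply) to a result label."""
    if reply is None or len(reply) < 12:
        return "timeout"
    flags, _qd, an = struct.unpack("!3H", reply[2:8])
    if (flags & 0xF) == SERVFAIL:
        return "servfail"
    try:
        i = skip_name(reply, 12) + 4  # assumes the single question is echoed back
        for _ in range(an):
            i = skip_name(reply, i)
            rtype, _cls, _ttl, rdlen = struct.unpack("!2HIH", reply[i:i + 10])
            if rtype == AAAA and rdlen == 16:
                return "answer"  # at least one IPv6 address came back
            i += 10 + rdlen
    except (IndexError, struct.error):
        pass  # truncated or malformed reply
    return "no-answer"

def verdict(control, target):
    """Apply the article's rule to the google.com (control) and WebBlocker results."""
    if control == target == "timeout":
        return "unusable"
    ok = control == "answer" and target not in ("servfail", "timeout")
    return "usable" if ok else "inconclusive"  # article is silent on other cases

def probe(server, name, timeout=5.0):
    """Send one AAAA query over UDP to an IPv4 resolver; None means no reply."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        try:
            s.connect((server, 53))  # only datagrams from this resolver are accepted
            s.send(build_query(name))
            return s.recv(4096)
        except OSError:
            return None
```

From a system behind the Firebox, call verdict(classify(probe(server, "google.com")), classify(probe(server, "rp.cloud.threatseeker.com"))) with the address of the DNS server the Firebox uses. An "inconclusive" result covers combinations the article does not describe, such as only one of the two queries timing out.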