Bug #16710: Firewall host aliases with duplicate FQDN will only populate one table
Status: closed
Description
I discovered that if you have firewall host aliases using FQDNs that CNAME and then rotate between two A records, where the A records are duplicates across both aliases, then the table will be missing one of the IPs. This results in firewall rules failing, as they are missing IPs that should be present, since each alias is used for different firewall rules. While they currently resolve to the same A records, the initial FQDN is different, with one being used for a client to access a hosted service and the other for the device to talk to backend servers, so they could change. While this unique scenario revealed this behavior, this appears to be a bug that could impact other legitimate needs.
Alias1
alias1.contoso.com
;; QUESTION SECTION:
;alias1.contoso.com. IN A

;; ANSWER SECTION:
alias1.contoso.com. 1027 IN CNAME prd.trafficmanager.contoso.com.
prd.trafficmanager.contoso.com. 39 IN CNAME prd-a.east.contoso.com.
prd-a.east.contoso.com. 10 IN A 1.1.1.1
This will also intermittently resolve to
prd-b.east.contoso.com. 10 IN A 2.2.2.2
Alias 2
alias2.contoso.com
;; QUESTION SECTION:
;alias2.contoso.com. IN A

;; ANSWER SECTION:
alias2.contoso.com. 905 IN CNAME prd-api.trafficmanager.contoso.com.
prd-api.trafficmanager.contoso.com. 59 IN CNAME prd-b.east.contoso.com.
prd-b.east.contoso.com. 9 IN A 2.2.2.2
This will also intermittently resolve to
prd-a.east.contoso.com. 10 IN A 1.1.1.1
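The following is an added simulation of the table-population behavior described in this report; it is not the firewall's own resolver code, and the one-global-owner model used for the defective path is an assumption about how an IP could end up in only one alias table. The rotation map is constructed from the two dig answers above, and the corrected path dedups per alias so both rotated A records accumulate in each table.

```python
"""Simulated FQDN-to-table population for two aliases that share the same
rotating A records. Constructed model, not the firewall's actual resolver."""
from itertools import cycle

# Constructed answers mirroring the report: each FQDN alternates between
# the same two A records (1.1.1.1 and 2.2.2.2), starting on different ones.
ROTATION = {
    "alias1.contoso.com": ["1.1.1.1", "2.2.2.2"],
    "alias2.contoso.com": ["2.2.2.2", "1.1.1.1"],
}
ALIASES = {"Alias1": ["alias1.contoso.com"], "Alias2": ["alias2.contoso.com"]}


def make_resolver():
    """Return resolve(fqdn) that yields the next rotated A record per call."""
    cursors = {fqdn: cycle(ips) for fqdn, ips in ROTATION.items()}
    return lambda fqdn: next(cursors[fqdn])


def populate_buggy(aliases, resolve, rounds=4):
    """Assumed defective behaviour: a single global map of IP -> owning
    alias, so an IP first seen via one alias never lands in the other
    alias's table even when that alias later resolves to it."""
    owner = {}
    tables = {name: set() for name in aliases}
    for _ in range(rounds):
        for name, fqdns in aliases.items():
            for fqdn in fqdns:
                ip = resolve(fqdn)
                owner.setdefault(ip, name)
                tables[owner[ip]].add(ip)
    return tables


def populate_fixed(aliases, resolve, rounds=4):
    """Corrected behaviour: dedup per alias table only, and keep every
    IP each FQDN has resolved to, so rotation fills in both A records."""
    tables = {name: set() for name in aliases}
    for _ in range(rounds):
        for name, fqdns in aliases.items():
            for fqdn in fqdns:
                tables[name].add(resolve(fqdn))
    return tables


if __name__ == "__main__":
    print("buggy:", populate_buggy(ALIASES, make_resolver()))
    print("fixed:", populate_fixed(ALIASES, make_resolver()))
```

With the buggy path each table ends up with only the IP its alias happened to resolve first, which is exactly the missing-IP symptom that breaks the per-alias firewall rules.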