Odd behavior with caching-only DNS servers

Mark Andrews Mark_Andrews at isc.org
Thu Feb 9 21:22:21 UTC 2006 


> At my company, we have our DMZ hosts setup to use 3 caching-only DNS
> servers dedicated to the DMZ environment.  The servers are running BIND
> 9.3.2 on Solaris 9.  The issue that I'm seeing / that is perplexing me
> thus far is this.  If I add a host on our primary DNS server (via the
> QIP IP Management interface), I can resolve the host by name or IP
> immediately from these caching only servers.

	Because there is no cached information about these hosts
	*before* the addition.  If there had been queries for the
	records there would be negative cache information and that
	would have to time out the same as positive cache information.

>  However, when a host is
> deleted and/or updated on the primary, the odd behavior begins.  Namely,
> while a lookup on any of our authoritative results fails (as expected),
> I am still able to lookup the host info (by name or IP) on these
> caching-only servers.

	That's how caches work.  They remember the information until
	the TTL expires.

> The only way I've been able to get this outdated
> info purged is by stopping / restarting the name server, flushing the
> cache, or simply waiting for the TTL to expire (per the default TTL
> setting in place).  Aside from this issue, another involves involves a
> host who originally had one IP but was moved to another.  A lookup by IP
> on some of these caching-only servers returns the expected result but a
> hostname lookup returns the old IP address.  This issue is more
> prevalent on one of the 3 servers than the other 2 but an issue
> nonetheless.

	You have different query patterns on the servers.

> What's further frustrating is that our internal servers are configured
> to forward queries outside our domain to a set of 3 caching-only servers
> (separate from the DMZ servers), where the queries in the aforementioned
> scenarios work as expected (i.e. query failing or returning updated
> info).  
> 
> In terms of the BIND configuration, they are more or less identical sans
> ACL's restricting who can/can't query them.  I've been working this
> issue for a bit now but nothing obvious is sticking out at me.  I can
> easily resolve things by making the default TTL lower but that is really
> not the answer.
> 
> Any insight, suggestions, etc would be appreciated.
> 
> - Bill

	If you know you are going to change a RRset lower the TTL
	on that RRset atleast a TTL period before the intended
	change to the data in the RRset.  Restore the TTL when you
	change the data.

	Mark
--
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742                 INTERNET: Mark_Andrews at isc.org

More information about the bind-users mailing list