I'm running a caching DNS server currently to improve latency in a network.

The question is: can I override the TTL I get from a server using BIND9 or other software on Linux?

Short output of "dig www.google.com" here:

; <<>> DiG 9.6.1-P2 <<>> www.google.com

;; ANSWER SECTION:
www.google.com.     604441  IN  CNAME  www.l.google.com.
www.l.google.com.   300     IN  A      74.125.45.147

Can I change that '300' into 15 minutes?

Thank you so much for your time!

OmniWired
    As mentioned several times, please don't do this. Just take a quick look around on serverfault to find out how many questions there are from sysadmins who have to deal with DNS servers that don't obey the TTL. Try: http://serverfault.com/questions/54758/how-long-does-it-take-for-dns-to-update-new-records-strange-dns-behaviour or http://serverfault.com/questions/103281/why-did-this-website-dns-change-fail-in-some-parts-of-the-us or http://serverfault.com/questions/96453/dns-not-resolving-for-some-people-locations – Mark Henderson Feb 17 '10 at 22:03
  • Do not worry, it was a proof of concept, that it CAN be done. Also, this will not propagate to more than 2 people in this network. And this was part of an academic effort to show an internet connection with the lowest latency possible. I understand your concerns. This was the first time I used this web page, and I'm amazed by the good replies. – OmniWired Feb 18 '10 at 00:10
  • Also see @derobert's answer. He provides a couple of different options and links to explanations: How to configure bind9 caching period: [http://unix.stackexchange.com/questions/162267/how-to-configure-bind9-caching-period/162314#162314](http://unix.stackexchange.com/questions/162267/how-to-configure-bind9-caching-period/162314#162314) – XP1 Jul 11 '16 at 13:56

5 Answers

CAN this be done? Sure - there are broken DNS servers (e.g. the ones AOL runs) that do this, and every admin I know hates it.

SHOULD this be done? Almost certainly no.

Generally speaking the TTL was set to a particular value for a reason (in google's case, probably fault tolerance: You'll only be unable to reach google for 5 minutes if that server blows up), and you shouldn't muck about with it.

You're already getting a performance boost by keeping the google.com record in your cache for the 5 minutes it's intended to live for since your individual workstations won't be running out to the internet for resolution -- don't over-optimize and break the expected behavior :)

voretaq7
  • Should I change the question and say: how can I run an evil, non-standard-compliant server, so evil it caches for 15 minutes? So I can learn "what shouldn't be done". Thank you everyone for the quick responses. – OmniWired Feb 17 '10 at 20:33
  • You could TAKE OVER THE WORLD this way. Muaaahahahaha. Yes. Evil. – kubanczyk Feb 17 '10 at 20:52
  • yes, and learning in the process, amazing! I'm sure it can be done, but I can't seem to find an answer... Maybe with some crazy BIND9 configuration zone... – OmniWired Feb 17 '10 at 21:00
  • Well, my general intent was to convince you *not* to do it. If you insist, the only way I know of would be to actually patch BIND to add a `min-cache-ttl` configuration directive (analogous in function to the existing `max-cache-ttl`). AFAIK no caching DNS server in the wild allows you to do this, though I haven't looked at Microsoft's... – voretaq7 Feb 17 '10 at 21:09
  • I thought that as well. I'm downloading the dnsmasq source as we speak. I believe it will be easier to patch dnsmasq because the source code to analyze is shorter. – OmniWired Feb 17 '10 at 21:14
The dirtiest, ugliest thing that can be done is...

1- Download the source
2- Find the file called cache.c
3- Find the function is_expired
4- Change it in this way:

/* dnsmasq cache.c: decides whether a cached record may still be served.
   Patched so that the answer is always "no, not expired". */
static int is_expired(time_t now, struct crec *crecp)
{
  /* Entries from /etc/hosts etc. never expire anyway. */
  if (crecp->flags & F_IMMORTAL)
    return 0;

  /* Time-to-die still in the future: not expired. */
  if (difftime(now, crecp->ttd) < 0)
    return 0;

  /* Time-to-die already passed: the original returned 1 here. */
  return 0; /* was "return 1;" -- now nothing in the cache ever expires */
}

When the function is asked "did it expire?", we always say no.

In this way it will never expire and you will conquer the world.

OUTPUT:

; <<>> DiG 9.6.1-P2 <<>> www.google.com
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 28477
;; flags: qr rd ra; QUERY: 1, ANSWER: 4, AUTHORITY: 0, ADDITIONAL: 0

;; QUESTION SECTION:
;www.google.com.            IN  A

;; ANSWER SECTION:
www.google.com.     603937  IN  CNAME   www.l.google.com.
www.l.google.com.   4294966733 IN   A   209.85.195.99
www.l.google.com.   4294966733 IN   A   209.85.195.104
www.l.google.com.   4294966733 IN   A   209.85.195.147

;; Query time: 0 msec
;; SERVER: 127.0.0.1#53(127.0.0.1)
;; WHEN: Wed Feb 17 18:34:47 2010
;; MSG SIZE  rcvd: 110
OmniWired
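An added illustration (not code from the answer above or from dnsmasq) of what the hack does to the TTL a client sees, next to the behaviour a compliant resolver has and the `min-cache-ttl` floor that voretaq7's comment describes. The `struct crec` and `F_IMMORTAL` here are simplified stand-ins for the dnsmasq fields, not the real definitions. The wire TTL of a cached answer is the remaining lifetime, `ttd - now`, stored in an unsigned 32-bit field; once expired entries are served that difference is negative and wraps, and an entry 563 seconds past its time-to-die comes out as 4294966733, exactly the figure in the dig output above (2^32 - 563). The floor variant is applied once, at insertion, so the entry still expires, just no sooner than the floor.

```c
/* ttl_cache.c: TTL handling of a compliant cache, the never-expire hack, and a
 * min-TTL floor. Stand-alone example; types are simplified stand-ins. */
#include <stdint.h>
#include <stdio.h>
#include <time.h>

#define F_IMMORTAL 0x1u          /* stand-in for dnsmasq's flag (assumption) */

struct crec {                    /* stand-in for the dnsmasq cache record */
    unsigned int flags;
    time_t ttd;                  /* "time to die": absolute expiry, epoch seconds */
};

/* Compliant: an entry is dead once now >= ttd (TTL is an upper bound). */
int is_expired_compliant(time_t now, const struct crec *c)
{
    if (c->flags & F_IMMORTAL)
        return 0;
    return difftime(now, c->ttd) >= 0;
}

/* The patched function from the answer: nothing ever expires. */
int is_expired_hacked(time_t now, const struct crec *c)
{
    (void)now; (void)c;
    return 0;
}

/* What a resolver that keeps serving a dead entry puts on the wire:
 * ttd - now is negative and wraps in the unsigned 32-bit TTL field. */
uint32_t wire_ttl_naive(time_t now, const struct crec *c)
{
    return (uint32_t)(c->ttd - now);
}

/* Compliant: report 0 and flag the entry as expired so the caller refetches;
 * otherwise report only the remaining lifetime, never the original TTL. */
uint32_t wire_ttl_compliant(time_t now, const struct crec *c, int *expired)
{
    *expired = is_expired_compliant(now, c);
    if (*expired)
        return 0;
    if (c->flags & F_IMMORTAL)
        return 0;                /* local data: conventionally TTL 0 */
    return (uint32_t)(c->ttd - now);
}

/* A min-cache-ttl floor (what voretaq7 suggests patching into BIND; Unbound's
 * cache-min-ttl): decided once when the upstream answer is inserted. */
struct crec insert_with_floor(time_t now, uint32_t upstream_ttl, uint32_t min_ttl)
{
    struct crec c = { 0, 0 };
    uint32_t ttl = upstream_ttl < min_ttl ? min_ttl : upstream_ttl;
    c.ttd = now + (time_t)ttl;
    return c;
}

int main(void)
{
    time_t now = 1266435287;     /* constructed timestamp, Feb 2010 */
    struct crec dead = { 0, now - 563 };   /* expired 563 s ago */
    int expired;

    printf("hacked resolver: expired=%d, TTL on the wire=%u\n",
           is_expired_hacked(now, &dead), wire_ttl_naive(now, &dead));
    printf("compliant resolver: TTL=%u expired=%d\n",
           wire_ttl_compliant(now, &dead, &expired), expired);

    /* Google's 300 s A record under a 900 s floor: still expires, at now+900. */
    struct crec g = insert_with_floor(now, 300, 900);
    printf("with 900 s floor: %u s remain after 600 s, expired at 900 s: %d\n",
           wire_ttl_compliant(now + 600, &g, &expired),
           is_expired_compliant(now + 900, &g));
    return 0;
}
```

The point the thread keeps making shows up in the first line of output: the hack does not just extend caching, it hands every client a wrapped TTL of about 136 years for an address that may already be gone. The floor variant is the honest version of the same wish, and even that overrides the zone owner's failover window, so keep `min_ttl` small.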
If you're really interested in history rather than accuracy, the quickest dirtiest hack you can do is probably make your name server an authoritative master for the domain and recreate the zonefile as frequently as needed through a script. Definitely only recommended for taking over the world though, not for real life.

In general, if you really want a record with a very short TTL to persist within an application, it seems the only sensible way is to cache it within the application.

Cedric Knight
Min TTL

Yes, you can do this in ISC Bind with a simple change to their source code. They will not provide a mechanism for you to do this for ideological reasons.

Yes, you can also set or override the min-ttl of recursive DNS requests in Unbound DNS without having to recompile anything. That said, you should compile the latest version, as the 1.4 branch in the EPEL repo has a few bugs that will not be fixed, and so that you can set all of the glibc hardening flags.

cache-min-ttl: 60

While it is correct that folks should use caution when applying this on recursors used by many applications and/or people, there are several use cases where it may be appropriate. This assumes the person overriding min-ttl understands what applications are utilizing their DNS infrastructure and what impact overriding this can have. To say that it should never be done would be an incorrect generalization.

My Personal Experience

I have used the cache-min-ttl: setting in Unbound DNS to mitigate some privacy attacks of tracking websites. I have also used it to correct invalid DNS set by folks who are setting a TTL of 0, which technically violates a few RFCs. Given that I control my own recursors and they are only used by me, the risk is very low.

Aaron
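The `cache-min-ttl: 60` line above is only accepted inside Unbound's `server:` clause; here it is in context, as an added example rather than a fragment from the answer, alongside the `cache-max-ttl` ceiling Unbound already applies. The numbers are illustrative.

```conf
server:
    # Floor: never cache a positive answer for less than 60 s, even when the
    # upstream sets TTL 0. This overrides the zone owner's intent, so keep it
    # small: a record changed upstream stays stale for at most this long.
    cache-min-ttl: 60
    # Ceiling: the default is 86400; shown so the two bounds sit together.
    cache-max-ttl: 86400
```

After editing, run `unbound-checkconf` and then `unbound-control reload`. To confirm the floor is in force, query a name whose upstream TTL is below it twice through the resolver (`dig @127.0.0.1 <name> A`) and check that the TTL column in the ANSWER SECTION starts at the floor value and then counts down, rather than starting at the upstream value.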
See similar question here dnsmasq: how to increase TTL? and another one here Is there an alternative to "dnsmasq"?

kubanczyk
  • in that question it doesn't fix my problem. I need to cache for longer periods of time (more than 300 seconds) one particular web site. – OmniWired Feb 17 '10 at 20:09
  • The dnsmasq article points to this: "Normally responses which come from /etc/hosts and the DHCP lease file have Time-To-Live set as zero, which conventionally means do not cache further. If you are happy to trade lower load on the server for potentially stale data, you can set a time-to-live (in seconds) here." And that is not what I'm looking to accomplish. I want to use an address resolved by the DNS for a longer period than the one I've been given. – OmniWired Feb 17 '10 at 20:14
  • @omniwired - The reason you can reduce the TTL is because TTL = "You *may* cache this record for *at most* S seconds". Good, correct DNS servers shouldn't ever let you cache records longer than their TTL... – voretaq7 Feb 17 '10 at 20:22