Sunday, August 31, 2014

domain name system - How long is a DNS timeout cached for?



If none of the servers for the whole zone can be contacted, how long will such fact be cached for?


Answer



According to RFC 2308 section 7.1 (March 1998), if the resolution is not successful and results in a SERVFAIL (e.g., from a timeout), then it MAY be cached, but if so, it MUST NOT be cached for longer than 5 minutes.



In practice, it appears that it's often not cached at all, or, if cached, is cached for a purely symbolic amount of time, like a single second.










  • Prior to BIND 9.9.6-S1 (released in 2014), apparently, SERVFAIL was not cached at all.

    It was introduced with commit a878301 (2014-09-04).

    E.g., at the time of this question, and in all versions of BIND released prior to 2014, the BIND recursive resolver DID NOT cache SERVFAIL, if the above commit and the documentation about its first introduction in 9.9.6-S1 are to be believed.

  • In the latest BIND, the default servfail-ttl setting has been set at 1s since 2015 (as of 2016), and has been hardcoded to a ceiling of 30s (in place of the RFC-mandated ceiling of 300s).

    See commit 90174e6 (2015-10-17).

    During 2014/2015, the default was 10s and the ceiling was 300s, but, as per the quotes below, the higher numbers were found to be unreasonably pessimistic.







Noteworthy references (with respective quotes) include:

  • https://kb.isc.org/article/AA-01178/ (2014/2016-01-07)

    The outcome of caching SERVFAIL responses has included some situations where it was seen to be detrimental to the client experience, particularly when the causes of the SERVFAIL being presented to the client were transient and from a scenario where an immediate retry of the query would be a more appropriate action.

  • http://cr.yp.to/djbdns/third-party.html (2003-01-11)

    The second tactic is to claim that widespread DNS clients will do something Particularly Evil when they are unable to reach all DNS servers. The problem with this argument is that the claim is false. Any such client is clearly buggy, and will be unable to survive in the marketplace: consider what happens if the client's routers briefly go down, or if the client's network is temporarily flooded.

In summary, SERVFAIL is unlikely to be cached, but even if cached, it'll be at most a double- or even a single-digit number of seconds.
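The following is an added example, not part of the answer above and not BIND's own code. It is a toy model of the RFC 2308 section 7.1 rule the answer describes: a recursive resolver that MAY cache a SERVFAIL, clamped to an implementation ceiling (BIND's 30s, or the RFC's 300s), fed by a constructed upstream where every authoritative server times out for half a second and then recovers. Running it with servfail-ttl set to 0, 1, 10 and 300 shows why ISC called the old 10s default pessimistic: a client that retries one second after a sub-second outage keeps getting the cached SERVFAIL until the negative entry expires. The resolver class, the `transient_outage` upstream, the probe times and the `www.example.` name and `192.0.2.1` address are all assumptions made for the illustration.

```python
"""Toy model of SERVFAIL caching in a recursive resolver (RFC 2308 section 7.1).

Added example; assumes a single-threaded resolver, a caller-supplied clock,
and a constructed upstream that times out until a given instant.
"""
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Optional, Tuple

NOERROR = "NOERROR"
SERVFAIL = "SERVFAIL"

RFC2308_SERVFAIL_CEILING = 300  # RFC 2308 s7.1: a cached SERVFAIL MUST NOT outlive 5 minutes
BIND_SERVFAIL_CEILING = 30      # BIND's hard ceiling on servfail-ttl, per the answer above

# An upstream lookup returns (rcode, (address, ttl)) on success or (rcode, None) on failure.
Upstream = Callable[[str, float], Tuple[str, Optional[Tuple[str, int]]]]


def effective_servfail_ttl(configured: int, ceiling: int = BIND_SERVFAIL_CEILING) -> int:
    """Clamp an operator-configured servfail-ttl to the implementation ceiling.

    0 disables negative caching of SERVFAIL: every client retry goes upstream.
    """
    if configured < 0:
        raise ValueError("servfail-ttl must be >= 0")
    return min(configured, ceiling)


@dataclass
class Resolver:
    servfail_ttl: int
    upstream: Upstream
    # qname -> (rcode, answer, absolute expiry time)
    cache: Dict[str, Tuple[str, Optional[Tuple[str, int]], float]] = field(default_factory=dict)
    upstream_queries: int = 0  # how many client queries actually reached the authoritative side

    def query(self, qname: str, now: float) -> Tuple[str, bool]:
        """Return (rcode, served_from_cache) for qname at time `now`."""
        hit = self.cache.get(qname)
        if hit is not None and now < hit[2]:
            return hit[0], True
        self.upstream_queries += 1
        rcode, answer = self.upstream(qname, now)
        if rcode == NOERROR and answer is not None:
            self.cache[qname] = (rcode, answer, now + answer[1])  # positive answer, record TTL
        elif rcode == SERVFAIL:
            ttl = effective_servfail_ttl(self.servfail_ttl)
            if ttl > 0:  # RFC 2308: MAY cache; a ttl of 0 opts out entirely
                self.cache[qname] = (rcode, None, now + ttl)
        return rcode, False


def transient_outage(until: float) -> Upstream:
    """Constructed upstream: all authoritative servers time out before `until`, then recover."""
    def upstream(qname: str, now: float) -> Tuple[str, Optional[Tuple[str, int]]]:
        if now < until:
            return SERVFAIL, None  # resolver exhausted every server for the zone
        return NOERROR, ("192.0.2.1", 3600)  # RFC 5737 documentation address, constructed
    return upstream


def simulate(servfail_ttl: int, outage_until: float = 0.5,
             probe_times: Tuple[float, ...] = (0, 1, 2, 5, 11)) -> List[Tuple[float, str, bool]]:
    """A client retries the same lookup at each probe time across a sub-second outage.

    Returns [(time, rcode, served_from_cache), ...].
    """
    resolver = Resolver(servfail_ttl, transient_outage(outage_until))
    return [(t, *resolver.query("www.example.", t)) for t in probe_times]


if __name__ == "__main__":
    for ttl in (0, 1, 10, 300):
        trace = " ".join(f"t={t}:{rc}{'*' if cached else ''}" for t, rc, cached in simulate(ttl))
        print(f"servfail-ttl {ttl:>3} (effective {effective_servfail_ttl(ttl):>2}s): {trace}")
```

In the printed trace a trailing `*` marks an answer served from cache. With servfail-ttl 10 (or 300, clamped to 30) the retries at t=1, 2 and 5 all return the cached SERVFAIL even though the authoritative servers have been reachable since t=0.5; with servfail-ttl 1 or 0 the retry at t=1 goes upstream and succeeds, which is the behaviour the ISC knowledge-base quote argues for.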


