Thursday, August 6, 2015

bind - possible to see remaining DNS negative cache for domain?



For normal DNS lookups, one can use Dig to get an answer including the remaining TTL for a DNS record. If that answer is from a cache, the TTL will "count down" until the next authoritative query, and the remaining time until that query will appear (as noted in this question: Check remaining TTL for nameserver).



How can I get the corresponding "remaining time" for a negative-cached record? The answer is by definition a "NXDOMAIN" or non-existent domain; there appears to be no TTL associated with this answer aside from the SOA record (max possible time value).



I also have access to the [BIND 9] server directly, so ways to get this information out of the cache directly are also welcome, even though I am hoping there is a query-based way to do this.


Answer



There is no query based way to get server state. Glue, negative cache timers, etc. must be dumped from memory using the rndc dumpdb command.





  • Record types beginning with \- are negatively cached. \-A, \-AAAA, etc.

  • \-ANY indicates a true NXDOMAIN. No records live alongside or beneath this entity.



The above might be confusing if you have not been exposed to the concept of NODATA before. (RFC 2308) It means an answer of NOERROR with 0 answers was seen, as opposed to NXDOMAIN. NXDOMAIN indicates that no records with that name exist at all.



Example negative cached entries:




test1.example.com. 442 \-ANY ;-$NXDOMAIN
test2.example.com. 352 \-AAAA ;-$NXRRSET


Parsing this file automatically is not for the faint of heart, especially when the label name is omitted due to repetition.


No comments:

Post a Comment

linux - How to SSH to ec2 instance in VPC private subnet via NAT server

I have created a VPC in aws with a public subnet and a private subnet. The private subnet does not have direct access to external network. S...