Slashdot Mirror


Providers Ignoring DNS TTL?

cluge asks: "It seems that several large providers give their users DNS servers that simply ignore DNS time to live (TTL). Over the past decade I've seen this from time to time. Recently it seems to be a pandemic, affecting very large cable/broadband and dial up networks. Performing a few tests against our broadband cable provider has shown that only one of the three provided DNS servers picked up a change in seven days or less. After turning in a trouble ticket with that provider - two of the three provided DNS servers were responding correct - while the third was still providing bad information more than two weeks after that specific change. What DNS caches ignore TTL by default? Is there a valid technical reason to ignore TTL?" "This struck me as odd, and I decided to run a few tests using my own domain. Lowering the TTL to twenty four hours, and making changes and then checking to see when a change was picked up. I queried twelve outside DNS servers/caches that I had access to (Thanks to my friends and relatives with dial ups and DSL who put up with me and my requests to reboot their machine daily!). Checks performed against these outside DNS servers indicate that it may take as much as four to five weeks before a DNS change is picked up! Most DNS servers picked up the change within 48 hours. A small number did not (three out of twelve - that's a quarter of them!)

This merits more study, and prompts a few questions. So, before I begin with a more serious broad study, I'd like to get some feedback on the problem as I've seen it. I know the tin foil hat crowd will see the failure to propagate DNS correctly as censorship, and the OS/bind/djb/whatever zealots will simply see this as an argument for their particular religion.

Based on the responses I get, I will then setup and test a couple of domains with different DNS servers for 6 weeks and report back the findings. [volunteers welcome!]"

15 of 445 comments (clear)

  1. I Noticed Too by ArchAngel21x · · Score: 4, Insightful

    It kind of defeats the point of root DNS servers being updated so fast if the ISPs are going to drag their feet and take their time updating their cache. I speculate it is server admin laziness.

    1. Re:I Noticed Too by Alioth · · Score: 4, Insightful

      The thing is if the server admins were lazy, the default configuration of any caching DNS server that I've come across is to do the Right Thing. Therefore if you have a lazy admin, it should be working.

      They've actually had to go to extra effort to break it on purpose.

  2. Re:Faulty system by wiredlogic · · Score: 5, Insightful

    DNS isn't about "the web". It's much bigger than that.

    --
    I am becoming gerund, destroyer of verbs.
  3. old TTL? by l33td00d42 · · Score: 3, Insightful

    it sounds possible the OP lowered the TTL on entries expecting that to have a retroactive effect on servers with the entries already cached. can we get confirmation that this is not what is happening?

  4. Re:Yes there is by Kupek · · Score: 4, Insightful

    Caching, at all levels of computing, gives enormous performance gains. In the DNS world, without caching, everyone would hit top level domains which would introduce a serious bottleneck to what should be a distributed system.

  5. Test case by Other · · Score: 4, Insightful

    I'm a bit curious about this test case. It says the TTL was changed TO 24 hours and then checked to see how long it took for results to propogate. What was the TTL set to for these entries before the change? If it was set to 2 weeks and was just queried before the change occured, there is no reason for the server to recheck just because it was changed to 24 hours.

    The TTL should stay the same for a while and then try simply making a change without modifying any other configuration to avoid any other problems with this test.

  6. Why would you reboot? by Karma+Farmer · · Score: 4, Insightful

    Thanks to my friends and relatives with dial ups and DSL who put up with me and my requests to reboot their machine daily!

    If you're rebooting client machines to check DNS records, then I'm forced to view your entire study with caution.

  7. ELOGICFAULT by Anonymous Coward · · Score: 5, Insightful

    If it's all about trust, then you don't want to extend the TTL, you want to *shorten* it. That way if you're hit with a cache-poisioning attack, you get the correct record *faster*, instead of holding on to crap for weeks.

    Besides, this behavior blows up all sorts of geographical load balancing, datacenter failover, etc. type solutions (google for a F5 3DNS device sometime).

    Bad stuff, mucking about with the TTL that someone has assigned to a record. It's not arbitrary information. To those fucking with TTLs, how about we arbitrarily alter the numbers in your paycheck? Oh? What's that? That doesn't seem like a good idea? Gee. Go Fig. HANDS OFF MY TTL, ASSHAT.

    -AC

  8. Re:Faulty system by MightyMartian · · Score: 4, Insightful
    Screwing around with DNS TTLs has a larger effect than the web. Quite commonly when we're doing a major change, particularly with mail servers, we set our TTL low a few days in advance. If some idiot running a DNS sets it up so that my TTL is ignored, then guess what, whoever is using that DNS is suddenly not going to be able to get mail to my server.

    It's irresponsible tampering, it's that simple.

    --
    The world's burning. Moped Jesus spotted on I50. Details at 11.
  9. Re:You can use TTL to keep customers from leaving! by Mysticode · · Score: 3, Insightful

    Fine, set an upper limit on the TTL but don't ignore the TTL if it is lower than your limit.

  10. Re:People abusing it on the other end... by fm6 · · Score: 3, Insightful
    The bandwidth is negligible, even if thousands of sites do this.
    But there are millions of sites out there. Still negligible?

    If DNS bandwidth were a non-issue, you wouldn't even be able to set TTL -- it would just be hardwired to a small value. But it is. Don't lapse into spammer logic: "I'm only wasting a tiny amount of resources, so it doesn't matter." But it does matter, because lots of other people are thinking the same thing.

  11. Re:I know AOL used to be an offender, likely still by ScentCone · · Score: 5, Insightful

    Our additude at the time was well screw the AOL users, there's no one importing using AOL anyways

    I'd be curious who's the audience for the site(s) you're talking about. I'm pretty uncomfortable calling tens of millions of users unimportant, especially when it comes to e-commerce. Different "additude", I guess. Or attitude, even.

    I maintain an ancient AOL account specifically so I can see things the way that some of my customers' customers see them. But it has one other advantage: if I've just made DNS changes to domain I care about, I set up a temporary new A record (like X.whatever.com) and then surf to it through AOL's proxies. This seems to get their name servers to notice that the SOA record is new, and it flushes out the rest of their cache. This seems to work on all sorts of servers, most of the time.

    --
    Don't disappoint your bird dog. Go to the range.
  12. Re:If you want to help then by Fizzl · · Score: 3, Insightful

    Oh shut up already.

    If you don't want to volunteer, Fine.
    If you think that the poster doesn't know how to plan the test; go make your own test. ...With black jack, and hookers.

    He specifically said the test methodology will be improved on suggestions on the mailing list. How about contributing there instead of making an uppity jackass of yourself here.

    (Would like to post my rant AC, but I don't want you think the GP is responsible for this reply)

  13. New TTL won't take effect until old TTL runs out by VGPowerlord · · Score: 4, Insightful
    I haven't seen this mentioned in any of the comments I've read so far, but changing the TTL on your server will not have any immediate effect on other companies servers.

    In fact, servers that are obeying TTL won't see the new record until the old record's TTL expires.

    The querent doesn't say whether or not there was any wait for the old TTL to expire. They don't even mention what the old TTL was!

    --
    GLaDOS for President 2016! "Well here we are again. It's always such a pleasure." -- GLaDOS, 2011
  14. Ignoring TTLs not necessarily intentional by shirpa_kewl · · Score: 5, Insightful

    I work at a hugeISP and we sometimes receive tickets accusing us of ignoring TTLs. However, it has always boiled down to one of three things.

    1. Change in the hosting of a domain to new DNS servers without properly removing the domain from the old hosting DNS servers.

    When this happens, a DNS server caching a domain's info will continue to check the old servers until the old server stops answering.

    2. A change in the TTL of a domain to a lesser value.

    If you change the TTL of a domain from 7 days to 1 hour, DNS servers currently caching that domain's information will hold onto it for 7 days before discovering the new TTL.

    3. A bug in BIND 8 that prevents it from pulling updated information from the primary DNS server for a domain.

    We see this rarely, but it requires a restart of an affected DNS server. We have not diagnosed the specific cause yet since we're moving servers to BIND 9.