Providers Ignoring DNS TTL?

cluge asks: "It seems that several large providers give their users DNS servers that simply ignore DNS time to live (TTL). Over the past decade I've seen this from time to time. Recently it seems to be a pandemic, affecting very large cable/broadband and dial up networks. Performing a few tests against our broadband cable provider has shown that only one of the three provided DNS servers picked up a change in seven days or less. After turning in a trouble ticket with that provider - two of the three provided DNS servers were responding correct - while the third was still providing bad information more than two weeks after that specific change. What DNS caches ignore TTL by default? Is there a valid technical reason to ignore TTL?" "This struck me as odd, and I decided to run a few tests using my own domain. Lowering the TTL to twenty four hours, and making changes and then checking to see when a change was picked up. I queried twelve outside DNS servers/caches that I had access to (Thanks to my friends and relatives with dial ups and DSL who put up with me and my requests to reboot their machine daily!). Checks performed against these outside DNS servers indicate that it may take as much as four to five weeks before a DNS change is picked up! Most DNS servers picked up the change within 48 hours. A small number did not (three out of twelve - that's a quarter of them!)

This merits more study, and prompts a few questions. So, before I begin with a more serious broad study, I'd like to get some feedback on the problem as I've seen it. I know the tin foil hat crowd will see the failure to propagate DNS correctly as censorship, and the OS/bind/djb/whatever zealots will simply see this as an argument for their particular religion.

Based on the responses I get, I will then setup and test a couple of domains with different DNS servers for 6 weeks and report back the findings. [volunteers welcome!]"

Dumb question

[BoneFlower]

How would I check my ISPs DNS servers for this?

Re:Dumb question

[Alioth]

Use the 'dig' and 'host' commands.

For example

dig @your-isps-nameserver.net -t A www.example.com

For example:

$ dig @192.168.0.1 -t A www.slashdot.org

; <<>> DiG 9.2.4 <<>> @192.168.0.1 -t A www.slashdot.org
;; global options: printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 54561
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 5, ADDITIONAL: 0

;; QUESTION SECTION:
;www.slashdot.org. IN A

;; ANSWER SECTION:
www.slashdot.org. 7184 IN A 66.35.250.151

;; AUTHORITY SECTION:
slashdot.org. 7184 IN NS ns2.vasoftware.com.
slashdot.org. 7184 IN NS ns3.vasoftware.com.
slashdot.org. 7184 IN NS ns1.osdn.com.
slashdot.org. 7184 IN NS ns1.vasoftware.com.
slashdot.org. 7184 IN NS ns2.osdn.com.

;; Query time: 3 msec
;; SERVER: 192.168.0.1#53(192.168.0.1)
;; WHEN: Tue Apr 19 11:38:58 2005
;; MSG SIZE rcvd: 159

Note the TTL of 7184 seconds (this is how long the nameserver at 192.168.0.1 will continue to use the cached record for before fetching it again from slashdot.org's authoratative nameservers).

Re:Dumb question

[Dtyst]

There are many online DNS tools DNS report being one of the best and DNS stuff being very powerful but harder to use. I also like Dig it Man! for simple DNS checks. Also many large internet providers usually have allkinds of online network tools available online on their webpages.

Re:Dumb question

uhm, yeah.

dig has been deprecated for QUITE some time.

please use nslookup.

Re:Dumb question

This is a good indication that your gentoo has been hacked. You need to wipe and reinstall immediately.

Re:Dumb question

Root login is deprecated and may be removed in a future release.

TTL's

[dlhm]

Of course there is a reason, To save bandwidth, and to provide the 3rd world internet service we have come to expect here in the USA.

Let me guess...

[sqlrob]

RoadRunner

They can't run a DNS server properly to save their lives.

TTL is ignored, SpamAssassin is a "trojan DDOSing our network"

Re:Let me guess...

[sqlrob]

I got a "Your machine is trojaned" e-mail with few details. A thorough scan of my network showed diddley-squat. I finally got to reasonable level support and the issue was poisoning the cache with negative lookups. I was testing the mail, and URLs within the mail as well. I think there was an average of 20 lookups/mail.

People running MailWasher on Windows also got the same warning from RR. All this was probably about a year ago.

I Noticed Too

[ArchAngel21x]

It kind of defeats the point of root DNS servers being updated so fast if the ISPs are going to drag their feet and take their time updating their cache. I speculate it is server admin laziness.

Re:I Noticed Too

[Alioth]

The thing is if the server admins were lazy, the default configuration of any caching DNS server that I've come across is to do the Right Thing. Therefore if you have a lazy admin, it should be working.

They've actually had to go to extra effort to break it on purpose.

24 hours ?

in VOIP networks TTLs can be as low as 10 minutes

Re:24 hours ?

[gclef]

heh. Have a look at www.yahoo.com...they're at 60 seconds. Yay Akamai.

(For those that haven't messed with Akamai, they're intentionally setting the TTL insanely low to force clients to re-request often...Akamai uses the response they give as a way of doing path optimization to clients. It's ugly, but it kinda works.)

Re:24 hours ?

[logicnazi]

Well that sounds like a good explanation for why major ISPs might ignore the TTL. That's alot of wasted lookups and server load. For a large ISP we can expect that someone is going to most Akamai cites every minute so that is at least one lookup per minute per Akamai DNS record.

If other people do this as well ISPs might not have much of a choice but to ignore TTL and maybe there isn't any easy way to force the machine to use a minimum TTL but respect TTL above that limit.

DNS practices

[LynXmaN]

Usually on big providers overriding the TTL of the zone is a usual practice for sure, I do that myself in the ISP I'm working for (it's middle sized).

But I don't think they're setting a TTL longer than 24 hours, that would be kind of insane, isn't? At least from my own experience when I did a big DNS servers change (changed all the serials) the delay was less than 24 hours for almost all of them.

Re:DNS practices

[toddbu]

Usually on big providers overriding the TTL of the zone is a usual practice for sure, I do that myself in the ISP I'm working for (it's middle sized). The problem with someone else deciding on TTL for my zone (whether they're big or small) is that they'll probably get it wrong. How do you know the "right" value to pick for me when you don't know why I picked the value in the first place? Granted, some people pick low TTL "just because", but in our case we round-robin servers and if one goes down then we want to be able to take it out of the loop in a timely fashion. We're ok with a 15 minute TTL, but not with a day.

Part of the problem with short TTL is that there is no really good mechanism in the Internet today for failing over a cluster of web servers short of buying expensive routing hardware. If you want to run a web server with a backup then having a short TTL is probably the best option around. What we need is a better DNS failover strategy and then many short-lived TTLs will probably go away. The current solution is crummy anyway. When Internap died here in Seattle and we were down for 45 minutes (along with LiveJournal), a high priced router/load balancer wouldn't have done us a bit of good.

Re:DNS practices

[Name+Anonymous]

However, some people when they are about to do major updates on the domain information will a day or two before the change is going to happen temporarily lower the TTL where needed. And after the change is done and checked to be correct, they will raise the TTL back to its normal value.

Therefore overriding TTL can break things for your customer.

I can see raising any TTL of less than an hour to an hour, I can't see raising it to 24 hours or more. This would limit what breaks for your customers.

Re:DNS practices

[Glendale2x]

Usually on big providers overriding the TTL of the zone is a usual practice for sure, I do that myself in the ISP I'm working for (it's middle sized).

Why?

nscd

[epiphani]

nscd does not obey TTL by default. It uses gethostbyname(), which does not return TTL.

We use nscd quite a bit, as im sure many other providers do. We only cache positives for 30 minutes, so we dont end up ignoring it for too long.

Re:nscd

[photon317]

Yeah but nscd just caches for your local server box, it doesn't re-serve the cached results to your remote clients. He's describing actual dns cache/forward servers ignoring TTL and handing outdated/bad data to client machines.

Re:Faulty system

[wiredlogic]

DNS isn't about "the web". It's much bigger than that.

maybe a consequence of the cache poisoning attacks

[ehanuise]

There have been DNS security concerns lately, specifically the 'cache poisoning' vulnerabilities reported by cert, sans et al.
Maybe some ISPs have altered their DNS servers to provide better protection, and in the process caused the 'ttl' problem ? (improbable imo, but who knows...)
It'd be interesting to know if this is recent or if it's already an old problem.
Knowing if it appeared suddenly or progressively would help as well.

Too bad there isn't such a thing as the wayback machine for dns and other services...

You can use TTL to keep customers from leaving!

I remember once I had the TTL set on a bunch of domains to over a year. I found out its a great way to retain customers, because their domains will not work anywhere else.

Re:You can use TTL to keep customers from leaving!

[markv242]

Parent is the answer to why some providers ignore TTL, to prevent nutjobs like this from breaking the Internet.

Re:You can use TTL to keep customers from leaving!

[Mysticode]

Fine, set an upper limit on the TTL but don't ignore the TTL if it is lower than your limit.

old TTL?

[l33td00d42]

it sounds possible the OP lowered the TTL on entries expecting that to have a retroactive effect on servers with the entries already cached. can we get confirmation that this is not what is happening?

If you want to help then

[cluge]

Send a plain text email to
dns-subscribe@angrypeoplerule.com

This is a moderated list, and is only for letting people who are interested know when the study will begin, how to participate and the final results.

Re:If you want to help then

[schon]

I'd like to know your methodology

Subscribe to the list and find out.

So you're developing the methodology for something you've already done?

a troll, or just an ignoramus.

Mu. If you ask people for help, then insult them when they respond with legitimate concerns, you're going to have a tough time getting recruits. My statement was based entirely on the text you wrote, which was liberally peppered with statements that show you do not have a strong grasp of DNS concepts. Specifically:

You appeared to include details of your methodology, but included irrelevant details, and (as evidenced by your reply) omitted important ones. You have not yet even mentioned dig - whether you know what it is, or how to use it to troubleshoot DNS problems.

Testing wasn't carried out until a MONTH after I changed the TTL to be sure it had propagated correctly.

An example of important omitted information. Other things you omitted: Did you check the TTL (on the recursive server) before and after you made the change? Did you ensure that the recursive server was obtaining the new TTL, by checking the SOA? Did you determine if the recursive server was caching the SOA (technically you're not supposed to, but many DNS servers send a TTL with SOA replies, and it's possible that the implementation on your recursive server was caching the SOA.) Did you check the returned TTL via sequential, timed queries to see if it was changing properly?

there are other methods, this is by far the simplest for the non technical

It's also the one that provides the least amount of data, and is the least reliable. A windows batch file (created by you) with a clicky-clicky icon is only marginally more difficult, and would provide better, more reliable data.

Re:If you want to help then

[Fizzl]

Oh shut up already.

If you don't want to volunteer, Fine.
If you think that the poster doesn't know how to plan the test; go make your own test. ...With black jack, and hookers.

He specifically said the test methodology will be improved on suggestions on the mailing list. How about contributing there instead of making an uppity jackass of yourself here.

(Would like to post my rant AC, but I don't want you think the GP is responsible for this reply)

Re:Faulty system

[AndroidCat]

Quick! Someone tell that to NetSol before they route all .com/.net typos to their server again.

Re:For non geeks

They're referring to DNS TTL, not IP TTL.

old data

[b1t+r0t]

I've had problems before, but it turned out that it was usually my stupid secondary server which somehow didn't take the slave update (see below), and randomly that would be the one that gets queried and cached.

And then there's the times when I just plain forgot to bump the serial number field. Works great on my master server after I restart it, but nothing else (especially my secondary) notices the change.

Efficiency reasons ?

[TwentyTwo]

Perhaps this measure is meant to save some ressources on IPS's DNS servers if they have to query a lot of foreign DNS with low (and possibly overestimated) TTLs ?
I don't really know in-depth DNS mechanisms, but maybe ISPs are keeping a minimum TTL according to the average time between two updates of a given DNS entry ?

What's the point of not updating anyway...

[GSloop]

DNS queries are figgin tiny...
So, what's it really save you, even if you're a massive ISP to not obey the TTL's?

The only thing it's going to save you is from having to go out to the root servers and pull it again when the TTL expires. And, I speculate that this really is a very, *very* small amount of traffic compared to the other traffic to those servers.

I'd expect the highest bandwidth/resource users, by a very large margin, to be standard "in-TTL" answers to DNS clients.

So, these cranks, for lack of a better term, simply bork the systems they manage for no appreciable gain from doing so. Reducing spam by 0.0001% would have vastly more impact on the servers they maintain than ignoring TTL's.

Has anyone done any measurement stats on DNS queries. How much of the total traffic is DNS. I can't imagine it's even 0.5% of an average ISP.

Cheers,
Greg

Re:What's the point of not updating anyway...

[MadRocketScientist]

Has anyone done any measurement stats on DNS queries

According to my DNS hosting company's FAQ:

"...or 200MB of usage is used (1 million DNS queries)"

Re:What's the point of not updating anyway...

[GSloop]

I just captured some DNS traffic. This isn't a recurrsive root DNS search, but just a client request.

The Request for www.cnn.com was 71 bytes.
The reply was 312 bytes.

I think EasyDNS's estimation of traffic required to fulfill a DNS query is massively over estimated. I can't see one taking even 1K bytes, much less the 2K bytes they're "estimating."

Re:What's the point of not updating anyway...

[Cecil]

200 MB / 1 million queries = roughly 200 bytes per query.

It's an underestimate, if anything.

Re:For non geeks

[eyegor]

From this site: Time To Live, the number of seconds remaining on a cached record before it is purged. For authoritative records the TTL is fixed at a specific length. If a record is cached, the server providing the record will provide the time remaining on the TTL rather then the original length it was given.

I know AOL used to be an offender, likely still is

[muckdog]

Saving bandwidth is the only reason. It still a pain in the ass though. I found out the hard way when I though I was moving a website to a different IP address for the first time. I normally set the TTL to 7 days. So 7 day before the planned move I set the TTL to 1 hour. We switched the IP address and everthing was fine using ISP that followed DNS rules. AOL still had the address cached though. We didn't find out about teh problem with AOL right away. Our additude at the time was well screw the AOL users, there's no one importing using AOL anyways. I think it took a month before AOL finally updated to the right IP address. This definately makes it hard to do dns moves. At least with smtp you can add the mx record of the new server in advanced.

So close...

[Derek+Pomery]

Pity you didn't paste the appropriate part of the wikipedia article.
"TTLs also occur in the Domain Name System (DNS), where they are set by an authoritative nameserver for a particular Resource Record. When a Caching (recursive) nameserver queries the authoritative nameserver for a Resource Record, it will cache that record for the time specified by the TTL."

http://en.wikipedia.org/wiki/Time_to_live

reboot?

[grazzy]

(Thanks to my friends and relatives with dial ups and DSL who put up with me and my requests to reboot their machine daily!).

ipconfig /flushdns

Re:It's a strange pandemic...

[justforaday]

I would counter your argument, but it's too much effort...

BW

[whackco]

Because its the 'save $0.05 a million times' attitude for alot of them. The CTO recognizes that by saving that little tiny bit of bandwidth he can save a fraction of a penny, accumulated over a period of time.

The other problem is lazy or incompetant sysadmins...

Re:Yes there is

[Kupek]

Caching, at all levels of computing, gives enormous performance gains. In the DNS world, without caching, everyone would hit top level domains which would introduce a serious bottleneck to what should be a distributed system.

Spammer zombies too

[AndroidCat]

Some spammers setup DNS for web sites so that it's continually rotating through a number of different IPs, probably a number of them zombied PCs with web servers. The real stuff like transactions gets passed to other servers, but these disposable boxes act as lightning rods: A spam run won't be wasted if a few of them get complaints and taken down.

Test case

[Other]

I'm a bit curious about this test case. It says the TTL was changed TO 24 hours and then checked to see how long it took for results to propogate. What was the TTL set to for these entries before the change? If it was set to 2 weeks and was just queried before the change occured, there is no reason for the server to recheck just because it was changed to 24 hours.

The TTL should stay the same for a while and then try simply making a change without modifying any other configuration to avoid any other problems with this test.

Why would you reboot?

[Karma+Farmer]

Thanks to my friends and relatives with dial ups and DSL who put up with me and my requests to reboot their machine daily!

If you're rebooting client machines to check DNS records, then I'm forced to view your entire study with caution.

Re:Why would you reboot?

[terraformer]

Ever had your mom try to type ipconfig /flushdns in a dos prompt???
I'd imagine rebooting was easier.

Re:Why would you reboot?

[SuiteSisterMary]

"Ok, grandma, open the start menu, now select run. Ok, now type c-m-d. No, grandma, m. MMMMM. M as in Mike. Ok. No, grandma, D. DEEEEE. Not g. D. Ok, now did a big black box open up? No? Oh, you're on Windows 95/98, you'll need to reboot."

comcast

[gelwood]

Last week, two nights in a row, Comcast's DNS was down NATION(USA) WIDE.

How to check your DNS

[jkujath]

I queried twelve outside DNS servers/caches that I had access to (Thanks to my friends and relatives with dial ups and DSL who put up with me and my requests to reboot their machine daily!).

Why did you need to contact your friends/relatives to check whether or not your domain gets propagated?
Couldn't you just query DNS servers directly using nslookup and/or dig?
Querying them directly would eliminate you from wondering if the machine you are checking from has the DNS cached and you wouln't need to flush it (why would you need your friends/relatives to reboot their machines?). Not to mention the amount of time you would spend in having to coordinate this type of testing.
Even if you don't want to use nslookup and/or dig from your Windows/Linux/Mac/whatever, there are tools available via the web that can help as well.
This certainly is not a list of all the tools, or even the best ones... they're just ones that I have used in the past:

dig Web-based "dig" tool
nslookup Web-based "nslookup" tool
DNS Report Checks for DNS errors and provides nicely formatted information on a given domain
DNS Stuff Various web-based DNS tools

Re:How to check your DNS

[iainl]

I'm just guessing here, but the ISPs are probably keeping their DNS servers on their client's side of the wider net, and only accept queries from their own users to avoid being DOSed.

direcway.com SUCKS

[Mustang+Matt]

I submitted a story similar to this one about a month ago regarding my experiences with direcway.com.

One of my customers was behind their network and we moved his email to our server. They couldn't access their domain name of course since it didn't exist on the server direcway's dns pointed to.

So I called them. Huge mistake. I spent hours on the phone escalating through foreign phone monkies until I made it to someone in management. Her attitude was that I was in the wrong regardless of what I had to say. Finally she lowered her defense just long enough to see that I was right but told me there was nothing they could do and that I wasn't allowed to talk to the people that run the DNS servers.

So I wrote a nasty little letter to corporate. 4 days later it was fixed. Not sure if the letter helped or not.

People abusing it on the other end...

[Evro]

I've heard from a few people that many people are setting their TTL to like 5 minutes; due to this the ISPs are ignoring the TTL.

Re:People abusing it on the other end...

[sabat]

Setting a low TTL is not abuse; it's good administration. You need a short TTL in case of outages or other emergency actions. The bandwidth is negligible, even if thousands of sites do this. The ISPs are run by idiots.

Re:People abusing it on the other end...

[fm6]

The bandwidth is negligible, even if thousands of sites do this.

But there are millions of sites out there. Still negligible?

If DNS bandwidth were a non-issue, you wouldn't even be able to set TTL -- it would just be hardwired to a small value. But it is. Don't lapse into spammer logic: "I'm only wasting a tiny amount of resources, so it doesn't matter." But it does matter, because lots of other people are thinking the same thing.

Bypass their DNS

[kherr]

I solved the problem by routing around the providers' poor DNS servers by pointing my home LAN to my own DNS server on my colo box. I run a DNS server in my house which then identifies my colo DNS server(s) with the forwarders option. Instead of relying on who-knows-what from the ISPs I use my own DNS server that I set up and am responsible for.

I know it's not a solution for everyone, but it does let me avoid stupidity. And having my own, reliable DNS server sure came in handy recently since Comcast has been having bad DNS problems the last couple of weeks.

Re:Bypass their DNS

[calibanDNS]

I'm also running my own DNS server after seeing my ISP's DNS Servers go down almost daily for a couple of months. This is a fine solution for me and my small network, but doesn't address the problem of ISPs not configuring their DNS servers properly.

Even if you run your own DNS, your server still has to pull its data from some root server, and if that server isn't reliable, then your server isn't reliable either. You could avoid this by pulling from THE root DNS servers, but if everyone did that it would put undue strain on the root servers.

Re:Bypass their DNS

[tchuladdiass]

I've always run my own dns server on my home network, but lately I've noticed several dns servers refusing connection from my cable modem ip. Apparently they are a bunch of service providers that blacklist direct connections from dynamic ip address, probably in responce to ddos attacks. So, in order to have reliable dns I will need to configure my server to forward to my isp's dns server whenever it fails to make a direct connection itself.

Re:Bypass their DNS

[petermgreen]

the root servers aren't recursive resolvers so you aren't really pulling from them in any meaningfull sense. you are just hitting them very occasionally when you use a new tld. Most of your data comes direct to your resolver from the authoritive nameservers. also the root nameservers are things that ABSOLOUTELY MUST STAY UP and measures would be taken to spread the load further if needed (this has already been done with bgp anycast for k-root).

Re:Bypass their DNS

[slavemowgli]

It's generally a good idea to not rely on your ISP's DNS servers too much. Personally, I just use an OpenNIC server, with one of my ISP's servers as a fallback - that way, I don't get any of the occasional timeouts, failures of new records to propagate properly and all that. Really, ISPs should focus on providing the connection, nothing more. I don't use my ISP's mail servers for email, and I don't use their nntp servers for Usenet; why should I use their name servers for DNS requests?

Re:Bypass their DNS

[fm6]

A nice hack, but kind of beside the point. Outdated DNS information is pretty unimportant to most web users. How many people routinely access sites that routinely change their IP numbers? Who it matters to is web providers, who are effectively offline if their site names don't resolve properly. A savvy user can work around this kind of problem (if nothing else, by entering the IP number). But only a tiny fraction of users are that savvy.

Re:Bypass their DNS

[Transcendent]

You could avoid this by pulling from THE root DNS servers, but if everyone did that it would put undue strain on the root servers

That's not how DNS works.

The root servers simply point you into the direction of the authorative DNS server for a given domain name. That is why you have to register who is going to be the DNS server for any given domain so the root servers can point people to it. Your own DNS then caches the response from the DNS server (not the root) locally, only updating it after the TTL is expired (which isn't always happening with the provider's DNS, hence the problem).

The root servers are reliable... they have to be. Sure there have been DoS attacks and the like on them before, but they only need to update themselves for new domain name server registrations (which last I heard is every 5 minutes? So that's a much better "ttl").

Re:Bypass their DNS

[Cat_Byte]

Some IPs have multiple sites and have to resolve by url rather than IP. It probably isn't all of them giving you this problem but it may be part of it.

Re:Bypass their DNS

[2old2rockNroll]

You're not banking in the clear on http: are you? On an unpatched Win box? With IE?

Of course not. That's what telnet's for.

Re:Bypass their DNS

[geniusj]

To be even more specific, here is how a typical lookup happens (assuming NO cached data):

Specifics per implementation might be off, but either way it ends in the same result:

Recursive -> Root Server: "ANY? www.google.com"
Root Server -> Recursive: "com NS a.gtld-servers.net ....."
Recursive -> a.gtld-servers.net: "ANY? www.google.com"
a.gtld-servers.net -> Recursive: "google.com NS ns1.google.com ...."
Recursive -> ns1.google.com: "ANY? www.google.com"
ns1.google.com -> Recursive: "www.google.com A 1.2.3.4 ... google.com NS ns1.google.com"

As you can see, the root server only provides information for the top level domains. Those being com, org, us, uk, au, etc.

It's commonly thought that they handle things like 'google.com' which isn't true. google.com, in thise case, would be known by {a,b,c,d,etc}.gtld-servers.net. Each TLD has its own nameservers, obviously. But com and net use those.

As for the TTL issue. I do offer Dynamic DNS which has a default TTL of 180 seconds, however I have not run into this personally. Or myself and my users just haven't noticed it.

Regards,
-JD-

Re:Bypass their DNS

[Cramer]

This, more often than not, is just stupid. DDoS or not, an authoritative name server cannot arbitrarily block ranges of addresses, or classes of users (dialup, cablemodem, etc.) If someone asks you about a domain for which you are authoritative, you MUST answer it. That's the price you've agreed to for running a name server. This is exactly like a Denny's resturant refusing to seat French people... "We've had problems with them in the past." Just because you've had problems with some French people doesn't mean they're all bad.

We've put up with this sort of subversion for email (SMTP) out of necessity -- there just isn't any other way to deal with dumbass users with unpatched windows boxes sending 95% of the world's spam. Subverting DNS like this should be punishable by death. Face it people, any service can be targeted.

Re:Bypass their DNS

[racermd]

Ok, I haven't seen a reply to your post, so I think I'll chime in for DNS n00bs.

Setting up a proper DNS server isn't too hard (as indicated by the number of posters that have done just that). However, it does take a bit of knowledge about how DNS really works. To that end I suggest you read some books about Networking, and DNS in particular.

I've found the O'Reilly books to be fairly easy to read while providing a great starting point for those that have a broad, basic understanding of how networks (and computers) operate. Specifically, I'd recommend DNS and BIND. This assumes that you have some LAN experience, this is a great place to start. It does tend to focus a bit on BIND (Berkley Internet Name Domain), but most DNS servers are based on it's general feature-set and configuration, anyway.

By itself, this book won't allow you to set up your own DNS server. However, it will help you get that core understanding of HOW DNS actually works and what you can get it to do for you. You'll have a choice of software on a number of differnet platforms, but the general operation will pretty much be the same across them all.

And there are plenty of other books and publications on DNS, so don't limit yourself if O'Reilly doesn't do it for you.

This probably wasn't the answer you were looking for, but it really is what you needed.

Re:Bypass their DNS

[Michael+Hunt]

DNS server A records will only be provided in the 'additional' section of the response (so-called 'glue' records) if the zone in which they live is delegated to themselves.

That is to say, if i query a.gtld-servers.net for www.bob.com IN A, and bob.com is delegated to ns1.bob.com and ns2.bob.com, the registry will know the IP addresses of bob.com's two nameservers and return them in the 'additional' section (otherwise nobody would ever be able to find anything under bob.com, including ns1 and ns2.bob.com).

If bob.com is delegated to ns1.foo.com and ns2.foo.com, but foo.com is delegated somewhere else, then ns1/ns2.foo.com's A records WILL NOT be returned as glue, and your resolver will have to recursively query for those, as well.

It's amazing that DNS works at all.

ELOGICFAULT

If it's all about trust, then you don't want to extend the TTL, you want to *shorten* it. That way if you're hit with a cache-poisioning attack, you get the correct record *faster*, instead of holding on to crap for weeks.

Besides, this behavior blows up all sorts of geographical load balancing, datacenter failover, etc. type solutions (google for a F5 3DNS device sometime).

Bad stuff, mucking about with the TTL that someone has assigned to a record. It's not arbitrary information. To those fucking with TTLs, how about we arbitrarily alter the numbers in your paycheck? Oh? What's that? That doesn't seem like a good idea? Gee. Go Fig. HANDS OFF MY TTL, ASSHAT.

-AC

Re:ELOGICFAULT

[zrk]

There are enough places (ISPs, like AOL), where TTL is completely ignored.

Case in point. A former high-traffic client (in the million hits per day range) did an 'inverse outsource' and reclaimed their site and corresponding domains. To prep for the move, the client migrated their DNS service to their new servers and changed the NS records with NetSol, several weeks in advance. They dropped their TTL down to two hours around that time. Early on the day of the cutover, changed the DNS records to point to the new location/IP range. That should've been enough, yes?

Well, they got a lot of complaints on the first few days that the site wasn't working. We ended up having to put create some URL redirection, ising the new IPs, on their old servers, and it took over two weeks for the traffic to die down. It took that long for some companies to flush their cache completely.

Companies are breaking the 'rules' and there's really not much you can do about it.

Re:Faulty system

[MightyMartian]

Screwing around with DNS TTLs has a larger effect than the web. Quite commonly when we're doing a major change, particularly with mail servers, we set our TTL low a few days in advance. If some idiot running a DNS sets it up so that my TTL is ignored, then guess what, whoever is using that DNS is suddenly not going to be able to get mail to my server.

It's irresponsible tampering, it's that simple.

Re:For non geeks

[Neil]

Actually, the "TTL" in an IP header is different from the "TTL" in a DNS response (though in both cases the acronym means "time to live" and is intended as a limit on how long data hangs around).

IP header TTL is basically a hop-count, to stop IP packets going round in circles indefinately in the event of routing loops in the network.

Typically, when you look up a name like "www.example.com" your workstation consults a caching DNS server (on the local LAN, or offered by your ISP, or something). This DNS server goes off and talks to the root name servers, which refer it to the "com" name servers, which in turn refer it to the "example.com" name servers, from where it gets an IP address to go with the name. A couple of seconds later you ask for another page from "www.example.com". Your workstation asks the local DNS server for the information again, but the DNS server doesn't go and figure out the answer from scratch - it remembers the answer that it provided last time, and just repeats it. Time-To-Live is an "expiry date" that the authoritative name servers (like the "example.com" name servers) can put on their answers, so that the caching name servers know how long the answer is good for without them rechecking with an authoratative source.

You did what?

[SamMichaels]

Um...

ipconfig /flushdns
ipconfig /registerdns

But wouldn't an easier way be just using dig to directly query the name servers?

Re:You did what?

[sabat]

None of that will help Grandma with her browser. The major ISPs are running cache-ing DNS servers that don't flush their entries when they're told to. That's the problem.

Article is right on the money

[wo1verin3]

Our company made a DNS change for a download server accessed by customers, over a month passed and multiple tickets opened with several large ISPS (Road Runner being the biggest) with no action taken. We finally had to setup a new server name for customers to be able to access the download server...

In all there were 3 large US isps that were major offenders...

We have had this issue for years ..

[GNUALMAFUERTE]

Here in Argentina. We don't have bandwidth problems, bandwidth should be cheap considering the kind of conections that we have. But, all the bandwidth belongs to a few, that are not so interested in letting others grow, so they resell it at really high prices. So, since bandwidth _is_ a problem, many ISPs have Proxys, transparent Proxys, etc. The most dirty thing they are doing now is transparent proxys that never cleans their caches, content seems to never expire, etc. The other is DNSs that updates it's records all at once, every X days, not taking TTLs into account. I worked for about 2 years as a sysadmin for a hosting company, and this was a nightmare. Once, a customer's website was defaced, we cleaned up, restores a backup for him, but many people was still seeing the old website ... for more than a WEEK.
A solution to this problem would be a law, that would create a set of standard services that a comunications company may give, with well defined names and categorys, and it should be MANDATORY for companys to market their services using this names, in their comercials too. So, for example, we would have categorys such as "Full Duplex Simetric DSL Conection", or "ADSL, With Proxy, Blocked Ports".

save money - set your ttl to 2147483647

this greatly reduces network traffic, as your records will be cached for over 68 years. if caching worked as described in the rfcs, you could probably even forget about keeping your domain registered after a few years, most folks would still come to you even if someone else bought your domain. of course ipv6 is coming any day now and that will probably ruin my evil plan.

TTL Ignorance

[zoontf]

Just to be on the record, a number of local ISPs here in Vermont don't update DNS records for 2-3 weeks. Sovernet, our big local provider, is among them. Very frustrating.

Re:Faulty system

It's irresponsible tampering, it's that simple.

Its completely within the spec, and as a fundemental principle I can do whatever I want with my server. So get with the program and understand there are other ways of dealing with the issue. Two weeks before the change, set the new IP address of the mail server as a lower priority (higher number) server, so if the info is cached, it will fall back to the new number when the old one fails. When you make the change, you can purge the old address entirely.

This is DNS maintenance 101, and should not surprise anyone who works on DNS.

Re:For non geeks

[Shopko]

Actually that's for TCP's time to live. For DNS TTL, here's the scenario: (and yes this is simplified; there is more that actually happens, but it's not important for this discussion)

Background
----------
Domain Name Servers (DNS) are usually configured in a heirarchy, such that each server has a parent. This fact will be important below.

Every domain (i.e. slashdot.org) has one or more "authoritative" name servers. These name servers know what web host slashdot.org is hosted on and how to get there.

Other DNS's on the Internet do not know how to get to slashdot.org, because they are not "authoritative" for that particular domain. So they send a request out to their parent asking how to get to slashdot.org. Eventually, one of the parents will know the address of slashdot.org's authoritative name server, and will return this address.

How This Relates To TTL
-----------------------
Here is what happens once the address of the authoritative name server is returned:

A = The name server trying to figure out how to get to slashdot.org
B = The authoritative name server for slashdot.org

A asks B how to get to slashdot.org
B responds to A with an address (66.35.250.150)
A asks B how long this address is valid
B responds to A with a TTL (e.g. 24 hours)

So now name server A will not have to ask for slashdot.org's address again for 24 hours, since it was told by the authoritative name server that it can keep the address for 24 hours.

This "keeping of addresses" is called caching, and name servers that do this are called caching name servers.

I hope this helps. :-)

My two cents on the issue

[7zark7]

I run a DNS server for around 470 domains. I have this problem with our telco/dsl provider(Large Canadian Monopoly).
What i found is if the TTL is set to less than 3 hours it is automaticly reset to 3 weeks.
As a result I have set all of out TTLs to at least the 3 hour minimum.

Re:Faulty system

[jdreed1024]

DNS isn't about "the web". It's much bigger than that.

That's right, it's how Bill Gates tracks your e-mails to give you that Walt Disney World vacation when you send it to enough of your friends.

Re:DNS practices --- CHANGE THE !@#$%^& serial

[gru3hunt3r]

Waaa.. Waaa.. somebody ignored my TTL.

Listen -- We are SOA for around 11,000 domains. Both myself and the other uber-admins get tickets like this "escalated" when some clueless newbie wet behind the ears freaking junior admin DOESN'T RTFM and doesn't realize that if the serial #'s don't change then TTL is ignored.

We interface with nearly every major ISP -- I assure you, their name servers are configured just fine --- It's yours that is broke.

For those of you who just aren't DNS afficiandos -- so how retarded is this? Well here is another story ideas for slashdot that is along the same lines:

OMG! Two major RG vendors (NetGear and Dlink) don't follow RFC798 (TCP). See when I block port 80 on my firewall, the web stops working -- Imagine the whole web stops working by blocking just one little port. This is a huge problem! It needs to be addressed!

How about this little doosey:
I've just uncovered a SCO/Microsoft conspiracy. They've apparently teamed up because after reinstalling Windows XP onto another partition XP disabled my Linux partition -- the boot menu doesn't come up anymore. Clearly Microsoft is doing this to help SCO protect their intellectual property! Quick tell Groklaw!!!!

If you don't get either of the two above -- I can't help you. (seriously -- WTF are you reading slashdot for??)

I swear .. they let anybody read slashdot these days!

Spam, spam, spam

[krray]

I've recently "disconnected" my .COM version of my home domain (solely using the .US version now). As I get -0- spam to the .US address' (so far :) it is very apparent that a LOT of DNS servers [world wide] simply ignore TTL. A couple of weeks before the "switch" I set the TTL very low (60 seconds) -- I can easily handle the DNS traffic across my DNS servers (peppered here and there :).

I would expect, now almost two months later, to be getting -0- traffic to the .COM domain as I set _everything_ to IP address 127.0.0.1 (just to screw with the spammers high-jacked computers). Yet the spam [attempts] still come in. Every minute.

Technically -- even running your own DNS servers there is nothing you can do if you move/add/delete something and others out there decide not to honor it. Everybody loses.

We see ignoring DNS as well

[neilticktin]

Yep -- we're seeing similar kinds of things. Recently, in preparation to migrating to some new servers we lowered our TTLs on the web server entries. Yesterday, we switched them over, and found that it wouldn't switch the traffic over within the TTL specs. Very frustrating to be sure, and we came to the same conclusion ... many (most?) Internet providers are ignoring DNS TTL. Thanks, Neil Ticktin Publisher, MacTech Magazine

Re:I know AOL used to be an offender, likely still

[ScentCone]

Our additude at the time was well screw the AOL users, there's no one importing using AOL anyways

I'd be curious who's the audience for the site(s) you're talking about. I'm pretty uncomfortable calling tens of millions of users unimportant, especially when it comes to e-commerce. Different "additude", I guess. Or attitude, even.

I maintain an ancient AOL account specifically so I can see things the way that some of my customers' customers see them. But it has one other advantage: if I've just made DNS changes to domain I care about, I set up a temporary new A record (like X.whatever.com) and then surf to it through AOL's proxies. This seems to get their name servers to notice that the SOA record is new, and it flushes out the rest of their cache. This seems to work on all sorts of servers, most of the time.

Re:Submitter is Correct, it's happening

[Buran]

I'm on Charter and I'm not so sure it's filtered... I've switched to backup DNS servers before. Just as a test, I removed Charter's servers from my list (I have like 8 more servers behind their two as fallbacks), applied the change (I use Mac OS X 10.3) and then went to example.net. My machine successfully looked up the domain and went to the associated website.

What's the easiest way to check to see if your machine does indeed fetch records from another server? dig?

AOL used to do this (and probably still does)

[lythander]

Simple. Response time and bandwidth.

Caching provides a response much more quickly (albeit not always right), and for a large scale ISP, DNS lookups consume not-insignificant amounts of bandwidth. This used to cost much more than it does today, and I'll bet much of this continues out of intertia.

Not just the DNS servers... Java is brain dead

[Moe+Yerca]

Here's a little tidbit that most people don't realize...

The Sun JVM implementation implements it's own DNS caching for any name resolution done by the networking APIs. By default the TTL for cached entries is... FOREVER. Not only that, but they will cache NEGATIVE LOOKUPS, so that if your resolution fails the first time it will fail forever.

The only solution is to restart your app (duh) or set the TTL as a system property on JVM startup.

I personally spent a few minutes staring at the monitor in shock when I first found this behavior by debugging a problem all the way down to the Java API source. Boggles the mind. Everyone else I've read who've 'discovered' this little known problem have had similar reactions.

This is unrelated to the TTL issue discussed in the article, but I try to take every opportunity possible to scream 'WTF Sun!?!?'

Re:Faulty system

[logicnazi]

My understanding is that many mail delivery programs do their own recursive resolve and often ignore cached entries. At least when I have updated MX records they have seemed to propogate almost instantly. I presumed this was because sendmail and the like insist on reading the MX from servers authoritative for that domain but perhaps I'm mistaken.

Anyone care to clarify how DNS cache works with MX records?

Re:DNS practices --- CHANGE THE !@#$%^& serial

[oneiros27]

I feel your pain -- I've done my share of idiot tech support questions that should never have been sent to me.

But I have seen once when we had changed the serial, we had lowered the TTL for the week preceeding, and yet there were DNS servers out there that just refused to update. (AOL being one of them).

After we hit two weeks, and the IP still hadn't propagated, I did some digging -- somehow, 4 of the root name servers were forwarding queries to two development DNS servers that someone had set up, which weren't being maintained and getting updates. So yes, it was not the fault of the remote DNS servers that weren't taking the updates ... but we have no clue how the outside world found out about the development DNS servers. (or why the hell they weren't firewalled off, but that's another story).

But it's not always just a matter of changing the serial.... other things can go wrong with DNS.

Re:DNS practices --- CHANGE THE !@#$%^& serial

[wayne]

Listen -- We are SOA for around 11,000 domains. Both myself and the other uber-admins get tickets like this "escalated" when some clueless newbie wet behind the ears freaking junior admin DOESN'T RTFM and doesn't realize that if the serial #'s don't change then TTL is ignored.

Ok, can you point me to anywhere in RFC1034/RFC1035/RFC2308/etc that says that the SOA record has anything to do with the TTL? The nTTL, yes, but not the TTL. Yeah, if they don't change the serial number, their secondary name servers will take a long time to expire (could be weeks), but again, this doesn't have anything to do with your claim that if the serial number doesn't change, then the TTL is ignored.

Have I just been trolled?

Re:DNS practices --- CHANGE THE !@#$%^& serial

[dzarn]

So rather than bitching about how stupid everyone is, why not take the time to explain why it is done this way? Take 5 minutes out of your busy escalated-ticket day, and tell us why it works the way it does - at least make an effort, rather than complaining about how much better you are than the rest of the world.

Where to begin...

[cbreaker]

Okay first of all this guy doesn't really seem to have much depth of knowledge.

Asking friends to REBOOT? Why not just ipconfig /flushdns? And For The Love Of God, DNS DOES NOT PROPAGATE. It's a referral system that caches.

I also have a really hard time taking someone seriously that, in the opening question, mentions something like "well, zealots will argue, and tin foil hats will bitch" or whatever. Yea, he's really unbiased..

TTL affects the time you should cache the records, at least he seems to get this. So, he can't think of one reason why a large ISP might want to ignore TTL's?

I'll name a couple and leave it to this guy to fill in the rest:

A) Because a lot of really terrible DNS admins set the value way too low and leave it there?

B) Because ISP's might have a need to keep their cache database activity to a resonable level?

GO on with your study! The results will probably prove to be very uninteresting.

New TTL won't take effect until old TTL runs out

[VGPowerlord]

I haven't seen this mentioned in any of the comments I've read so far, but changing the TTL on your server will not have any immediate effect on other companies servers.

In fact, servers that are obeying TTL won't see the new record until the old record's TTL expires.

The querent doesn't say whether or not there was any wait for the old TTL to expire. They don't even mention what the old TTL was!

Ignoring TTLs not necessarily intentional

[shirpa_kewl]

I work at a hugeISP and we sometimes receive tickets accusing us of ignoring TTLs. However, it has always boiled down to one of three things.

1. Change in the hosting of a domain to new DNS servers without properly removing the domain from the old hosting DNS servers.

When this happens, a DNS server caching a domain's info will continue to check the old servers until the old server stops answering.

2. A change in the TTL of a domain to a lesser value.

If you change the TTL of a domain from 7 days to 1 hour, DNS servers currently caching that domain's information will hold onto it for 7 days before discovering the new TTL.

3. A bug in BIND 8 that prevents it from pulling updated information from the primary DNS server for a domain.

We see this rarely, but it requires a restart of an affected DNS server. We have not diagnosed the specific cause yet since we're moving servers to BIND 9.

quick fix

[ap0]

My dad uses Comcast and he kept calling me to "make the Internet work" during their recent DNS outages. I just SSH'd in to his router and added a Verizon DNS server (4.2.2.1) to his DHCP info, and his Internet worked right away. His neighbors were complaining they couldn't use the 'Net but he was surfing away just fine.

Re:DNS practices --- CHANGE THE !@#$%^& serial

[jafiwam]

Grandparent is full of shit or doesn't understand what this thread is about.

Serials are primarily for the two servers do get the same data (primary/secondary), so when the secondary is done waiting it goes to look at the serial on the primary and grabs the new zone transfer if the serial is higher.

TTL on an A record is just a recomendation (a specific setting that over-rides the default TTL for the zone up near the SOA).

IF a server has cached an A record with a TTL of 6000 seconds (just under 2 hours) it should hold and server data for only a maximum of 6000 seconds, and after that time dump the data and go get new data from the authoritative name servers.

If you do a DIG against them, they'll tell you how much time is left on a cached record.

Serial doesnt come into the "when to drop cached data" transaction at all.

Sure, not incrementing the serial can cause all sorts of problems. But that's not what the article is on about.

AOL et. al are ignoring specific A record TTL and putting their OWN TTL on cached information that over-rides mine. (I know this because the tool I use makes it so I CANT forget to incriment the serial, and I still run into TTL problems. What about that smartypants?) So when I set a domain from default to 3600 seconds a day before an MX record (email server) change and they ignore it, email migration from one server to another stays messed up for days rather than the hour my TTL would do. A good admin doesnt abuse TTL (like yahoo apparently does...) and sets it back up higher when finished moving stuff, most of the time I am prefectly happy with the nice long standard cache time. But sometimes you NEED a low TTL.

I got the O'Reilly Grasshopper book right here in front of me and none of the TTL sections mentions SOA needing increment for TTL caching. If someone wants to point out a page number that says I am wrong I'd be happy to shut up. But self-righteous indignation better be fact checked... seriously.

Scientific article about this

[eram]

There was an article called On the Responsiveness of DNS-based Network Control presented at the Internet Measurement Conference" last year. It is based on data from the Akamai content distribution network and shows that some DNS servers and even more client applications do not honor DNS TTL information.

Nothing new here

[metamatic]

I hate to bear bad news, but there's nothing new here. Back in the 90s I observed similar situations--that no matter what the TTL, and even if you were careful to increment your version IDs, there were plenty of DNS servers that wouldn't notice DNS changes for weeks.

Hence whenever someone tells me that they're going to move their web hosting, I always advise them to allow for a couple of weeks of overlap, so that they don't lose a ton of traffic. Often they ignore my advice, because of course they have set their TTL low so their changes will take effect immediately, or so they think.

And then they wonder why they're getting hundreds of e-mails from people telling them that the site is down. And I forward them a copy of the e-mail I sent them beforehand warning them of the problem.

My gut feeling is that screaming about other people's DNS servers refusing to observe your TTLs is going to get you about as far as screaming about other people's SMTP servers refusing to deliver your spam. It's their server, they can do what they like. For instance, any TTL under 24 hours will be ignored by my caching DNS server. (RFCs say TTLs should be at least a day, more like 1-2 weeks.)

Did the OP allow old TTL to expire before testing?

[Gnavpot]

Lowering the TTL to twenty four hours, and making changes and then checking to see when a change was picked up.

To my knowledge, downstream caching nameservers will not check for changes in TTL before the latest cached TTL expires. Consequently, if the TTL is set to one year, then changed to 24h, the changed TTL will go on unnoticed for up to a year.

So I would like to know if the OP did allow the old TTL to expire after changing it, before he carried out the test. If not, the results of the test may be misleading.

AOL: wayback machine for DNS

[CustomDesigned]

Several months ago, we made the mistake of testing a new webmail server using AOL, but forgetting to actually add the DNS record first :-). The negative result is *still* cached at AOL. Bummer for users trying to use the webmail.

On the plus side, I've used AOL to find out what the IP of names *used* to be while researching problems. Kind of handy that way.

A French lesson.

[UseTheSource]

Actually, the word du does mean "of the". It's the equivalent of de and le together. It's le jour because it's masculine.

Re:DNS practices --- CHANGE THE !@#$%^& serial

[sstidman]

That isn't what I meant (you all should know that?!?!?), what I meant was that if you don't bump the TTL then your own nameserver if you do a SIGHUP won't show the changes and you can set the TTL to whatever you want and it won't do a bit of good.

I don't know why you assume everyone should know what you meant. The rest of your hateful post made you look uninformed so folks probably generally presumed you were just a newbie admin with an inflated ego.

And why would they bump the TTL on their nameserver, anyway? Could you possibly mean that they should bump the serial number? I think you keep confusing record caching with zone transfers to secondary servers.


Also while we're on the subject of TTL's I that our nameserver is actually setup to increase TTL's less than 24 hours to 24 hours. I believe thats in an RFC or best practices guide I read somewhere.

I presume you know nothing about global load balancing. Global load balancers, which are really just fancy DNS servers, work by varying the A records returned from queries. The GLBs monitor the servers (or more likely load balancer farms) and if one goes down the GLB will no longer resolve to that IP address. For that to work, the TTL must be set to a very short time. If an ISP ignores the TTL, it will cause problems for any of their customers who access the domain with the short TTLs. Many large sites with multiple data centers make use of GLBs to balance traffic accross their data centers. You should not ignore TTLs or you may find that folks who rely on your DNS servers will occasionally be unable to access various sites. Since GLBs also tend to direct traffic toward less busy data centers, you will find that ignoring TTLs will also result in slower access for your clients to their favorite web sites. And if that's in a best practices guide, you might consider throwing that guide away.


I do know that TTL is a recommendation, thats all.

And I suppose stopping when the guard rail drops at a train track is technically just a recommendation, too. People have good reasons for lowering TTLs even if you don't seem to think so. Ignoring them can cause real problems.


I don't know why you need to interject the condescending, hateful speech in your posts. I would have blown it off with your apology, but then you included that unnecessary "you all should know that?!?!?)" crack in your latest post. You act like a genius and then make mistake after mistake in your technical statements, making you look like a buffoon. Why don't you relax and humble yourself a bit. Your ego is too inflated.