Slashdot Mirror

← Back to Stories (view on slashdot.org)

Providers Ignoring DNS TTL?

Posted by Cliff on from the stale-results dept.

cluge asks: "It seems that several large providers give their users DNS servers that simply ignore DNS time to live (TTL). Over the past decade I've seen this from time to time. Recently it seems to be a pandemic, affecting very large cable/broadband and dial up networks. Performing a few tests against our broadband cable provider has shown that only one of the three provided DNS servers picked up a change in seven days or less. After turning in a trouble ticket with that provider - two of the three provided DNS servers were responding correct - while the third was still providing bad information more than two weeks after that specific change. What DNS caches ignore TTL by default? Is there a valid technical reason to ignore TTL?" "This struck me as odd, and I decided to run a few tests using my own domain. Lowering the TTL to twenty four hours, and making changes and then checking to see when a change was picked up. I queried twelve outside DNS servers/caches that I had access to (Thanks to my friends and relatives with dial ups and DSL who put up with me and my requests to reboot their machine daily!). Checks performed against these outside DNS servers indicate that it may take as much as four to five weeks before a DNS change is picked up! Most DNS servers picked up the change within 48 hours. A small number did not (three out of twelve - that's a quarter of them!)

This merits more study, and prompts a few questions. So, before I begin with a more serious broad study, I'd like to get some feedback on the problem as I've seen it. I know the tin foil hat crowd will see the failure to propagate DNS correctly as censorship, and the OS/bind/djb/whatever zealots will simply see this as an argument for their particular religion.

Based on the responses I get, I will then setup and test a couple of domains with different DNS servers for 6 weeks and report back the findings. [volunteers welcome!]"

19 of 445 comments (clear)

  1. TTL's by dlhm · · Score: 5, Funny

    Of course there is a reason, To save bandwidth, and to provide the 3rd world internet service we have come to expect here in the USA.

    --
    Ad eundum quo nemo ante iit!
  2. DNS practices by LynXmaN · · Score: 5, Informative

    Usually on big providers overriding the TTL of the zone is a usual practice for sure, I do that myself in the ISP I'm working for (it's middle sized).

    But I don't think they're setting a TTL longer than 24 hours, that would be kind of insane, isn't? At least from my own experience when I did a big DNS servers change (changed all the serials) the delay was less than 24 hours for almost all of them.

    --
    May the source be with you!
  3. Re:Faulty system by wiredlogic · · Score: 5, Insightful

    DNS isn't about "the web". It's much bigger than that.

    --
    I am becoming gerund, destroyer of verbs.
  4. You can use TTL to keep customers from leaving! by Anonymous Coward · · Score: 5, Funny

    I remember once I had the TTL set on a bunch of domains to over a year. I found out its a great way to retain customers, because their domains will not work anywhere else.

  5. If you want to help then by cluge · · Score: 5, Informative

    Send a plain text email to
    dns-subscribe@angrypeoplerule.com

    This is a moderated list, and is only for letting people who are interested know when the study will begin, how to participate and the final results.

    --
    "Science is about ego as much as it is about discovery and truth " - I said it, so sue me.
  6. Re:For non geeks by Anonymous Coward · · Score: 5, Informative

    They're referring to DNS TTL, not IP TTL.

  7. Re:Dumb question by Alioth · · Score: 5, Informative
    Use the 'dig' and 'host' commands.

    For example

    dig @your-isps-nameserver.net -t A www.example.com

    For example:
    $ dig @192.168.0.1 -t A www.slashdot.org

    ; <<>> DiG 9.2.4 <<>> @192.168.0.1 -t A www.slashdot.org
    ;; global options: printcmd
    ;; Got answer:
    ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 54561
    ;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 5, ADDITIONAL: 0

    ;; QUESTION SECTION:
    ;www.slashdot.org. IN A

    ;; ANSWER SECTION:
    www.slashdot.org. 7184 IN A 66.35.250.151

    ;; AUTHORITY SECTION:
    slashdot.org. 7184 IN NS ns2.vasoftware.com.
    slashdot.org. 7184 IN NS ns3.vasoftware.com.
    slashdot.org. 7184 IN NS ns1.osdn.com.
    slashdot.org. 7184 IN NS ns1.vasoftware.com.
    slashdot.org. 7184 IN NS ns2.osdn.com.

    ;; Query time: 3 msec
    ;; SERVER: 192.168.0.1#53(192.168.0.1)
    ;; WHEN: Tue Apr 19 11:38:58 2005
    ;; MSG SIZE rcvd: 159
    Note the TTL of 7184 seconds (this is how long the nameserver at 192.168.0.1 will continue to use the cached record for before fetching it again from slashdot.org's authoratative nameservers).
    --
    Oolite: Elite-like game. For Mac, Linux and Windows
  8. What's the point of not updating anyway... by GSloop · · Score: 5, Interesting

    DNS queries are figgin tiny...
    So, what's it really save you, even if you're a massive ISP to not obey the TTL's?

    The only thing it's going to save you is from having to go out to the root servers and pull it again when the TTL expires. And, I speculate that this really is a very, *very* small amount of traffic compared to the other traffic to those servers.

    I'd expect the highest bandwidth/resource users, by a very large margin, to be standard "in-TTL" answers to DNS clients.

    So, these cranks, for lack of a better term, simply bork the systems they manage for no appreciable gain from doing so. Reducing spam by 0.0001% would have vastly more impact on the servers they maintain than ignoring TTL's.

    Has anyone done any measurement stats on DNS queries. How much of the total traffic is DNS. I can't imagine it's even 0.5% of an average ISP.

    Cheers,
    Greg

  9. I know AOL used to be an offender, likely still is by muckdog · · Score: 5, Interesting

    Saving bandwidth is the only reason. It still a pain in the ass though. I found out the hard way when I though I was moving a website to a different IP address for the first time. I normally set the TTL to 7 days. So 7 day before the planned move I set the TTL to 1 hour. We switched the IP address and everthing was fine using ISP that followed DNS rules. AOL still had the address cached though. We didn't find out about teh problem with AOL right away. Our additude at the time was well screw the AOL users, there's no one importing using AOL anyways. I think it took a month before AOL finally updated to the right IP address. This definately makes it hard to do dns moves. At least with smtp you can add the mx record of the new server in advanced.

  10. reboot? by grazzy · · Score: 5, Informative

    (Thanks to my friends and relatives with dial ups and DSL who put up with me and my requests to reboot their machine daily!).

    ipconfig /flushdns

  11. Re:Dumb question by Dtyst · · Score: 5, Informative

    There are many online DNS tools DNS report being one of the best and DNS stuff being very powerful but harder to use. I also like Dig it Man! for simple DNS checks. Also many large internet providers usually have allkinds of online network tools available online on their webpages.

  12. ELOGICFAULT by Anonymous Coward · · Score: 5, Insightful

    If it's all about trust, then you don't want to extend the TTL, you want to *shorten* it. That way if you're hit with a cache-poisioning attack, you get the correct record *faster*, instead of holding on to crap for weeks.

    Besides, this behavior blows up all sorts of geographical load balancing, datacenter failover, etc. type solutions (google for a F5 3DNS device sometime).

    Bad stuff, mucking about with the TTL that someone has assigned to a record. It's not arbitrary information. To those fucking with TTLs, how about we arbitrarily alter the numbers in your paycheck? Oh? What's that? That doesn't seem like a good idea? Gee. Go Fig. HANDS OFF MY TTL, ASSHAT.

    -AC

  13. Article is right on the money by wo1verin3 · · Score: 5, Informative

    Our company made a DNS change for a download server accessed by customers, over a month passed and multiple tickets opened with several large ISPS (Road Runner being the biggest) with no action taken. We finally had to setup a new server name for customers to be able to access the download server...

    In all there were 3 large US isps that were major offenders...

  14. Re:Bypass their DNS by petermgreen · · Score: 5, Informative

    the root servers aren't recursive resolvers so you aren't really pulling from them in any meaningfull sense. you are just hitting them very occasionally when you use a new tld. Most of your data comes direct to your resolver from the authoritive nameservers. also the root nameservers are things that ABSOLOUTELY MUST STAY UP and measures would be taken to spread the load further if needed (this has already been done with bgp anycast for k-root).

    --
    note: i'm known as plugwash most places but i screwd up registering that here somehow in the past and now can't register
  15. Re:I know AOL used to be an offender, likely still by ScentCone · · Score: 5, Insightful

    Our additude at the time was well screw the AOL users, there's no one importing using AOL anyways

    I'd be curious who's the audience for the site(s) you're talking about. I'm pretty uncomfortable calling tens of millions of users unimportant, especially when it comes to e-commerce. Different "additude", I guess. Or attitude, even.

    I maintain an ancient AOL account specifically so I can see things the way that some of my customers' customers see them. But it has one other advantage: if I've just made DNS changes to domain I care about, I set up a temporary new A record (like X.whatever.com) and then surf to it through AOL's proxies. This seems to get their name servers to notice that the SOA record is new, and it flushes out the rest of their cache. This seems to work on all sorts of servers, most of the time.

    --
    Don't disappoint your bird dog. Go to the range.
  16. Ignoring TTLs not necessarily intentional by shirpa_kewl · · Score: 5, Insightful

    I work at a hugeISP and we sometimes receive tickets accusing us of ignoring TTLs. However, it has always boiled down to one of three things.

    1. Change in the hosting of a domain to new DNS servers without properly removing the domain from the old hosting DNS servers.

    When this happens, a DNS server caching a domain's info will continue to check the old servers until the old server stops answering.

    2. A change in the TTL of a domain to a lesser value.

    If you change the TTL of a domain from 7 days to 1 hour, DNS servers currently caching that domain's information will hold onto it for 7 days before discovering the new TTL.

    3. A bug in BIND 8 that prevents it from pulling updated information from the primary DNS server for a domain.

    We see this rarely, but it requires a restart of an affected DNS server. We have not diagnosed the specific cause yet since we're moving servers to BIND 9.

  17. Re:DNS practices --- CHANGE THE !@#$%^& serial by jafiwam · · Score: 5, Informative

    Grandparent is full of shit or doesn't understand what this thread is about.

    Serials are primarily for the two servers do get the same data (primary/secondary), so when the secondary is done waiting it goes to look at the serial on the primary and grabs the new zone transfer if the serial is higher.

    TTL on an A record is just a recomendation (a specific setting that over-rides the default TTL for the zone up near the SOA).

    IF a server has cached an A record with a TTL of 6000 seconds (just under 2 hours) it should hold and server data for only a maximum of 6000 seconds, and after that time dump the data and go get new data from the authoritative name servers.

    If you do a DIG against them, they'll tell you how much time is left on a cached record.

    Serial doesnt come into the "when to drop cached data" transaction at all.

    Sure, not incrementing the serial can cause all sorts of problems. But that's not what the article is on about.

    AOL et. al are ignoring specific A record TTL and putting their OWN TTL on cached information that over-rides mine. (I know this because the tool I use makes it so I CANT forget to incriment the serial, and I still run into TTL problems. What about that smartypants?) So when I set a domain from default to 3600 seconds a day before an MX record (email server) change and they ignore it, email migration from one server to another stays messed up for days rather than the hour my TTL would do. A good admin doesnt abuse TTL (like yahoo apparently does...) and sets it back up higher when finished moving stuff, most of the time I am prefectly happy with the nice long standard cache time. But sometimes you NEED a low TTL.

    I got the O'Reilly Grasshopper book right here in front of me and none of the TTL sections mentions SOA needing increment for TTL caching. If someone wants to point out a page number that says I am wrong I'd be happy to shut up. But self-righteous indignation better be fact checked... seriously.

  18. Scientific article about this by eram · · Score: 5, Informative

    There was an article called On the Responsiveness of DNS-based Network Control presented at the Internet Measurement Conference" last year. It is based on data from the Akamai content distribution network and shows that some DNS servers and even more client applications do not honor DNS TTL information.

  19. Re:Bypass their DNS by geniusj · · Score: 5, Informative

    To be even more specific, here is how a typical lookup happens (assuming NO cached data):

    Specifics per implementation might be off, but either way it ends in the same result:

    Recursive -> Root Server: "ANY? www.google.com"
    Root Server -> Recursive: "com NS a.gtld-servers.net ....."
    Recursive -> a.gtld-servers.net: "ANY? www.google.com"
    a.gtld-servers.net -> Recursive: "google.com NS ns1.google.com ...."
    Recursive -> ns1.google.com: "ANY? www.google.com"
    ns1.google.com -> Recursive: "www.google.com A 1.2.3.4 ... google.com NS ns1.google.com"

    As you can see, the root server only provides information for the top level domains. Those being com, org, us, uk, au, etc.

    It's commonly thought that they handle things like 'google.com' which isn't true. google.com, in thise case, would be known by {a,b,c,d,etc}.gtld-servers.net. Each TLD has its own nameservers, obviously. But com and net use those.

    As for the TTL issue. I do offer Dynamic DNS which has a default TTL of 180 seconds, however I have not run into this personally. Or myself and my users just haven't noticed it.

    Regards,
    -JD-