[Techtalk] Question about DNS

Raven, corporate courtesan raven at oneeyedcrow.net
Thu Dec 6 15:23:01 EST 2001


Heya --

Quoth jennyw (Thu, Dec 06, 2001 at 10:27:57AM -0800):
> In ORA's DNS and BIND it says that negative caching was introduced in BIND
> 8, but that this is hardcoded at 10 minutes.  I'm getting negative responses
> for >1 week. It's possible they're using some weird variant, but why would
> they do such a thing?

	Well, they may be using Bind 9, or Meta-IP, or djbdns.  There
are other nameservers out there.  Djbdns (its tinydns component) uses
the SOA TTL for negative answers.  So does Bind 9, apparently.  So it
would be 11 hours, not 10 minutes, if they were using either one of
these servers.  I don't remember off the top of my head what Meta-IP
does.

	For the bored: the RFC on negative caching can be found at
http://www.nominum.com/resources/standards/bind-rfc/rfc2308

	The lack of availability to your new addresses is puzzling,
though.  I'll keep digging.  Can those domains access your machines by
IP but not by name?  (I just want to make sure it's not a routing
problem somehow.)
 
> Another confusing thing is that the TTL for the domain is set to be 38400
> seconds (less than 11 hours). Why should anything take longer than a day to
> update?

	Has it always been set that way?  If you had your cache timeouts
set to a month, and then you changed them to 11 hours, then you'd still
have to wait the full month to make sure that all entries previously
cached had expired.  

	Also, do you have PTR records in there for those hosts?  Weird
things can sometimes happen if you don't have DNS going both ways.  Some
programs will check that the IP resolves to the name as a security
feature... but that shouldn't matter for basic resolution.

Cheers,
Raven
 
"Try explaining to a home user that his or her machine has been used in
 a DDoS attack.  The response I received by one home PC owner was: "Cool!""
  -- Rob Thomas, on NANOG
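The check the reply points at, as an added worked example (it is not code from this list, nor from BIND, djbdns or Meta-IP): take the one-line SOA record that `dig SOA <zone>` prints, compute the negative-cache TTL the way RFC 2308 defines it (the smaller of the SOA record's own TTL and its MINIMUM field), and work out how long a cache may keep a stale or negative entry after a zone change. The zone names and SOA values in the block are constructed, the `example.test` zone does not exist, and the zone-file form is only handled when collapsed onto one line.

```python
"""Negative-cache TTL of a zone, from its SOA record, per RFC 2308.

Added example for the thread above; it is not code from BIND, djbdns or
Meta-IP.  The SOA records below are constructed test data.  Feed it the
one-line SOA that `dig SOA <zone>` prints, or a zone-file SOA line.
"""
import re
import time

# BIND master-file TTL units (also described in RFC 2308 section 11).
_UNIT = {"w": 7 * 86400, "d": 86400, "h": 3600, "m": 60, "s": 1}


def parse_ttl(text):
    """'38400' -> 38400; '1d12h' -> 129600 (case-insensitive units)."""
    text = text.strip().lower()
    if text.isdigit():
        return int(text)
    total, pos = 0, 0
    for m in re.finditer(r"(\d+)([wdhms])", text):
        if m.start() != pos:
            raise ValueError(f"bad TTL: {text!r}")
        total += int(m.group(1)) * _UNIT[m.group(2)]
        pos = m.end()
    if pos == 0 or pos != len(text):
        raise ValueError(f"bad TTL: {text!r}")
    return total


def parse_soa(line, default_ttl=None):
    """Parse an SOA record in presentation format.

    Accepts the dig form
      'zone. 38400 IN SOA mname rname serial refresh retry expire minimum'
    and the zone-file form '@ IN SOA ( ... )' collapsed onto one line.  When
    the line carries no TTL (a $TTL directive supplies it), default_ttl is used.
    """
    toks = line.replace("(", " ").replace(")", " ").split()
    upper = [t.upper() for t in toks]
    if "SOA" not in upper:
        raise ValueError("not an SOA record")
    i = upper.index("SOA")
    head, tail = toks[:i], toks[i + 1:]
    if len(head) < 1 or len(tail) != 7:
        raise ValueError("malformed SOA record")
    ttl = default_ttl
    for t in head[1:]:
        if t.upper() not in ("IN", "CH", "HS"):   # class token, otherwise a TTL
            ttl = parse_ttl(t)
    refresh, retry, expire, minimum = (parse_ttl(t) for t in tail[3:7])
    return {
        "owner": head[0], "ttl": ttl, "mname": tail[0], "rname": tail[1],
        "serial": int(tail[2]), "refresh": refresh, "retry": retry,
        "expire": expire, "minimum": minimum,
    }


def negative_ttl(soa):
    """RFC 2308 section 3: a cached negative answer lives for
    min(SOA MINIMUM, TTL of the SOA record itself)."""
    if soa["ttl"] is None:
        return soa["minimum"]
    return min(soa["ttl"], soa["minimum"])


def worst_case_delay(soa, old_ttl=None):
    """Seconds after a zone change until every RFC-compliant cache has
    dropped its stale entry.  A brand-new name can be masked by a negative
    entry for negative_ttl(soa); a changed record by the TTL it used to be
    published with (old_ttl), even if the zone now advertises a shorter one."""
    delays = [negative_ttl(soa)]
    if old_ttl is not None:
        delays.append(old_ttl)
    return max(delays)


# Constructed sample records: the names and numbers are not from any real zone.
DIG_SOA = ("example.test. 38400 IN SOA ns1.example.test. hostmaster.example.test. "
           "2001120601 10800 3600 604800 38400")
ZONEFILE_SOA = "@ IN SOA ns1 hostmaster ( 2001120601 3h 1h 1w 1d )"

if __name__ == "__main__":
    soa = parse_soa(DIG_SOA)
    print(f"negative-cache TTL: {negative_ttl(soa)} s "
          f"({negative_ttl(soa) / 3600:.1f} h)")
    # Zone used to publish a one-month TTL; the worst case is still that month.
    delay = worst_case_delay(soa, old_ttl=30 * 86400)
    print("all caches clean by:",
          time.strftime("%Y-%m-%d %H:%M", time.localtime(time.time() + delay)))
```

worst_case_delay() encodes the point about old TTLs: a resolver that cached a record under a month-long TTL keeps it for that month regardless of the value the zone advertises now, and a resolver that looked up a not-yet-created name keeps the negative answer for negative_ttl() after the record is added.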


