[Dnsmasq-discuss] TTL in nested wild card CNAME

Sasha Litvak alexander.v.litvak at gmail.com
Tue Mar 17 01:31:17 GMT 2020

I couldn't find a specific answer anywhere, so hopefully someone has a
clue on this list.

We are using dnsmasq on our servers as a caching dns solution.

Most of our domains are resolved by a wildcard record like this:

$TTL 3600       ; 1 hour
$ORIGIN example.net.
*                       CNAME   excontainers
excontainers    CNAME   exservice.service.consul

dnsmasq handles resolution of .consul domain directly but the DNS
server itself also forwards .consul to consul servers.

I added min-ttl 5s to decrease the number of queries to consul.

So when I do dig foo.example.net  @ I get

foo.example.net. 3600 IN CNAME excontainers.example.net.
excontainers.example.net. 3600 IN CNAME exservice.service.consul.
exservice.service.consul. 5 IN A

Now we often need to migrate subdomains by pointing them to a
different consul cluster.  So our script uses nsupdate and creates a
dynamic DNS record resulting in this reply

foo.example.net. 60 IN CNAME exservice2.service.consul.
exservice2.service.consul. 5 IN A

So we have a record that is more explicit and it takes precedence over
the wildcard. On servers with little traffic, the domain switch happens
within a few seconds, but on the main busy server with 100s of queries
a second, it takes an hour for dnsmasq to change its cache. We see
dnsmasq sending requests to the DNS server and getting the correct new
records, but still sending the old cached records to a client.

When we are going back from the distinct record to the default wildcard
(removing the distinct record in DNS), the cache change happens almost
immediately (a couple of seconds) regardless of how busy the server is.

Sorry for the long description, but I would like to find out the reason
why, when switching from the wildcard to the more explicit record, the
dnsmasq cache update takes such a long time.
