[Dnsmasq-discuss] TTL in nested wild card CNAME

Geert Stappers stappers at stappers.nl
Tue Mar 17 06:13:40 GMT 2020

On Mon, Mar 16, 2020 at 08:31:17PM -0500, Sasha Litvak wrote:
> I couldn't find a specific answer anywhere, so hopefully someone has a
> clue on this list.
> We are using dnsmasq on our servers as a caching DNS solution.
> Most of our domains are resolved by a wildcard record like this:
> $TTL 3600       ; 1 hour
>                         A
> $ORIGIN example.net.
> *                       CNAME   excontainers
> excontainers    CNAME   exservice.service.consul
> dnsmasq handles resolution of .consul domain directly but the DNS
> server itself also forwards .consul to consul servers.
> I added min-ttl 5s to decrease the number of queries to consul.
> So when I do dig foo.example.net  @ I get:
> foo.example.net. 3600 IN CNAME excontainers.example.net.
> excontainers.example.net. 3600 IN CNAME exservice.service.consul.
> exservice.service.consul. 5 IN A
> Now we often need to migrate subdomains by pointing them to a
> different consul cluster.  So our script uses nsupdate and creates a
> dynamic DNS record resulting in this reply:
> foo.example.net. 60 IN CNAME  exservice2.service.consul.
>  exservice2.service.consul. 5 IN A
> So we have a record that is more explicit and it takes precedence over
> wild card.   On servers with little traffic, domain switch happens
> within a few seconds, but on the main busy server with 100s of queries
> a second, it takes an hour for dnsmasq to change its cache.  We see
> dnsmasq sending requests to the DNS server getting correct new records
> but still sending the old cached records to a client.
> When we are going back from distinct to default wild card (removing
> distinct record in DNS) cache change happens almost immediately (a
> couple of seconds) regardless of how busy the server is.
> Sorry for the long description but I would like to find out a reason
> why during switching from wild card to more explicit record dnsmasq
> cache update takes such a long time.

$ host -t ns org
org name server d0.org.afilias-nst.org.
org name server b2.org.afilias-nst.org.
org name server a0.org.afilias-nst.info.
org name server a2.org.afilias-nst.info.
org name server b0.org.afilias-nst.org.
org name server c0.org.afilias-nst.info.
$ host -t ns consul
Host consul not found: 3(NXDOMAIN)
