[Dnsmasq-discuss] TTL in nested wild card CNAME
stappers at stappers.nl
Tue Mar 17 06:13:40 GMT 2020
On Mon, Mar 16, 2020 at 08:31:17PM -0500, Sasha Litvak wrote:
> I couldn't find a specific answer anywhere so hopefully someone has a
> clue on this list
> We are using dnsmasq on our servers as a caching dns solution.
> Most of our domains are resolved by a wildcard record like this
> $TTL 3600 ; 1 hour
> A 10.10.10.23
> $ORIGIN example.net.
> * CNAME excontainers
> excontainers CNAME exservice.service.consul
> dnsmasq handles resolution of .consul domain directly but the DNS
> server itself also forwards .consul to consul servers.
> I added min-ttl 5s to decrease the number of queries to consul
> So when I do dig foo.example.net @127.0.0.1 I get
> foo.example.net. 3600 IN CNAME excontainers.example.net.
> excontainers.example.net. 3600 IN CNAME exservice.service.consul.
> exservice.service.consul. 5 IN A 10.0.48.13
> Now we often need to migrate subdomains by pointing them to a
> different consul cluster. So our script uses nsupdate and creates a
> dynamic DNS record resulting in this reply
> foo.example.net. 60 IN CNAME exservice2.service.consul.
> exservice2.service.consul. 5 IN A 10.0.48.35
> So we have a record that is more explicit and it takes precedence over
> wild card. On servers with little traffic, domain switch happens
> within a few seconds, but on the main busy server with 100s of queries
> a second, it takes an hour for dnsmasq to change its cache. We see
> dnsmasq sending requests to the DNS server getting correct new records
> but still sending the old cached records to a client.
> When we are going back from distinct to default wild card (removing
> distinct record in DNS) cache change happens almost immediately (a
> couple of seconds) regardless of how busy the server is.
> Sorry for the long description but I would like to find out a reason
> why during switching from wild card to more explicit record dnsmasq
> cache update takes such a long time.
$ host -t ns org
org name server d0.org.afilias-nst.org.
org name server b2.org.afilias-nst.org.
org name server a0.org.afilias-nst.info.
org name server a2.org.afilias-nst.info.
org name server b0.org.afilias-nst.org.
org name server c0.org.afilias-nst.info.
$ host -t ns consul
Host consul not found: 3(NXDOMAIN)
More information about the Dnsmasq-discuss