[Dnsmasq-discuss] TTL in nested wild card CNAME

Simon Kelley simon at thekelleys.org.uk
Wed Mar 18 09:25:33 GMT 2020 


On 18/03/2020 00:30, Sasha Litvak wrote:
> Simon,
> 
> Hosts in domain .consul are resolved by DNS servers forwarding requests
> to a consul clusters.  I also have hard coded direct consul server
> records for .consul in dnsmasq config.  Nothing in /etc/hosts . Consul
> returns records with  TTL 0 .  I perhaps wrongly thought it meant they
> are not cached.  That is why I added ttl-min 5s.

That's you problem then. Make the .consul records TTL 5 and the problem
will go away. In TTLs, 0 is "forever".

S.

> 
> On Tue, Mar 17, 2020, 10:46 AM Simon Kelley <simon at thekelleys.org.uk
> <mailto:simon at thekelleys.org.uk>> wrote:
> 
>     On 17/03/2020 01:31, Sasha Litvak wrote:
>     > I couldn't find a specific answer anywhere so hopefully someone has a
>     > clue on this list
>     >
>     > We are using dnsmasq on our servers as a caching dns solution.
>     >
>     > Most of our domains are resolved by a wildcard record like this
>     >
>     > $TTL 3600       ; 1 hour
>     >                         A       10.10.10.23
>     > $ORIGIN example.net <http://example.net>.
>     > *                       CNAME   excontainers
>     > excontainers    CNAME   exservice.service.consul
>     >
>     > dnsmasq handles resolution of .consul domain directly but the DNS
>     > server itself also forwards .consul to consul servers.
>     ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
> 
> 
>     Can you elaborate? How does dnsmasq handle the resolution of the .consul
>     domain? If you have something like
> 
>     10.0.48.13 exservice.service.consul
> 
>     in /etc/hosts
> 
>     then that defines, effectively, an immortal record for
>     exservice.service.consul, so a CNAME chain of two records, each with a
>     TTL of one hour, would result in that answer being returned for an hour.
> 
>     >
>     > I added min-ttl 5s to decrease the number of queries to consul
>     >
>     > So when I do dig foo.example.net <http://foo.example.net>     @127.0.0.1 <http://127.0.0.1> I get
>     >
>     > foo.example.net <http://foo.example.net>. 3600 IN CNAME
>     excontainers.example.net <http://excontainers.example.net>.
>     > excontainers.example.net <http://excontainers.example.net>. 3600
>     IN CNAME exservice.service.consul.
>     > exservice.service.consul. 5 IN A 10.0.48.13
> 
>     This might be misleading: is you do that query to dnsmasq with a clean
>     cache, it will forward the query upstream, and return the complete
>     result it gets, including the A record with a 5s TTL, but further
>     queries from the cache would return a 0 (infinite) TTL for the A record
>     of it's defined locally.
> 
>     The fix for this is to define the .consul A record using --host-record,
>     which allows you to specify the 5s TTL.
> 
> 
> 
>     >
>     > Now we often need to migrate subdomains by pointing them to a
>     > different consul cluster.  So our script uses nsupdate and creates a
>     > dynamic DNS record resulting in this reply
>     >
>     > foo.example.net <http://foo.example.net>. 60 IN CNAME 
>     exservice2.service.consul.
>     >  exservice2.service.consul. 5 IN A 10.0.48.35
>     >
>     > So we have a record that is more explicit and it takes precedence over
>     > wild card.   On servers with little traffic, domain switch happens
>     > within a few seconds, but on the main busy server with 100s of queries
>     > a second, it takes an hour for dnsmasq to change its cache.  We see
>     > dnsmasq sending requests to the DNS server getting correct new records
>     > but still sending the old cached records to a client.
>     >
>     > When we are going back from distinct to default wild card (removing
>     > distinct record in DNS) cache change happens almost immediately (a
>     > couple of seconds) regardless of how busy the server is.
>     >
>     > Sorry for the long description but I would like to find out a reason
>     > why during switching from wild card to more explicit record dnsmasq
>     > cache update takes such a long time.
>     >
> 
>     I'm guessing at exactly what's going on here: more details would be
>     useful, but if I guessed right, that's the solution.
> 
> 
>     Simon.
> 
> 
>     _______________________________________________
>     Dnsmasq-discuss mailing list
>     Dnsmasq-discuss at lists.thekelleys.org.uk
>     <mailto:Dnsmasq-discuss at lists.thekelleys.org.uk>
>     http://lists.thekelleys.org.uk/mailman/listinfo/dnsmasq-discuss
>

More information about the Dnsmasq-discuss mailing list