[Dnsmasq-discuss] TTL override for clients?

Fredrik Ringertz Fredrik_Ringertz at livewire-connections.com
Wed May 5 09:26:53 BST 2010


Hi Simon,

Thanks again for all your help! I believe my patch seems to be working fine now after some more testing.

I have attached it here in case anyone else would be interested in it. It will add a new configurable option (can be set in both command line or dnsmasq.conf) called "max-ttl". The TTL (in seconds) specified after it will be a maximum ttl which will be handed out to a client.

For example, if max-ttl is set to 150 and a client looks up google.com which has a TTL of 300, then dnsmasq will add google.com to its cache with a TTL of 300 still, however it will tell its clients that the TTL is 150.
If the returned TTL for google.com happened to be 60, then 60 would be given to the clients since it is lower than the configured max-ttl value.

This is handy if for example like me you want your clients to have a low ttl to avoid longer caching, but you don't want to override the actual TTL value (to avoid flooding the upstream DNS servers).


Any feedback on the patch is highly appreciated as I am going to apply it in a working environment soon and my C++ knowledge is basic at best :)

I haven't been able to add the max-ttl option to the French and Spanish man page but otherwise I think it is all in there :)


Best Regards

Fredrik
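The behaviour Fredrik describes (keep the record in the cache for its real upstream TTL, but write min(remaining TTL, max-ttl) into answers to clients) as a small self-contained C model. This is an added illustration, not the attached patch and not dnsmasq's own cache code; `struct resolver`, `resolve()`, `client_ttl()` and the one-slot cache are hypothetical, and the "upstream" is a constructed TTL value rather than a real lookup. The one detail worth checking in any implementation of this idea is that the cap is applied to the *remaining* lifetime of the cached record at answer time, not to the original TTL, so a client can never be told to keep an answer longer than the cache itself will. (dnsmasq later gained a built-in `--max-ttl` option with exactly these semantics.)

```c
#include <stdio.h>
#include <string.h>

/* Added illustration of the max-ttl idea from the message above; not the
 * dnsmasq code or the attached patch.  All names here are hypothetical. */

/* One cached record.  Only the absolute expiry derived from the upstream
 * TTL is stored, so the cap never shortens how long the record is kept. */
struct cache_entry {
    char name[64];
    unsigned long expiry;          /* now + upstream TTL at insert time */
};

/* A minimal forwarding resolver with a one-slot cache. */
struct resolver {
    unsigned long max_ttl;         /* the new option; 0 means no cap */
    unsigned long upstream_ttl;    /* constructed: TTL the upstream answers with */
    int upstream_queries;          /* how often we actually went upstream */
    int cache_used;
    struct cache_entry cache;
};

/* Cache with the true upstream TTL; the cap is applied only on the way out. */
static void cache_insert(struct cache_entry *e, const char *name,
                         unsigned long upstream_ttl, unsigned long now)
{
    strncpy(e->name, name, sizeof e->name - 1);
    e->name[sizeof e->name - 1] = '\0';
    e->expiry = now + upstream_ttl;
}

static int cache_valid(const struct cache_entry *e, const char *name,
                       unsigned long now)
{
    return strcmp(e->name, name) == 0 && e->expiry > now;
}

/* TTL written into the answer sent to a client: the remaining upstream TTL,
 * reduced to max_ttl when that is lower and non-zero.  Remaining time is
 * used rather than the original TTL so a client never outlives the cache. */
unsigned long client_ttl(const struct cache_entry *e, unsigned long max_ttl,
                         unsigned long now)
{
    unsigned long remaining = e->expiry > now ? e->expiry - now : 0;
    if (max_ttl != 0 && remaining > max_ttl)
        return max_ttl;
    return remaining;
}

/* Answer a client query at time 'now', going upstream only on a cache miss.
 * Returns the TTL handed to the client. */
unsigned long resolve(struct resolver *r, const char *name, unsigned long now)
{
    if (!r->cache_used || !cache_valid(&r->cache, name, now)) {
        r->upstream_queries++;                 /* constructed upstream lookup */
        cache_insert(&r->cache, name, r->upstream_ttl, now);
        r->cache_used = 1;
    }
    return client_ttl(&r->cache, r->max_ttl, now);
}

int main(void)
{
    /* Scenario from the message: max-ttl 150, google.com has a 300 s TTL.
     * t=0 -> 150, t=100 -> 150, t=200 -> 100, t=300 -> 150 (record expired,
     * fetched again); only two upstream queries in total. */
    struct resolver r = { .max_ttl = 150, .upstream_ttl = 300 };
    unsigned long t;
    for (t = 0; t <= 300; t += 100) {
        unsigned long ttl = resolve(&r, "google.com", t);
        printf("t=%3lu  client ttl=%3lu  upstream queries=%d\n",
               t, ttl, r.upstream_queries);
    }
    return 0;
}
```

Clients capped at 150 s will come back to dnsmasq roughly twice as often as they would with the true TTL, but those repeat queries are served from the cache; the upstream is only asked again once the record's real 300 s have run out, which is the property Fredrik wants.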

-----Original Message-----
From: Simon Kelley [mailto:simon at thekelleys.org.uk] 
Sent: 21 April 2010 20:58
To: Fredrik Ringertz
Cc: dnsmasq-discuss at lists.thekelleys.org.uk
Subject: Re: [Dnsmasq-discuss] TTL override for clients?

Fredrik Ringertz wrote:
> Hi Simon,
> 
> Thank you for clarifying that! If a packet is signed, is it ever
> cached by dnsmasq? I would assume not because it would contain a
> timestamp of some sort?

Data from the packet could be cached, but no reply from the dnsmasq
cache is ever signed, this is just about allowing signed packets from
upstream.

> 
> I have to admit that I haven't dealt a lot with signatures before in
> DNS, am I correct in thinking they are only used when a client wants
> to initiate a dynamic update? Or can it be used in standard lookups?
> I only have 10-15 or so clients behind my dnsmasq server and none of
> them are in need of anything more than normal record lookups.

It's highly unlikely that you'll see any signed packets, but to do this
right and allow dnsmasq to act as a transparent proxy for any query,
it's necessary to avoid touching signed packets.

Cheers,

Simon.
-------------- next part --------------
A non-text attachment was scrubbed...
Name: dnsmasq-2.52-max_ttl.patch
Type: application/octet-stream
Size: 7664 bytes
Desc: dnsmasq-2.52-max_ttl.patch
Url : http://lists.thekelleys.org.uk/pipermail/dnsmasq-discuss/attachments/20100505/49974376/attachment.obj 
