[Dnsmasq-discuss] TTL in nested wild card CNAME
Sasha Litvak
alexander.v.litvak at gmail.com
Tue Mar 17 14:12:58 GMT 2020
Geert,
Just in case, .consul is not a registered domain name. It is assigned
with Hashicorp consul service discovery product and is internal to us.
Whence forwarders.
On Tue, Mar 17, 2020, 9:08 AM Sasha Litvak <alexander.v.litvak at gmail.com>
wrote:
> Geert,
>
> What is the meaning of this?
>
> On Tue, Mar 17, 2020, 1:48 AM Geert Stappers <stappers at stappers.nl> wrote:
>
>> On Mon, Mar 16, 2020 at 08:31:17PM -0500, Sasha Litvak wrote:
>> > I couldn't find a specific answer anywhere so hopefully someone has a
>> > clue on this list
>> >
>> > We are using dnsmasq on our servers as a caching dns solution.
>> >
>> > Most of our domains are resolved by a wildcard record like this
>> >
>> > $TTL 3600 ; 1 hour
>> > A 10.10.10.23
>> > $ORIGIN example.net.
>> > * CNAME excontainers
>> > excontainers CNAME exservice.service.consul
>> >
>> > dnsmasq handles resolution of .consul domain directly but the DNS
>> > server itself also forwards .consul to consul servers.
>> >
>> > I added min-ttl 5s to decrease the number of queries to consul
>> >
>> > So when I do dig foo.example.net @127.0.0.1 I get
>> >
>> > foo.example.net. 3600 IN CNAME excontainers.example.net.
>> > excontainers.example.net. 3600 IN CNAME exservice.service.consul.
>> > exservice.service.consul. 5 IN A 10.0.48.13
>> >
>> > Now we often need to migrate subdomains by pointing them to a
>> > different consul cluster. So our script uses nsupdate and creates a
>> > dynamic DNS record resulting in this reply
>> >
>> > foo.example.net. 60 IN CNAME exservice2.service.consul.
>> > exservice2.service.consul. 5 IN A 10.0.48.35
>> >
>> > So we have a record that is more explicit and it takes precedence over
>> > wild card. On servers with little traffic, domain switch happens
>> > within a few seconds, but on the main busy server with 100s of queries
>> > a second, it takes an hour for dnsmasq to change its cache. We see
>> > dnsmasq sending requests to the DNS server getting correct new records
>> > but still sending the old cached records to a client.
>> >
>> > When we are going back from distinct to default wild card (removing
>> > distinct record in DNS) cache change happens almost immediately (a
>> > couple of seconds) regardless of how busy the server is.
>> >
>> > Sorry for the long description but I would like to find out a reason
>> > why during switching from wild card to more explicit record dnsmasq
>> > cache update takes such a long time.
>>
>> $ host -t ns org
>> org name server d0.org.afilias-nst.org.
>> org name server b2.org.afilias-nst.org.
>> org name server a0.org.afilias-nst.info.
>> org name server a2.org.afilias-nst.info.
>> org name server b0.org.afilias-nst.org.
>> org name server c0.org.afilias-nst.info.
>> $ host -t ns consul
>> Host consul not found: 3(NXDOMAIN)
>> $
>>
>>
>> _______________________________________________
>> Dnsmasq-discuss mailing list
>> Dnsmasq-discuss at lists.thekelleys.org.uk
>> http://lists.thekelleys.org.uk/mailman/listinfo/dnsmasq-discuss
>>
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.thekelleys.org.uk/pipermail/dnsmasq-discuss/attachments/20200317/6859c15a/attachment.html>
More information about the Dnsmasq-discuss
mailing list