[Dnsmasq-discuss] TTL in nested wild card CNAME

Sasha Litvak alexander.v.litvak at gmail.com
Tue Mar 17 14:12:58 GMT 2020


Geert,

Just in case,  .consul is not a registered domain name.  It is assigned
with Hashicorp consul service discovery product and is internal to us.
Whence forwarders.

On Tue, Mar 17, 2020, 9:08 AM Sasha Litvak <alexander.v.litvak at gmail.com>
wrote:

> Geert,
>
> What is the meaning of this?
>
> On Tue, Mar 17, 2020, 1:48 AM Geert Stappers <stappers at stappers.nl> wrote:
>
>> On Mon, Mar 16, 2020 at 08:31:17PM -0500, Sasha Litvak wrote:
>> > I couldn't find a specific answer anywhere so hopefully someone has a
>> > clue on this list
>> >
>> > We are using dnsmasq on our servers as a caching dns solution.
>> >
>> > Most of our domains are resolved by a wildcard record like this
>> >
>> > $TTL 3600       ; 1 hour
>> >                         A       10.10.10.23
>> > $ORIGIN example.net.
>> > *                       CNAME   excontainers
>> > excontainers    CNAME   exservice.service.consul
>> >
>> > dnsmasq handles resolution of .consul domain directly but the DNS
>> > server itself also forwards .consul to consul servers.
>> >
>> > I added min-ttl 5s to decrease the number of queries to consul
>> >
>> > So when I do dig foo.example.net  @127.0.0.1 I get
>> >
>> > foo.example.net. 3600 IN CNAME excontainers.example.net.
>> > excontainers.example.net. 3600 IN CNAME exservice.service.consul.
>> > exservice.service.consul. 5 IN A 10.0.48.13
>> >
>> > Now we often need to migrate subdomains by pointing them to a
>> > different consul cluster.  So our script uses nsupdate and creates a
>> > dynamic DNS record resulting in this reply
>> >
>> > foo.example.net. 60 IN CNAME  exservice2.service.consul.
>> >  exservice2.service.consul. 5 IN A 10.0.48.35
>> >
>> > So we have a record that is more explicit and it takes precedence over
>> > wild card.   On servers with little traffic, domain switch happens
>> > within a few seconds, but on the main busy server with 100s of queries
>> > a second, it takes an hour for dnsmasq to change its cache.  We see
>> > dnsmasq sending requests to the DNS server getting correct new records
>> > but still sending the old cached records to a client.
>> >
>> > When we are going back from distinct to default wild card (removing
>> > distinct record in DNS) cache change happens almost immediately (a
>> > couple of seconds) regardless of how busy the server is.
>> >
>> > Sorry for the long description but I would like to find out a reason
>> > why during switching from wild card to more explicit record dnsmasq
>> > cache update takes such a long time.
>>
>> $ host -t ns org
>> org name server d0.org.afilias-nst.org.
>> org name server b2.org.afilias-nst.org.
>> org name server a0.org.afilias-nst.info.
>> org name server a2.org.afilias-nst.info.
>> org name server b0.org.afilias-nst.org.
>> org name server c0.org.afilias-nst.info.
>> $ host -t ns consul
>> Host consul not found: 3(NXDOMAIN)
>> $
>>
>>
>> _______________________________________________
>> Dnsmasq-discuss mailing list
>> Dnsmasq-discuss at lists.thekelleys.org.uk
>> http://lists.thekelleys.org.uk/mailman/listinfo/dnsmasq-discuss
>>
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.thekelleys.org.uk/pipermail/dnsmasq-discuss/attachments/20200317/6859c15a/attachment.html>


More information about the Dnsmasq-discuss mailing list