Configure a Local DNS Resolver That Only Caches for a Short Period

Solution 1:

Thank you all for your input and suggestions. They directed me to the following solution:

  • Install bind9.
  • Edit /etc/bind/named.conf.options so that the forwarders are blank (so the server doesn't use another caching server's cached records).
  • Set the max-cache-ttl and max-ncache-ttl options to 300 seconds. (reference)
  • Change listen-on-v6 { any; }; to listen-on-v6 { localhost; }; so the server isn't used by other systems. (reference)
  • Edit the system's /etc/resolv.conf to only include nameserver 127.0.0.1 so apps on the server use the new local server.

I restarted bind9 and verified it's working:

dev:~# dig serverfault.com

; <<>> DiG 9.5.1-P2 <<>> serverfault.com
;; global options:  printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 63591
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 2, ADDITIONAL: 0

;; QUESTION SECTION:
;serverfault.com.               IN      A

;; ANSWER SECTION:
serverfault.com.        300     IN      A       69.59.196.212

;; AUTHORITY SECTION:
serverfault.com.        300     IN      NS      ns21.domaincontrol.com.
serverfault.com.        300     IN      NS      ns22.domaincontrol.com.

;; Query time: 190 msec
;; SERVER: 127.0.0.1#53(127.0.0.1)
;; WHEN: Sat Jul 18 03:06:24 2009
;; MSG SIZE  rcvd: 101

TTLs are showing as 300 even though the published TTLs of serverfault.com's records are 3600.
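The steps above describe the edits in prose; the script below is an added example (not part of the original answer) that renders a complete `named.conf.options` block matching those steps and then checks dig output the way the verification at the end of the answer does, by confirming that no cached record carries a TTL above the 300-second cap. The config path, the `listen-on { 127.0.0.1; }` and `allow-query { localhost; }` lines (the answer only mentions the v6 listener) and the two sample dig outputs are constructed for this example; on a real host the rendered block replaces `/etc/bind/named.conf.options` and the check is fed `dig @127.0.0.1 <name>` output.

```shell
#!/bin/sh
# Added example: render the bind9 options from Solution 1 and verify the
# 300 s cache cap against dig output. Paths and sample outputs are constructed.

CACHE_TTL=300

# Write the options block to $1 (on a real host: /etc/bind/named.conf.options).
write_named_conf_options() {
    cat > "$1" <<EOF
options {
    directory "/var/cache/bind";

    // No forwarders: resolve from the roots so we never inherit another
    // resolver's (possibly older) cached records.
    forwarders { };

    // Cap how long positive and negative answers may stay in the cache.
    max-cache-ttl ${CACHE_TTL};
    max-ncache-ttl ${CACHE_TTL};

    // Loopback only, so other systems cannot use (or abuse) this resolver.
    // listen-on/allow-query are additions to the answer's listen-on-v6 edit.
    listen-on { 127.0.0.1; };
    listen-on-v6 { localhost; };
    allow-query { localhost; };
};
EOF
}

# Print the largest TTL among resource records in dig output read from stdin.
# Record lines look like "name.  300  IN  A  192.0.2.10"; comments start with ';'.
max_ttl_in_dig_output() {
    awk '
        /^;/ || NF < 4 { next }                  # skip dig comments, blank lines
        $2 ~ /^[0-9]+$/ && $3 == "IN" {
            if ($2 + 0 > max) max = $2 + 0
        }
        END { print max + 0 }
    '
}

# Succeed (exit 0) only if every record in the dig output on stdin is at or
# below CACHE_TTL, i.e. the resolver really is capping what it hands out.
ttl_within_cap() {
    max=$(max_ttl_in_dig_output)
    [ "$max" -le "$CACHE_TTL" ]
}

# Constructed sample: what a capped resolver returns (mirrors the answer's dig run).
SAMPLE_DIG_OUTPUT='
;; ANSWER SECTION:
example.test.           300     IN      A       192.0.2.10

;; AUTHORITY SECTION:
example.test.           300     IN      NS      ns1.example.test.
;; SERVER: 127.0.0.1#53(127.0.0.1)
'

# Constructed sample: an uncapped answer carrying the publisher's 3600 s TTL.
UNCAPPED_DIG_OUTPUT='
;; ANSWER SECTION:
example.test.           3600    IN      A       192.0.2.10
'

conf=$(mktemp)
write_named_conf_options "$conf"
echo "Rendered options block (install as /etc/bind/named.conf.options):"
cat "$conf"
rm -f "$conf"

if printf '%s\n' "$SAMPLE_DIG_OUTPUT" | ttl_within_cap; then
    echo "sample answer: all TTLs are within ${CACHE_TTL}s"
else
    echo "sample answer: a TTL exceeds ${CACHE_TTL}s"
fi

if printf '%s\n' "$UNCAPPED_DIG_OUTPUT" | ttl_within_cap; then
    echo "uncapped answer: unexpectedly within ${CACHE_TTL}s"
else
    echo "uncapped answer: TTL exceeds ${CACHE_TTL}s, cap is not in effect"
fi
```

The TTL check is worth keeping around after the initial setup: a stray `forwarders` entry or a reverted options file silently brings back hour-long caching, and a periodic `dig @127.0.0.1 <name> | ttl_within_cap` catches that without reading the config.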

Solution 2:

Just make your calls to "dig" use +trace a lot...

Dig will act just like a DNS server and go do full recursion: no caching, no need to know the NS servers ahead of time, and if there is a delegation issue you will find that too.

If it's a Windows program, you can download Bind from here https://www.isc.org/download/ and it contains a dig.exe; on Linux there is usually a BIND tools or maybe named tools package available that will contain dig.

Installing a whole DNS server just to do lookups... insane!

$ dig www.google.com +trace +nodnssec -4

; <<>> DiG 9.11.9 <<>> www.google.com +trace +nodnssec -4
;; global options: +cmd
...

...

google.com.             172800  IN      NS      ns4.google.com.
;; Received 291 bytes from 192.48.79.30#53(j.gtld-servers.net) in 22 ms

www.google.com.         300     IN      A       172.217.10.228
;; Received 59 bytes from 216.239.32.10#53(ns1.google.com) in 30 ms