[dnsdist] Cache, chrome and dns tunneling

Remi Gacogne remi.gacogne at powerdns.com
Mon May 7 15:19:21 UTC 2018

Hi Nico, Daniel,

On 05/07/2018 04:29 PM, Nico wrote:
> As Daniel Stirnimann mentioned, I also think the issue is about negative
> caching TTL.

Thanks a lot for reporting this!

dnsdist uses the minimum TTL of the records contained in the response
when adding an entry to the cache, capped by the maximum TTL setting.
For negative answers like these, the TTL of the SOA record will be
used, and as you noticed it's 86400 s, which is a whole day.

I guess we need a negative TTL setting in dnsdist's packet cache.
It's a bit tricky for NODATA answers, but since we already do some kind
of parsing to get the TTLs, we should be able to detect NODATA answers
conforming to RFC 2308.

Does someone want to open a feature request? :)

Kind regards,
Remi Gacogne
PowerDNS.COM BV - https://www.powerdns.com/
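The TTL selection described in the mail, worked through as an added example (this is illustrative code written for this page, not dnsdist's implementation): the minimum record TTL capped by a maximum, plus the missing negative-TTL cap for NXDOMAIN and NODATA responses as RFC 2308 defines them (NODATA = NOERROR, empty answer section, SOA in the authority section). The wire-format builder, the `example.test` names and the TTL values are constructed for the demonstration; the 86400 s SOA TTL mirrors the case in the thread.

```python
"""Cache-TTL selection for DNS responses (added example, not dnsdist code).

Positive answers: min TTL over all records, capped by max_ttl (dnsdist's
existing behaviour as described in the mail).  Negative answers: the RFC 2308
negative TTL, min(SOA TTL, SOA MINIMUM), capped by a separate negative_ttl.
"""
import struct

QTYPE_A, QTYPE_SOA, QTYPE_AAAA = 1, 6, 28
RCODE_NOERROR, RCODE_NXDOMAIN = 0, 3


def encode_name(name):
    """Encode a dotted name as uncompressed DNS labels."""
    out = b""
    for label in name.rstrip(".").split("."):
        if label:
            out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"


def read_name(msg, pos):
    """Decode a possibly compressed name; return (name, position after it)."""
    labels, end, hops = [], None, 0
    while True:
        length = msg[pos]
        if length & 0xC0 == 0xC0:                      # compression pointer
            if end is None:
                end = pos + 2
            pos = struct.unpack("!H", msg[pos:pos + 2])[0] & 0x3FFF
            hops += 1
            if hops > 64:
                raise ValueError("compression pointer loop")
            continue
        pos += 1
        if length == 0:
            break
        labels.append(msg[pos:pos + length].decode("ascii"))
        pos += length
    return ".".join(labels) + ".", (end if end is not None else pos)


def parse_response(msg):
    """Return (rcode, ancount, records); records are (section, type, ttl, rdata)."""
    _id, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", msg[:12])
    pos = 12
    for _ in range(qd):
        _name, pos = read_name(msg, pos)
        pos += 4                                        # QTYPE + QCLASS
    records = []
    for section, count in (("answer", an), ("authority", ns), ("additional", ar)):
        for _ in range(count):
            _name, pos = read_name(msg, pos)
            rtype, _cls, ttl, rdlen = struct.unpack("!HHIH", msg[pos:pos + 10])
            pos += 10
            records.append((section, rtype, ttl, msg[pos:pos + rdlen]))
            pos += rdlen
    return flags & 0x000F, an, records


def soa_minimum(rdata):
    """MINIMUM is the last 32-bit field of SOA RDATA (RFC 1035 3.3.13)."""
    return struct.unpack("!I", rdata[-4:])[0]


def cache_ttl(msg, max_ttl=86400, negative_ttl=3600):
    """Return (kind, ttl); ttl is None when the response should not be cached."""
    rcode, ancount, records = parse_response(msg)
    soas = [(ttl, rd) for sec, t, ttl, rd in records if sec == "authority" and t == QTYPE_SOA]
    is_nxdomain = rcode == RCODE_NXDOMAIN
    is_nodata = rcode == RCODE_NOERROR and ancount == 0 and bool(soas)
    if is_nxdomain or is_nodata:
        kind = "nxdomain" if is_nxdomain else "nodata"
        if not soas:
            return kind, None                           # nothing says how long to cache
        neg = min(min(ttl, soa_minimum(rd)) for ttl, rd in soas)
        return kind, min(neg, negative_ttl)
    if rcode != RCODE_NOERROR or not records:
        return "other", None
    return "positive", min(min(ttl for _, _, ttl, _ in records), max_ttl)


def build_response(qname, qtype, rcode, answers=(), authority=()):
    """Construct a minimal uncompressed response; RR tuples are (name, type, ttl, rdata)."""
    header = struct.pack("!HHHHHH", 0x1234, 0x8180 | rcode, 1, len(answers), len(authority), 0)
    body = encode_name(qname) + struct.pack("!HH", qtype, 1)
    for name, rtype, ttl, rdata in list(answers) + list(authority):
        body += encode_name(name) + struct.pack("!HHIH", rtype, 1, ttl, len(rdata)) + rdata
    return header + body


def soa_rdata(mname, rname, minimum, serial=2018050701, refresh=7200, retry=900, expire=1209600):
    return encode_name(mname) + encode_name(rname) + struct.pack("!IIIII", serial, refresh, retry, expire, minimum)


# Constructed sample packets (not captured traffic); SOA TTL and MINIMUM both 86400 s as in the thread.
SOA = ("example.test.", QTYPE_SOA, 86400, soa_rdata("ns1.example.test.", "hostmaster.example.test.", 86400))
POSITIVE = build_response("www.example.test.", QTYPE_A, RCODE_NOERROR,
                          answers=[("www.example.test.", QTYPE_A, 60, bytes([192, 0, 2, 1]))])
NXDOMAIN = build_response("nope.example.test.", QTYPE_A, RCODE_NXDOMAIN, authority=[SOA])
NODATA = build_response("www.example.test.", QTYPE_AAAA, RCODE_NOERROR, authority=[SOA])

if __name__ == "__main__":
    for label, pkt in (("positive", POSITIVE), ("nxdomain", NXDOMAIN), ("nodata", NODATA)):
        print(label, cache_ttl(pkt), "without negative cap:", cache_ttl(pkt, negative_ttl=86400))
```

With `negative_ttl=86400` the NXDOMAIN and NODATA samples stay cached for the full day the mail complains about; with the default 3600 s cap they drop to an hour while the positive answer is unaffected. A NODATA response without an SOA in the authority section is treated as uncacheable, since nothing in it states a negative TTL.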
