[dnsdist] force backend lookup for specific query name

Lucas Rolff lucas at lucasrolff.com
Fri Jun 25 19:42:58 UTC 2021

Hi guys,

I use dnsdist as a protection layer in front of my DNS servers, where I use the packet cache in dnsdist and allow things to be cached up to 5 minutes:
pc = newPacketCache(500000, {maxTTL=300, minTTL=0, temporaryFailureTTL=60, staleTTL=60, dontAge=true, maxNegativeTTL=30})

This works perfectly fine, and I have a decent cache hit ratio with normal traffic patterns, and obviously a lot higher during high QPS.

Now, the issue is, I have things like Let's Encrypt which does DNS validation by doing a TXT query to _acme-challenge.<domain> and expects a certain value. However, the value might have been cached previously, meaning it returns the incorrect value for the domain, and thus the validation fails.

Is there any “easy” way to basically disable the packet cache for specific query names (ideally wildcarding the domain part of it), so it always causes a query to the backend/upstream servers?

For all queries a 5 min TTL is perfectly fine, but for _acme-challenge TXT lookups, I want this to be either not cached at all, or the cache time to be something like 5 seconds instead.

Best Regards,
Lucas Rolff
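One way to do what the post asks for, written as an added example in dnsdist's Lua configuration language (this is not code from the post or from the dnsdist project; it assumes dnsdist 1.3 or later, where the DNSQType table, RegexRule, AndRule and SkipCacheAction are all documented). It keeps the poster's packet cache settings and attaches a rule that bypasses the cache only for TXT queries whose first label is _acme-challenge, whatever the domain:

```lua
-- Packet cache with the settings from the post, attached to the default pool.
-- Everything below the first statement is added example configuration.
pc = newPacketCache(500000, {maxTTL=300, minTTL=0, temporaryFailureTTL=60,
                             staleTTL=60, dontAge=true, maxNegativeTTL=30})
getPool(""):setCache(pc)

-- Match TXT queries for _acme-challenge.<anything>.
-- RegexRule is applied to the query name as a string (with its trailing dot)
-- and is case-insensitive, so "^_acme-challenge\." wildcards the domain part.
-- The doubled backslash is Lua string escaping for a literal backslash.
acmeRule = AndRule({
    QTypeRule(DNSQType.TXT),
    RegexRule("^_acme-challenge\\."),
})

-- SkipCacheAction makes dnsdist neither look the query up in the packet cache
-- nor store the backend's answer, so every ACME validation query reaches the
-- backend. All other queries keep the 5-minute cache configured above.
-- (dnsdist 1.6 also accepts the newer name SetSkipCacheAction.)
addAction(acmeRule, SkipCacheAction())
```

Validate the file with `dnsdist --check-config -C /path/to/dnsdist.conf`, then send the same `dig TXT _acme-challenge.example.com` twice through dnsdist and confirm from the console with `getPool(""):getCache():printStats()` that the hit counter does not increase, while a repeated A query for the same zone does get a cache hit. One caveat worth weighing: any name matching the rule now always hits the backend, so a flood of `_acme-challenge.*` TXT queries bypasses the cache entirely; if that is a concern, pair the rule with the rate limiting dnsdist already offers rather than relying on the cache alone.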