[ previous ] [ next ] [ threads ]
 From:  Chris Buechler <cbuechler at gmail dot com>
 To:  m0n0wall at lists dot m0n0 dot ch
 Subject:  Re: [m0n0wall] DNS Cache Issues
 Date:  Thu, 16 Dec 2004 17:37:11 -0500
On Thu, 16 Dec 2004 12:46:20 -0600, Michael L. Hardrick <mikeh at tnweb dot com> wrote:
> Greetings All,
> Is there a way to turn off the cache portion of Monowall's
> DNS server.  When we change records, on our external DNS
> server, the local hosts behind the firewall still see the
> old IP addresses and we must reboot the firewall and flush
> dns on the hosts to get them to see the changes.  I like
> the fact that Monowall does dns and will resolve hosts
> that we put in it's table, but rebooting the firewall to
> flush the cache is a pain.

This isn't an issue with dnsmasq (m0n0wall's DNS caching software),
but rather one with all DNS servers.  dnsmasq is just obeying the TTL
on your DNS records, as any DNS server will.  If you want those
changes to be immediate, set the TTL to 0 like is done for dyndns
records.  This has the adverse affect of greatly increasing queries on
your authoritative servers for your domain, but if you're changing
records all the time, that's your only option.

The only reason a reboot in m0n0wall will "fix" that is because it
loses its cache at reboot.  Otherwise it would pick up the cache and
keep using it until the TTL expired.

You'll see the same thing from anywhere else on the internet as well. 
If you have a 1 hour TTL, and change your record after someone starts
browsing your site or whatever, it'll be dead for the next hour until
their DNS server goes to the authoritative source for the domain.

LIke a "dig www.tnweb.com" will come back with the following, the
first time it's tried.
www.tnweb.com.          1H IN A         207.65....

That's an authoritative answer.  After 5 minutes it will come back with
www.tnweb.com.          55M IN A        207.65....

That was served from cache and it's not going to go back to the
authoritative source for another 55 minutes.