OpenVPN DNS TTL

Cornelp · Oct 11, 2017, 3:14 PM

So,
We have approx. 10 remote sites. Each one connects remotely via OpenVPN to our DataCenter. We utilize 2 ISPs, and sometimes 1 ISP goes down. In OpenVPN, we ulitize the DNS Name for remote server instead of an IP. When one of our ISPs goes down, we change the DNS Entry in GoDaddy from one IP to our secondary ISP IP. GoDaddy TTL is set for 10 mins min.
When PfSense tries to connect via the DNS Name, does PFSense have its own Internal TTL, or does it use the GoDaddy TTL that's set for that DNS Name?

Thanks…

JKnott · Oct 11, 2017, 3:22 PM

DNS results are cached, so until the cache times out, the new address won't be used. The DNS i.e GoDaddy server can control how long the cache time is. Perhaps restarting the pfSense DNS will clear the cache. Of course, any client that has recently accessed the site will also have a cache to clear.

Cornelp · Oct 11, 2017, 6:24 PM

@JKnott:

DNS results are cached, so until the cache times out, the new address won't be used. The DNS i.e GoDaddy server can control how long the cache time is. Perhaps restarting the pfSense DNS will clear the cache. Of course, any client that has recently accessed the site will also have a cache to clear.

So PfSense sets the time for this cache, or it takes whatever settings comes from GoDaddy and that's the cache that it sets itself?
Thanks…

kpa · Oct 11, 2017, 7:01 PM

PfSense doesn't set anything on its own when TTLs are concerned, both the resolver (Unbound) and forwarder (dnsmasq) just follow the TTL values they get from the authoritative servers either directly or via a forwarder. For example if a record for your domain is set at 600 seconds TTL on the godaddy authoritative servers pfSense is guaranteed to refetch the record after 600 seconds has passed from the previous look up if the same record gets requested again.

There is no such thing as caching records that have their TTLs expired in DNS, it is stricly against the spec.

johnpoz · Oct 11, 2017, 7:34 PM

"There is no such thing as caching records that have their TTLs expired in DNS, it is stricly against the spec."

While I agree with you its not good practice.. there is such a thing ;) Unbound advanced

Minimum TTL for RRsets and Messages
The Minimum Time to Live for RRsets and messages in the cache. The default is 0 seconds. If the minimum value kicks in, the data is cached for longer than the domain owner intended, and thus less queries are made to look up the data. The 0 value ensures the data in the cache is as the domain owner intended. High values can lead to trouble as the data in the cache might not match up with the actual data anymore.

dnsmasq support the same sort of thing where you can overwrite a min ttl value with something long.. Say dns says TTL is 600, you could make your min TTL 3600, etc.

But seems like what the OP is asking is how to use a smaller TTL than what is provided. So the DNS server they are using "godday" has a min TTL of 10 min they can set.. They would like to set it to something shorter, say 60 seconds..

Just host their public dns somewhere else is what I would suggest if you want a shorter ttl. Or look to see what the min TTL value they can set in the godaddy dns manager. It might just default to 10 min.. Possible they allow for shorter TTL..

But you can always flush cache entries in unbound.. See all the flush command here
https://unbound.net/documentation/unbound-control.html

dnsmaq can do the same thing with just a simple restart.. I don't know if you can just send it a command to clear out specific records like you can with unbound..