Netgate Discussion Forum
OpenVPN DNS TTL

5 Posts 4 Posters 1.3k Views
    Cornelp
    last edited by Oct 11, 2017, 3:14 PM

    So,
    We have approx. 10 remote sites. Each one connects remotely via OpenVPN to our DataCenter. We utilize 2 ISPs, and sometimes 1 ISP goes down. In OpenVPN, we utilize the DNS name for the remote server instead of an IP. When one of our ISPs goes down, we change the DNS entry in GoDaddy from one IP to our secondary ISP IP. GoDaddy TTL is set for 10 mins min.
    When pfSense tries to connect via the DNS name, does pfSense have its own internal TTL, or does it use the GoDaddy TTL that's set for that DNS name?

    Thanks…

      JKnott
      last edited by Oct 11, 2017, 3:22 PM

      DNS results are cached, so until the cache times out, the new address won't be used. The DNS (i.e. GoDaddy) server can control how long the cache time is. Perhaps restarting the pfSense DNS will clear the cache. Of course, any client that has recently accessed the site will also have a cache to clear.

      pfSense running on Qotom mini PC
      i5 CPU, 4 GB memory, 32 GB SSD & 4 Intel Gb Ethernet ports.
      UniFi AC-Lite access point

      I haven't lost my mind. It's around here...somewhere...

        Cornelp
        last edited by Oct 11, 2017, 6:24 PM

        @JKnott:

        DNS results are cached, so until the cache times out, the new address won't be used. The DNS (i.e. GoDaddy) server can control how long the cache time is. Perhaps restarting the pfSense DNS will clear the cache. Of course, any client that has recently accessed the site will also have a cache to clear.

        So pfSense sets the time for this cache, or does it take whatever setting comes from GoDaddy and use that as the cache time it sets itself?
        Thanks…

          kpa
          Oct 11, 2017, 6:53 PM (last edited Oct 11, 2017, 7:01 PM)

          pfSense doesn't set anything on its own where TTLs are concerned; both the resolver (Unbound) and the forwarder (dnsmasq) just follow the TTL values they get from the authoritative servers, either directly or via a forwarder. For example, if a record for your domain is set at a 600-second TTL on the GoDaddy authoritative servers, pfSense is guaranteed to refetch the record after 600 seconds have passed since the previous lookup, if the same record gets requested again.

          There is no such thing as caching records that have their TTLs expired in DNS; it is strictly against the spec.

            johnpoz LAYER 8 Global Moderator
            Oct 11, 2017, 7:30 PM (last edited Oct 11, 2017, 7:34 PM)

            "There is no such thing as caching records that have their TTLs expired in DNS; it is strictly against the spec."

            While I agree with you it's not good practice.. there is such a thing ;) Unbound advanced:

            Minimum TTL for RRsets and Messages
            The Minimum Time to Live for RRsets and messages in the cache. The default is 0 seconds. If the minimum value kicks in, the data is cached for longer than the domain owner intended, and thus less queries are made to look up the data. The 0 value ensures the data in the cache is as the domain owner intended. High values can lead to trouble as the data in the cache might not match up with the actual data anymore.

            dnsmasq supports the same sort of thing, where you can override a min TTL value with something longer.. Say DNS says the TTL is 600, you could make your min TTL 3600, etc.

            But it seems like what the OP is asking is how to use a smaller TTL than what is provided. So the DNS server they are using, GoDaddy, has a min TTL of 10 min they can set.. They would like to set it to something shorter, say 60 seconds..

            Just host their public DNS somewhere else is what I would suggest if you want a shorter TTL. Or look to see what the min TTL value is that they can set in the GoDaddy DNS manager. It might just default to 10 min.. Possibly they allow for a shorter TTL..

            But you can always flush cache entries in Unbound.. See all the flush commands here:
            https://unbound.net/documentation/unbound-control.html

            dnsmasq can do the same thing with just a simple restart.. I don't know if you can just send it a command to clear out specific records like you can with Unbound..

            An intelligent man is sometimes forced to be drunk to spend time with his fools
            If you get confused: Listen to the Music Play
            Please don't Chat/PM me for help, unless mod related
            SG-4860 24.11 | Lab VMs 2.8, 24.11

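The two points made above (kpa: the resolver refetches once the authoritative TTL has passed; johnpoz: a cache-min-ttl floor keeps a record longer than its owner intended, and a flush drops it early) can be seen side by side in a small simulation. This is an added example, not code from pfSense, Unbound or dnsmasq: the hostname, the two server addresses (RFC 5737 documentation ranges standing in for the two ISP addresses), the moment the operator repoints the record and the 60-second retry interval are all constructed. It models the OP's failover: the record moves from the primary to the secondary ISP address at t=100 s, and we ask when a client polling the resolver first receives the new address.

```python
"""Simulated caching resolver with an optional cache-min-ttl floor.

Added example (not pfSense/Unbound/dnsmasq code). All names, addresses and
timestamps below are constructed for illustration.
"""
from dataclasses import dataclass, field
from typing import Callable, Dict, Optional, Tuple

ISP1 = "192.0.2.1"        # constructed: primary ISP address (RFC 5737 range)
ISP2 = "198.51.100.1"     # constructed: secondary ISP address (RFC 5737 range)
NAME = "vpn.example.com"  # constructed hostname the OpenVPN clients connect to
TTL = 600                 # the 10-minute minimum TTL mentioned in the thread
CHANGE_AT = 100.0         # constructed: when the operator repoints the record


@dataclass
class Answer:
    address: str
    ttl: int  # seconds, as published by the authoritative server


def authoritative(name: str, now: float) -> Answer:
    """Constructed authoritative server: ISP1 until CHANGE_AT, then ISP2."""
    return Answer(address=ISP2 if now >= CHANGE_AT else ISP1, ttl=TTL)


@dataclass
class CachingResolver:
    """Serves cached answers until they expire, then refetches upstream.

    cache_min_ttl mirrors Unbound's "Minimum TTL for RRsets and Messages":
    0 honours the owner's TTL exactly; a larger value extends the cache
    lifetime of every record to at least that many seconds.
    """
    upstream: Callable[[str, float], Answer]
    cache_min_ttl: int = 0
    cache: Dict[str, Tuple[str, float]] = field(default_factory=dict)
    upstream_queries: int = 0

    def resolve(self, name: str, now: float) -> str:
        entry = self.cache.get(name)
        if entry is not None and now < entry[1]:
            return entry[0]  # still fresh: answer from cache, no upstream query
        answer = self.upstream(name, now)
        self.upstream_queries += 1
        effective_ttl = max(answer.ttl, self.cache_min_ttl)
        self.cache[name] = (answer.address, now + effective_ttl)
        return answer.address

    def flush(self, name: str) -> None:
        """Same effect as flushing the name via unbound-control: drop the record."""
        self.cache.pop(name, None)


def first_time_new_address(cache_min_ttl: int, flush_at: Optional[float] = None,
                           interval: int = 60, horizon: int = 7200) -> int:
    """Poll the resolver every `interval` seconds (a client retrying its VPN
    connection) and return the first time the secondary address is handed
    back, or -1 if that does not happen within `horizon` seconds."""
    resolver = CachingResolver(upstream=authoritative, cache_min_ttl=cache_min_ttl)
    flushed = False
    for t in range(0, horizon + 1, interval):
        if flush_at is not None and not flushed and t >= flush_at:
            resolver.flush(NAME)  # operator clears the stale entry by hand
            flushed = True
        if resolver.resolve(NAME, t) == ISP2:
            return t
    return -1


if __name__ == "__main__":
    print("TTL honoured (min-ttl 0):       new address at t =", first_time_new_address(0))
    print("cache-min-ttl 3600:             new address at t =", first_time_new_address(3600))
    print("min-ttl 0, flushed at t=120:    new address at t =", first_time_new_address(0, flush_at=120))
```

With the owner's 600-second TTL honoured, the record is refetched exactly when it expires, so the failover takes up to the full TTL; a 3600-second floor stretches that to an hour even though GoDaddy published 600, which is the risk the Unbound documentation quoted above warns about; a flush makes the very next lookup go upstream, which is why flushing (or restarting dnsmasq) is the practical way to beat the TTL during an outage.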
            Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.