Strange DNS resolution behavior?



  • Hi people.

    I have pfSense 2.0.1 nano with the DNS forwarder enabled.

    I changed the ISP at our company and we needed to wait a couple of days for DNS updates. Well, the strange thing was that, after a couple of days, I tested our DNS on my pfSense box:

    ns1…, ns2..., ns2...

    And at the pfSense console it gave me back the new IP fine, but on some clients, when I tried to access our company web email with Firefox or Internet Explorer, those still pointed to the old IP. They have pfSense as DNS/gateway.

    I opened cmd and tested with nslookup, and the 3 queries gave me my new IP.

    My question is: why do the browsers still point to the old IP? They query my pfSense box.

    Right now they are working, but this question is in my head.

    Thanks!!!


  • Rebel Alliance Global Moderator

    "I changed the ISP at our company and we needed to wait a couple of days for DNS updates"

    Why do you think you needed to wait a couple of days?  What was the TTL of your record?  Did it take days for your registrar to point to your new DNS?

    There seems to be this misconception that DNS takes days to update; sorry, but this is just not the case.  Records changed on a name server are instant.  Most registrars update the roots in a few hours.  There is no reason you're waiting days other than not understanding TTLs; if you were going to change your name servers or records, then you should have lowered your TTLs before doing such a thing and you would not have to worry about what is cached.

    Here is the thing: whatever name server you're checking is probably caching, your local machine caches, and your browser even caches.  So you need to understand what your TTL is for both the NS records for your domain and any records you're serving, etc., and then where they might be cached.

    Flush your cache, do a query directly to the owning server of your domain, etc.  What registrar are you with?  I have never seen one take days to update.



    "There seems to be this misconception that DNS takes days to update; sorry, but this is just not the case.  Records changed on a name server are instant.  Most registrars update the roots in a few hours.  There is no reason you're waiting days other than not understanding TTLs; if you were going to change your name servers or records, then you should have lowered your TTLs before doing such a thing and you would not have to worry about what is cached."

    Well, that is the message you see when you change your settings with the company you are registered with.

    Right now everything is normal, but that is what I detected. I tried flushing locally and even on pfSense.

    But thanks for your info!!!


  • Rebel Alliance Global Moderator

    Because they cater to USERS ;)  And it depends on the company what they say in their help.

    "I tried flushing locally and even on pfSense."

    And what about your browser, did you restart it?  Flushing means nothing if you don't understand what you're doing the query against.  If you have pfSense pointed to your ISP, which also caches, flushing your pfSense does nothing.

    But like I said, you could always query the OWNING NS directly; then it does not even matter if the roots have been updated or not.  It's your domain, you know which NS are authoritative for your domain, don't you?



  • Of course I know what NS I have. I tried different things on the client side, but right now it is working.
    Thanks for your info, guys!!!


  • Rebel Alliance Global Moderator

    "I tried different things on the client side"

    Like a simple query to your authoritative NS for your domain?  This would return the correct record instantly!  Unless you had not changed it on the NS.

    It does not matter whether your registrar has pointed to your new NS yet or not.  If you know what the NS are for your domain, you can always query them directly from the client, be it with dig or nslookup.
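The advice in the moderator's posts above (ask the authoritative name server directly with recursion off, read the TTL the zone actually serves, and work out how long each caching layer in between may keep the old answer) can be done by hand with `dig @ns1.yourdomain.example mail.yourdomain.example A +norecurse`, but the added example below shows the same thing at the protocol level in plain Python. It is not pfSense code and not code from anyone in this thread; `mail.example.com`, `192.0.2.10`, the 0x1234 query ID and the canned authoritative reply are constructed for illustration so the walk-through runs offline, and `query_server()` is the network version you would point at your real NS.

```python
"""Raw DNS A-record query/answer helpers: ask one specific name server
directly with RD=0, read the TTL it returns, and compute when a cache that
fetched that record would finally stop handing out the stale copy.

Added example, not pfSense's or the forum posters' code. Names, addresses
and the canned reply are constructed (RFC 2606 / RFC 5737 test values)."""
import socket
import struct
import time

QTYPE_A, QCLASS_IN = 1, 1


def encode_name(name):
    """'mail.example.com' -> b'\\x04mail\\x07example\\x03com\\x00'"""
    labels = [l.encode("ascii") for l in name.rstrip(".").split(".")]
    return b"".join(bytes([len(l)]) + l for l in labels) + b"\x00"


def build_query(name, qid=0x1234, recursion_desired=False):
    """Build a DNS query. RD=0 is what you want against an authoritative
    server: it must answer from its own zone data, not from any cache."""
    flags = 0x0100 if recursion_desired else 0x0000
    header = struct.pack("!HHHHHH", qid, flags, 1, 0, 0, 0)
    return header + encode_name(name) + struct.pack("!HH", QTYPE_A, QCLASS_IN)


def read_name(msg, offset):
    """Decode a possibly compressed name (RFC 1035 4.1.4); return (name, next_offset)."""
    labels, end, jumped = [], None, False
    while True:
        length = msg[offset]
        if length & 0xC0 == 0xC0:                       # compression pointer
            if not jumped:
                end = offset + 2
            offset = struct.unpack("!H", msg[offset:offset + 2])[0] & 0x3FFF
            jumped = True
            continue
        offset += 1
        if length == 0:
            break
        labels.append(msg[offset:offset + length].decode("ascii"))
        offset += length
    return ".".join(labels), (end if jumped else offset)


def parse_response(msg):
    """Return the header bits that matter here (id, AA flag, rcode) plus
    the A records from the answer section with their TTLs."""
    qid, flags, qd, an, _ns, _ar = struct.unpack("!HHHHHH", msg[:12])
    info = {"id": qid, "aa": bool(flags & 0x0400), "rcode": flags & 0x000F, "answers": []}
    offset = 12
    for _ in range(qd):                                  # skip the question(s)
        _, offset = read_name(msg, offset)
        offset += 4                                      # qtype + qclass
    for _ in range(an):
        name, offset = read_name(msg, offset)
        rtype, rclass, ttl, rdlen = struct.unpack("!HHIH", msg[offset:offset + 10])
        offset += 10
        rdata, offset = msg[offset:offset + rdlen], offset + rdlen
        if rtype == QTYPE_A and rclass == QCLASS_IN and rdlen == 4:
            info["answers"].append({"name": name, "ttl": ttl, "address": socket.inet_ntoa(rdata)})
    return info


def build_response(query, address, ttl):
    """Constructed authoritative reply to `query`: QR=1, AA=1, one A record
    whose name is a pointer to the question. Exists only so this runs offline."""
    qid = struct.unpack("!H", query[:2])[0]
    header = struct.pack("!HHHHHH", qid, 0x8400, 1, 1, 0, 0)
    question = query[12:]
    answer = struct.pack("!HHHIH", 0xC00C, QTYPE_A, QCLASS_IN, ttl, 4) + socket.inet_aton(address)
    return header + question + answer


def query_server(name, server_ip, timeout=3.0):
    """Ask `server_ip` directly over UDP/53 with RD=0 (needs network)."""
    q = build_query(name)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(q, (server_ip, 53))
        data, _ = s.recvfrom(512)
    info = parse_response(data)
    if info["id"] != struct.unpack("!H", q[:2])[0]:
        raise ValueError("answer ID does not match query")
    return info


def stale_until(info, fetched_at):
    """Latest moment a cache that stored `info` at `fetched_at` may still
    serve it: fetched_at + largest TTL. This is why you lower TTLs before a move."""
    return fetched_at + max((a["ttl"] for a in info["answers"]), default=0)


if __name__ == "__main__":
    # Offline walk-through with the constructed reply; use query_server() live.
    q = build_query("mail.example.com")
    r = parse_response(build_response(q, "192.0.2.10", ttl=86400))
    print("authoritative answer:", r["aa"], r["answers"])
    print("a resolver that cached this now may serve it until",
          time.ctime(stale_until(r, time.time())))
```

Run `query_server("mail.yourdomain", "<ip of your ns1>")` against each listed NS: an answer with `aa` set and the new address means the zone is right and whatever still shows the old IP (pfSense's forwarder, the ISP resolver it forwards to, the Windows resolver cache, or the browser's own cache) is simply serving a copy whose TTL has not run out yet. The `stale_until` value from the old record's TTL tells you the worst case for each of those layers.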



  • Sounds like they need a systems administrator on site.


Locked