Question
A cached DNS A record in a full resolver expires after the TTL has elapsed. A timer for TTL starts when the full resolve gets an answer from an authoritative name server.
So, how about stub resolvers? How about a full resolver that gets an answer from an upstream full resolver? If a full resolver returns the TTL value of the authoritative answer, a stub resolver will access an old server after the TTL of the authoritative answer (e.g. server relocation).
Result
- Full resolvers return TTL lower than the one in authoritative answer, according to the elapsed time from when the full resolver got an authoritative answer.
- Some full resolvers start TTL count irrelevantly to the TTL of the authoritative answer, but it's relatively small (60-300 seconds).
Examples
For example, the TTL of www.tut.ac.jp
on ns1.tut.ac.jp
(authoritative name server) is 43200.
satob@K690XN:/tmp$ dig www.tut.ac.jp a @ns1.tut.ac.jp ; <<>> DiG 9.16.48-Ubuntu <<>> www.tut.ac.jp a @ns1.tut.ac.jp ;; global options: +cmd ;; Got answer: ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 45864 ;; flags: qr aa rd; QUERY: 1, ANSWER: 1, AUTHORITY: 3, ADDITIONAL: 3 ;; WARNING: recursion requested but not available ;; OPT PSEUDOSECTION: ; EDNS: version: 0, flags:; udp: 4096 ; COOKIE: 945070fcdf30040054d73dfd66097241d24c3e11ae55afa3 (good) ;; QUESTION SECTION: ;www.tut.ac.jp. IN A ;; ANSWER SECTION: www.tut.ac.jp. 43200 IN A 52.156.43.168 ;; AUTHORITY SECTION: tut.ac.jp. 43200 IN NS dns-x.sinet.ad.jp. tut.ac.jp. 43200 IN NS ns0a.tut.ac.jp. tut.ac.jp. 43200 IN NS ns1.tut.ac.jp. ;; ADDITIONAL SECTION: ns1.tut.ac.jp. 43200 IN A 133.15.20.16 ns0a.tut.ac.jp. 43200 IN A 52.156.46.44 ;; Query time: 10 msec ;; SERVER: 133.15.20.16#53(133.15.20.16) ;; WHEN: Sun Mar 31 23:25:05 JST 2024 ;; MSG SIZE rcvd: 184
But when you get an answer from a full resolver, the value of TTL is lower than 43200. (Note that 192.168.233.1 is my full resolver)
satob@K690XN:/tmp$ dig www.tut.ac.jp @192.168.233.1 ; <<>> DiG 9.16.48-Ubuntu <<>> www.tut.ac.jp @192.168.233.1 ;; global options: +cmd ;; Got answer: ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 22876 ;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1 ;; OPT PSEUDOSECTION: ; EDNS: version: 0, flags:; udp: 4096 ;; QUESTION SECTION: ;www.tut.ac.jp. IN A ;; ANSWER SECTION: www.tut.ac.jp. 42992 IN A 52.156.43.168 ;; Query time: 0 msec ;; SERVER: 192.168.233.1#53(192.168.233.1) ;; WHEN: Sun Mar 31 23:26:07 JST 2024 ;; MSG SIZE rcvd: 58
Some full resolvers, for example, Google Public DNS (8.8.8.8), start TTL count from a smaller value (half of the original TTL?)
[cloudshell-user@ip-xx-xx-xx-xx ~]$ dig www.tut.ac.jp a @8.8.8.8 ; <<>> DiG 9.16.48-RH <<>> www.tut.ac.jp a @8.8.8.8 ;; global options: +cmd ;; Got answer: ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 42917 ;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1 ;; OPT PSEUDOSECTION: ; EDNS: version: 0, flags:; udp: 512 ;; QUESTION SECTION: ;www.tut.ac.jp. IN A ;; ANSWER SECTION: www.tut.ac.jp. 21600 IN A 52.156.43.168 ;; Query time: 159 msec ;; SERVER: 8.8.8.8#53(8.8.8.8) ;; WHEN: Sun Mar 31 10:22:49 UTC 2024 ;; MSG SIZE rcvd: 58
AWS's full resolver used in CloudShell (10.0.0.2) returns TTL 300 for most of the queries.
[cloudshell-user@ip-xx-xx-xx-xx ~]$ dig www.tut.ac.jp ; <<>> DiG 9.16.48-RH <<>> www.tut.ac.jp ;; global options: +cmd ;; Got answer: ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 44459 ;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1 ;; OPT PSEUDOSECTION: ; EDNS: version: 0, flags:; udp: 4096 ;; QUESTION SECTION: ;www.tut.ac.jp. IN A ;; ANSWER SECTION: www.tut.ac.jp. 300 IN A 52.156.43.168 ;; Query time: 129 msec ;; SERVER: 10.0.0.2#53(10.0.0.2) ;; WHEN: Sun Mar 31 10:21:22 UTC 2024 ;; MSG SIZE rcvd: 58
Query for some domains served by CDN returns TTL 0. For example, a query for www.ipa.go.jp
returns TTL 0.
satob@K690XN:/tmp$ dig www.ipa.go.jp ; <<>> DiG 9.16.48-Ubuntu <<>> www.ipa.go.jp ;; global options: +cmd ;; Got answer: ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 19943 ;; flags: qr rd ad; QUERY: 1, ANSWER: 9, AUTHORITY: 0, ADDITIONAL: 0 ;; WARNING: recursion requested but not available ;; QUESTION SECTION: ;www.ipa.go.jp. IN A ;; ANSWER SECTION: www.ipa.go.jp. 0 IN CNAME d2aiu9f88m0xez.cloudfront.net. d2aiu9f88m0xez.cloudfront.net. 0 IN A 13.33.174.6 d2aiu9f88m0xez.cloudfront.net. 0 IN A 13.33.174.90 d2aiu9f88m0xez.cloudfront.net. 0 IN A 13.33.174.89 d2aiu9f88m0xez.cloudfront.net. 0 IN A 13.33.174.31 ns-130.awsdns-16.com. 0 IN A 205.251.192.130 ns-1012.awsdns-62.net. 0 IN A 205.251.195.244 ns-1045.awsdns-02.org. 0 IN A 205.251.196.21 ns-1632.awsdns-12.co.uk. 0 IN A 205.251.198.96 ;; Query time: 0 msec ;; SERVER: 172.30.176.1#53(172.30.176.1) ;; WHEN: Mon Apr 01 00:05:29 JST 2024 ;; MSG SIZE rcvd: 329
In the authoritative server, TTL is set to 60. So it looks like some of the resolvers upstream from me rewrite TTL.
satob@K690XN:/tmp$ dig d2aiu9f88m0xez.cloudfront.net a @ns-1012.awsdns-62.net ; <<>> DiG 9.16.48-Ubuntu <<>> d2aiu9f88m0xez.cloudfront.net a @ns-1012.awsdns-62.net ;; global options: +cmd ;; Got answer: ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 8904 ;; flags: qr aa rd; QUERY: 1, ANSWER: 4, AUTHORITY: 4, ADDITIONAL: 1 ;; WARNING: recursion requested but not available ;; OPT PSEUDOSECTION: ; EDNS: version: 0, flags:; udp: 4096 ;; QUESTION SECTION: ;d2aiu9f88m0xez.cloudfront.net. IN A ;; ANSWER SECTION: d2aiu9f88m0xez.cloudfront.net. 60 IN A 13.33.174.6 d2aiu9f88m0xez.cloudfront.net. 60 IN A 13.33.174.90 d2aiu9f88m0xez.cloudfront.net. 60 IN A 13.33.174.89 d2aiu9f88m0xez.cloudfront.net. 60 IN A 13.33.174.31 ;; AUTHORITY SECTION: d2aiu9f88m0xez.cloudfront.net. 172800 IN NS ns-1012.awsdns-62.net. d2aiu9f88m0xez.cloudfront.net. 172800 IN NS ns-1045.awsdns-02.org. d2aiu9f88m0xez.cloudfront.net. 172800 IN NS ns-130.awsdns-16.com. d2aiu9f88m0xez.cloudfront.net. 172800 IN NS ns-1632.awsdns-12.co.uk. ;; Query time: 59 msec ;; SERVER: 205.251.195.244#53(205.251.195.244) ;; WHEN: Mon Apr 01 00:08:22 JST 2024 ;; MSG SIZE rcvd: 260 satob@K690XN:/tmp$ dig d2aiu9f88m0xez.cloudfront.net a @ns-1012.awsdns-62.net