TechnitiumSoftware / DnsServer

Technitium DNS Server
https://technitium.com/dns/
GNU General Public License v3.0

Cached entry loses IP address after expiry #72

Closed malix0 closed 5 years ago

malix0 commented 5 years ago

Hi,

as you can see from the attached image, the cached entry lost its IP address. I don't know exactly when it happens, but randomly my browser (this is the address of our internal proxy) gave me a page not found error, and then I need to delete the cached entry. I suspect this happens when the record expires and the PC is not connected to the network, but I'm not sure.


ShreyasZare commented 5 years ago

Thanks for the feedback. What you are seeing here is a cached entry for a failure record (negative caching). That is, the DNS server found that the "proxy.eng.it" domain does not exist and it has cached this result so that the DNS server does not need to check with the "eng.it" name servers frequently.

You can check that the domain is indeed non existent with this tool: https://dnsclient.net/#Recursive%20Query%20(recursive-resolver)/proxy.eng.it/A/UDP

The authoritative server returns an SOA record in response for that query with "Minimum": 86400. This minimum value is in seconds and is used to cache the failure record (negative caching).

If this is your internal DNS server then you need to create a stub zone in Technitium DNS Server so that the internal server is queried for that domain name. Check the help topics for conditional forwarding to create this stub zone.

malix0 commented 5 years ago

Hi,

thank you for your prompt reply. I forgot to mention that I configured my internal DNS IP as a forwarder in Settings. I confirm that the cached record loses its IP address when it expires and the PC is not connected to the network. I tested it by sending the PC to sleep 2 minutes before the record expired and turning it on after it had expired, and then the IP address was lost. If the PC is connected to the network, the record expires and the IP is renewed; otherwise, when the PC is disconnected and the cached entry expires, the IP is lost and it will never renew until it is deleted from the cache.

ShreyasZare commented 5 years ago

Thanks for the details. Do you have your internal DNS set as the only forwarder or do you have another forwarder too configured with the internal one?

I would suggest you try using the built-in DNS Client tool to directly query your internal server in between to see if there is any inconsistency.

You can also test this with some other domain name not hosted on the internal DNS and see if you can find the same pattern.

If the DNS server receives NameError in response then it will overwrite any valid IP address in the cache with a negative cache entry with 24hr expiry as per the SOA minimum value, and it won't refresh the cache till the negative entry expires. This is the only way you could lose the IP address, since the record you showed in the screenshot with empty "rData" only occurs for negative cache entries.

Also, all the cached entries are kept for 7 days even after they expire for the serve-stale feature. This feature will use expired cache entries to respond to queries in case the server is unable to connect with authoritative name servers or forwarders for any reason.

malix0 commented 5 years ago

I have another forwarder, 8.8.8.8, otherwise when I'm outside the local network I can't resolve internet domains. I will try your suggestion and let you know.

ShreyasZare commented 5 years ago

Well, that is the issue with the forwarder configuration. When the DNS Server queries 8.8.8.8, it gets a response that says the domain is non-existent and so the cache entry is overwritten with a negative cache entry.

Just set the forwarder to 8.8.8.8, and for the DNS server to be able to resolve internal domain names, you need to create stub zones for conditional forwarding in the DNS server as I mentioned earlier.
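To make the cache behaviour described in the two replies above concrete, here is a small added simulation (not code from the Technitium project) of a forwarding resolver: a valid A record is overwritten by a negative entry when a public forwarder answers NXDOMAIN with SOA Minimum 86400, expired entries are still served for 7 days when the upstream is unreachable, and a conditional-forwarding (stub zone) entry for "eng.it" keeps the internal name away from the public forwarder. The upstream functions and the round-robin choice of forwarder are constructed assumptions for the demonstration.

```python
from dataclasses import dataclass

NXDOMAIN = "NameError"        # RCODE for a non-existent name
STALE_KEEP = 7 * 24 * 3600    # expired entries are kept this long for serve-stale

@dataclass
class CacheEntry:
    rdata: list               # IP addresses; empty for a negative entry (the empty "rData" in the screenshot)
    expires: float
    negative: bool = False

class Resolver:
    def __init__(self, forwarders, conditional=None):
        self.forwarders = forwarders          # upstream callables; any of them may answer a query
        self.conditional = conditional or {}  # zone -> upstream: the stub zone / conditional-forwarding fix
        self.cache, self._rr = {}, 0

    def _upstream_for(self, name):
        for zone, upstream in self.conditional.items():
            if name == zone or name.endswith("." + zone):
                return upstream               # only the zone's own server is asked
        upstream = self.forwarders[self._rr % len(self.forwarders)]
        self._rr += 1                         # round-robin stands in for "whichever forwarder answers"
        return upstream

    def resolve(self, name, now):
        entry = self.cache.get(name)
        if entry and now < entry.expires:
            return entry                      # fresh cache hit
        reply = self._upstream_for(name)(name)   # (rcode, rdata, ttl), or None if unreachable
        if reply is None:                     # serve-stale: reuse the expired entry for up to 7 days
            return entry if entry and now - entry.expires < STALE_KEEP else None
        rcode, rdata, ttl = reply
        if rcode == NXDOMAIN:                 # overwrites any valid address with a negative entry
            entry = CacheEntry([], now + ttl, negative=True)
        else:
            entry = CacheEntry(rdata, now + ttl)
        self.cache[name] = entry
        return entry

# Constructed upstreams mirroring the DNS Client output in this thread (not real servers)
def internal_dns(name):
    return ("NoError", ["192.168.10.1"], 600) if name == "proxy.eng.it" else (NXDOMAIN, [], 3600)
def google_dns(name):
    return (NXDOMAIN, [], 86400)              # public resolver: NXDOMAIN, SOA Minimum 86400 (24 h)

def run(conditional):
    r = Resolver([internal_dns, google_dns], conditional)
    first = r.resolve("proxy.eng.it", now=0)      # internal server answers: 192.168.10.1
    second = r.resolve("proxy.eng.it", now=700)   # TTL 600 expired; the other forwarder answers
    return first.rdata, second.rdata, second.negative
```

`run({})` reproduces the reported symptom (second lookup returns an empty, negative entry), while `run({"eng.it": internal_dns})` shows the stub-zone configuration keeping the address.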

malix0 commented 5 years ago

Hi, I tried to resolve proxy.eng.it using the built-in DNS Client tool from 3 servers: "This Server", "Recursive Query" and "Google (8.8.8.8)"; the results are shown below:

"This Server"
{
  "Metadata": {
    "NameServer": "masfidanw:53 (127.0.0.1:53)", "Protocol": "Udp",
    "DatagramSize": "46 bytes", "RoundTripTime": "1 ms"
  },
  "Header": {
    "Identifier": 54329, "IsResponse": true, "OPCODE": "StandardQuery",
    "AuthoritativeAnswer": false, "Truncation": false,
    "RecursionDesired": true, "RecursionAvailable": true, "Z": 0,
    "AuthenticData": false, "CheckingDisabled": false,
    "RCODE": "NoError",
    "QDCOUNT": 1, "ANCOUNT": 1, "NSCOUNT": 0, "ARCOUNT": 0
  },
  "Question": [ { "Name": "proxy.eng.it", "Type": "A", "Class": "IN" } ],
  "Answer": [
    {
      "Name": "proxy.eng.it", "Type": "A", "Class": "IN",
      "TTL": "461 (7 mins 41 sec)", "RDLENGTH": "4 bytes",
      "RDATA": { "IPAddress": "192.168.10.1" }
    }
  ],
  "Authority": [],
  "Additional": []
}

"Recursive Query"
{
  "Metadata": {
    "NameServer": "dns2.fastweb.it:53 (213.140.2.21:53)", "Protocol": "Udp",
    "DatagramSize": "81 bytes", "RoundTripTime": "33,05 ms"
  },
  "Header": {
    "Identifier": 8438, "IsResponse": true, "OPCODE": "StandardQuery",
    "AuthoritativeAnswer": true, "Truncation": false,
    "RecursionDesired": false, "RecursionAvailable": true, "Z": 0,
    "AuthenticData": false, "CheckingDisabled": false,
    "RCODE": "NameError",
    "QDCOUNT": 1, "ANCOUNT": 0, "NSCOUNT": 1, "ARCOUNT": 0
  },
  "Question": [ { "Name": "proxy.eng.it", "Type": "A", "Class": "IN" } ],
  "Answer": [],
  "Authority": [
    {
      "Name": "eng.it", "Type": "SOA", "Class": "IN",
      "TTL": "3600 (1 hour)", "RDLENGTH": "39 bytes",
      "RDATA": {
        "MasterNameServer": "dns.eng.it", "ResponsiblePerson": "postmaster.eng.it",
        "Serial": 2019072600, "Refresh": 3600, "Retry": 1800,
        "Expire": 2419200, "Minimum": 86400
      }
    }
  ],
  "Additional": []
}

"Google (8.8.8.8)"
{
  "Metadata": {
    "NameServer": "dns.google:53 (8.8.8.8:53)", "Protocol": "Udp",
    "DatagramSize": "81 bytes", "RoundTripTime": "21,77 ms"
  },
  "Header": {
    "Identifier": 38006, "IsResponse": true, "OPCODE": "StandardQuery",
    "AuthoritativeAnswer": false, "Truncation": false,
    "RecursionDesired": true, "RecursionAvailable": true, "Z": 0,
    "AuthenticData": false, "CheckingDisabled": false,
    "RCODE": "NameError",
    "QDCOUNT": 1, "ANCOUNT": 0, "NSCOUNT": 1, "ARCOUNT": 0
  },
  "Question": [ { "Name": "proxy.eng.it", "Type": "A", "Class": "IN" } ],
  "Answer": [],
  "Authority": [
    {
      "Name": "eng.it", "Type": "SOA", "Class": "IN",
      "TTL": "1666 (27 mins 46 sec)", "RDLENGTH": "39 bytes",
      "RDATA": {
        "MasterNameServer": "dns.eng.it", "ResponsiblePerson": "postmaster.eng.it",
        "Serial": 2019072600, "Refresh": 3600, "Retry": 1800,
        "Expire": 2419200, "Minimum": 86400
      }
    }
  ],
  "Additional": []
}

ShreyasZare commented 5 years ago

Thanks for the details. The issue is caused just by having your internal DNS set as a forwarder alongside Google DNS. Removing the internal DNS from the forwarders list will fix it.

malix0 commented 5 years ago

I tried to remove the local DNS from the forwarders, but in this way I can't resolve the internal addresses anymore.

ShreyasZare commented 5 years ago

> I tried to remove the local DNS from the forwarders, but in this way I can't resolve the internal addresses anymore

You need to use the conditional forwarding feature to resolve internal domain names. You cannot use the forwarder setting to do it. See this link to learn how to do conditional forwarding: https://technitium.com/dns/help.html#conditional-forwarding

ShreyasZare commented 5 years ago

@malix0 were you able to get it configured correctly?

ShreyasZare commented 5 years ago

Closing this issue since it's a misconfiguration.