Wandering Thoughts archives


Why negative DNS caching is necessary

DNS software in general has two forms of caching, which I've seen called 'positive' and 'negative'. Positive entries hold actual answers obtained from authoritative servers (theoretically, see Dan Kaminsky's DNS attack), while negative entries mark names that (theoretically) don't exist. Positive entries are cached for their TTL value; negative entries don't have a TTL of their own, but more or less inherit one from the zone's SOA record.

(The details are complicated.)

Negative caching matters because it creates yet another block on rapidly updating your zone. Even if you control all of the primary and secondary nameservers and can update them on command, you may need to wait the negative cache TTL duration before you can be sure that everyone can see a newly created DNS name. (This is most likely to happen if somehow the name has accidentally been published before you've created it, so that people have started doing queries for it.)

One might reasonably ask why negative caching is necessary at all. The short answer is 'domain search paths'; many systems (okay, at least many Unix systems) can be configured so that they look up simple hostnames in more than one DNS domain. The existence of search paths means that you can make a lot of queries for names that don't exist, as you look up the hostname in each of your search domains until you finally find the one it's in (or you fall off the end and do a rooted DNS query).

(Negative caching is also important when you're using a DNS blocklist, because hopefully most of your queries are for things that aren't listed.)
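As an added illustration (not code from the original post), here is a toy resolver cache in Python that derives the negative TTL from a constructed SOA the way RFC 2308 does (the lesser of the SOA's TTL and its MINIMUM field) and counts how many upstream queries a two-domain search path generates for a hostname that only exists in the second domain, with and without negative caching. The zone names, records and SOA values are made-up sample data.

```python
# Constructed zone data (assumed names, not from the post): zone -> (SOA TTL, SOA MINIMUM)
ZONE_SOA = {".": (86400, 3600), "corp.example.": (3600, 900), "lab.example.": (3600, 7200)}
# Constructed positive records: owner name -> (rdata, TTL)
RECORDS = {"web.lab.example.": ("192.0.2.10", 300)}


def zone_of(name):
    """Longest configured zone that the name falls under ('.' catches everything)."""
    return max((z for z in ZONE_SOA if name.endswith(z)), key=len)


def negative_ttl(zone):
    """RFC 2308 section 5: a negative answer is cached for min(SOA TTL, SOA MINIMUM)."""
    soa_ttl, minimum = ZONE_SOA[zone]
    return min(soa_ttl, minimum)


class Cache:
    def __init__(self, negative_caching=True):
        self.negative_caching = negative_caching
        self.entries = {}            # name -> (answer or None for NXDOMAIN, expiry time)
        self.upstream_queries = 0

    def lookup(self, name, now):
        hit = self.entries.get(name)
        if hit is not None and hit[1] > now:
            return hit[0]                      # served from cache (positive or negative)
        self.upstream_queries += 1             # cache miss: ask the authoritative server
        if name in RECORDS:
            rdata, ttl = RECORDS[name]
            self.entries[name] = (rdata, now + ttl)
            return rdata
        if self.negative_caching:              # NXDOMAIN: remember the non-existence too
            self.entries[name] = (None, now + negative_ttl(zone_of(name)))
        return None


def resolve(cache, hostname, search, now):
    """Try the bare hostname in each search domain, then fall back to a rooted query."""
    for domain in search:
        answer = cache.lookup(f"{hostname}.{domain}", now)
        if answer is not None:
            return answer
    return cache.lookup(hostname + ".", now)


def upstream_queries_for(n, negative_caching):
    """Resolve 'web' n times, one second apart, with search path corp.example then lab.example."""
    cache = Cache(negative_caching)
    for second in range(n):
        assert resolve(cache, "web", ["corp.example.", "lab.example."], second) == "192.0.2.10"
    return cache.upstream_queries
```

With negative caching off, every one of the 100 lookups re-asks the authoritative server about the nonexistent web.corp.example, so the upstream count is 101; with it on, both the NXDOMAIN and the positive answer are cached after the first round and the count stays at 2.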

sysadmin/WhyNegativeDNSCaching written at 00:50:22
