Skip to main content
ede_pfau
SuperUser
ede_pfau
SuperUser
July 3, 2009
Question

Changing session-ttl for DNS (domain/53)

  • July 3, 2009
  • 6 replies
  • 4053 views
I see some hundred sessions from queries to the public nameservers in our DMZ. In order to reduce the number of idling sessions I would like to reduce the ttl for tcp/53, upd/53 from the default 600 s to, say, 100 s. From your experience, is there any adverse side effect for this setting? If the ttl would be too short, NS querys would have to be repeated, increasing the load on the name servers. But I cannot really see how a name query (session) would take more than 100 seconds. Please advise, folks. TIA, Ede

    6 replies

    romanr
    romanr
    New Member
    July 3, 2009
    Hi, there won' t be a problem with shorter dns sessions... but is there a way to change udp session ttl? As I remember it, you can only change tcp session ttl... I would look for the same thing for dns and snmp.... cheers.roman
    ede_pfau
    SuperUser
    ede_pfauAuthor
    SuperUser
    July 3, 2009
    right, TCP only. I will try it out and report if it DOESN' T work out as desired. Thanks, Ede
    abelio
    SuperUser
    abelio
    SuperUser
    July 3, 2009
    ORIGINAL: ede_pfau right, TCP only. I will try it out and report if it DOESN' T work out as desired.
    If you' re using standard DNS implementation, DNS queries are only over 53/UDP; TCP/53 is only for zone transfers, not for DNS queries. If you' ve a lot of dns queries, I would find more interesting why those dns clients are so ' dns chatty' , maybe (i say maybe) there' re some non ' legal' traffic around. regards
    ede_pfau
    SuperUser
    ede_pfauAuthor
    SuperUser
    July 3, 2009
    Hi, sorry long day, not reading properly... right session ttl will only affect zone transfers which are not relevant here. Basically, it is DNS queries from a public WLAN, and of course there is a lot going on which I suspect to be ' undesired' . All queries have destinations on the Internet, not the internal LAN. But if you think ' google maps' , one single click can start more than 20 sessions to the servers (http that is, not dns). Recently nearly 2100 sessions were udp/53 from 3600 sessions total. Anybody any ideas how to cope with these numbers? Ede
    romanr
    romanr
    New Member
    July 4, 2009
    Hi, If you are running public DNS Servers, then 2100 sessions are not really much... It will depend on what information they provide? A customer of mine has 2 public dns servers running in a dmz and the number of udp/53 sessions to these servers varies between 4K and 10K per server... with peaks even above that! And for dns servers this is still not really much... dns servers at ISPs may have 100 times more requests... I would have a look into the logs of the dns servers. If its BIND its easy to have a query log enabled and there you will see what requests come in, and what answers you server provides.... cheers.roman
    ede_pfau
    SuperUser
    ede_pfauAuthor
    SuperUser
    July 5, 2009
    Hi Roman, the DMZ nameservers hold about 15 names only, namely the servers in the DMZ which should be known to the public. I am not an expert for DNS but when these nameservers are asked for non-DMZ host names they have to refer the query to the providers' nameserver, and that is what I see in the session table - outgoing upd/53 sessions to nameservers on the Net. What worries me is the high percentage of these sessions in comparison to all firewall sessions. As far as I understood from this thread there is no way to limit the life span of udp sessions. I guess we' ll have to live with it. Thanks for the infos anyway. Ede
    emnoc
    emnoc
    New Member
    July 6, 2009
    Isn' t these name-server caching any learned information? Once the name has been lookup, it should be cache to the TTL set by the authoritive name-server for that zone.
    Terms & ConditionsAccessibility statement