
Q&A: Mitigating DNS (glue) records in global DNS propagation

Question

How long am I willing to let users be sent to stale or unintended endpoints before the DNS cache refreshes or expires?

Environment

  • Silverline
    • Managed or unmanaged proxy services 
      • WAF or WAF Express 
      • DDoS
  • Proxy/Proxies

Answer

The question that comes to mind is TIME TO MITIGATE.

For critical records, you should always keep the TTL low. A good range is anywhere from 30 to 60 seconds; most service providers set a hard lower limit of 30 seconds. Also note that most recursive DNS servers, whether open recursive or local resolvers, typically do not honor a TTL of 30 seconds or less.

You also want to update the zone's SOA record TTL (the interval at which the SOA record itself is refreshed) to guarantee that the update is seen.

  • You also want a low TTL if you have any F5 Silverline (managed WAF, WAF Express, or DDoS) solutions.
  • F5 Cloud Services (DNS-based Global Server Load Balancing, GSLB). Cloud Services lets you create policy rules that change which endpoints are returned based on a user's location.

Records that commonly carry excessive time-to-live values:

  • CNAME record – In many cases, a CNAME record will never be modified (e.g. pointing www.example.com to example.com's A record). If your CNAME record could potentially change (such as when you are using a CDN), you will want a lower TTL; use the provider's recommended values.
  • MX record – MX records rarely, if ever, change, especially if you are using an email provider with a good track record or you have lots of redundancy when self-hosting. You can usually set this to a 12-hour or 1-day TTL. If you want to ensure faster propagation in the event of an emergency, a 10- to 30-minute TTL is a good compromise.
  • TXT records – Most commonly used for SPF or DKIM records. Usually safe to set in the 12- to 24-hour range since they rarely change.

Worthy examples:

% dig @pdns150.f5.com www.f5.com +answer

<...snip>
www.f5.com. 30 IN CNAME dwbfwz8xncgmg.cloudfront.net.
<...snip>

In the example above, the authoritative nameserver for www.f5.com answers the query with a CNAME to dwbfwz8xncgmg.cloudfront.net and a TTL of 30s. That answer is cached on the resolver until the TTL expires, or until users stop sending queries for the FQDN (www.f5.com) to that particular resolver.

In the example below, the answer to the question for dwbfwz8xncgmg.cloudfront.net has its TTL set to 10 seconds (the output shows 7 because this answer came from the cache of the resolver at 10.255.255.1, where the 10-second TTL had already partly counted down).

% dig dwbfwz8xncgmg.cloudfront.net

; <<>> DiG 9.10.6 <<>> dwbfwz8xncgmg.cloudfront.net
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 58520
;; flags: qr rd ra; QUERY: 1, ANSWER: 4, AUTHORITY: 4, ADDITIONAL: 3

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;dwbfwz8xncgmg.cloudfront.net. IN A

;; ANSWER SECTION:
dwbfwz8xncgmg.cloudfront.net. 7 IN A 99.86.33.52
dwbfwz8xncgmg.cloudfront.net. 7 IN A 99.86.33.53
dwbfwz8xncgmg.cloudfront.net. 7 IN A 99.86.33.9
dwbfwz8xncgmg.cloudfront.net. 7 IN A 99.86.33.5

;; AUTHORITY SECTION:
dwbfwz8xncgmg.cloudfront.net. 600 IN NS ns-683.awsdns-21.net.
dwbfwz8xncgmg.cloudfront.net. 600 IN NS ns-1645.awsdns-13.co.uk.
dwbfwz8xncgmg.cloudfront.net. 600 IN NS ns-111.awsdns-13.com.
dwbfwz8xncgmg.cloudfront.net. 600 IN NS ns-1438.awsdns-51.org.

;; ADDITIONAL SECTION:
ns-111.awsdns-13.com. 169545 IN A 205.251.192.111
ns-683.awsdns-21.net. 153659 IN A 205.251.194.171

;; Query time: 19 msec
;; SERVER: 10.255.255.1#53(10.255.255.1)
;; WHEN: Sun Jul 05 20:17:29 PDT 2020
;; MSG SIZE rcvd: 290

When you query dwbfwz8xncgmg.cloudfront.net, note that the hosts that ultimately answer for the www.f5.com web application are reached through the www.f5.com CNAME, which carries a TTL of 30s, while the A records that answer for the CNAME target carry a TTL of 10s for load distribution.
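As an added example (not part of the original article), the following Python script applies the TTL guidance above to dig answer lines: it flags records whose TTL exceeds the limit for their role and computes the worst-case time to mitigate across a CNAME chain such as www.f5.com to its cloudfront target. The example.com records, the 60 s / 1 day / 24 h limits and the function names are assumptions chosen for the example.

```python
import re
from collections import namedtuple

# Max acceptable TTL (s) per role, per the guidance above: critical 30-60 s, MX 1 day, TXT 24 h.
TTL_POLICY = {"CRITICAL": 60, "MX": 86400, "TXT": 86400}
DIG_LINE = re.compile(r"^(\S+)\s+(\d+)\s+IN\s+([A-Z]+)\s+(.+)$")  # "<name> <ttl> IN <type> <rdata>"
Record = namedtuple("Record", "name ttl rtype rdata")

# Constructed input: the f5.com/cloudfront lines copy the dig output above; the example.com
# lines are made up (hypothetical zone) to exercise the MX, TXT and critical-host limits.
SAMPLE_DIG = """;; ANSWER SECTION:
www.f5.com. 30 IN CNAME dwbfwz8xncgmg.cloudfront.net.
dwbfwz8xncgmg.cloudfront.net. 7 IN A 99.86.33.52
example.com. 172800 IN MX 10 mail.example.com.
example.com. 3600 IN TXT "v=spf1 include:_spf.example.com -all"
app.example.com. 3600 IN A 192.0.2.10
"""

def parse_dig_answers(text):
    """Turn dig answer lines into Records; comment lines (';') and anything else are skipped."""
    records = []
    for line in text.splitlines():
        m = DIG_LINE.match(line.strip())
        if m and not line.lstrip().startswith(";"):
            records.append(Record(m.group(1), int(m.group(2)), m.group(3), m.group(4)))
    return records

def audit_ttls(records, critical_names):
    """Return (name, type, ttl, limit) for each record over its limit. Names in critical_names
    (hosts fronted by Silverline/GSLB) use the CRITICAL limit whatever their type."""
    findings = []
    for r in records:
        limit = TTL_POLICY["CRITICAL"] if r.name.rstrip(".") in critical_names else TTL_POLICY.get(r.rtype)
        if limit is not None and r.ttl > limit:
            findings.append((r.name, r.rtype, r.ttl, limit))
    return findings

def time_to_mitigate(records, name):
    """Worst-case seconds a resolver may keep serving the old answer for `name` after a change
    anywhere on its CNAME chain: the largest TTL on the chain, since a cached link is not re-asked."""
    worst, seen = 0, set()
    while name and name not in seen:           # `seen` guards against CNAME loops
        seen.add(name)
        rrset = [r for r in records if r.name == name]
        if not rrset:
            break
        worst = max(worst, max(r.ttl for r in rrset))
        cnames = [r for r in rrset if r.rtype == "CNAME"]
        name = cnames[0].rdata if cnames else None
    return worst
```

Pointing `parse_dig_answers` at the saved output of `dig <name> ANY +answer` for your critical hosts, and passing those host names as `critical_names`, turns this into a quick pre-incident TTL check.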
