NXDOMAIN cache
Dave Warren
davew at hireahit.com
Sun Oct 25 07:59:23 UTC 2015
On 2015-10-24 22:55, Alexandre J. Correa (Onda) via Unbound-users wrote:
> Hello,
>
> My first e-mail comes with some questions.. :)
>
> 1- Can Unbound cache NXDOMAIN responses?
> 2- Can Unbound change/force the TTL of NXDOMAIN as I define?
>
>
> The purpose of forcing/changing the TTL of NXDOMAIN is for a project to fight
> spam, a.k.a. SPFBL[1].
> Because of the project's success here (Brazil), I need to increase the
> cache of NXDOMAIN on mirror servers to lower CPU usage...
>
>
> AFAIK, the TTL of NXDOMAIN comes from SOA records, but in my tests, Unbound
> caches responses for only 4 seconds...
>
> If I flood with 20 queries like:
>
> # dig @localhost 1.0.0.127.dnsbl.spfbl.net
>
> the first query goes to the 'central' server -- OK, expected (cache is empty)
> the other 19 queries come from cache -- OK, expected
>
> Waiting 10 seconds, and flooding again...
>
> the first query goes to the 'central' server -- NOT OK, expected it to come
> from the local cache...
>
>
> How can I force the TTL of NXDOMAIN using Unbound?
What is the negative result TTL if you use this command:
dig 1.0.0.127.dnsbl.spfbl.net +trace +nodnssec
The server matrix.spfbl.net. doesn't respond from here, but using
Spamhaus, the tail of the +trace command would show this:
dig 1.0.0.127.xbl.spamhaus.org +trace +nodnssec
xbl.spamhaus.org. 150 IN SOA need.to.know.only. hostmaster.spamhaus.org. 1510250741 3600 600 432000 150
;; Received 108 bytes from 217.149.192.170#53(a.ns.spamhaus.org) in 161 ms
This tells us that the response can only be cached for 150 seconds.
Unbound has a "cache-max-negative-ttl", but no minimum is listed at
https://unbound.net/documentation/unbound.conf.html
--
Dave Warren
http://www.hireahit.com/
http://ca.linkedin.com/in/davejwarren
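As an added example (not from this thread and not Unbound's own code), the script below does the arithmetic Dave walks through above: it parses the SOA line from the tail of a `dig ... +trace +nodnssec` run, derives the negative-caching TTL per RFC 2308 (the smaller of the SOA record's own TTL and its MINIMUM field), applies Unbound's cache-max-negative-ttl ceiling (default 3600 seconds), and replays the poster's burst/pause/burst test to count how many queries would reach the upstream server for a given negative TTL. The sample dig output is constructed from the Spamhaus line quoted in the reply; the query name and the 10-second pause come from the original post; the cache model, default values and function names are assumptions of this example.

```python
import re
from dataclasses import dataclass

# Constructed sample: the tail of `dig 1.0.0.127.xbl.spamhaus.org +trace +nodnssec`,
# modelled on the line quoted in the thread (dig separates fields with tabs).
SAMPLE_TRACE = (
    "xbl.spamhaus.org.\t150\tIN\tSOA\tneed.to.know.only. hostmaster.spamhaus.org. "
    "1510250741 3600 600 432000 150\n"
    ";; Received 108 bytes from 217.149.192.170#53(a.ns.spamhaus.org) in 161 ms\n"
)

# Matches the presentation format dig prints for an SOA record.
SOA_RE = re.compile(
    r"^(?P<zone>\S+)\s+(?P<ttl>\d+)\s+IN\s+SOA\s+(?P<mname>\S+)\s+(?P<rname>\S+)\s+"
    r"(?P<serial>\d+)\s+(?P<refresh>\d+)\s+(?P<retry>\d+)\s+(?P<expire>\d+)\s+"
    r"(?P<minimum>\d+)\s*$"
)


@dataclass
class Soa:
    zone: str
    ttl: int      # TTL of the SOA record itself, as returned in the authority section
    minimum: int  # SOA MINIMUM field (the "negative caching TTL" per RFC 2308)


def parse_soa(dig_output: str) -> Soa:
    """Return the first SOA record found in dig's text output."""
    for line in dig_output.splitlines():
        m = SOA_RE.match(line)
        if m:
            return Soa(m["zone"], int(m["ttl"]), int(m["minimum"]))
    raise ValueError("no SOA record in dig output")


def negative_ttl(soa: Soa) -> int:
    """RFC 2308 section 5: a negative answer may be cached for the lesser of the
    SOA MINIMUM field and the TTL of the SOA record in the response."""
    return min(soa.ttl, soa.minimum)


def unbound_negative_ttl(soa: Soa, cache_max_negative_ttl: int = 3600) -> int:
    """Apply Unbound's cache-max-negative-ttl ceiling (default 3600 seconds,
    an assumption of this example). The option can only lower the value the
    zone hands out; it cannot stretch a short SOA TTL."""
    return min(negative_ttl(soa), cache_max_negative_ttl)


class NegativeCache:
    """Minimal NXDOMAIN cache keyed by query name, with absolute expiry times."""

    def __init__(self) -> None:
        self._expiry: dict[str, float] = {}

    def lookup(self, name: str, now: float) -> bool:
        exp = self._expiry.get(name)
        return exp is not None and now < exp

    def store(self, name: str, ttl: int, now: float) -> None:
        self._expiry[name] = now + ttl


def simulate_flood(ttl: int, burst: int = 20, pause: float = 10.0) -> int:
    """Replay the poster's test: a burst of `burst` queries, a pause of `pause`
    seconds, then a second burst. Returns how many queries had to go to the
    'central' (upstream) server for a negative TTL of `ttl` seconds."""
    cache = NegativeCache()
    name = "1.0.0.127.dnsbl.spfbl.net."  # query name from the original post
    upstream = 0
    for start in (0.0, pause):
        now = start
        for _ in range(burst):
            if not cache.lookup(name, now):
                upstream += 1
                cache.store(name, ttl, now)
            now += 0.01  # a flood of 20 queries completes well within a second
    return upstream


if __name__ == "__main__":
    soa = parse_soa(SAMPLE_TRACE)
    print(f"{soa.zone} negative TTL: {negative_ttl(soa)}s, "
          f"after Unbound ceiling: {unbound_negative_ttl(soa)}s")
    for t in (4, 150):
        print(f"TTL {t:>3}s: {simulate_flood(t)} upstream queries across two bursts")
```

With the 4-second negative TTL the poster observed, the second burst after a 10-second pause misses the cache and goes upstream again; with the 150-second value Spamhaus publishes, only the very first query leaves the mirror. The fix therefore has to happen in the zone's SOA (its TTL and MINIMUM field), because a resolver-side ceiling such as cache-max-negative-ttl can only shorten the window.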