Search This Blog

Jul 5, 2018

Negative cache TTL on Windows-based DNS

Think about this scenario:

- client uses Windows DNS for name resolution
- client has a record on an external DNS server, let's say a.external.com
- Windows DNS forwards queries of *.external.com to its respective authoritative DNS
- a.external.com has a TTL of 1 min
- a.external.com is removed then re-created with a new IP in 2 min time range (this is common for a cluster or load balancer setup)
- After the record is re-created, client pings it right away and expect to see new IP returned
- Actual result is "host name not found in DNS"

This is because how Windows DNS handles negative cache. Within that 2 min outage window, if anyone queried the name, Windows DNS gets a negative result from upstream (external) DNS. This negative result is cached ( naturally called negative caching), with a TTL as described below:

  • Windows client resolver has a universal negative cache time (default 5 min) that can be changed in registry
    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services \DNSCache\Parameters\NegativeCacheTime
  • Windows DNS server sets the TTL of negative result cache from SOA of hosting zone (update: lesser of TTL for SOA record itself, or the zone Minimum Default TTL). In this particular case, TTL from external.com zone SOA. However when SOA TTL is too short (<1min) or too long (>15min), Windows will cap TTL to be 1min and 15 min respectively(Coming from MaxNegativeTTL, can be viewed by powershell cmdlet get-dnsservercache).

See my other 2 posts on TTL/negative cache