Search This Blog
Showing posts with label TTL. Show all posts
Showing posts with label TTL. Show all posts

Apr 28, 2020

2 TTL related registry on Windows client OS

1. Maximum time a client will cache positive results regardless what TTL a record holds:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Dnscache\Parameters\MaxCacheEntryTtlLimit

Note: A record will be cache on client for the period specified in


  • record TTL or
  • above registry value, whichever is less. 


2. When register its own record, the TTL sent to DNS server:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\DefaultRegistrationTTL


See Also


Tags: ,

Apr 2, 2020

DNS Zone intervals - mapping values in Windows GUI to nslookup result for SOA record

DNS TTL 
See above, click to see enlarge picture.

This is a screenshot of SOA record.

What the intervals are:


  • (Most important one) Minimum default TTL: Default TTL for all records in the zone that don't have their own TTL defined during creation. This parameter is also used as TTL of negative cache
  • TTL : TTL for the SOA record itself
  • Refresh - This is how often (in seconds) the slave name servers check with the primary name server to see if any changes have been made to the zone
  • Retry - This is the time (in seconds) a slave (secondary) DNS server waits before retrying a failed zone transfer
  • Expires  - Indicates when the zone data is no longer authoritative - time counted from the point when slave loses contact with master. Applies to Slaves or Secondary servers only. When this expires, slave will no longer respond to queries
Update #1: Regarding negative caching, it is lesser of  Minimum Default TTL, SOA TTL, and 15min (defined in MaxNegativeTTL,  can be viewed with powershell cmdlet get-dnsservercache)

Update #2: One can set different values on SOA TTL and Minimum Default TTL, but Windows will set both to same value, whichever is smaller. Tested on Windows 2016
Tags: , , ,

Jul 5, 2018

Negative cache TTL on Windows-based DNS

Think about this scenario:

- client uses Windows DNS for name resolution
- client has a record on an external DNS server, let's say a.external.com
- Windows DNS forwards queries of *.external.com to its respective authoritative DNS
- a.external.com has a TTL of 1 min
- a.external.com is removed then re-created with a new IP in 2 min time range (this is common for a cluster or load balancer setup)
- After the record is re-created, client pings it right away and expect to see new IP returned
- Actual result is "host name not found in DNS"

This is because how Windows DNS handles negative cache. Within that 2 min outage window, if anyone queried the name, Windows DNS gets a negative result from upstream (external) DNS. This negative result is cached ( naturally called negative caching), with a TTL as described below:

  • Windows client resolver has a universal negative cache time (default 5 min) that can be changed in registry
    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services \DNSCache\Parameters\NegativeCacheTime
  • Windows DNS server sets the TTL of negative result cache from SOA of hosting zone (update: lesser of TTL for SOA record itself, or the zone Minimum Default TTL). In this particular case, TTL from external.com zone SOA. However when SOA TTL is too short (<1min) or too long (>15min), Windows will cap TTL to be 1min and 15 min respectively(Coming from MaxNegativeTTL, can be viewed by powershell cmdlet get-dnsservercache).

See my other 2 posts on TTL/negative cache

Tags: , ,
Subscribe to: Posts (Atom)