63
DEFINITIVE GUIDE TO DNS TIME TO LIVE
| Date post: | 14-Apr-2017 |
| Category: |
Technology |
| Upload: | varonis |
| View: | 251 times |
| Download: | 0 times |
DEFINITIVE GUIDE TO DNS TIME TO LIVE
THE BASICS
Why is DNS cached?
Why is DNS cached?
1 Time. DNS Requests are slow.
Why is DNS cached?
2 Stability. DNS Records don’t change often (typically years)
What’s a TTL?
What’s a TTL?
How long each step of the DNS resolution chain will cache a record.
What are typical TTL
times?
What are typical TTL?
“Very Short” “Short" “Long" “Insanity"
300s / 5min 3600s / 1h 86400s / 24h 604800s / 7d
How do DNS Lookups
Work?
How do lookups work?
All DNS clients ask:
How do lookups work?
1 Do we have this record cached?
Why is DNS cached?
2 If it is cached, is the TTL still valid?
How do lookups work?
If the answer to either is “no” the request moves up the chain and the questions are asked again.
Why DNS is about Network
Connections not Devices
Connections not Devices
Consider your home computer
Connections not Devices
Your connect via - high speed internet - tethered cell - a VPN on top of both
Connections not Devices
Those connections have: - different ISP DNS servers - different DNS cache policy
Connections not Devices
Entirely possible to have two different DNS resolution
results by switching connections
DNS TTL TROUBLE SHOOTING
How long does it take for DNS
to update?
How long until updated?
WORST CASE: TTL for record * number of resolution steps in chain
How long until updated?
BEST CASE: TTL has expired for all steps (no cache) so it’s immediate
How much does a DNS lookup cost?
DNS lookup cost
An uncached DNS request takes ~150ms
DNS lookup cost
A typical website makes 100s of requests
DNS lookup cost
Without caching EVERY REQUEST would add 150ms
to the page load time
DNS lookup cost
With caching, only the first request to each domain
takes additional time.
Why isn’t my DNS
updating?
Why isn’t DNS updating?
1 Application caches: For example, Internet Explorer ignores TTLs lower than 30 min
Why isn’t DNS updating?
2 Mobile ISPs seek to reduce traffic by boosting TTL times
Why isn’t DNS updating?
3 Complex internal networks with more DNS servers than you would think
Can you remotely force a client to
update their DNS?
Force client DNS update
NO
Force client DNS update
You can purge local DNS caches, but not on downstream clients
DNS BEST PRACTICES
WHAT’S BETTER: SHORT OR LONG TTLs?
Short or Long TTL?
Short: less than one hour(3600 seconds)
Short or Long TTL?
Short TTLs give you much greater flexibility in making
changes and working around the most common DNS
problems
How do you know when a client will update their DNS
record?
Estimate update time?
TTL is not a “freshness date”
Estimate update time?
DNS is like an org chart. !
Changes take time to propagate through the whole
organization.
What’s the best practice for
changing a DNS record?
Best Change Practice
1 Drop the TTL on the record to very low: (5 min/300 seconds)
Best Change Practice
2 Modify the actual record on the cutover date
Best Change Practice
3 Several days post switch, push the TTL back to something higher (1hr / 3600s)
Best Practice for adding a new DNS record?
Best Change Practice
1 Add the new record with low TTL.
Best Change Practice
2 After you’re sure everything works, raise the TTL.
What’s the most common TTL Setting?
Most Common TTL
Rather than guess, we wrote a program to check the top 500 websites.
Most Common TTL
Lowest TTL 1
Highest TTL 129,540
Domains Resolved: 485
Average TTL: 6,468
Median TTL: 300
TTL Results
Most Common TTL
The lowest values are from domains doing rapid DNS changes for load balancing.
Most Common TTL
If you need to defend TTL decision, point to the 300 second median value.
What are the DNS Platform
Tools?
Check DNS from Web
https://toolbox.googleapps.com/apps/dig/
How do I test for DNS TTL propagation?
WHAT TO DO NEXT
IF THIS WAS HELPFUL
START NOW
Please check out our free course on Web Security
Fundamentals. By the creator of HaveIBeenPwned.
