This article describes the significance of the TTL property of a DNS record.
All DNS records have a TTL property, which specifies the maximum amount of time that other DNS servers and applications should cache the record. Setting a DNS record's TTL value to zero means that applications and DNS servers should not cache the record. When a DNS record is stored in the cache of a DNS server, the record's TTL is continuously reduced as time goes by; when the TTL finally reaches zero, the record is removed from the cache.
Similarly, in ScreenOS the lifetime of a record in the DNS cache is equal to the TTL property of the DNS record. When the TTL is reduced to zero, the entry is removed from the cache. If the record is not used by the firewall or by any object, a new lookup will be performed the next time the device needs to access the object.
FIREWALL-> get dns host cache
DNS Server:
Primary : 10.10.10.23, Src Interface: ethernet2/4
Secondary: 10.10.10.3, Src Interface: ethernet2/4
Tertiary : 0.0.0.0, Src Interface: Null
DNS Cache (Static):
DNS Cache (Dynamic):
Host name: www.abc.com IP: 11.11.11.226 TTL= 42s
Host name: kh.google.com IP: 12.12.12.136 TTL= 42s
Host name: kh.google.com IP: 12.12.12.190 TTL= 42s
Host name: kh.google.com IP: 12.12.12.91 TTL= 42s
In the above example, multiple entries are returned from nslookup for google.com. After 42 seconds the firewall will perform a DNS lookup for the same domain and will update the DNS cache table. If the firewall does not need to access google.com, it will flush the entry from the cache table. There are two possibilities:
- When the firewall is configured with URL filtering and needs to resolve google.com for self-generated traffic. In this case, the firewall will keep performing the DNS lookup, because it will always require the DNS record for URL filtering.
- When google.com is used as the destination address object in a policy. To perform the policy lookup, the firewall uses this object to resolve the IP address from the domain name, so the firewall will keep repeating the DNS lookup.
The firewall can store up to 1024 entries in its DNS cache.
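As an added illustration (not code from the article or from ScreenOS), the following Python models the cache behaviour described above: it parses the dynamic-cache lines of a "get dns host cache" listing, ages the entries, removes the ones whose TTL reaches zero, and re-resolves only hosts that are still referenced by a policy address object or by URL filtering. The sample listing is constructed, and the resolver is a stub you supply.

```python
import re
from dataclasses import dataclass

# Constructed sample, modelled on the "get dns host cache" listing in the article.
SAMPLE_OUTPUT = """\
DNS Cache (Dynamic):
Host name: www.abc.com IP: 11.11.11.226 TTL= 42s
Host name: kh.google.com IP: 12.12.12.136 TTL= 42s
Host name: kh.google.com IP: 12.12.12.190 TTL= 42s
Host name: kh.google.com IP: 12.12.12.91 TTL= 42s
"""

LINE_RE = re.compile(r"Host name:\s*(\S+)\s+IP:\s*(\S+)\s+TTL=\s*(\d+)s")
MAX_ENTRIES = 1024  # cache size stated in the article


@dataclass
class CacheEntry:
    host: str
    ip: str
    ttl: int  # seconds remaining before the entry is removed


def parse_cache(text):
    """Turn the dynamic-cache lines of the listing into CacheEntry objects."""
    return [CacheEntry(h, ip, int(t)) for h, ip, t in LINE_RE.findall(text)]


def advance(entries, seconds, referenced, resolver):
    """Age every entry by `seconds` and apply the rules the article describes:
    an entry whose TTL reaches zero is removed; if its host is still referenced
    (policy address object or URL filtering), a fresh lookup repopulates it.
    `resolver(host)` is a stub you supply, returning [(ip, ttl), ...]."""
    kept, expired = [], []
    for e in entries:
        remaining = e.ttl - seconds
        if remaining > 0:
            kept.append(CacheEntry(e.host, e.ip, remaining))
        elif e.host not in expired:
            expired.append(e.host)
    for host in expired:
        if host in referenced:  # still needed, so the firewall looks it up again
            kept.extend(CacheEntry(host, ip, ttl) for ip, ttl in resolver(host))
    # The article gives a hard limit of 1024 entries but no eviction policy,
    # so this model simply refuses to grow past it.
    if len(kept) > MAX_ENTRIES:
        raise RuntimeError("DNS cache would exceed %d entries" % MAX_ENTRIES)
    return kept
```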