
[ScreenOS] Significance of TTL property in DNS record


Article ID: KB21532 KB Last Updated: 29 Aug 2011Version: 1.0
Summary:
This article explains the significance of the TTL property of a DNS record and how it governs the lifetime of entries in the ScreenOS DNS cache.

Symptoms:
Environment:
  • What is the expected time a DNS record will remain in the DNS cache?
  • How many entries can be stored in the DNS cache?
Solution:
All DNS records have a TTL property, specifying the maximum amount of time that other DNS servers and applications should cache the record. Setting a DNS record's TTL value to zero means that applications and DNS servers should not cache the record at all. When a DNS record is stored in the cache of a DNS server, the record's TTL is continuously reduced as time goes by, and when the TTL finally reaches zero, the record is removed from the cache.

Similarly, in ScreenOS, the time a record stays in the DNS cache is equal to the TTL property of the DNS record. When the TTL is reduced to zero, the entry is removed from the cache. If the record is not in use by the firewall or by any object, a new lookup is performed only the next time the device needs to access that object. The current cache contents can be viewed with the following command:
FIREWALL-> get dns host cache
DNS Server:
Primary : 10.10.10.23, Src Interface: ethernet2/4
Secondary: 10.10.10.3, Src Interface: ethernet2/4
Tertiary : 0.0.0.0, Src Interface: Null
DNS Cache (Static):
DNS Cache (Dynamic):
Host name: www.abc.com IP: 11.11.11.226 TTL= 42s
Host name: kh.google.com IP: 12.12.12.136 TTL= 42s
Host name: kh.google.com IP: 12.12.12.190 TTL= 42s
Host name: kh.google.com IP: 12.12.12.91 TTL= 42s


In the above example, google.com (kh.google.com in the output) has multiple cache entries, one for each IP address returned by the lookup. After 42 seconds the firewall will perform a new DNS lookup for the same domain and update the DNS cache table. If the firewall does not need to access google.com, it will flush the entry from the cache table instead. There are two cases in which the firewall keeps re-resolving the name:
  1. The firewall is configured with URL filtering and needs to resolve google.com for its own (self) traffic. In this case the firewall will keep performing the DNS lookup, because it always requires the DNS record for URL filtering.

  2. google.com is used as the destination address object in a policy. To perform the policy lookup, the firewall uses this object to resolve the IP address from the domain name, so it will keep repeating the DNS lookup for as long as the policy references the object.

The firewall can store up to 1024 entries in its DNS cache.
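The following Python model is an added illustration of the cache behaviour described above (TTL countdown, removal at zero, re-resolution only while an object such as a policy address or URL filtering still needs the name, and the 1024-entry limit). It is not ScreenOS code and not Juniper's implementation; the 1024 limit and the refresh rule come from the article, while the class and function names, the sample output (constructed from the `get dns host cache` format shown above), and the assumption that a full cache returns results without storing them are this example's own.

```python
"""TTL-driven DNS cache model illustrating the ScreenOS behaviour described in the
article. Constructed example; names, the fake resolver and the full-cache policy are
assumptions, not ScreenOS internals."""
import re
from dataclasses import dataclass

CACHE_CAPACITY = 1024  # entry limit stated in the article

# Constructed sample in the format of the `get dns host cache` output above.
SAMPLE_OUTPUT = """\
DNS Cache (Dynamic):
Host name: www.abc.com IP: 11.11.11.226 TTL= 42s
Host name: kh.google.com IP: 12.12.12.136 TTL= 42s
Host name: kh.google.com IP: 12.12.12.190 TTL= 42s
Host name: kh.google.com IP: 12.12.12.91 TTL= 42s
"""

ENTRY_RE = re.compile(r"Host name:\s*(\S+)\s+IP:\s*(\S+)\s+TTL=\s*(\d+)s")


def parse_dns_cache(text):
    """Return (hostname, ip, ttl_seconds) tuples from a dynamic-cache dump."""
    return [(m.group(1), m.group(2), int(m.group(3))) for m in ENTRY_RE.finditer(text)]


@dataclass
class CacheEntry:
    ip: str
    ttl: int  # seconds remaining; counts down and the entry is dropped at zero


class TtlDnsCache:
    def __init__(self, resolver, capacity=CACHE_CAPACITY):
        self.resolver = resolver  # hypothetical callable: host -> (list of ips, ttl)
        self.capacity = capacity
        self.entries = {}         # host -> list[CacheEntry], one entry per IP
        self.lookups = 0          # number of real DNS queries issued

    def entry_count(self):
        return sum(len(v) for v in self.entries.values())

    def resolve(self, host):
        """Return the cached IPs for host, issuing a DNS lookup on a cache miss."""
        if host in self.entries:
            return [e.ip for e in self.entries[host]]
        ips, ttl = self.resolver(host)
        self.lookups += 1
        # Assumption: once the cache is full, answers are used but not stored.
        if self.entry_count() + len(ips) <= self.capacity:
            self.entries[host] = [CacheEntry(ip, ttl) for ip in ips]
        return list(ips)

    def tick(self, seconds, in_use):
        """Advance the clock: decrement TTLs, remove expired entries, and re-resolve
        only those names that an object (policy address, URL filtering) still needs."""
        for host in list(self.entries):
            for e in self.entries[host]:
                e.ttl = max(0, e.ttl - seconds)
            self.entries[host] = [e for e in self.entries[host] if e.ttl > 0]
            if not self.entries[host]:
                del self.entries[host]      # TTL reached zero: flushed from the cache
                if host in in_use:
                    self.resolve(host)      # still referenced: immediate new lookup


def load_from_dump(cache, text):
    """Seed the model from a cache dump without issuing any lookups."""
    for host, ip, ttl in parse_dns_cache(text):
        cache.entries.setdefault(host, []).append(CacheEntry(ip, ttl))


if __name__ == "__main__":
    cache = TtlDnsCache(lambda host: (["12.12.12.136"], 42))
    load_from_dump(cache, SAMPLE_OUTPUT)
    cache.tick(42, in_use={"kh.google.com"})  # policy still references kh.google.com
    print(sorted(cache.entries), "lookups:", cache.lookups)
```

Running the model with `kh.google.com` marked as in use shows that after 42 seconds `www.abc.com` is simply flushed, whereas `kh.google.com` is re-resolved immediately and its entries reappear with a fresh TTL, which is exactly the difference between the two cases listed above.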