Maintained by: NLnet Labs

NXDOMAIN cache

Dave Warren
Sun Oct 25 08:59:23 CET 2015


On 2015-10-24 22:55, Alexandre J. Correa (Onda) via Unbound-users wrote:
> Hello,
>
> My first e-mail comes with some questions.. :)
>
> 1- Can Unbound cache NXDOMAIN responses?
> 2- Can Unbound change/force the TTL of NXDOMAIN as I define?
>
>
> The purpose of forcing/changing the TTL of NXDOMAIN is for a project to 
> fight SPAM, a.k.a. SPFBL[1].
> Because of the project's success here (Brazil), I need to increase the 
> caching of NXDOMAIN on mirror servers to lower CPU usage...
>
>
> AFAIK, the TTL of NXDOMAIN comes from SOA records, but in my tests, unbound 
> caches responses for only 4 seconds..
>
> If I flood with 20 queries like:
>
> # dig @localhost 1.0.0.127.dnsbl.spfbl.net
>
> the first query goes to the 'central' server -- OK, expected (cache is empty)
> the other 19 queries come from cache -- OK, expected
>
> waiting 10 seconds, and flooding again..
>
> the first query goes to the 'central' server -- NOT OK, expected to come from 
> local cache...
>
>
> How can I force the TTL of NXDOMAIN using unbound?

What is the negative result TTL if you use this command:

dig 1.0.0.127.dnsbl.spfbl.net +trace +nodnssec

The server matrix.spfbl.net. doesn't respond from here, but using 
Spamhaus, the tail of the +trace command would show this:

dig 1.0.0.127.xbl.spamhaus.org +trace +nodnssec

xbl.spamhaus.org.       150     IN      SOA     need.to.know.only. 
hostmaster.spamhaus.org. 1510250741 3600 600 432000 150
;; Received 108 bytes from 217.149.192.170#53(a.ns.spamhaus.org) in 161 ms

This tells us that the response can only be cached for 150 seconds.

Unbound has a "cache-max-negative-ttl", but no minimum is listed at 
https://unbound.net/documentation/unbound.conf.html

-- 
Dave Warren
http://www.hireahit.com/
http://ca.linkedin.com/in/davejwarren
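The RFC 2308 arithmetic behind the reply above, as an added Python example that is not part of this thread and not Unbound code: it parses a dig-style SOA line (the Spamhaus line quoted above, reassembled onto one line as constructed input), derives the negative-cache TTL as the lesser of the SOA record's own TTL and its MINIMUM field, applies the resolver's cap (Unbound's cache-max-negative-ttl; its documented default of 3600 is assumed as the cap), and then replays the two bursts of 20 queries from the original post against one cache entry to show why a 4-second TTL refetches at the head of the second burst while a 150-second one does not. The function names and the 4-second figure come from the thread's description, not from any Unbound source.

```python
import re

# Constructed sample: the SOA from the dig +trace tail quoted in the thread,
# joined onto one line the way dig prints it (the archive wrapped it).
SAMPLE_SOA = (
    "xbl.spamhaus.org.       150     IN      SOA     need.to.know.only. "
    "hostmaster.spamhaus.org. 1510250741 3600 600 432000 150"
)

# owner TTL IN SOA mname rname serial refresh retry expire minimum
_SOA_RE = re.compile(
    r"^(?P<owner>\S+)\s+(?P<ttl>\d+)\s+IN\s+SOA\s+(?P<mname>\S+)\s+(?P<rname>\S+)\s+"
    r"(?P<serial>\d+)\s+(?P<refresh>\d+)\s+(?P<retry>\d+)\s+(?P<expire>\d+)\s+"
    r"(?P<minimum>\d+)\s*$"
)

def parse_soa(line):
    """Parse one presentation-format SOA record into a dict; numeric fields as int."""
    m = _SOA_RE.match(line.strip())
    if not m:
        raise ValueError("not a dig-style SOA line: %r" % line)
    soa = m.groupdict()
    for key in ("ttl", "serial", "refresh", "retry", "expire", "minimum"):
        soa[key] = int(soa[key])
    return soa

def negative_cache_ttl(soa, cache_max_negative_ttl=3600):
    """RFC 2308 section 5: an NXDOMAIN may be cached for the lesser of the
    SOA record's TTL and its MINIMUM field. A resolver may shorten that
    further; the default cap assumed here is Unbound's documented
    cache-max-negative-ttl default of 3600 seconds."""
    return min(soa["ttl"], soa["minimum"], cache_max_negative_ttl)

def cache_hits(query_times, ttl):
    """Simulate a single negative-cache entry. Each query time (seconds) is a
    hit if the entry fetched by the most recent miss has not expired yet;
    otherwise it is a miss that refetches and restarts the TTL. Returns one
    bool per query, True for a cache hit."""
    hits = []
    expires_at = None
    for t in query_times:
        if expires_at is not None and t < expires_at:
            hits.append(True)
        else:
            hits.append(False)
            expires_at = t + ttl
    return hits

def replay_thread_test(ttl):
    """The original poster's experiment: 20 queries at once, wait 10 s, 20 more.
    Returns the number of queries that went upstream."""
    times = [0] * 20 + [10] * 20
    return cache_hits(times, ttl).count(False)

if __name__ == "__main__":
    soa = parse_soa(SAMPLE_SOA)
    ttl = negative_cache_ttl(soa)
    print("negative TTL for %s: %d s" % (soa["owner"], ttl))
    print("upstream queries at 4 s TTL:", replay_thread_test(4))
    print("upstream queries at %d s TTL:" % ttl, replay_thread_test(ttl))
```

Running it prints 150 seconds for the Spamhaus zone, two upstream fetches for the 4-second case the poster observed, and one for the 150-second case. The cap only ever lowers the value; raising negative caching above what the zone's SOA allows is not something this arithmetic (or the cache-max-negative-ttl option it models) can do.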