Override Default Minimum TTL for DNS Caching
The NAT and policy modules use Fully Qualified Domain Names (FQDNs) from the address book for source or destination address criteria, instead of IP addresses. Upon configuration commit, these FQDNs are resolved and the results are cached for the Time-To-Live (TTL) duration. When the TTL expires, the firewall sends a query to the DNS server again.
An SRX Series Firewall uses a 16-second minimum TTL for cached IP addresses. If a domain's DNS TTL is under 16 seconds, its addresses are still cached for 16 seconds; domains with low TTLs and multiple addresses can therefore keep serving an IP address after it has expired, leading to packet drops.
Starting in Junos OS Release 25.2R1, you can override the default minimum TTL value for FQDNs in the address book. This configuration ensures that DNS responses with TTL values lower or higher than 16 seconds are cached for their actual duration, overriding the default 16-second minimum TTL for FQDNs within the address book.
DNS Cache TTL Override
The DNS cache TTL override configuration enables you to fine-tune DNS cache behavior through the min-ttl-override parameter. You can override the default minimum TTL value, ensuring that DNS responses with shorter TTL values are cached for their actual duration. If the TTL is less than 16 seconds, the IP address is cached for the TTL duration; if it is exactly 16 seconds, it is cached for 16 seconds; and if it is greater than 16 seconds, it is cached for the specified TTL duration.
Without specific configurations, the system defaults to a caching duration of 16 seconds for TTLs less than or equal to 16 seconds, and the TTL duration for values greater than 16 seconds.
This capability allows you to cache DNS responses for their actual TTL value, even if it is lower than the default minimum. By allowing DNS responses to be cached accurately, you prevent the use of outdated addresses. This feature is particularly beneficial in environments where IP addresses change frequently, offering more accurate DNS resolution.
Unless configured otherwise, the system preserves the default behavior for backward compatibility and stability.
DNS Query Interval
Additionally, you can configure the dns-query-interval parameter, which allows you to control the frequency of DNS queries based on received TTL values. By setting a specific interval, you ensure that DNS queries are sent at appropriate times, balancing the need for fresh DNS information with the load on DNS servers.
The DNS query interval configuration forcibly sends a DNS query after the configured duration if the received TTL is longer than the configured interval. Otherwise, the system sends a DNS query when the received TTL itself expires.
Example: If you configure the dns-query-interval value to be 3600 seconds and the received TTL is 4800 seconds, the system caches the entry for 3600 seconds and a DNS query is sent after 3600 seconds, maintaining up-to-date information without overloading the servers.
If you do not configure the dns-query-interval, the DNS query interval is set to 84600 seconds, which is equal to the maximum TTL duration.
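The following Python simulation is an added example (not Junos code and not from this documentation) that models the two rules described above: an address is cached for max(TTL, 16) seconds unless min-ttl-override is set, and a fresh query is forced after dns-query-interval seconds when the TTL is longer. It then measures, for a constructed FQDN whose DNS answer changes over time, how many seconds the firewall would keep forwarding to an address DNS no longer serves, with and without the override.

```python
DEFAULT_MIN_TTL = 16            # SRX minimum cached TTL when min-ttl-override is not set
DEFAULT_QUERY_INTERVAL = 84600  # default dns-query-interval as stated in the document


def cache_seconds(ttl, min_ttl_override=False, query_interval=DEFAULT_QUERY_INTERVAL):
    """Seconds a resolved address stays cached before the firewall re-queries DNS."""
    effective = ttl if min_ttl_override else max(ttl, DEFAULT_MIN_TTL)
    # dns-query-interval forces an earlier query when the TTL is longer than it
    return min(effective, query_interval)


def authoritative_ip(t, changes):
    """Constructed DNS server: `changes` maps a time (seconds) to the address it
    starts serving at that time. Returns the address served at time t."""
    ip = None
    for when in sorted(changes):
        if when <= t:
            ip = changes[when]
    return ip


def stale_seconds(ttl, changes, horizon, min_ttl_override=False):
    """Seconds within `horizon` during which the firewall's cached IP differs from
    what DNS currently serves, i.e. traffic matched on the FQDN goes to a dead address."""
    stale = 0
    t = 0
    while t < horizon:
        cached = authoritative_ip(t, changes)  # fresh query at time t
        expires = t + cache_seconds(ttl, min_ttl_override)
        for sec in range(t, min(expires, horizon)):
            if authoritative_ip(sec, changes) != cached:
                stale += 1
        t = expires
    return stale


# Constructed sample: the FQDN publishes a 5-second TTL and moves between
# documentation-range addresses at t=7 and t=20.
SAMPLE_CHANGES = {0: "198.51.100.10", 7: "198.51.100.11", 20: "198.51.100.12"}

if __name__ == "__main__":
    print("default minimum TTL:", stale_seconds(5, SAMPLE_CHANGES, 60))        # 21
    print("min-ttl-override:   ", stale_seconds(5, SAMPLE_CHANGES, 60, True))  # 3
```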
Configuration Samples
Use the following statements within the address book configuration context to override the minimum TTL for a given FQDN:
[edit]
user@host# set security address-book <address-book name> address <address-name> dns-name <FQDN> min-ttl-override
user@host# set security address-book <address-book name> address <address-name> dns-name <FQDN> dns-query-interval <value>
Example:
[edit]
user@host# set security address-book global address address-1 dns-name abc.com min-ttl-override
user@host# set security address-book global address address-1 dns-name abc.com dns-query-interval 60
The above configuration ensures that DNS responses for "abc.com" with TTL values lower than 16 seconds are cached for their actual TTL duration, maintaining up-to-date IP address information.
This configuration is optional. If you do not configure min-ttl-override, the existing behavior continues.
You can monitor the status of the configuration using the show security dns-cache command. In this example, if the received TTL is 10 seconds, the command displays the following output:
user@host> show security dns-cache
DNS Name: google.com
Address Family: IPv4, TTL: 1, Query Interval: 10, Override minimum TTL: Active
IP Address: 192.168.72.206
DNS entry number: 1
The command output provides details such as the DNS name, address family, TTL, and whether the override is active or inactive. Use this command to verify that the configuration is applied correctly and to monitor the performance implications, ensuring that the system remains stable and optimized.