TTL when querying for any record with dig

This question comes from this topic. When I do this I get the remaining seconds until the A record expires in the queried nameserver:

dig stackexchange.com

However, if I do this I get the authorative TTLs values:

dig any stackexchange.com 

So, I don’t understand why when I do dig any stackexchange.com I get all TTL values as if I did an authorative question, when I actually made a recursive query.

1

2 Answers

To be short, Both of the queries you have mentioned in the question are non-authoritative query.

DNS records for a domain can be queried from a caching DNS server or from an authoritative DNS server. So when you want to query a caching DNS server you can either specify the DNS IP address or if not specified, the default DNS server that has been configured in /etc/resolv.conf will be taken.

Non authoritative query

$ dig stackexchange.com

or

$ dig stackexchange.com @8.8.8.8

In above both cases the query returns a non-authoritative reply because your ISP's DNS or Google's public DNS (8.8.8.8) are not authoritative for stackexchange.com domain. As you have queried an non-authoritative nameserver the TTL value it provides will decrease for each time you query it. Once the TTL value expires the caching nameserver will requery the authoritative DNS server.

Authoritative query

So to get an authoritative reply you need to query the record from an authoritative DNS server and which can be found with below method.

$ dig ns stackexchange.com ...
;; ANSWER SECTION:
stackexchange.com. 84894 IN NS cf-dns02.stackexchange.com.
stackexchange.com. 84894 IN NS cf-dns01.stackexchange.com. ...

The ANSWER SECTION provides the authoritative nameservers for the domain stackexchange.com and so if we need to get the authoritative reply then

$ dig stackexchange.com @cf-dns01.stackexchange.com.

While we query the authoritative DNS server the TTL values will not change because these Nameservers are the primary source of the information and they dont expire until its administrator changes it.

How ANY record works

ANY record is like a wild-card, you can use it to get all records that are cached/stored in a DNS server. For example I have queried stackexchange.com for ANY record and my default DNS server replies as below.

$ dig any stackexchange.com ....
;; ANSWER SECTION:
stackexchange.com. 86350 IN SOA cf-dns01.stackexchange.com. dns.cloudflare.com. 2017456480 10000 2400 604800 3600
stackexchange.com. 176 IN A 198.252.206.140
stackexchange.com. 84338 IN NS cf-dns01.stackexchange.com.
stackexchange.com. 84338 IN NS cf-dns02.stackexchange.com. ....

Here you can see that the reply contains only information about SOA, A and NS record. But there are actually more records for stackexchange.com which are not cached in my default DNS server as I havent queried for it.

Now I am querying for MX record to my default DNS server and the reply is as

$ dig MX stackexchange.com ....
;; ANSWER SECTION:
stackexchange.com. 300 IN MX 10 aspmx3.googlemail.com.
stackexchange.com. 300 IN MX 5 alt2.aspmx.l.google.com.
stackexchange.com. 300 IN MX 5 alt1.aspmx.l.google.com.
stackexchange.com. 300 IN MX 10 aspmx2.googlemail.com.
stackexchange.com. 300 IN MX 1 aspmx.l.google.com. ....

Now I again query for ANY record and now you can see that query for ANY has returned MX records too. And so ANY record will just provide records that are only cached on your default nameserver.

$ dig any stackexchange.com ....
;; ANSWER SECTION:
stackexchange.com. 298 IN MX 5 alt1.aspmx.l.google.com.
stackexchange.com. 298 IN MX 10 aspmx2.googlemail.com.
stackexchange.com. 86084 IN NS cf-dns01.stackexchange.com.
stackexchange.com. 298 IN MX 10 aspmx3.googlemail.com.
stackexchange.com. 298 IN MX 1 aspmx.l.google.com.
stackexchange.com. 298 IN MX 5 alt2.aspmx.l.google.com.
stackexchange.com. 86084 IN NS cf-dns02.stackexchange.com.
stackexchange.com. 243 IN A 198.252.206.140
stackexchange.com. 86343 IN SOA cf-dns01.stackexchange.com. dns.cloudflare.com. 2017456480 10000 2400 604800 3600 ....

And as you can see the TTL values are changing for non-authoritative replies.

0

You are not understanding the TTL field on DNS queries. The TTL is an indicator for the client how long it should cache the results before re-querying the nameserver again. Unless you update your DNS server with a different value for the TTL, the response will always be the same. It is very bad practice to re-query nameservers every-time you need to resolve a hostname to an IP.

12

Your Answer

Sign up or log in

Sign up using Google Sign up using Facebook Sign up using Email and Password

Post as a guest

By clicking “Post Your Answer”, you agree to our terms of service, privacy policy and cookie policy

You Might Also Like