Cache maintenance is already quite a complex part of any recursor. IMO adding cache syncing would introduce way too much complexity to be worth the trouble to solve what in essence is a questionable firewall rule design.
Maybe dnsdist with a packet cache in front of two recursors might be worth considering.

-Otto

On Sat, Sep 17, 2022 at 05:41:14PM +0100, Djerk Geurts wrote:
> Hi Otto,
>
> Thank you for the clarification. Yes, I'm aware that the source may change, but TTL exists for that. So I don't think this is a valid reason to not sync cache. As the current situation is worse:
>
> Resolver A caches IP address 1.1.1.1 and resolver B caches IP address 2.2.2.2. Subsequently a user types to navigate to the site, but the firewall happened to resolve the domain via the other resolver. This ends up causing intermittent issues as it ends up being pot luck whether a user happens to use the same resolver that the firewall used.
>
> A cache sync would at least cause the same behaviour for all users. And using a single resolver is too risky.
>
> On 17 Sept 2022, 15:44, at 15:44, Otto Moerbeek <o...@drijf.net> wrote:
> > Hello,
> >
> > cache syncing is not something we have and even with it (or using a single resolver) there is an issue that records can change. The scenario:
> >
> >  - a client asks the record, record gets cached
> >  - client A asks and gets cached value,
> >  - publisher of records changes the record
> >  - record expires from cache
> >  - client B (firewall) asks and record resolves to different value.
> >
> > On Sat, Sep 17, 2022 at 01:01:09AM +0100, Djerk Geurts via Pdns-users wrote:
> >
> > > Just ran into an issue with recursive DNS servers where the two servers have cached a different A record for mirror.centos.org.
> > >
> > > This is a problem as the firewalls permit access to the FQDN, which presumes that both the client and the firewall end up with the same A record for the domain.
> > >
> > > I'm intending to swap these recursors out with PowerDNS servers, but am wondering if there's a way to keep the record cache in sync between multiple recursors.
> > >
> > > --
> > > Best regards,
> > > Djerk Geurts
> > > m: +44-7535-674620
> > >
> > > Maizymoo Ltd
> > > VAT No: GB192 1529 07
> > > Registration Number: 6638104 (registered in England and Wales)

_______________________________________________
Pdns-users mailing list
Pdns-users@mailman.powerdns.com
https://mailman.powerdns.com/mailman/listinfo/pdns-users
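An added example, not from the thread or from the PowerDNS project, of the arrangement Otto suggests: a dnsdist instance with a single packet cache in front of a pool of two recursors, so that the first answer obtained for a name is served to every client, firewall included, until it expires. The listen address, client networks, backend addresses and cache sizing below are assumptions for illustration.

```lua
-- dnsdist.conf: one shared packet cache in front of two recursors.
-- All addresses and sizes are illustrative assumptions, not from the thread.

-- Address clients (workstations and the firewall alike) send queries to.
setLocal("192.0.2.1:53")
-- Only answer the networks that are meant to use this resolver.
setACL({"192.0.2.0/24", "198.51.100.0/24"})

-- The two PowerDNS Recursor backends, grouped in one pool.
newServer({address="192.0.2.10:53", pool="recursors", name="rec-a"})
newServer({address="192.0.2.11:53", pool="recursors", name="rec-b"})

-- A single packet cache attached to that pool. Whichever backend answers
-- a query first, its response is what every later client receives for the
-- same question until the record's TTL runs out. maxTTL caps how long an
-- entry may live; staleTTL lets dnsdist keep serving an expired entry for
-- a short time if both backends are unreachable.
pc = newPacketCache(200000, {maxTTL=86400, minTTL=0, temporaryFailureTTL=60, staleTTL=60, dontAge=false})
getPool("recursors"):setCache(pc)

-- Route every query to the pool.
addAction(AllRule(), PoolAction("recursors"))
```

This removes the "two caches, two answers" race within one dnsdist, but not the record-change scenario Otto describes: once an entry expires, the next lookup may return a new address, so a firewall rule keyed on an FQDN still depends on the TTL. Running two dnsdist instances for redundancy also reintroduces two separate caches.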