Negative Caching

Kevin Darcy kcd at
Thu Nov 3 18:30:21 UTC 2005

bo63 wrote:

>Newsgroups: free.comp.dns
>From: "bo63" <b... at>
>Date: 3 Nov 2005 06:44:44 -0800
>Local: Thurs, Nov 3 2005 8:44 am
>Subject: Negative Caching
>
>I was wondering if anyone else has had this problem and what they have
>done to fix it.
>My users get to the Internet via a proxy server.  When they request a
>site the proxy server asks my DNS server to resolve for the address.
>Every once in a while my DNS does not get an answer back from the
>Internet, either via my external DNS (which is my ISP's DNS) or a Root
>server within a certain amount of time and my proxy server ends up with
>a negative cache.  One of the sites that we try to access has a TTL of
>60 seconds so basically my DNS is doing a lookup every minute.  Then my
>users cannot access the site for a minimum of 10 minutes.  This causes
>major problems for my company.  I read somewhere that there is an issue
>with Internet DNS taking long times to resolve but I never could find
>any work around.  Does anyone have any suggestions?

You can disable or tune "lame server" caching via the "lame-ttl" option, 
but it's very likely that lowering that value actually gives you worse 
performance overall.

If the root cause here is the unreliability and/or bad performance of 
your ISP's resolvers, then maybe a better strategy is to run your own 
iterative resolver, that wouldn't depend on your ISP's resolvers at all.

Another outside possibility is that the use of EDNS0 to receive UDP DNS 
packets greater than 512 bytes is causing some issues with your firewall 
(if you're going through a firewall, that is). If so, then a *temporary* 
solution may be to reduce the packet sizes via the edns-udp-size option. 
But the long-term solution would be to fix, upgrade or replace the 
broken firewall.

                                                               - Kevin
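
One way to check the EDNS0/firewall theory raised in the reply above, as an added example that is not part of the original post: send the same query with and without an EDNS0 OPT record and compare what comes back. The resolver address and a name known to have an answer larger than 512 bytes are supplied by the operator; the status strings are labels made up for this sketch.

```python
import socket
import struct
import sys

def build_query(name, udp_size=None, qid=0x1234):
    """A/IN query with RD set; adds an EDNS0 OPT record when udp_size is given."""
    header = struct.pack("!HHHHHH", qid, 0x0100, 1, 0, 0, 1 if udp_size else 0)
    labels = name.rstrip(".").split(".")
    qname = b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"
    query = header + qname + struct.pack("!HH", 1, 1)
    if udp_size:
        # OPT RR: root owner, TYPE 41, CLASS = advertised UDP size, TTL 0, RDLENGTH 0
        query += b"\x00" + struct.pack("!HHIH", 41, udp_size, 0, 0)
    return query

def classify(reply):
    """Reduce a raw reply (or None for a timeout) to a short status string."""
    if reply is None:
        return "timeout"
    if len(reply) < 12:
        return "malformed"
    flags = struct.unpack("!H", reply[2:4])[0]
    if flags & 0x0200:          # TC bit: answer did not fit, client retries over TCP
        return "truncated"
    if flags & 0x000F:          # non-zero RCODE, e.g. 2 = SERVFAIL
        return "rcode=%d" % (flags & 0x000F)
    return "ok-large" if len(reply) > 512 else "ok"

def diagnose(plain, edns):
    """Compare the non-EDNS and EDNS results for the same name."""
    if plain != "timeout" and edns == "timeout":
        return "edns-path-suspect"   # plain DNS answers, the EDNS0 exchange is lost
    if plain == "timeout" and edns == "timeout":
        return "server-unreachable"
    return "edns-path-ok" if edns == "ok-large" else "inconclusive"

def probe(server, name, udp_size, timeout=3.0):  # one UDP query; None on timeout
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(build_query(name, udp_size), (server, 53))
        try:
            return s.recvfrom(65535)[0]
        except socket.timeout:
            return None

if __name__ == "__main__":
    server, name = sys.argv[1:3]     # resolver IP, name with a large answer
    results = [classify(probe(server, name, size)) for size in (None, 4096)]
    print(results, diagnose(*results))
```

Run it from the DNS server itself, behind the firewall; a result of `edns-path-suspect` means plain queries are answered while the EDNS0 exchange gets no reply.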
