Odd behavior with caching-only DNS servers

Smith, William E. (Bill), Jr. Bill.Smith at jhuapl.edu
Thu Feb 9 17:36:08 UTC 2006

At my company, we have our DMZ hosts set up to use 3 caching-only DNS
servers dedicated to the DMZ environment.  The servers are running BIND
9.3.2 on Solaris 9.  The issue that I'm seeing / that is perplexing me
thus far is this.  If I add a host on our primary DNS server (via the
QIP IP Management interface), I can resolve the host by name or IP
immediately from these caching-only servers.  However, when a host is
deleted and/or updated on the primary, the odd behavior begins.  Namely,
while a lookup on any of our authoritative results fails (as expected),
I am still able to look up the host info (by name or IP) on these
caching-only servers.  The only way I've been able to get this outdated
info purged is by stopping / restarting the name server, flushing the
cache, or simply waiting for the TTL to expire (per the default TTL
setting in place).  Aside from this issue, another involves a
host who originally had one IP but was moved to another.  A lookup by IP
on some of these caching-only servers returns the expected result but a
hostname lookup returns the old IP address.  This issue is more
prevalent on one of the 3 servers than the other 2 but an issue
What's further frustrating is that our internal servers are configured
to forward queries outside our domain to a set of 3 caching-only servers
(separate from the DMZ servers), where the queries in the aforementioned
scenarios work as expected (i.e. query failing or returning updated

In terms of the BIND configuration, they are more or less identical sans
ACLs restricting who can/can't query them.  I've been working this
issue for a bit now but nothing obvious is sticking out at me.  I can
easily resolve things by making the default TTL lower but that is really
not the answer.

Any insight, suggestions, etc. would be appreciated.

- Bill
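A check for the situation described in the post, added here as an example and not part of the original message: compare what the authoritative server answers with what each caching-only server still holds, and report cached records the authoritative no longer returns together with the seconds left on their TTL. It parses the answer-section lines that `dig +noall +answer` prints; the host names and addresses below are constructed samples, not from the poster's environment.

```python
"""Spot stale records on a caching-only resolver (added example, not from the post)."""
from __future__ import annotations
from dataclasses import dataclass


@dataclass(frozen=True)
class RR:
    name: str
    ttl: int
    rtype: str
    rdata: str


def parse_dig_answer(text: str) -> list[RR]:
    """Parse lines printed by `dig +noall +answer`: name ttl IN type rdata."""
    records = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 5 or fields[0].startswith(";") or fields[2] != "IN":
            continue  # skip blank lines, comments and anything that is not an RR line
        name = fields[0].rstrip(".").lower()
        records.append(RR(name, int(fields[1]), fields[3], " ".join(fields[4:])))
    return records


def stale_records(auth: list[RR], cache: list[RR]) -> list[tuple[RR, int]]:
    """Return each cached RR the authoritative server no longer returns, paired
    with the seconds until the cache must drop it (its remaining TTL)."""
    current = {(r.name, r.rtype, r.rdata) for r in auth}
    return [(r, r.ttl) for r in cache if (r.name, r.rtype, r.rdata) not in current]


# Constructed sample output: web1 was moved from 10.1.1.20 to 10.1.1.30 on the
# primary. The caching-only server still holds the old A record (TTL counting
# down), while the PTR is cached separately and already reflects the new data,
# which is why a lookup by IP can succeed while the lookup by name is stale.
AUTH_ANSWER = """web1.dmz.example.com.\t86400\tIN\tA\t10.1.1.30
30.1.1.10.in-addr.arpa.\t86400\tIN\tPTR\tweb1.dmz.example.com.
"""
CACHE_ANSWER = """web1.dmz.example.com.\t52113\tIN\tA\t10.1.1.20
30.1.1.10.in-addr.arpa.\t86399\tIN\tPTR\tweb1.dmz.example.com.
"""


def report(auth_text: str, cache_text: str) -> list[str]:
    """One human-readable line per stale cached record."""
    stale = stale_records(parse_dig_answer(auth_text), parse_dig_answer(cache_text))
    return [f"STALE {r.rtype} {r.name} -> {r.rdata} (expires in {ttl}s)" for r, ttl in stale]


if __name__ == "__main__":
    print("\n".join(report(AUTH_ANSWER, CACHE_ANSWER)) or "cache consistent")
```

Run it against real output by feeding `dig @<authoritative> ... +noall +answer` and `dig @<caching-server> ... +noall +answer` into `report()` for each of the caching-only servers; a record that shows up as stale with a large remaining TTL is exactly the one that will keep answering until that TTL runs out or the cache is flushed.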

