On the fly TTL modification on a cache DNS server

Kevin Darcy kcd at daimlerchrysler.com
Thu Sep 7 03:34:30 UTC 2006

Francois Goudal wrote:
> Hello,
> I'm currently making Linux software for an avionics embedded router.
> The charge for each minute is about 10$ so I made some things for the 
> user to disable and block any outgoing connections.
> I would like, when it is blocked, every http connection to be redirected 
> to the internal webserver, to display a splashscreen.
> On currently existing software that provides splashscreens, it is much
> easier cause the DNS resolution can be done because the connection is 
> permanent.
> Here, I will have to "hack" the DNS resolution for this redirection.
> Currently, bind is installed as a DNS cache server on the router.
> I would like it to serve also as a nameserver that will reply to every 
> request it gets without referring to another DNS server, always replying 
> the router's local IP address.
> Currently, I have made some successful tests about that but, my problem 
> is about TTLs.
> When for example internet is disabled and I want for example to access
> google.com, it is resolved as (the router's address), so I 
> can see the splashscreen.
> Now if I activate the internet, I can't go to google.com cause it's not 
> resolved again (in the client cache, it's still
> I solved this problem, now, the TTL is quite small and it works.
> But:
> When internet is enabled, the bind just acts as a dns cache server so if 
> I get google.com, it is resolved as its real IP and put in the client's 
> cache (this TTL is provided by google's nameservers). So if I close the 
> connection, now the client still refers to google's real IP address so 
> the splashscreen doesn't appear as it should.
> I would like the bind cache to do an on the fly alteration of the DNS 
> answers, to set a very low TTL for the client's answers.
> Do you know a way to do that?

Well, BIND 9 has a "max-cache-ttl" option, but it's not really 
appropriate to use that for what you're attempting to do, since it would 
cause the entries to actually *expire* from named's cache, as opposed to 
named caching normally yet "spoofing" TTL values. Premature expiration 
would then cause named to generate a lot of unnecessary traffic to 
Internet nameservers, which would be very anti-social.

If this problem is web-specific, I wouldn't be trying to solve it at the 
DNS level. There's all sorts of fun tricks you can play if you have some 
Linux smarts inline with the routing of HTTP connections. See 
http://www.ex-parrot.com/~pete/upside-down-ternet.html. A more tame 
variation is to just redirect the requests to an internal splashpage 
when appropriate.

                                       - Kevin
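
The difference between expiring cache entries early (max-cache-ttl) and only lowering the TTL handed to the client can be shown on the wire format. The following is an added example, not code from this thread or from BIND: it rewrites the TTL fields in a copy of a DNS response and leaves the original (cached) message untouched. The function names and the sample packet are constructed for illustration.

```python
import struct

OPT = 41  # EDNS pseudo-record: its TTL field carries flags, not a lifetime

def _skip_name(msg, off):
    """Return the offset just past the (possibly compressed) name at off."""
    while True:
        length = msg[off]
        if length & 0xC0 == 0xC0:   # compression pointer, always the last element
            return off + 2
        if length == 0:             # root label
            return off + 1
        off += 1 + length

def records(msg):
    """Yield (rtype, ttl, ttl_offset) for each record after the question section."""
    try:
        qd, an, ns, ar = struct.unpack_from("!4H", msg, 4)
        off = 12
        for _ in range(qd):
            off = _skip_name(msg, off) + 4      # skip QTYPE and QCLASS
        for _ in range(an + ns + ar):
            off = _skip_name(msg, off)
            rtype, _cls, ttl, rdlen = struct.unpack_from("!HHIH", msg, off)
            if off + 10 + rdlen > len(msg):
                raise ValueError("RDATA runs past end of message")
            yield rtype, ttl, off + 4
            off += 10 + rdlen
    except (IndexError, struct.error):
        raise ValueError("truncated or malformed DNS message") from None

def clamp_ttls(msg, cap):
    """Return a copy of the response with every real TTL lowered to at most cap."""
    out = bytearray(msg)
    for rtype, ttl, ttl_off in records(msg):
        if rtype != OPT and ttl > cap:
            struct.pack_into("!I", out, ttl_off, cap)
    return bytes(out)

def sample_response():
    """Constructed reply: example.test A 192.0.2.1, TTL 300, owner name compressed."""
    header = struct.pack("!6H", 0x1234, 0x8180, 1, 1, 0, 0)
    question = b"\x07example\x04test\x00" + struct.pack("!HH", 1, 1)
    answer = b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, 300, 4) + bytes([192, 0, 2, 1])
    return header + question + answer
```

Because only the four TTL bytes of each record change, message length and compression pointers stay valid, and the upstream TTL still governs when the cache itself refreshes.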
