DNS cache is not caching - TTL 7200 but still seeing repeated requests
We set the connectors on our connector appliance to have larger TTLs, 7200 seconds, but we still see requests for the same URL within minutes of each other.
Here is a DNS request log. I've circled the times. The internal IP is our Connector Appliance.
Is ArcSight connector simply not caching DNS requests despite setting the TTL? Even leaving it at the default of 3600 should not show so many requests within minutes of each other.
Is this a scenario where DNSMasq or Bind might be appropriate?
Re: DNS cache is not caching - TTL 7200 but still seeing repeated requests
If you have a device, like we do, that identifies and silently drops DNS requests to known C&C, for example, and your smarts are not allowed to bypass that check, you will run into loops like the one you described.
The screenshot you provided seems to indicate that this could be the case, but I am assuming.
A smart can't cache a SERVFAIL response, nor can any DNS caching service for that matter.
If this applies to you, then dnsmasq (too limited, don't use it IMHO) or BIND (much better) will be of no use, as they won't be able to cache the SERVFAIL and will have to hit the DNS again every time the smart asks for these addresses.
That being said, we are also experimenting with all the smart options we could find, because we are wondering whether the smart has a (working) negative cache for NXDOMAIN replies or not. The documentation is not very clear on this one.
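To make the caching behaviour discussed in this thread concrete, here is a small caching-resolver model, added as an example and not code from the thread, from ArcSight or from BIND/dnsmasq. It assumes a constructed upstream with three names: one positive answer with a 7200 s TTL, one NXDOMAIN whose negative TTL follows RFC 2308 (min of the SOA MINIMUM field and the SOA record's own TTL), and one name that is sinkholed and returns SERVFAIL. The model treats SERVFAIL as not cacheable, which is the default behaviour of common resolvers (RFC 2308 §7.1 only permits caching it for at most five minutes). Running the same three lookups every minute shows which names keep hitting the upstream server regardless of the configured TTL.

```python
"""Toy caching resolver: which answers stay cached and which go upstream again.

Added example for this thread; not the connector's or any resolver's real code.
All upstream answers below are constructed for illustration.
"""
from dataclasses import dataclass

NOERROR, NXDOMAIN, SERVFAIL = "NOERROR", "NXDOMAIN", "SERVFAIL"


@dataclass
class Answer:
    rcode: str
    ttl: int = 0          # TTL of a positive (NOERROR) answer
    soa_minimum: int = 0  # SOA MINIMUM field returned with an NXDOMAIN (RFC 2308)
    soa_ttl: int = 0      # TTL of that SOA record itself


# Constructed upstream behaviour (hypothetical names).
UPSTREAM = {
    "www.example.com": Answer(NOERROR, ttl=7200),
    "nosuch.example.com": Answer(NXDOMAIN, soa_minimum=300, soa_ttl=3600),
    "blocked.example.net": Answer(SERVFAIL),  # dropped by a C&C filter upstream
}


class CachingResolver:
    """Minimal resolver cache honouring positive TTLs and RFC 2308 negative TTLs."""

    def __init__(self, upstream):
        self.upstream = upstream
        self.cache = {}             # name -> (Answer, expiry time)
        self.upstream_queries = []  # (time, name) for every query sent upstream

    def resolve(self, name, now):
        """Return (rcode, source) where source is 'cache' or 'upstream'."""
        hit = self.cache.get(name)
        if hit is not None and hit[1] > now:
            return hit[0].rcode, "cache"

        ans = self.upstream[name]
        self.upstream_queries.append((now, name))

        if ans.rcode == NOERROR:
            # Positive answer: cached for the record's TTL.
            self.cache[name] = (ans, now + ans.ttl)
        elif ans.rcode == NXDOMAIN:
            # Negative caching (RFC 2308 s5): TTL = min(SOA MINIMUM, SOA TTL).
            self.cache[name] = (ans, now + min(ans.soa_minimum, ans.soa_ttl))
        else:
            # SERVFAIL: nothing is stored, so the next lookup goes upstream again.
            pass
        return ans.rcode, "upstream"


def simulate(names, interval=60, count=10, upstream=UPSTREAM):
    """Look up each name every `interval` seconds, `count` times.

    Returns {name: number of queries that reached the upstream server}.
    """
    resolver = CachingResolver(upstream)
    for i in range(count):
        now = i * interval
        for name in names:
            resolver.resolve(name, now)
    counts = {}
    for _, name in resolver.upstream_queries:
        counts[name] = counts.get(name, 0) + 1
    return counts


if __name__ == "__main__":
    # Ten lookups of each name, one minute apart (0 s .. 540 s).
    for name, n in simulate(list(UPSTREAM)).items():
        print(f"{name:22s} upstream queries: {n}")
```

Over a nine-minute window the positive answer is fetched once, the NXDOMAIN twice (its 300 s negative TTL expires once), and the SERVFAIL name on every single lookup, which is the pattern of "repeated requests within minutes" a caching resolver will produce for sinkholed names no matter what TTL is configured.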