psantiamo (Regular Contributor)

DNS cache is not caching - TTL 7200 but still seeing repeated requests

We set the connectors on our connector appliance to have larger TTLs, 7200 seconds, but we still see requests for the same URL within minutes of each other.

Here is a DNS request log. I've circled the times. The internal IP is our Connector Appliance.

Is ArcSight connector simply not caching DNS requests despite setting the TTL? Even leaving it at the default of 3600 should not show so many requests within minutes of each other.

Is this a scenario where DNSMasq or Bind might be appropriate?

DanyK7 (Honored Contributor)

Re: DNS cache is not caching - TTL 7200 but still seeing repeated requests

Hi Patrick,

If you have a device, like we do, that identifies and silently drops DNS requests to known C&C, for example, and your smarts are not allowed to bypass that check, you will run into loops like the one you described.

The printscreen you provided seems to indicate it could be the case, but I am assuming.

A smart can't cache a SERVFAIL request, nor can any DNS caching service for that matter.

If it applies to you, then dnsmasq (too limited - don't use IMHO) or bind (much better) will not be of any use, as they won't be able to cache the SERVFAIL and will have to hit the DNS again every time the smart asks for these addresses.

That being said, we are also experimenting with all the smarts options we could find because we are wondering if the smart has a (working) negative cache for NXDOMAIN replies or not. Documentation is not very clear about this one.

Best regards,

Dany

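An added example, not part of either post: one way to check a DNS query log for the two explanations discussed in this thread, by flagging names re-queried inside the 7200-second TTL and separating repeats that follow a failed lookup from repeats that follow a successful answer. The log format (timestamp, client, name, response code), the sample lines and the function names are assumptions constructed for illustration.

```python
from datetime import datetime

TTL_SECONDS = 7200  # connector cache TTL quoted in the original post

# Constructed sample log. The "timestamp client qname rcode" layout is an
# assumption; adapt parse() to the real DNS server or firewall log format.
SAMPLE_LOG = """\
2018-03-01T10:00:00 10.0.0.5 updates.example.com NOERROR
2018-03-01T10:02:10 10.0.0.5 bad.example.net SERVFAIL
2018-03-01T10:04:30 10.0.0.5 bad.example.net SERVFAIL
2018-03-01T10:07:00 10.0.0.5 bad.example.net SERVFAIL
2018-03-01T10:20:00 10.0.0.5 www.example.org NOERROR
2018-03-01T10:25:00 10.0.0.5 www.example.org NOERROR
2018-03-01T12:30:00 10.0.0.5 updates.example.com NOERROR
"""

def parse(log):
    """Yield (timestamp, client, qname, rcode) for each well-formed line."""
    for line in log.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue  # skip blank or malformed lines
        ts, client, qname, rcode = parts
        yield (datetime.fromisoformat(ts), client,
               qname.lower().rstrip("."), rcode.upper())

def repeats_within_ttl(log, ttl=TTL_SECONDS):
    """Map (client, qname) to repeat counts for names re-queried within ttl."""
    last = {}      # (client, qname) -> (timestamp, rcode) of the previous query
    findings = {}
    for ts, client, qname, rcode in sorted(parse(log)):
        key = (client, qname)
        if key in last:
            prev_ts, prev_rcode = last[key]
            if (ts - prev_ts).total_seconds() < ttl:
                f = findings.setdefault(key, {"repeats": 0, "after_failure": 0})
                f["repeats"] += 1
                # Any rcode other than NOERROR is treated as a failed lookup.
                if prev_rcode != "NOERROR":
                    f["after_failure"] += 1
        last[key] = (ts, rcode)
    for f in findings.values():
        if f["after_failure"] == f["repeats"]:
            f["cause"] = "failure not cached"
        elif f["after_failure"] == 0:
            f["cause"] = "positive answer not cached"
        else:
            f["cause"] = "mixed"
    return findings
```

Repeats labelled "failure not cached" match the dropped or SERVFAIL scenario in the reply; repeats labelled "positive answer not cached" match the original question's suspicion that the TTL setting is not being honoured.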