Category Archives: dns

Cache DNS server in SRX

Starting from 12.1X44-D10, an SRX box can also run as a cache-only DNS server, or a DNS proxy if we are to stick to the name used in the documentation. It also has view support, i.e. you can direct DNS queries to specific DNS servers based on the source address.

In this topology, I have a web server whose local address is  but externally it has address , and I would like to respond with the local address to local clients in this example, to make my life easier (I am not interested in DNS responses to the Internet in this post).

DNS uses UDP or TCP?

As you know, DNS primarily uses UDP as its transport layer protocol, but for zone transfers (opcode AXFR, IXFR) it also uses TCP. There is one more case indeed! DNS messages over UDP are restricted to 512 bytes and, according to RFC 1035 (one of my favorites, by the way), longer messages are truncated and the TC bit is set in the header. To see this in real life, I set more than 700 A resource records in my zone and sent a standard query with the dig command:

The message above is the immediate reaction of dig, but I also captured what happens at the packet level. Here is the DNS message I received from the authoritative server:

The authoritative server informs the resolver that the message has been truncated; now look at what the resolver does in Wireshark:

Message number 52 is the truncated message. As soon as the resolver receives it, it switches to TCP. Isn’t it cool? 🙂 I think with the upcoming EDNS, there will be more cool stuff waiting for us.
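The UDP-to-TCP switch seen in the capture, written out as an added example (my code, not the post's and not from any DNS implementation). The "authoritative server" is a Python object that builds the answer in-process: it returns a header with TC=1 and no answer records when the response would exceed 512 bytes over UDP, and the full length-prefixed message over TCP. The 700 A records, the names and the 192.0.2.0/24 addresses are constructed sample data; the header flag values, the 0xC00C compression pointer and the two-byte TCP length prefix are as defined in RFC 1035.

```python
"""DNS truncation and the UDP-to-TCP retry of RFC 1035 (sections 4.1.1 and 4.2.2).
Added example, not code from the blog post. Everything is constructed in-process:
the 'authoritative server' is a Python object and no sockets are opened."""
import struct

UDP_MAX = 512       # RFC 1035 4.2.1: a DNS message over UDP is limited to 512 bytes (before EDNS0)
FLAG_QR = 0x8000    # response
FLAG_AA = 0x0400    # authoritative answer
FLAG_TC = 0x0200    # truncated: the full message did not fit in the UDP limit
FLAG_RD = 0x0100    # recursion desired
FLAG_RA = 0x0080    # recursion available


def encode_name(name):
    """'www.example.com' -> length-prefixed labels ending in a zero byte (uncompressed wire form)."""
    labels = name.strip(".").split(".")
    return b"".join(bytes([len(label)]) + label.encode("ascii") for label in labels) + b"\x00"


def build_query(txid, qname, qtype=1):
    """Standard query with RD set: one question of the given type, class IN."""
    header = struct.pack("!HHHHHH", txid, FLAG_RD, 1, 0, 0, 0)
    return header + encode_name(qname) + struct.pack("!HH", qtype, 1)


def parse_header(msg):
    """Decode the 12-byte header; the TC bit is what the resolver checks before retrying over TCP."""
    txid, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", msg[:12])
    return {"id": txid, "qr": bool(flags & FLAG_QR), "tc": bool(flags & FLAG_TC),
            "rcode": flags & 0x000F, "qdcount": qd, "ancount": an, "nscount": ns, "arcount": ar}


def question_end(msg):
    """Offset just past the single, uncompressed question (name, QTYPE, QCLASS) of a query we built."""
    i = 12
    while msg[i] != 0:
        i += msg[i] + 1
    return i + 1 + 4


def build_response(query, addresses, ttl=300):
    """Full answer: the question echoed back, then one A record per address; each RR owner is a
    compression pointer (0xC00C) to the question name at offset 12."""
    txid = struct.unpack("!H", query[:2])[0]
    question = query[12:question_end(query)]
    header = struct.pack("!HHHHHH", txid, FLAG_QR | FLAG_AA | FLAG_RD | FLAG_RA, 1, len(addresses), 0, 0)
    rrs = b"".join(b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, ttl, 4) + bytes(int(o) for o in ip.split("."))
                   for ip in addresses)
    return header + question + rrs


def truncate_response(full):
    """What goes out over UDP when the answer is too large: same header with TC=1, the question and no
    answer records (a server may keep a partial answer set; dropping it keeps the example simple)."""
    txid, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", full[:12])
    return struct.pack("!HHHHHH", txid, flags | FLAG_TC, qd, 0, 0, 0) + full[12:question_end(full)]


def frame_tcp(msg):
    """RFC 1035 4.2.2: over TCP every message is prefixed by its length as a two-byte big-endian integer."""
    return struct.pack("!H", len(msg)) + msg


def unframe_tcp(stream):
    """Take exactly one length-prefixed message off a TCP byte stream."""
    length = struct.unpack("!H", stream[:2])[0]
    if len(stream) < 2 + length:
        raise ValueError("incomplete TCP DNS message")
    return stream[2:2 + length]


class FakeAuthServer:
    """Stand-in for the authoritative server (constructed for this example)."""
    def __init__(self, addresses):
        self.addresses = addresses

    def udp(self, query):
        full = build_response(query, self.addresses)
        return full if len(full) <= UDP_MAX else truncate_response(full)

    def tcp(self, framed_query):
        return frame_tcp(build_response(unframe_tcp(framed_query), self.addresses))


def resolve(server, qname, txid=0x1234):
    """Resolver side: try UDP first; if TC is set, repeat the same query over TCP.
    Returns (number of answer records, whether TCP was needed)."""
    query = build_query(txid, qname)
    reply = server.udp(query)
    hdr = parse_header(reply)
    used_tcp = False
    if hdr["tc"]:
        reply = unframe_tcp(server.tcp(frame_tcp(query)))
        hdr = parse_header(reply)
        used_tcp = True
    if hdr["id"] != txid or not hdr["qr"]:
        raise ValueError("reply does not match our query")
    return hdr["ancount"], used_tcp


# Constructed zones: two A records fit in a UDP message; 700 A records (as in the post) do not.
SMALL_ZONE = ["192.0.2.1", "192.0.2.2"]
BIG_ZONE = ["192.0.2.%d" % (i % 254 + 1) for i in range(700)]

if __name__ == "__main__":
    print("small zone:", resolve(FakeAuthServer(SMALL_ZONE), "www.example.com"))  # (2, False)
    print("big zone:  ", resolve(FakeAuthServer(BIG_ZONE), "www.example.com"))    # (700, True)
```

The resolver re-checks the transaction ID and QR bit on the TCP reply as well, because the retry is a second, independent message exchange: a reply that does not match the query is discarded rather than cached.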

Negative caching on DNS

Today I increased the SOA minimum TTL value to lengthen my negative caching period, but I have seen that no DNS server respects my change :) Here are two different results:

From the Google server:

From another cache server:

What does this really mean? I thought there must be a limitation somewhere, so I checked RFC 2308 (Negative Caching of DNS Queries), but I don’t see any limitation there. Although the BIND documentation at  says the maximum value allowed by the RFC is 3 hours, I couldn’t see any text saying this 🙁 I will dig into it later when I have more time…
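How a resolver derives the negative-cache TTL, as an added example (my code, not the post's and not from any resolver). RFC 2308 has the resolver take the SOA record from the authority section of an NXDOMAIN or NODATA reply and use the smaller of that record's TTL and its MINIMUM field; separately, a resolver may cap the result with its own limit (in BIND this is the max-ncache-ttl option, whose default is 10800 seconds, i.e. 3 hours). The page does not say which caps the Google and the other cache server apply, so the 10800-second cap below models BIND's default, not those servers. The NXDOMAIN reply, the example.com SOA and its serial and timers are constructed sample data.

```python
"""Negative caching TTL per RFC 2308: for an NXDOMAIN or NODATA reply the resolver caches the
negative answer for min(TTL of the SOA in the authority section, SOA MINIMUM field); a resolver may
additionally cap that with its own limit (BIND: max-ncache-ttl, default 10800 s).
Added example, not code from the blog post; the NXDOMAIN reply is constructed inline."""
import struct

BIND_DEFAULT_MAX_NCACHE_TTL = 10800   # seconds; default of the BIND 9 named.conf option max-ncache-ttl


def read_name(msg, offset):
    """Decode a possibly compressed domain name. Returns (name, offset just past it in the stream).
    Pointer hops are bounded so a malformed message cannot loop the parser forever."""
    labels, end, hops = [], None, 0
    while True:
        length = msg[offset]
        if length & 0xC0 == 0xC0:                          # compression pointer (RFC 1035 4.1.4)
            pointer = struct.unpack("!H", msg[offset:offset + 2])[0] & 0x3FFF
            if end is None:
                end = offset + 2                           # the name ends after the first pointer
            hops += 1
            if hops > 64:
                raise ValueError("compression pointer loop")
            offset = pointer
            continue
        offset += 1
        if length == 0:
            break
        labels.append(msg[offset:offset + length].decode("ascii"))
        offset += length
    return ".".join(labels), (offset if end is None else end)


def read_rr(msg, offset):
    """Return (owner, type, class, ttl, rdata_offset, rdlength, next_offset) for the RR at offset."""
    owner, off = read_name(msg, offset)
    rtype, rclass, ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
    return owner, rtype, rclass, ttl, off + 10, rdlen, off + 10 + rdlen


def negative_cache_ttl(msg):
    """RFC 2308 sections 3 and 5: find the SOA in the authority section of a negative reply and
    compute the TTL the resolver should use. Returns None when the reply is not a negative answer."""
    txid, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", msg[:12])
    rcode = flags & 0x000F
    if an != 0 or rcode not in (0, 3):                 # NODATA (rcode 0, no answers) or NXDOMAIN (rcode 3)
        return None
    off = 12
    for _ in range(qd):
        _, off = read_name(msg, off)
        off += 4                                       # QTYPE + QCLASS
    for _ in range(ns):
        owner, rtype, _, ttl, rd, _, off = read_rr(msg, off)
        if rtype == 6:                                 # SOA
            _, rd = read_name(msg, rd)                 # MNAME
            _, rd = read_name(msg, rd)                 # RNAME
            serial, refresh, retry, expire, minimum = struct.unpack("!IIIII", msg[rd:rd + 20])
            return {"rcode": rcode, "soa_owner": owner, "soa_ttl": ttl,
                    "minimum": minimum, "negative_ttl": min(ttl, minimum)}
    return None


def cached_negative_ttl(msg, resolver_cap=BIND_DEFAULT_MAX_NCACHE_TTL):
    """The value a resolver with a negative-cache cap actually keeps for this reply."""
    info = negative_cache_ttl(msg)
    return None if info is None else min(info["negative_ttl"], resolver_cap)


def build_nxdomain(txid, soa_ttl, minimum):
    """Constructed NXDOMAIN reply for nonexistent.example.com with an SOA for example.com in the
    authority section. The SOA owner and the names inside its RDATA are pointers (0xC018) to
    'example.com' inside the question name, which starts at offset 24."""
    question = b"\x0bnonexistent\x07example\x03com\x00" + struct.pack("!HH", 1, 1)
    header = struct.pack("!HHHHHH", txid, 0x8583, 1, 0, 1, 0)   # QR AA RD RA, rcode 3 (NXDOMAIN)
    rdata = (b"\x03ns1\xc0\x18" + b"\x0ahostmaster\xc0\x18"
             + struct.pack("!IIIII", 2024010101, 7200, 900, 1209600, minimum))
    soa = b"\xc0\x18" + struct.pack("!HHIH", 6, 1, soa_ttl, len(rdata)) + rdata
    return header + question + soa


if __name__ == "__main__":
    reply = build_nxdomain(1, soa_ttl=86400, minimum=3600)
    print(negative_cache_ttl(reply))        # negative_ttl 3600: the smaller of SOA TTL and MINIMUM
    reply = build_nxdomain(2, soa_ttl=86400, minimum=86400)
    print(cached_negative_ttl(reply))       # 10800: the resolver-side cap, not the zone, decides
```

The second run is the situation in the post: raising MINIMUM (and the SOA TTL) past three hours changes what the zone advertises, but a resolver that enforces a cap like max-ncache-ttl still stores the negative answer for at most 10800 seconds, which is why the observed TTL does not follow the zone.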