Last updated: 
4 months 1 week ago
Blog Manager
We are the Computer Security and Incident Response Team (CSIRT) for the Janet network. Part of Jisc's Security Operations Centre, our mission is to safeguard the current and future network security of Janet (steering the security policies for all Janet connections) and of our customers, creating a secure environment to conduct your online activities. Our primary function is monitor and resolve any security incidents that occur on the Janet network, with specialists tracking a range of platforms, including Unix, Linux and Windows.

Simple ways to improve your DNS resilience and security: #3 TTL and expire timers

Wednesday, June 25, 2014 - 14:15

So you've designed your redundant architecture and ensured that your data is being replicated across it? All set? Not quite. Within your DNS configuration there are two timers that we frequently see misconfigured -  TTL values and the SOA expire value.

Frequently we see these left at default a default of one day (86400 seconds). Whilst these may suit many organisations it's worth taking a closer look to make sure that they match your expectation for your DNS services.

The TTL value restricts how long a DNS resolver can cache a DNS record before it has to request it again from the authoritative name server. A larger TTL value will mean that end users will get more responsive name resolution, reduce load on the nameserver and provide a partial degree of protection should your nameserver be down. Balanced against this, a shorter TTL allows changes to DNS records to propagate through to caching resolvers more quickly, allowing you to move services to new IP addresses without long delays. This comes at the expense of increased queries against the nameserver and potential delays for clients as they continuously refetch the same records.

For many organisations a shorter TTL than one day is likely to be more appropriate. The issues of load and delays in resolution can be dealt with by building a smarter infrastructure, especially if you can distribute DNS nameservers globally. A short TTL will allow you to quickly move services to other providers and infrastructure should they be subject to a denial of service attack.

The expire value in the SOA record termines how long secondary nameservers will consider their replicated zone data to be valid. Should the nameserver not be able to contact the primary server for more than this period then it will no longer return data for this zone. When setting this value you should take into account a generous estimate of the amount of time it'd take you to rebuild your primary nameserver from the ground up, hardware and all. A few days is probably not nearly long enough and a few weeks is probably the minimum sensible value. RIPE recommends 1000 hours, or just over 40 days.

With some forethought, you can be sure that your DNS infrastructure is actually behaving as expected in the face of adverse events. There's nothing worse than finding out that when your primary DNS server failed at the weekend, the secondary server slipped off the end of the expire timer.