[dns-operations] EC2 resolver changing TTL on DNS answers?

Giovane C. M. Moura giovane.moura at sidn.nl
Tue Nov 28 13:32:10 UTC 2017


Anyone from Amazon here? Just came across this: resolvers at EC2
(Northern California) seem to change the TTL of DNS records.

Just curious about why this is happening.

To reproduce:

1. Querying from my laptop:

giovane at laptop:~$ dig ns nl

nl.                     172800  IN      NS      ns1.dns.nl.
nl.                     172800  IN      NS      ns-nl.nic.fr.
nl.                     172800  IN      NS      ns2.dns.nl.
nl.                     172800  IN      NS      sns-pb.isc.org.
nl.                     172800  IN      NS      ns3.dns.nl.
nl.                     172800  IN      NS      nl1.dnsnode.net.
nl.                     172800  IN      NS      ns5.dns.nl.
nl.                     172800  IN      NS      ns4.dns.nl.

In this query, every NS has a TTL on 172800, as in the root zone[1].
That's how it should be.

2. Querying from Amazon EC2 (Northern California):

[ec2-user at ip-172-31-6-139 ~]$ dig ns nl

nl.                     60      IN      NS      ns5.dns.nl.
nl.                     60      IN      NS      ns-nl.nic.fr.
nl.                     60      IN      NS      sns-pb.isc.org.
nl.                     60      IN      NS      nl1.dnsnode.net.
nl.                     60      IN      NS      ns1.dns.nl.
nl.                     60      IN      NS      ns2.dns.nl.
nl.                     60      IN      NS      ns3.dns.nl.
nl.                     60      IN      NS      ns4.dns.nl.

So the TLL using the local resolver from EC2 ( has its TTL
reduced to 60s, instead of what is in [1]. You can run the same query
for any TLD, or even amazon.com.

Just curious why. Thanks,


[1] https://www.internic.net/domain/root.zone

More information about the dns-operations mailing list