[dns-operations] EC2 resolver changing TTL on DNS answers?

Peterson, Alec alecpete at amazon.com
Tue Nov 28 15:21:36 UTC 2017


Hi Giovane,

I’m with Amazon, and this is intentional behavior.  Based on feedback we’ve heard from our customers, it’s especially painful for them to mis-configure a DNS record and have that result cached in a layer they have no control over (i.e., the resolver infrastructure within EC2).  We do recognize that this has a side-effect of increasing the load on all authoritative servers.

Alec

> On Nov 28, 2017, at 5:32 AM, Giovane C. M. Moura <giovane.moura at sidn.nl> wrote:
> 
> Hi,
> 
> Anyone from Amazon here? Just came across this: resolvers at EC2
> (Northern California) seem to change the TTL of DNS records.
> 
> Just curious about why this is happening.
> 
> To reproduce:
> 
> 1. Querying from my laptop:
> 
> giovane at laptop:~$ dig ns nl
> 
> nl.                     172800  IN      NS      ns1.dns.nl.
> nl.                     172800  IN      NS      ns-nl.nic.fr.
> nl.                     172800  IN      NS      ns2.dns.nl.
> nl.                     172800  IN      NS      sns-pb.isc.org.
> nl.                     172800  IN      NS      ns3.dns.nl.
> nl.                     172800  IN      NS      nl1.dnsnode.net.
> nl.                     172800  IN      NS      ns5.dns.nl.
> nl.                     172800  IN      NS      ns4.dns.nl.
> 
> In this query, every NS has a TTL on 172800, as in the root zone[1].
> That's how it should be.
> 
> 2. Querying from Amazon EC2 (Northern California):
> 
> [ec2-user at ip-172-31-6-139 ~]$ dig ns nl
> 
> nl.                     60      IN      NS      ns5.dns.nl.
> nl.                     60      IN      NS      ns-nl.nic.fr.
> nl.                     60      IN      NS      sns-pb.isc.org.
> nl.                     60      IN      NS      nl1.dnsnode.net.
> nl.                     60      IN      NS      ns1.dns.nl.
> nl.                     60      IN      NS      ns2.dns.nl.
> nl.                     60      IN      NS      ns3.dns.nl.
> nl.                     60      IN      NS      ns4.dns.nl.
> 
> 
> So the TTL using the local resolver from EC2 (172.31.0.2) has its TTL
> reduced to 60s, instead of what is in [1]. You can run the same query
> for any TLD, or even amazon.com.
> 
> 
> Just curious why. Thanks,
> 
> /giovane
> 
> [1] https://www.internic.net/domain/root.zone
> _______________________________________________
> dns-operations mailing list
> dns-operations at lists.dns-oarc.net
> https://lists.dns-oarc.net/mailman/listinfo/dns-operations
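The trade-off Alec describes (a resolver-side TTL cap limits how long a mis-configured record stays stuck in a cache the customer cannot flush, at the price of more queries to authoritative servers) can be made concrete with a toy caching resolver. This is an added example, not code from the thread or from Amazon; the resolver, the one-query-per-second client, the one-hour window and the replacement record value are all constructed here. The 172800 s TTL is the root-zone NS TTL Giovane quoted, and the 60 s cap is what the EC2 resolver returned. The last function parses answer lines in dig's default `name ttl IN type rdata` layout, which is the check Giovane did by hand.

```python
"""Toy caching resolver to show the cost and benefit of clamping cached TTLs.

Added example, not code from the thread. All names, timings and the
replacement record value are constructed for illustration.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional, Set, Tuple


@dataclass
class Authoritative:
    """Stand-in for an authoritative server; counts how often it is queried."""
    zone: Dict[str, Tuple[str, int]]  # name -> (rdata, authoritative TTL)
    queries: int = 0

    def query(self, name: str) -> Tuple[str, int]:
        self.queries += 1
        return self.zone[name]

    def publish(self, name: str, rdata: str) -> None:
        """Operator changes (or fixes) a record; the TTL is left as is."""
        self.zone[name] = (rdata, self.zone[name][1])


class CachingResolver:
    """Recursive resolver with an optional cap on cached TTLs (max-cache-ttl style)."""

    def __init__(self, upstream: Authoritative, max_ttl: Optional[int] = None):
        self.upstream = upstream
        self.max_ttl = max_ttl
        self.cache: Dict[str, Tuple[str, int]] = {}  # name -> (rdata, expires_at)

    def resolve(self, name: str, now: int) -> Tuple[str, int]:
        """Return (rdata, remaining_ttl) as a client behind this resolver sees it."""
        cached = self.cache.get(name)
        if cached and cached[1] > now:
            return cached[0], cached[1] - now
        rdata, ttl = self.upstream.query(name)
        if self.max_ttl is not None:
            ttl = min(ttl, self.max_ttl)  # the clamping the thread is about
        self.cache[name] = (rdata, now + ttl)
        return rdata, ttl


def simulate(max_ttl: Optional[int], seconds: int = 3600, change_at: int = 330) -> dict:
    """One client querying `nl` once per second; the record is changed at `change_at`.

    Returns the TTL the client saw on its first answer, how many queries reached
    the authoritative server, and how long after the change the client saw it
    (None if it never did within the window).
    """
    auth = Authoritative({"nl": ("ns1.dns.nl.", 172800)})
    resolver = CachingResolver(auth, max_ttl)
    first_ttl: Optional[int] = None
    seen_new_at: Optional[int] = None
    for now in range(seconds):
        if now == change_at:
            auth.publish("nl", "ns1.example.")  # constructed replacement value
        rdata, ttl = resolver.resolve("nl", now)
        if first_ttl is None:
            first_ttl = ttl
        if rdata == "ns1.example." and seen_new_at is None:
            seen_new_at = now
    return {
        "first_ttl": first_ttl,
        "upstream_queries": auth.queries,
        "propagation_delay": None if seen_new_at is None else seen_new_at - change_at,
    }


# Constructed from the two dig outputs in the thread (two rows each is enough).
LAPTOP_ANSWER: List[str] = [
    "nl.                     172800  IN      NS      ns1.dns.nl.",
    "nl.                     172800  IN      NS      ns-nl.nic.fr.",
]
EC2_ANSWER: List[str] = [
    "nl.                     60      IN      NS      ns5.dns.nl.",
    "nl.                     60      IN      NS      ns-nl.nic.fr.",
]


def answer_ttls(lines: List[str]) -> Set[int]:
    """Collect the TTLs from `name ttl IN type rdata` lines; non-record lines are skipped."""
    ttls: Set[int] = set()
    for line in lines:
        parts = line.split()
        if len(parts) >= 5 and parts[2] == "IN" and parts[1].isdigit():
            ttls.add(int(parts[1]))
    return ttls


if __name__ == "__main__":
    for cap in (None, 60):
        print(f"max_ttl={cap}: {simulate(cap)}")
    print("laptop TTLs:", answer_ttls(LAPTOP_ANSWER), "EC2 TTLs:", answer_ttls(EC2_ANSWER))
```

With no cap the client sees a 172800 s TTL, the authoritative server is hit once in the hour, and the changed record is never seen inside the window; with the 60 s cap the authoritative server is hit 60 times in the same hour and the change is visible after at most one cap interval. That is the trade-off in one table: roughly sixty times the authoritative load for a bounded worst-case staleness of 60 s.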