01.12.2014

TTL values in DNS

ISNIC's requirement of a TTL value (Time To Live) of 86400 seconds for NS records surprises many technical staff and even irritates some. Most are not used to such strict requirements, and some do not even understand what the TTL value is or how to change it, so they conclude that the requirement is unnecessary. In reality there are very good and valid reasons for it, as recent examples show:

1. The TTL values of DNS resource records tell resolvers how long they may cache the records they receive, which stops them from repeatedly sending queries to the authoritative nameservers for the same record. Most DNS records change rarely, so a low TTL causes unnecessary traffic and load on the authoritative nameservers. The only downside of a high TTL is that changes to records have to be planned in advance: the TTL is lowered well before the change (at least one old TTL period, so that cached copies have expired) and raised again after it. ISNIC allows for this, as our systems send warnings to the contacts for 8 weeks after a technical fault is found before the domain is put on hold. This gives administrators a reasonable time to fix the errors that are found.
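To show where the TTL actually lives in a zone and how to check it, here is an added example in Python (not ISNIC's own tooling and not part of the original article). It parses a small zone-file fragment constructed for the example, applies the $TTL default to records that carry no TTL of their own, and flags NS records whose effective TTL is below the 86400-second requirement. The domain example.is, the nameserver names and the addresses are placeholders.

```python
"""Check the effective TTL of NS records in a zone-file fragment.

Added example, not ISNIC's tooling.  The zone text below is constructed
for the example; example.is and its nameservers are placeholders.
"""

REQUIRED_NS_TTL = 86400  # ISNIC's requirement for NS records, in seconds

# Constructed sample zone: a $TTL default of one hour, two NS records with
# an explicit 86400, one NS record that silently inherits the too-low
# default, and a www record whose short TTL is perfectly fine.
SAMPLE_ZONE = """\
$TTL 3600
$ORIGIN example.is.
@        86400 IN NS   ns1.example.is.
@        86400 IN NS   ns2.example.is.
@              IN NS   ns3.example.is.      ; inherits $TTL 3600: too low
@              IN A    192.0.2.10
www      300   IN A    192.0.2.10           ; short TTL is fine for an A record
ns1            IN A    192.0.2.53
"""


def parse_zone(text):
    """Return a list of (owner, ttl, type, rdata) tuples.

    Handles the subset of RFC 1035 master-file syntax used above: $TTL and
    $ORIGIN directives, ';' comments, an optional per-record TTL and an
    optional class field.  A record without its own TTL gets the current
    $TTL, which is exactly how a too-low NS TTL sneaks into a zone.
    """
    default_ttl = None
    origin = "."
    last_owner = None
    records = []
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].rstrip()      # strip comments
        if not line.strip():
            continue
        if line.startswith("$TTL"):
            default_ttl = int(line.split()[1])
            continue
        if line.startswith("$ORIGIN"):
            origin = line.split()[1]
            continue
        # An owner name is present only when the line does not start with
        # whitespace; otherwise the previous owner is reused.
        fields = line.split()
        if line[0].isspace():
            owner = last_owner
        else:
            owner = fields.pop(0)
        ttl = None
        if fields and fields[0].isdigit():
            ttl = int(fields.pop(0))
        if fields and fields[0].upper() == "IN":
            fields.pop(0)
        rtype = fields.pop(0).upper()
        rdata = " ".join(fields)
        if ttl is None:
            ttl = default_ttl
        if owner == "@":
            owner = origin
        elif not owner.endswith("."):
            owner = owner + "." + origin
        last_owner = owner
        records.append((owner, ttl, rtype, rdata))
    return records


def ns_ttl_violations(text, required=REQUIRED_NS_TTL):
    """Return the NS records whose effective TTL is below `required`."""
    return [r for r in parse_zone(text) if r[2] == "NS" and r[1] < required]


if __name__ == "__main__":
    for owner, ttl, rtype, rdata in ns_ttl_violations(SAMPLE_ZONE):
        print("NS TTL too low: %s %d NS %s" % (owner, ttl, rdata))
```

To fix a flagged record, either put the explicit TTL on each NS line (as ns1 and ns2 above) or raise $TTL for the whole zone; the value resolvers actually see can then be confirmed with `dig +noall +answer NS example.is`, whose second column is the TTL.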

2. A new kind of DDoS (Distributed Denial of Service) attack has been observed recently, called the "DNS Slow Drip Attack". In a DDoS attack many computers flood a victim's service with requests until it can no longer respond, effectively knocking the service offline. DNS is especially vulnerable to this kind of attack because of its open nature and its use of UDP. UDP makes it trivial to spoof source addresses, which makes it very difficult to filter attack packets from legitimate queries.

3. The Slow Drip Attack works like this: the attacker creates a flood of queries for random names under the domain to be attacked. If "domain.is" is under attack, they query for aaaa.domain.is, aaaba.domain.is and so on. The names are always random and almost never repeat. The queries can be sent through open resolvers, such as Google Public DNS. Since the names do not exist, the authoritative nameserver answers NXDOMAIN, as fast and for as long as it can, but the torrent of queries only grows until the server can no longer respond quickly enough and becomes unresponsive to all queries. This effectively knocks out every service under the victim's domain. If the attack is large enough it can also affect the TLD under which the victim's domain is delegated (see the dafa888.wf attack).

4. If the TTL of the NS records of the victim's domain is low (dafa888.wf has a TTL of 600 seconds), the TLD nameservers see a large part of the attack traffic: every resolver used in the attack re-queries the TLD for the delegation whenever its cached NS records expire. With a TTL of 600 a resolver asks for the NS records every ten minutes; with a TTL of 86400, as ISNIC's requirement dictates, it asks only once every 24 hours, 144 times less often. Most resolvers replace the delegation they got from the TLD with the NS RRset the domain's own nameservers return, so the TTL set in the zone itself is what governs this. A high TTL therefore stops an attack like this from affecting every domain under the TLD, as happened with dafa888.wf.
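The effect of the NS TTL on the two targets can be made concrete with a small simulation. This is an added example in Python, not part of the original article and not a measurement of any real attack: it models a set of caching resolvers that each hold the victim's NS RRset for its TTL and hold NXDOMAIN answers for a negative-cache TTL, then counts how many queries reach the TLD nameservers and how many reach the victim's authoritative servers. The resolver count, query rate, duration and negative-cache TTL are assumed values chosen only to show the ratio; a second mode, in which the attacker draws names from a small pool instead of never repeating one, shows why negative caching only helps when names repeat.

```python
"""Model the query load of a random-subdomain ("slow drip") attack.

Added example, not from the original article.  All parameters are
assumptions chosen to illustrate the TTL ratio, not measurements.
"""
import random


def simulate(ns_ttl, resolvers=100, duration=3600, rate=2, neg_ttl=300,
             unique_names=True, seed=1):
    """Return (queries_to_tld, queries_to_victim) over the attack window.

    Each second, `rate` queries for names under the victim domain arrive at
    each resolver.  A name still in the resolver's negative cache is
    answered locally.  Otherwise, if the resolver's cached NS RRset for the
    domain has expired (or was never fetched), it first asks the TLD
    servers for the delegation, then sends the query to the victim's
    authoritative servers, which answer NXDOMAIN with a negative TTL.
    With unique_names=True the attacker never repeats a name, so the
    negative cache never hits and every query reaches the victim.
    """
    rng = random.Random(seed)
    counter = 0
    ns_expires = [0] * resolvers                     # per resolver: expiry of cached NS RRset
    neg_cache = [dict() for _ in range(resolvers)]   # per resolver: name -> expiry time
    to_tld = to_victim = 0
    for t in range(duration):
        for r in range(resolvers):
            for _ in range(rate):
                if unique_names:
                    counter += 1                     # never-repeating attacker label
                    name = "q%d" % counter
                else:
                    name = "host%d" % rng.randrange(100)   # small pool, names repeat
                if neg_cache[r].get(name, 0) > t:
                    continue                         # served from negative cache
                if ns_expires[r] <= t:
                    to_tld += 1                      # must re-learn the delegation
                    ns_expires[r] = t + ns_ttl
                to_victim += 1
                neg_cache[r][name] = t + neg_ttl     # NXDOMAIN cached until then
    return to_tld, to_victim


def compare(low_ttl=600, high_ttl=86400, **kw):
    """Run the model with a low and a high NS TTL and return both loads."""
    tld_low, victim_low = simulate(low_ttl, **kw)
    tld_high, victim_high = simulate(high_ttl, **kw)
    return {"tld_low": tld_low, "tld_high": tld_high,
            "victim_low": victim_low, "victim_high": victim_high}


if __name__ == "__main__":
    r = compare()
    print("TLD queries, TTL 600:   %d" % r["tld_low"])
    print("TLD queries, TTL 86400: %d" % r["tld_high"])
    print("victim queries (both):  %d / %d" % (r["victim_low"], r["victim_high"]))
    print("victim queries, names from a pool of 100: %d" % simulate(600, unique_names=False)[1])
```

With the assumed parameters the TLD sees six delegation look-ups per resolver in an hour at TTL 600 and one at TTL 86400, while the victim's authoritative servers receive exactly the same number of queries in both runs; only when the attacker reuses names does the negative cache start absorbing traffic.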

Unfortunately a high TTL does not help the victim itself, since the queries are all for names that do not exist in the victim's zone and each name is asked for only once, so negative caching never helps (see Negative Cache), but it does reduce the size of the attack and stops the collateral damage. So, while ISNIC's requirement of a rather high TTL is sometimes vilified unjustly, it is very valid and has proven its technical and security value many times.