Reply to DNS TTL handling on macOS
We are observing similar behaviour. In our Zero Trust Connectivity environment, outbound access is only allowed to destinations resolved by allowed FQDN queries. Those allowed connections are closed upon DNS TTL expiry. The connection is immediately re-allowed upon re-query of the FQDN, but the problem with macOS/iOS+Safari is that the TTLs are ignored. The behaviour we're observing much past TTL expiry is that the process attempts the cached entry first, while at the same time re-querying DNS, and when it gets an RST (TCP reset packet) from the destination, the cache is expunged. The result is that when "Page cannot be displayed" occurs, a refresh is required, which is not a good Safari (or other Apple app that uses the same cache) user experience. The less-than-ideal solution is Chrome or Chromium-based browsers. They handle their own DNS appropriately, so those browsers are required until this is resolved.
Feb ’22
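The interaction described in the reply above, as an added simulation that is not code from the poster, from Apple, or from any Zero Trust product: an egress enforcement point that allows a destination IP only while the FQDN answer that produced it is inside its TTL and resets the flow afterwards, driven by two client behaviours, one that honours the TTL and one that sends the SYN with the stale cached IP before its parallel re-query has re-armed the rule. The zone data, the IP, the TTL and the page-load timestamps are all constructed for the example.

```python
"""Added example (not from the forum post): simulate a DNS-gated egress
policy and compare a TTL-respecting client with a cache-first client
that only discards a cached answer once it receives a TCP RST."""
from dataclasses import dataclass

# Constructed authoritative data: FQDN -> (IP, TTL in seconds)
ZONE = {"app.example.test": ("192.0.2.10", 60)}


@dataclass
class Answer:
    ip: str
    expires_at: float  # absolute time at which the TTL runs out


class Enforcer:
    """Egress enforcement point together with the resolver it observes.

    A destination IP is allowed from the moment it is resolved until the
    TTL of that answer expires; a SYN to anything else is answered with RST."""

    def __init__(self):
        self.allowed = {}  # ip -> absolute expiry time of the allow rule

    def resolve(self, fqdn, now):
        ip, ttl = ZONE[fqdn]
        self.allowed[ip] = now + ttl  # (re-)arm the allow rule on every query
        return Answer(ip, now + ttl)

    def connect(self, ip, now):
        expiry = self.allowed.get(ip)
        return "SYN-ACK" if expiry is not None and now < expiry else "RST"


class TtlRespectingClient:
    """Re-resolves before connecting whenever the cached answer is stale."""

    def __init__(self, enforcer):
        self.e, self.cache = enforcer, {}

    def fetch(self, fqdn, now):
        ans = self.cache.get(fqdn)
        if ans is None or now >= ans.expires_at:
            ans = self.cache[fqdn] = self.e.resolve(fqdn, now)
        return self.e.connect(ans.ip, now)


class CacheFirstClient:
    """Models the behaviour the reply describes for macOS/iOS + Safari:
    the stale entry is used for the SYN while the re-query is still in
    flight, so the SYN reaches the enforcer before the rule is re-armed;
    the RST expunges the entry and only the next attempt resolves afresh."""

    def __init__(self, enforcer):
        self.e, self.cache = enforcer, {}

    def fetch(self, fqdn, now):
        ans = self.cache.get(fqdn)
        if ans is None:  # cold cache, or entry expunged by an earlier RST
            ans = self.cache[fqdn] = self.e.resolve(fqdn, now)
            return self.e.connect(ans.ip, now)
        result = self.e.connect(ans.ip, now)  # SYN with cached IP, TTL ignored
        if now >= ans.expires_at:
            self.cache[fqdn] = self.e.resolve(fqdn, now)  # parallel re-query lands
        if result == "RST":
            self.cache.pop(fqdn, None)  # cache entry expunged on reset
        return result


def run(client_cls, times, fqdn="app.example.test"):
    """Drive one client through page loads at the given timestamps and
    return the TCP outcome of each attempt."""
    client = client_cls(Enforcer())
    return [client.fetch(fqdn, t) for t in times]


if __name__ == "__main__":
    loads = [0, 30, 120, 121]  # first load, within TTL, well past TTL, refresh
    for cls in (TtlRespectingClient, CacheFirstClient):
        print(cls.__name__, run(cls, loads))
```

With the constructed 60-second TTL, the TTL-respecting client succeeds on all four loads, while the cache-first client gets an RST on the load at t=120 and only succeeds on the refresh at t=121, which is the "Page cannot be displayed" followed by a manual refresh that the reply reports. The race is deliberately modelled as "SYN first, re-query answer second"; if the re-query answer arrived before the SYN, the rule would already be re-armed and no RST would occur.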