DNS TTL handling on macOS

Hi, we are dealing in our product with an issue due to a mismatch between how the DNS TTL is handled in the backend and how the DNS TTL is handled on the Mac device:

The issue is due to different TTL values of the DNS entry saved on the Mac device and backend. For the failure case (access to some web pages is not working on Safari), the Mac device holds a DNS entry for more than 5 minutes, but the backend keeps the entry for around one minute. It results in some misbehavior in the backend for the particular FQDN once the DNS entry on the backend expires.

Backend holds a DNS entry as per the TTL value specified in the A record. The Mac device appears to have a different logic, i.e., it considers the TTL value of the CNAME record instead of the A record.

Is it possible to confirm how the TTL is handled on macOS? Is macOS caching the CNAME TTL if the resource is accessed via a name and caching the A record TTL if an A record is accessed? Thanks

We are observing similar behaviour. In our Zero Trust Connectivity environment, outbound access is only allowed to destinations resolved by allowed FQDN queries. Those allowed connections are closed upon DNS TTL expiry. The connection is immediately re-allowed upon re-query of the FQDN, but the problem with macOS/iOS+Safari is that the TTLs are ignored.

The behaviour we're observing much past TTL expiry is that the process attempts the cached entry first, while at the same time re-querying DNS, and when it gets an RST (TCP reset packet) to the destination, the cache is expunged. The result is that when "Page cannot be displayed" occurs, a refresh is required, which is not a good Safari (or other Apple app that uses the same cache) user experience.

The less-than-ideal solution is Chrome or Chromium-based browsers. They handle their own DNS appropriately, so those browsers are required until this is resolved.

I am observing a similar behaviour using python socket.gethostbyname() on mac and on an AWS Lambda function. On Mac the resolved address is cached for 15 seconds. AWS Lambda respects the record TTL and caches the address for 2-4 seconds.

Apparently mDNSResponder respects the TTL but has a minimum time of 15 sec.
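To make the three observations above concrete (the CNAME-versus-A TTL question in the first post, the stale-address window the zero-trust reply describes, and the 15-second floor reported in the last reply), here is a small model of how long a client keeps a resolved address under each caching policy and how that disagrees with a backend that expires on the A record TTL. This is an added example, not code from anyone in this thread or from Apple; the records, policy names, and timings are constructed assumptions chosen to reproduce the behaviours the posts describe, not a description of mDNSResponder's actual implementation.

```python
"""Model of DNS cache lifetime under different TTL policies (added example,
constructed data; the policies are assumptions, not mDNSResponder's code)."""
from dataclasses import dataclass


@dataclass(frozen=True)
class RR:
    """One resource record from an answer section."""
    name: str
    rtype: str  # "CNAME" or "A"
    ttl: int    # seconds
    data: str


# Constructed answer chain mirroring the first post: the queried name is a
# CNAME with a long TTL, the terminal A record has a short TTL.
ANSWER = [
    RR("www.example.test", "CNAME", 300, "edge.example.test"),
    RR("edge.example.test", "A", 60, "203.0.113.10"),
]

# Constructed answer mirroring the last reply: a bare A record with a 2 s TTL.
SHORT_ANSWER = [RR("api.example.test", "A", 2, "203.0.113.20")]


def effective_ttl(answer, policy, floor=0):
    """Seconds the final address stays cached under a given policy.

    policy "a_record":  TTL of the terminal A record (what the backend uses)
    policy "cname":     TTL of the first CNAME (what the first post suspects
                        macOS uses when the name is reached via a CNAME)
    policy "min_chain": the chained answer is reused only while every RR in
                        it is still fresh, i.e. the minimum TTL in the chain
    floor: minimum cache time applied after the policy (the last reply
           reports a 15 s floor; the value here is a parameter, not a fact)."""
    a_ttls = [rr.ttl for rr in answer if rr.rtype == "A"]
    cname_ttls = [rr.ttl for rr in answer if rr.rtype == "CNAME"]
    if policy == "a_record":
        ttl = min(a_ttls)
    elif policy == "cname":
        ttl = cname_ttls[0] if cname_ttls else min(a_ttls)
    elif policy == "min_chain":
        ttl = min(rr.ttl for rr in answer)
    else:
        raise ValueError(f"unknown policy {policy!r}")
    return max(ttl, floor)


def stale_window(client_ttl, backend_ttl):
    """Seconds during which the client still sends to the cached address
    after the backend has expired its entry (and, in the zero-trust setup,
    closed the allow rule). Zero when the client expires first."""
    return max(0, client_ttl - backend_ttl)


def attempt_outcome(t, client_ttl, backend_ttl):
    """Classify a connection attempt t seconds after both sides resolved.

    "allowed": both caches fresh; "stale": client still uses the cached
    address but the backend dropped it (the 'Page cannot be displayed'
    case); "requery": the client itself would re-resolve first."""
    if t >= client_ttl:
        return "requery"
    if t >= backend_ttl:
        return "stale"
    return "allowed"


if __name__ == "__main__":
    backend = effective_ttl(ANSWER, "a_record")
    for policy, floor in (("a_record", 0), ("cname", 0),
                          ("min_chain", 0), ("min_chain", 15)):
        client = effective_ttl(ANSWER, policy, floor)
        print(f"{policy:9} floor={floor:2}: client {client:3}s, backend "
              f"{backend:3}s, stale window {stale_window(client, backend)}s")
    print("short A record, 15 s floor:",
          effective_ttl(SHORT_ANSWER, "a_record", floor=15), "s")
    for t in (30, 90, 400):
        print(f"t={t:3}s:", attempt_outcome(t, effective_ttl(ANSWER, "cname"), backend))
```

Running the module prints the cache lifetime per policy and the outcome of attempts at 30, 90 and 400 seconds; the "cname" row reproduces the 5-minute-versus-1-minute gap from the first post, and the `floor=15` case reproduces the 2 s record being held for 15 s. The useful diagnostic step for a real environment is to compare the TTLs of the CNAME and A records in the actual answer against how long the client keeps returning the same address, which tells you which policy the client is effectively following.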
