Configurable (or shorter) negative DNS cache TTL needed

I use DNS cache on v4.1 on RB1000 and it works pretty well most of the time.

Unfortunately it also caches negative responses and it gives them 24h TTL. This is bad in case of temporary problems of a DNS domain or a DNS server. The domain is then inaccessible until the negative response expires or DNS cache is manually flushed (this can be automated by scripts but then it defeats the purpose of caching…)

I’d opt for configurable TTL, but I can live with hardcoded value of 5 minutes.

Thanks.

I think that it is possible to configure cache-max-ttl for DNS cache entries in /ip dns.

Thanks for your answer. I was aware of that setting, but it alone is not enough. It limits the TTL of ALL records. From what I see at the moment, the average TTL of DNS records is about 6 hours. If I set cache-max-ttl to 5 minutes, I’ll be almost defeating the purpose of caching. It will also increase DNS traffic. For a good explanation, please see RFC 2308, section 2.2.1, subsection “5 - Caching Negative Answers”. They say the TTL should be the minimum read from the SOA record, but a global cache-negative-max-ttl is still compliant :wink:

Please consider this.

Thanks.

Yes, negative cache TTL should be taken from the DNS zone's SOA itself, not some arbitrary number.

Our DNS cache should add negative records when an SOA is received.
Are you sure that the SOA is not equal to 5 minutes? (The SOA parameter is specified by the owner of the DNS name.)

I tested it - I pinged the following names:
ping www.not-existing-site.not-existing-tld
ping www.not-existing-site.com
ping www.not-existing.google.com

The first two got a 24h TTL, the last one got a 5-minute TTL, which I presume comes from Google’s SOA.
I have problems with the first two - they should have a much shorter TTL because the site may have had intermittent connectivity problems, but thanks to the long TTL they are not available until tomorrow…

Thanks.

If you have set any DNS domain in DHCP or otherwise, or just to be sure, append a dot at the end to test it reliably:
ping www.not-existing-site.not-existing-tld.
ping www.not-existing-site.com.
ping www.not-existing.google.com.

Thanks.

This is a very old topic, but the problem still persists. I just ran into the same thing here: http://forum.mikrotik.com/t/split-dns-setup-problem/158332/22

A workaround would be to write and schedule a script that changes the TTL of negative cache records from >1m to 1m. This would only affect the negative cache records, nothing else.

But in general, an option for a negative cache max TTL under /ip/dns would be preferable. Was there a feature request submitted for this? Should we submit one?

Tried for years to convince Mikrotik of this. In the end, I am running now a separate DNS resolver to do this for the router.

Juniper do have a setting for the negative caching TTL. It would be nice to have such a setting, because during DNS tests, without it, the only solution is to flush the cache each time we want to remove a negatively cached entry.

I suggest every upstream DNS zone has a reasonable minimum TTL:

dig www.not-existing.google.com
google.com.  60 IN SOA  ns1.google.com. dns-admin.google.com. 738736615 900 900 1800 60

dig www.not-existing-site.com
com.  900 IN SOA  a.gtld-servers.net. nstld.verisign-grs.com. 1742534562 1800 900 604800 900

dig www.not-existing-site.not-existing-tld
.  10800 IN SOA  a.root-servers.net. nstld.verisign-grs.com. 2025032002 1800 900 604800 86400

Top-level domain population is effectively static, so 1 day caching is reasonable there, but only there.
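The RFC 2308 rule referenced earlier in the thread (section 5: the negative cache TTL is the minimum of the SOA record's own TTL and its MINIMUM field) can be applied directly to the three dig answers above. The script below is an added example, not code from the thread or from MikroTik: it parses dig-style SOA lines, derives the RFC 2308 negative TTL, and then models the two caps under discussion (the existing cache-max-ttl, which hits every record, versus a hypothetical negative-only cap). The `dig` output embedded in it is constructed around the SOA lines quoted in the thread; the function and parameter names are my own.

```python
"""Derive RFC 2308 negative-cache TTLs from dig-style SOA lines.

Added example, not part of the forum thread. Parses the presentation-format SOA
lines that dig prints in the AUTHORITY section of an NXDOMAIN answer and applies
RFC 2308 section 5: negative TTL = min(SOA MINIMUM field, TTL of the SOA record).
"""
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass(frozen=True)
class SoaRecord:
    owner: str
    ttl: int       # TTL of the SOA record itself (first number on the dig line)
    mname: str
    rname: str
    serial: int
    refresh: int
    retry: int
    expire: int
    minimum: int   # MINIMUM field, repurposed by RFC 2308 as the negative-cache TTL


def parse_soa_line(line: str) -> SoaRecord:
    """Parse one dig-style line: '<owner> <ttl> IN SOA <mname> <rname> <5 numbers>'."""
    fields = line.split()
    if len(fields) != 11 or fields[2].upper() != "IN" or fields[3].upper() != "SOA":
        raise ValueError(f"not a dig-style SOA answer line: {line!r}")
    owner, ttl, _cls, _type, mname, rname, *nums = fields
    serial, refresh, retry, expire, minimum = (int(n) for n in nums)
    return SoaRecord(owner, int(ttl), mname, rname, serial, refresh, retry, expire, minimum)


def soa_records_from_dig(output: str) -> List[SoaRecord]:
    """Pull every SOA answer line out of a full dig output, skipping ';' comment lines."""
    records = []
    for raw in output.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        fields = line.split()
        if len(fields) == 11 and fields[3].upper() == "SOA":
            records.append(parse_soa_line(line))
    return records


def negative_ttl(soa: SoaRecord) -> int:
    """RFC 2308 section 5: the negative answer is cached for min(MINIMUM, SOA TTL)."""
    return min(soa.minimum, soa.ttl)


def effective_ttl(ttl: int, negative: bool,
                  cache_max_ttl: Optional[int] = None,
                  cache_negative_max_ttl: Optional[int] = None) -> int:
    """Model the two caps discussed in the thread.

    cache_max_ttl          - the existing global cap; applies to positive AND negative entries.
    cache_negative_max_ttl - hypothetical negative-only cap (assumed name, not a RouterOS option).
    """
    caps = [cache_max_ttl]
    if negative:
        caps.append(cache_negative_max_ttl)
    return min([ttl] + [c for c in caps if c is not None])


# SOA lines exactly as quoted in the thread, keyed by the name that was queried.
THREAD_SOA_LINES: Dict[str, str] = {
    "www.not-existing.google.com":
        "google.com.  60 IN SOA  ns1.google.com. dns-admin.google.com. 738736615 900 900 1800 60",
    "www.not-existing-site.com":
        "com.  900 IN SOA  a.gtld-servers.net. nstld.verisign-grs.com. 1742534562 1800 900 604800 900",
    "www.not-existing-site.not-existing-tld":
        ".  10800 IN SOA  a.root-servers.net. nstld.verisign-grs.com. 2025032002 1800 900 604800 86400",
}

# Constructed dig output (header lines are illustrative) wrapping the thread's root SOA line.
SAMPLE_DIG_OUTPUT = """\
; <<>> DiG 9.18.28 <<>> www.not-existing-site.not-existing-tld
;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 12345
;; QUESTION SECTION:
;www.not-existing-site.not-existing-tld.   IN   A

;; AUTHORITY SECTION:
.  10800 IN SOA  a.root-servers.net. nstld.verisign-grs.com. 2025032002 1800 900 604800 86400
"""


def rfc2308_negative_ttls(lines: Dict[str, str]) -> Dict[str, int]:
    """Map each queried name to the negative TTL RFC 2308 says a resolver should use."""
    return {name: negative_ttl(parse_soa_line(line)) for name, line in lines.items()}


if __name__ == "__main__":
    for name, ttl in rfc2308_negative_ttls(THREAD_SOA_LINES).items():
        print(f"{name}: RFC 2308 negative TTL = {ttl}s")
    root = soa_records_from_dig(SAMPLE_DIG_OUTPUT)[0]
    print("root NXDOMAIN, capped only by cache-max-ttl=300:",
          effective_ttl(negative_ttl(root), True, cache_max_ttl=300))
    print("positive 6h record under the same cache-max-ttl=300:",
          effective_ttl(21600, False, cache_max_ttl=300))
    print("positive 6h record under a negative-only cap of 300:",
          effective_ttl(21600, False, cache_negative_max_ttl=300))
```

Run as-is, the script shows why the thread's numbers matter: RFC 2308 gives 60 s for the Google name, 900 s under .com and 10800 s (3 hours, the SOA's own TTL rather than its 86400 MINIMUM) for the bogus TLD, none of which is the 24 h the router was observed to use. The last two `effective_ttl` calls make the cache-max-ttl objection concrete: a global cap of 300 s drags a 6-hour positive record down to 5 minutes, while a negative-only cap leaves it untouched.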