I have used domain names in the firewall address lists for quite some time.
Lately I have started monitoring my devices with syslog and I am seeing that every second the RouterOS device is sending a DNS query for all the domains in the address lists.
I assumed that the device would do that a bit smarter, i.e. only run a DNS query when the TTL of the record is reached.
Has anyone else seen this? Has anyone seen any documentation regarding the behavior of the address lists' DNS resolution?
It’s supposed to use TTL. What RouterOS version do you have?
I noticed the same (any version ever). What TTL are you talking about? In this case the timeout value is empty because I never want the entry to expire and get removed from the address list; there is no TTL setting.
I get over 1 million DNS requests per day on around 5k DNS names in address lists, which is absurd.
TTL of DNS record. So if I do:
/ip firewall address-list
add address=forum.mikrotik.com list=test
Then unless it was already cached somewhere, it gets resolved and will be valid for two hours (because that’s TTL returned by DNS server). And it will be only resolved again once it expires, so after two hours. That’s how it works here.
I am using both 6.49.2 and 7.1.1.
However now I have captured the dns requests and responses on the DNS server to make sure what happens and…
It seems that indeed the TTL is being considered, but some domains have very weird TTLs.
For example there is a bank domain which has two A records:
1. one with a 10-second TTL
2. one with a 0-second TTL
So it’s continuously running requests over and over again in an endless loop on this specific domain.
There are other domains which have 30 or 60 second TTLs and these look fine.
Sorry for the fuss.
Yes, some use really short TTLs, you’ll have loads of queries for them. Additionally, unless you have dedicated resolver only for this, you’re getting cached records, and if their original TTL from authoritative server is X, you’ll get them with TTL anywhere between X and zero, depending on when they were requested by something else before.
You can set minimal-TTL of a resolved domains… Oh no, you can’t do that with a Mikrotik.
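To make the two points in this thread concrete (a name whose A records carry 10 s and 0 s TTLs, and the way the shortest TTL drives the re-query rate of a resolver that refreshes on expiry), here is an added example that is not part of the thread and not RouterOS code. It builds a constructed DNS response in wire format (the name `bank.example` and the 192.0.2.x addresses are made-up sample values), parses the TTLs out of the answer section, and reports how often a resolver that re-queries when the shortest TTL expires would have to hit that name. Whether RouterOS re-queries exactly at expiry is an assumption taken from the thread, not verified here.

```python
import struct


def _encode_name(name: str) -> bytes:
    """Encode a dotted hostname as DNS wire-format labels."""
    out = b""
    for label in name.rstrip(".").split("."):
        raw = label.encode("ascii")
        out += struct.pack("B", len(raw)) + raw
    return out + b"\x00"


def build_a_response(qname: str, records: list[tuple[str, int]], txid: int = 0x1234) -> bytes:
    """Build a constructed DNS response to an A query, one answer RR per (ip, ttl).

    This stands in for a capture taken on the DNS server; it is sample data, not a real reply.
    """
    header = struct.pack("!HHHHHH", txid, 0x8180, 1, len(records), 0, 0)
    question = _encode_name(qname) + struct.pack("!HH", 1, 1)  # QTYPE=A, QCLASS=IN
    answers = b""
    for ip, ttl in records:
        rdata = bytes(int(octet) for octet in ip.split("."))
        # 0xC00C is a compression pointer back to the question name at offset 12
        answers += b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, ttl, len(rdata)) + rdata
    return header + question + answers


def _read_name(msg: bytes, offset: int) -> tuple[str, int]:
    """Read a (possibly compressed) name; return (name, offset just past it)."""
    labels = []
    jumped = False
    end = offset
    while True:
        length = msg[offset]
        if length & 0xC0 == 0xC0:  # compression pointer
            pointer = struct.unpack("!H", msg[offset:offset + 2])[0] & 0x3FFF
            if not jumped:
                end = offset + 2
            jumped = True
            offset = pointer
            continue
        if length == 0:
            if not jumped:
                end = offset + 1
            break
        offset += 1
        labels.append(msg[offset:offset + length].decode("ascii"))
        offset += length
    return ".".join(labels), end


def parse_a_ttls(msg: bytes) -> list[tuple[str, int]]:
    """Return (ip, ttl) for every IN A record in the answer section."""
    _, _, qdcount, ancount, _, _ = struct.unpack("!HHHHHH", msg[:12])
    offset = 12
    for _ in range(qdcount):
        _, offset = _read_name(msg, offset)
        offset += 4  # skip QTYPE + QCLASS
    result = []
    for _ in range(ancount):
        _, offset = _read_name(msg, offset)
        rtype, rclass, ttl, rdlen = struct.unpack("!HHIH", msg[offset:offset + 10])
        offset += 10
        rdata = msg[offset:offset + rdlen]
        offset += rdlen
        if rtype == 1 and rclass == 1 and rdlen == 4:
            result.append((".".join(str(b) for b in rdata), ttl))
    return result


def refresh_profile(ttls: list[int]) -> dict:
    """Summarise how often a resolver that re-queries on expiry must refresh this name.

    A resolver that keeps every address of a name alive has to re-query when the
    shortest TTL runs out, so the minimum TTL sets the rate. A TTL of 0 means the
    answer is already expired on arrival, which is the endless-loop case from the thread.
    """
    if not ttls:
        return {"min_ttl": None, "queries_per_day": 0, "immediate_requery": False}
    min_ttl = min(ttls)
    if min_ttl == 0:
        return {"min_ttl": 0, "queries_per_day": None, "immediate_requery": True}
    return {"min_ttl": min_ttl, "queries_per_day": 86400 // min_ttl, "immediate_requery": False}


if __name__ == "__main__":
    # Constructed sample: the bank-style name with one 10 s and one 0 s A record.
    reply = build_a_response("bank.example", [("192.0.2.10", 10), ("192.0.2.11", 0)])
    records = parse_a_ttls(reply)
    print(records)
    print(refresh_profile([ttl for _, ttl in records]))
    print(refresh_profile([30, 60]))  # the "looks fine" case: 2880 queries/day
```

Running the same parser over answers obtained through a caching resolver shows the second point made above: the TTLs come back as the remaining lifetime, anywhere between the authoritative value and zero, so the profile for a given name varies with when something else last asked for it.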