I asked this question on how to see the Linux DNS cache. It looks like it's possible but it doesn't show TTL, unlike those for Firefox, Chrome, and Windows.

On Windows, this looks like

PS C:\> ipconfig /displaydns

Windows IP Configuration


    chrome.cloudflare-dns.com
    ----------------------------------------
    Record Name . . . . . : chrome.cloudflare-dns.com
    Record Type . . . . . : 1
    Time To Live  . . . . : 54
    Data Length . . . . . : 4
    Section . . . . . . . : Answer
    A (Host) Record . . . : 104.18.27.211


        vortex.data.microsoft.com
    ----------------------------------------
    Record Name . . . . . : vortex.data.microsoft.com
    Record Type . . . . . : 5
    Time To Live  . . . . : 6
    Data Length . . . . . : 8
    Section . . . . . . . : Answer
    CNAME Record  . . . . : asimov.vortex.data.trafficmanager.net

...

On Linux, it's possible to dump the cache and look at it with journalctl:

rj@vps:~$ time=$(date "+%F %T")
rj@vps:~$ systemctl kill -s USR1 systemd-resolved
rj@vps:~$ journalctl -b -0 --since "$time" -u systemd-resolved | grep " IN "
Oct 10 22:28:38 myserver systemd-resolved[3255524]:         cloudflare.com IN A 104.16.133.229
Oct 10 22:28:38 myserver systemd-resolved[3255524]:         cloudflare.com IN A 104.16.132.229

Question

How do you get the TTL of a record in the DNS cache on Linux using systemd?

Edit:

Based on user1686's answer, this script will return the TTL, or 0 if it is at 0 or not in the cache:

get-ttl () {
    site="$1"
    time=$(date "+%F %T")
    # Ask systemd-resolved to dump its cache to the journal, then read the dump back
    systemctl kill -s USR1 systemd-resolved
    dns_cache=$(journalctl -b -0 --since "$time" -u systemd-resolved \
        | grep " IN ")
    # Keep the dump line-oriented (quoted) and match the name literally, not as a regex
    site_cache="$(printf '%s\n' "$dns_cache" | grep -F -- "$site")"
    if [ -n "$site_cache" ]
        then dig +noall +answer "$site" A | awk '{ print $2 }'
        else echo 0
    fi
}

You can then use this to find TTL in cache and out of cache:

$ get-ttl motel6.com
3349
$ get-ttl motels.com
0
Ross Jacobs

1 Answer

Make a DNS query against the caching resolver:

dig +noall +answer cloudflare.com A @127.0.0.53

The remaining cache TTL in seconds will be shown as the 2nd field (between name and class). Optionally add +ttlunits to have it formatted.

(Note that you shouldn't need to specify the @127.0.0.53, as it should be the only entry in your resolv.conf when using systemd-resolved; I have included it for demonstration purposes only.)

Whenever a DNS server returns an answer from cache (regardless of it being systemd-resolved or dnsmasq or your router or 8.8.8.8) the answer's TTL field will always indicate the remaining time to live in the server's cache, to ensure that downstream resolvers won't keep the entry cached longer than the original limit. Only authoritative answers may include the full TTL.

u1686_grawity

I'll mark this as the answer, but dig modifies the DNS cache by adding an entry if it's not there, which is a "destructive" lookup. `ipconfig /displaydns` does not have this trait when showing TTL. – Ross Jacobs Oct 11 '21 at 17:40
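Added example (not from the question, the answer, or systemd-resolved's own code): a minimal Python parser for the answer section of a DNS message, showing the per-record TTL field that the answer describes as dig's second column. The response bytes are a constructed sample (TTL 54, two A records for cloudflare.com, with the name-compression pointer a real resolver would emit), so it runs offline; fed a raw reply captured from 127.0.0.53 it reads the remaining cache TTL without depending on dig's text layout.

```python
import struct

# Constructed sample (not a real capture): a response to "cloudflare.com IN A" with
# two answers of TTL 54, using a compression pointer (0xC00C) back to the question name.
def build_sample_response():
    header = struct.pack("!HHHHHH", 0x1234, 0x8180, 1, 2, 0, 0)  # QD=1, AN=2
    question = b"\x0acloudflare\x03com\x00" + struct.pack("!HH", 1, 1)
    def a_record(ip, ttl):
        rdata = bytes(int(octet) for octet in ip.split("."))
        return b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, ttl, len(rdata)) + rdata
    return header + question + a_record("104.16.133.229", 54) + a_record("104.16.132.229", 54)

def parse_name(msg, off):
    # Decode a possibly compressed name; return (name, offset just after it).
    labels, end = [], None
    while True:
        length = msg[off]
        if length & 0xC0 == 0xC0:                 # 2-byte compression pointer
            pointer = struct.unpack("!H", msg[off:off + 2])[0] & 0x3FFF
            end = off + 2 if end is None else end  # resume after the first pointer
            off = pointer
            continue
        off += 1
        if length == 0:
            break
        labels.append(msg[off:off + length].decode("ascii"))
        off += length
    return ".".join(labels), (off if end is None else end)

def answer_records(msg):
    # Return [(name, rtype, ttl, rdata_text)] for every RR in the answer section.
    qdcount, ancount = struct.unpack("!HH", msg[4:8])
    off = 12                                      # fixed 12-byte header
    for _ in range(qdcount):                      # skip QNAME, QTYPE, QCLASS
        _, off = parse_name(msg, off)
        off += 4
    records = []
    for _ in range(ancount):
        name, off = parse_name(msg, off)
        rtype, _rclass, ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        rdata = msg[off:off + rdlen]
        text = rdata.hex()                        # fallback for other record types
        if rtype == 1 and rdlen == 4:             # A: dotted quad
            text = ".".join(str(b) for b in rdata)
        elif rtype == 5:                          # CNAME: another (compressed) name
            text, _ = parse_name(msg, off)
        off += rdlen
        records.append((name, rtype, ttl, text))
    return records
```

The TTL in each tuple is exactly what a caching resolver has left for that record, which is why two queries a few seconds apart return decreasing values.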