Article ID: CTX550272
Description
Steps to reproduce this issue:
1. The administrator added an authoritative name server A on NetScaler to resolve the StoreFront LB's VIP.
2. Because name server A didn't have an address record for the StoreFront LB FQDN, DNS resolution failed.
3. The administrator then changed to another authoritative name server B (which has the address records), but DNS resolution still failed with the error "Unknown host". When trying to add an address record manually, the NetScaler GUI returned the error "Error a proxy record cannot be assigned to the domain".
4. After a while, DNS resolution succeeded with no other operations.
The concern is why DNS resolution failed when NetScaler was configured with a correct name server.
Resolution
Run the following commands in the CLI to flush the negative DNS cache.
flush dns proxyRecords -negRecType NXDOMAIN ---> Flush the negative DNS response cache
flush dns proxyRecords ---> Flush all DNS cache
Problem Cause
- Initially, NetScaler received a "No Such Name" negative DNS response from name server A, because that name server had no address record for the StoreFront LB FQDN.
- Because negative caching is enabled in the default DNS profile (dns-default-profile) that the name server uses, NetScaler cached the "No Such Name" negative DNS response.
- Until the negative DNS cache was flushed, DNS resolution kept failing even after changing to a correct name server.
- In newnslog, the two counters "dns_cur_neg_entries" and "dns_cur_negcachesize" increased during that time, which means NetScaler cached the negative DNS response.
Index rtime totalcount-val delta rate/sec symbol-name&device-no&time
0 2973034 1 1 0 dns_cur_neg_entries Wed Apr 26 06:03:16 2023
1 3022117 0 -1 0 dns_cur_neg_entries Wed Apr 26 07:04:08 2023
2 84141 1 1 0 dns_cur_neg_entries Wed Apr 26 07:15:13 2023
3 2222764 7 6 0 dns_cur_neg_entries Wed Apr 26 09:50:58 2023

Index rtime totalcount-val delta rate/sec symbol-name&device-no&time
0 2973034 576 576 82 dns_cur_negcachesize Wed Apr 26 06:03:16 2023
1 3022117 0 -576 -82 dns_cur_negcachesize Wed Apr 26 07:04:08 2023
2 84141 576 576 82 dns_cur_negcachesize Wed Apr 26 07:15:13 2023
3 2222764 4032 3456 492 dns_cur_negcachesize Wed Apr 26 09:50:58 2023

If you capture an nstrace on NetScaler when the issue occurs, you will see NetScaler (127.0.0.2) return a "No such name" negative response.

When you run the command "show dns stats", you will also see "Negative cache size" increase.
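
To correlate resolution failures with the negative cache, the following added example (not part of the original article and not a Citrix tool) parses counter rows in the format shown above and reports the periods during which the cache held entries. The function names are hypothetical, and it assumes totalcount-val is the counter's current value at each sample.

```python
import re
from datetime import datetime

# Counter rows copied from the newnslog output shown in this article.
SAMPLE = """\
Index rtime totalcount-val delta rate/sec symbol-name&device-no&time
0 2973034 1 1 0 dns_cur_neg_entries Wed Apr 26 06:03:16 2023
1 3022117 0 -1 0 dns_cur_neg_entries Wed Apr 26 07:04:08 2023
2 84141 1 1 0 dns_cur_neg_entries Wed Apr 26 07:15:13 2023
3 2222764 7 6 0 dns_cur_neg_entries Wed Apr 26 09:50:58 2023
Index rtime totalcount-val delta rate/sec symbol-name&device-no&time
0 2973034 576 576 82 dns_cur_negcachesize Wed Apr 26 06:03:16 2023
1 3022117 0 -576 -82 dns_cur_negcachesize Wed Apr 26 07:04:08 2023
2 84141 576 576 82 dns_cur_negcachesize Wed Apr 26 07:15:13 2023
3 2222764 4032 3456 492 dns_cur_negcachesize Wed Apr 26 09:50:58 2023
"""

# index, rtime, totalcount-val, delta, rate/sec, symbol, timestamp
ROW = re.compile(
    r"^\s*(\d+)\s+(\d+)\s+(-?\d+)\s+(-?\d+)\s+(-?\d+)\s+(\S+)\s+"
    r"(\w{3} \w{3} +\d{1,2} \d{2}:\d{2}:\d{2} \d{4})\s*$")

def parse_rows(text):
    """Parse counter rows; header and blank lines are skipped."""
    rows = []
    for line in text.splitlines():
        m = ROW.match(line)
        if not m:
            continue
        _, _, total, delta, _, symbol, ts = m.groups()
        when = datetime.strptime(" ".join(ts.split()), "%a %b %d %H:%M:%S %Y")
        rows.append({"symbol": symbol, "total": int(total),
                     "delta": int(delta), "time": when})
    return rows

def negative_cache_windows(rows, symbol="dns_cur_neg_entries"):
    """Return (start, end) periods in which the counter was above zero.
    Assumption: totalcount-val is the current value. Boundaries are sample
    times, so each window is only as precise as the logging interval."""
    windows, start = [], None
    samples = sorted((r for r in rows if r["symbol"] == symbol),
                     key=lambda r: r["time"])
    for r in samples:
        if r["total"] > 0 and start is None:
            start = r["time"]
        elif r["total"] == 0 and start is not None:
            windows.append((start, r["time"]))
            start = None
    if start is not None:
        windows.append((start, None))  # still populated at end of the log
    return windows
```

A window with an end of None means the cache still held negative entries at the last sample, so lookups for the cached names can keep failing until the entries expire or are flushed.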