nanog mailing list archives

Re: dns cache beyond ttl - viasat / exede


From: William Herrin <bill () herrin us>
Date: Mon, 7 Oct 2019 11:14:28 -0700

On Mon, Oct 7, 2019 at 9:08 AM Mike <mike-nanog () tiedyenetworks com> wrote:

    My dns TTLs are all 300 seconds, and I have noticed that once I
    update the A records with the new addresses, most (but not all) web
    clients begin using the new address within 5 minutes or so. However,
    there is a persistent set of stragglers who continue accessing the
    site(s) on their old addresses for far in excess of this - up to a week
    in fact. And, what I have noted, all of these clients have something in
    common - they all appear to be satellite users of viasat/exede.  This is
    based on whois lookups of the ip addresses of the clients. Note, I am
    NOT expecting 'turn on a dime' - just looking for clients to refresh
    within a reasonable time.


Hi Mike,

You may be looking at a web browser "feature" called "DNS pinning." This is
used to defeat the "DNS rebinding" attack on JavaScript that would allow a
web site to instruct a browser to scan the interior behind its user's
firewall by having an attacker rotate the IP addresses used for
JavaScript's allowed server name.

Depending on the implementation, DNS pinned browsers may not recognize a
change to your IP address until the browser is stopped and restarted.

Regards,
Bill Herrin

-- 
William Herrin
bill () herrin us
https://bill.herrin.us/
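As an added illustration (not part of Bill's reply or anything else in the thread), the Python sketch below contrasts a browser-style pinned cache, which keeps the first answer for the whole session and so never sees a renumbering until restart, with a TTL-honouring cache that re-queries on expiry and instead blocks rebinding by refusing a name that flips from a routable address to an internal one. The zone, clock, hostname and addresses are constructed for the demo; the resolver classes and the rebinding heuristic are this example's own, not any browser's actual code.

```python
"""Constructed demo: DNS pinning vs. a TTL-honouring cache with a rebinding check."""
import ipaddress

# Constructed "zone": hostname -> (address, ttl_seconds). It is mutated during
# the simulation to model the renumbering described in the thread.
ZONE = {}

def authoritative_lookup(host):
    """Stand-in for a real DNS query; answers straight from the constructed zone."""
    return ZONE[host]

class FakeClock:
    """Deterministic clock so TTL expiry can be driven by the simulation."""
    def __init__(self):
        self.t = 0
    def __call__(self):
        return self.t
    def advance(self, seconds):
        self.t += seconds

class PinnedResolver:
    """Browser-style DNS pinning: the first answer for a host is reused for the
    whole session, so the record TTL is ignored and a renumbered site keeps
    being reached at its old address until a new session (restart) starts."""
    def __init__(self, lookup):
        self._lookup = lookup
        self._pins = {}
    def resolve(self, host):
        if host not in self._pins:
            addr, _ttl = self._lookup(host)
            self._pins[host] = addr
        return self._pins[host]

# Address ranges that should never be reached via a public hostname.
NON_ROUTABLE = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8",
    "169.254.0.0/16", "::1/128", "fc00::/7", "fe80::/10")]

def is_internal(addr):
    a = ipaddress.ip_address(addr)
    return any(a in net for net in NON_ROUTABLE)

def looks_like_rebinding(old_addr, new_addr):
    """Rebinding heuristic: a name that resolved to a routable address now
    resolves to a private, loopback or link-local one."""
    return not is_internal(old_addr) and is_internal(new_addr)

class TtlResolver:
    """Honours the TTL (re-queries once the cached answer expires) but rejects a
    re-query result that moves a public name onto an internal address."""
    def __init__(self, lookup, clock):
        self._lookup, self._clock = lookup, clock
        self._cache = {}  # host -> (addr, expires_at)
    def resolve(self, host):
        now = self._clock()
        cached = self._cache.get(host)
        if cached and cached[1] > now:
            return cached[0]
        addr, ttl = self._lookup(host)
        if cached and looks_like_rebinding(cached[0], addr):
            raise ValueError(f"rejected rebinding of {host}: {cached[0]} -> {addr}")
        self._cache[host] = (addr, now + ttl)
        return addr

def simulate():
    """Run both resolvers through a legitimate renumbering, then through a
    rebinding attempt. Returns what each resolver answered at each stage."""
    host = "www.example.test"          # constructed hostname
    ZONE[host] = ("203.0.113.10", 300)  # constructed documentation address
    clock = FakeClock()
    pinned = PinnedResolver(authoritative_lookup)
    ttl = TtlResolver(authoritative_lookup, clock)
    before = (pinned.resolve(host), ttl.resolve(host))
    # Operator renumbers the site to another public address and waits past the TTL.
    ZONE[host] = ("198.51.100.20", 300)
    clock.advance(301)
    after = (pinned.resolve(host), ttl.resolve(host))
    # Rebinding as described in the reply: the same name now points inside the
    # client's LAN. The pinned browser never re-queries; the TTL resolver refuses.
    ZONE[host] = ("192.168.1.1", 1)
    clock.advance(301)
    try:
        ttl.resolve(host)
        rebind_blocked = False
    except ValueError:
        rebind_blocked = True
    return {"before": before, "after": after, "rebind_blocked": rebind_blocked}

if __name__ == "__main__":
    print(simulate())
```

Running it shows the pinned resolver still answering the original address after the 300 s TTL has elapsed while the TTL resolver has moved to the new one; the final stage shows how the TTL resolver can still defend against rebinding without pinning, which is the trade-off the stragglers in the thread are on the wrong side of.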
