
I'm on a Windows 10 machine and trying desperately to see when the last DNS flush took place. I know you can look at the TTL in a displaydns, but is there no event that shows when the system last did a flush? Note that we're not on Windows Server but on plain Windows 10.

For more background, we have set the maxCacheTtl in the registry and want to see if it's truly doing the flush at the prescribed intervals (10800 seconds).

Also, the TTL in ipconfig /displaydns seems to be counting down much faster than the prescribed TTL set.

Any hints out there?


is there no event that shows when the system last did a flush?

There is no such thing as "doing the DNS flush at the prescribed interval". The only time the DNS cache is flushed completely is when someone manually does a /flushdns.

During normal operation, each DNS record expires individually – each has its own TTL that is defined by the operator of the respective domain and starts counting down when the record is queried from its authoritative server. (For example, two records with a 1h TTL queried 30 minutes apart will also be flushed 30 minutes apart.)

(You can use nslookup -d example.com. to see the TTL included with a particular record; the DNS cache always starts counting down from this TTL and not from any arbitrary value.)

Also, the ttl in ipconfig /displaydns seems to be counting down much faster than the prescribed ttl set.

The registry key you mention only prescribes a maximum TTL for the Windows built-in cache, not a minimum one – meaning that a received TTL of e.g. 24h would be reduced to 3h, but a TTL of 5min would remain 5 minutes.

(Also, the TTL keeps counting down when the record goes through intermediate caches; e.g. if your upstream DNS server has received and cached a record with a TTL of 3600 seconds, your computer might receive it already counted-down to 1999 seconds.)


So when I set the TTL to 10800, that just means it's a maximum of 10800, not that it'll happen at 10800. But doesn't that mean it will automatically happen at 10800 if it hasn't already?

Most likely the setting only limits the TTL of newly stored entries, not of existing ones, because there is no actual "at 10800" time. As I understand it, each cache entry has its expiry time calculated the moment it is stored. That is, instead of "google.com (TTL 9999)", your cache really holds "google.com (valid until 21:58:44)".

Due to the way the flush works, does that then mean there is no global flush command that gets enacted?

There is indeed no global flush command. (Moreover, all of this is not happening through any 'commands' either way – it's all just internal logic within the cache service.)

I mean, if that counter gets to 10800, does it not do 'something' and thus get recorded in events?

No, it doesn't.

For one, there's no real counter that gets to 10800. Although cache entries are described as having a TTL that "counts down" figuratively, the real implementation is unlikely to have individual timers that count up or down – it is more efficient to only do the expiry check when a cache entry is about to be used instead of doing it proactively.

That is, when a domain name is queried from the cache and found to have already been expired, the service quietly removes it and behaves as if it didn't have anything cached. This is both more efficient (as nothing needs to be "counted down" each second) and more accurate than a flush timer, as it guarantees that an entry will disappear from view the moment it's supposed to.

The service may still have some kind of global 'garbage collect' timer, to occasionally release the memory of entries that have already expired, but it should have no visible effect whatsoever – it is not what makes expired entries disappear; it only cleans out already 'disappeared' entries – so it is neither logged nor timed.

(That is to say: It's a completely different situation from e.g. AD or WINS 'scavenging' or tombstone cleanup, which are explicitly scheduled and logged because they operate on database entries that have already been made persistent, have an influence on replication, etc.)

Finally, not all 'somethings' get recorded in event logs. Recording an event is a deliberate action by the service, not something that simply happens on its own, so the service's internal logic can just do things without recording them, especially when it doesn't touch any database but only manages its own in-memory arrays.
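The cache model the answer describes (an absolute expiry computed when the entry is stored, MaxCacheTtl acting as a cap only, and expiry checked lazily at lookup time rather than by a timer), as an added Python simulation that is not part of the original answer. The class, record names and clock values are constructed for illustration.

```python
MAX_CACHE_TTL = 10800  # seconds; the MaxCacheTtl cap from the question


class DnsClientCache:
    """Toy model of a resolver cache: entries hold an absolute expiry, not a countdown."""

    def __init__(self, max_cache_ttl=MAX_CACHE_TTL):
        self.max_cache_ttl = max_cache_ttl
        self._entries = {}  # name -> (rdata, expires_at)

    def store(self, name, rdata, received_ttl, now):
        # The registry value is a maximum only: a 24h TTL shrinks to 3h,
        # a 5min TTL stays 5min. Nothing is ever raised to the cap.
        effective_ttl = min(received_ttl, self.max_cache_ttl)
        self._entries[name] = (rdata, now + effective_ttl)
        return effective_ttl

    def lookup(self, name, now):
        # Lazy expiry: the check happens when the entry is used, so there is
        # no per-entry timer, no global flush and nothing to log.
        entry = self._entries.get(name)
        if entry is None:
            return None
        rdata, expires_at = entry
        if now >= expires_at:
            del self._entries[name]  # quietly dropped, exactly at its deadline
            return None
        return rdata, int(expires_at - now)  # remaining TTL, as displaydns shows it


def demo():
    """Constructed scenario mirroring the answer's examples; returns the observations."""
    cache = DnsClientCache()
    t0 = 1_000_000  # constructed clock so the run is deterministic
    long_ttl = cache.store("long.example.", "192.0.2.1", 86400, t0)  # 24h, capped
    short_ttl = cache.store("short.example.", "192.0.2.2", 300, t0)  # 5min, untouched
    # A record that already sat 1601 s in an upstream cache arrives counted down.
    upstream_ttl = cache.store("upstream.example.", "192.0.2.3", 3600 - 1601, t0)
    return {
        "long_ttl": long_ttl,
        "short_ttl": short_ttl,
        "upstream_ttl": upstream_ttl,
        "short_at_299": cache.lookup("short.example.", t0 + 299),
        "short_at_300": cache.lookup("short.example.", t0 + 300),
        "long_at_10799": cache.lookup("long.example.", t0 + 10799),
        "long_at_10800": cache.lookup("long.example.", t0 + 10800),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```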

  • Ah, thank you so much for that explanation. So when I set the TTL to 10800, that just means it's a maximum of 10800, not that it'll happen at 10800. But doesn't that mean it will automatically happen at 10800 if it hasn't already? Also, my original question was how to check when it was last flushed. Due to the way the flush works, does that then mean there is no global flush command that gets enacted? I mean, if that counter gets to 10800, does it not do 'something' and thus get recorded in events?
    – GenShira
    Commented Jun 25 at 16:48
  • The point I was trying to make is that your original question is kind of un-answerable – 'last flush' cannot be checked because the process is not based on any kind of periodic flush. The TTL of a cache entry is evaluated whenever that entry gets queried from cache, and if it's found expired then it gets dropped. So even though the cache service might have a "garbage collect" timer to purge already-expired records, it's immaterial to its function – entries will disappear immediately after their set TTL, whether there is such a timer or not.
    Commented Jun 25 at 17:23
  • Which means there are no events logged for global garbage-collect because it has no visible effect (it would only release memory of entries that are already "gone"), and there are no events for individual record expiry because of the sheer amount of them that could be produced (and, generally, complete irrelevance of such events – it's just a cache, after all). Moreover, it all happens not through a 'command' of any kind, but through internal logic of the DNS cache service.
    Commented Jun 25 at 17:26
  • Got it. Thank you very much.
    – GenShira
    Commented Jun 25 at 17:29
