DHCP assigns addresses, but devices still need to translate hostnames into those addresses. DNS handles this task.
DNS (Domain Name System) is a distributed, hierarchical, cached database that maps hostnames to IP addresses. Understanding the caching behavior explains why DNS changes take time to propagate and why stale records cause connectivity issues.
Each recursive resolver caches an answer for the TTL (Time to Live) the authoritative server attaches to it, counting the remaining seconds down; clients asking that resolver receive the cached copy until the countdown reaches zero. A TTL of 300 seconds therefore means a changed record can take up to 5 minutes to reach every client. A low TTL propagates changes quickly but increases query load on the authoritative server. For OT device records that change infrequently, a TTL of 3600 seconds (1 hour) reduces query traffic without causing stale-record issues.
DNS stores different record types for different purposes. OT networks rely mainly on A, AAAA, CNAME and PTR records for device management and reverse lookups; the remaining types appear where the plant runs its own mail, directory or VoIP services. The examples below use the suffix plant.local; note that .local is reserved for multicast DNS (RFC 6762) and some operating systems send .local queries to mDNS instead of the unicast resolver, so choose a different private suffix for a real deployment.
| Record | Purpose | Example |
|---|---|---|
| A | Maps hostname to IPv4 address | sw-cell1.plant.local → 192.168.10.1 |
| AAAA | Maps hostname to IPv6 address | sw-cell1.plant.local → fd00::1 |
| CNAME | Alias pointing to another hostname | historian.plant.local → hist-srv01.plant.local |
| MX | Mail exchange server for a domain | plant.local → mail.plant.local (priority 10) |
| PTR | Reverse lookup: IP to hostname | 1.10.168.192.in-addr.arpa → sw-cell1.plant.local |
| NS | Authoritative nameserver for a zone | plant.local → ns1.plant.local |
| SOA | Start of Authority: zone metadata | Serial number, refresh interval, retry interval |
| TXT | Arbitrary text (SPF, DKIM, verification) | v=spf1 include:_spf.google.com ~all |
| SRV | Service location (port and host) | _sip._tcp.plant.local → sip.plant.local:5060 |
PTR records are essential for OT network management. HiVision and other NMS tools perform reverse lookups to label devices on topology maps. A missing PTR record causes the NMS to display raw IP addresses instead of hostnames.
The dig command queries DNS servers directly and shows the full response, including TTL, authority section, and query time. dig is the primary CLI tool for DNS troubleshooting.
```bash
# Query an A record
dig sw-cell1.plant.local A

# Query a specific DNS server
dig @192.168.1.1 sw-cell1.plant.local A

# Reverse lookup
dig -x 192.168.10.1

# Query all record types for a domain
dig plant.local ANY

# Trace the full resolution chain from the root servers
dig +trace sw-cell1.plant.local
```

The +trace option follows the delegation chain from the root servers to the authoritative server, revealing where a resolution breakdown occurs. When the trace succeeds but a normal query fails, the issue is in the recursive resolver's cache or configuration. Two caveats: many resolvers answer ANY with a minimal response or refuse it (RFC 8482), so query the specific types you need instead; and dig +trace asks the configured resolver for the root NS set and iterates from there, so in an isolated OT network it only works if that resolver serves an internal root. For a private zone such as plant.local, point dig at the internal authoritative server with @ instead.
When a server fails and its DNS record is repointed to a backup, clients keep using the previous IP until their resolver's cached copy expires, so a TTL of 3600 seconds means up to 1 hour of outage after the DNS change. DNS-based failover is therefore only as fast as the TTL that was in effect before the failure. For a planned cutover, lower the TTL to 60 seconds first, wait for the previous TTL (3600 seconds here) to expire so that no resolver still holds a long-lived copy, perform the cutover, confirm the new address is being served, and then restore the original TTL.
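As an added example (not code from the original page or from any vendor tool), the following simulation models how recursive resolvers cache a record across the two-step TTL procedure above and measures the worst-case time after cutover during which some resolver can still return the old address. The name hist-srv01.plant.local, both addresses and the timings are constructed; time runs in whole seconds and no DNS traffic is sent.

```python
"""Resolver-cache simulation for a DNS cutover (added example; no real DNS traffic).

Time is in whole seconds. t = 0 is the moment the operator lowers the TTL on the
authoritative server; the record is repointed `wait_before_cutover` seconds later.
A change made at time T is visible to queries issued strictly after T.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Rrset:
    address: str
    ttl: int


class AuthoritativeTimeline:
    """What the authoritative server for the hypothetical hist-srv01.plant.local
    answers at any given time: a list of (effective_at, Rrset) changes."""

    def __init__(self, initial: Rrset) -> None:
        self._changes = [(float("-inf"), initial)]

    def change(self, at: int, rrset: Rrset) -> None:
        self._changes.append((at, rrset))
        self._changes.sort(key=lambda c: c[0])  # stable: same-second changes keep order

    def answer(self, now: int) -> Rrset:
        current = self._changes[0][1]
        for at, rrset in self._changes:
            if at < now:
                current = rrset
        return current


def first_query_returning(auth: AuthoritativeTimeline, address: str, last_refresh: int) -> int:
    """A recursive resolver serves its cached copy until the TTL runs out, then
    re-queries upstream. Starting from a cache filled at `last_refresh`, return
    the time of the first upstream query that returns `address`."""
    t = last_refresh
    while True:
        rr = auth.answer(t)
        if rr.address == address:
            return t
        t += rr.ttl  # cached until expiry; the next upstream query happens then


def worst_case_stale_seconds(old_ttl: int, new_ttl: int, wait_before_cutover: int,
                             old_ip: str = "192.168.10.50", new_ip: str = "192.168.10.51") -> int:
    """Seconds after the cutover during which some resolver may still return old_ip,
    over resolvers whose cache was last filled at any second of the old_ttl window
    before the TTL change (constructed addresses)."""
    auth = AuthoritativeTimeline(Rrset(old_ip, old_ttl))
    auth.change(0, Rrset(old_ip, new_ttl))                     # step 1: lower the TTL
    auth.change(wait_before_cutover, Rrset(new_ip, new_ttl))   # step 2: repoint the record
    worst = 0
    for last_refresh in range(-old_ttl + 1, 1):
        seen_new_at = first_query_returning(auth, new_ip, last_refresh)
        worst = max(worst, seen_new_at - wait_before_cutover)
    return worst


if __name__ == "__main__":
    for wait in (0, 1800, 3600):
        stale = worst_case_stale_seconds(3600, 60, wait)
        print(f"TTL 3600->60, cut over after {wait:>4}s: old address served up to {stale}s after cutover")
```

With these values, cutting over immediately after lowering the TTL leaves a 3600-second window, waiting half the old TTL leaves 1800 seconds, and waiting the full old TTL leaves only the new 60 seconds. In general the window is max(old TTL minus the wait, new TTL), which is why the text says to wait for the previous TTL to expire before the cutover.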
The following script queries DNS records programmatically using the dnspython package (pip install dnspython). It is useful for verifying that switch hostnames resolve correctly across the plant network.
```python
import dns.exception
import dns.resolver
import dns.reversename


def dns_lookup(name: str, record_type: str = "A") -> list[str]:
    """Resolve name/record_type through the system resolver and show each
    answer with the TTL remaining in the resolver's cache."""
    try:
        answers = dns.resolver.resolve(name, record_type)
        return [f"{r} (TTL={answers.rrset.ttl}s)" for r in answers]
    except dns.exception.DNSException as e:
        return [f"ERROR: {e}"]


# Forward lookups at the zone apex
for rtype in ["A", "AAAA", "MX", "NS"]:
    result = dns_lookup("plant.local", rtype)
    print(f"{rtype:5s}: {result}")

# Reverse lookup for a switch management address
rev_name = dns.reversename.from_address("192.168.10.1")
print(f"PTR  : {dns_lookup(str(rev_name), 'PTR')}")
```

The forward lookups list the zone's records with their remaining TTLs; querying a switch name such as sw-cell1.plant.local for its A record works the same way and lets you compare the answer against the expected IP. Because the TTL shown is the cached remainder, the same record can report different TTLs from different resolvers. The reverse lookup confirms the PTR record for 192.168.10.1 exists and points back to the switch hostname, which HiVision uses for topology labeling.
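The script above checks one name online. As an added example (not code from the page, HiVision or dnspython), the following standard-library-only checker audits a whole zone export offline: it parses constructed BIND-style records for the hypothetical zones plant.local and 10.168.192.in-addr.arpa and reports A records without a PTR, PTRs that point at a different hostname, and PTRs left behind for hosts with no forward record. The sample records, hostnames and addresses are all constructed.

```python
"""Forward/reverse zone consistency check (added example; not HiVision or page code).

Parses constructed BIND-style zone exports for the hypothetical zones
plant.local and 10.168.192.in-addr.arpa (the shape a zone file dump or an
AXFR listing has) and reports the PTR problems that make an NMS fall back to
raw IP addresses. Standard library only, so it runs offline.
"""
import ipaddress
import re
from typing import NamedTuple

# Constructed sample data: sw-cell2 has a misspelled PTR, plc-line3 has none,
# and 192.168.10.99 has a PTR for a host that no longer exists.
FORWARD_RECORDS = """\
sw-cell1.plant.local.    3600 IN A     192.168.10.1
sw-cell2.plant.local.    3600 IN A     192.168.10.2
hist-srv01.plant.local.  3600 IN A     192.168.10.50
historian.plant.local.   3600 IN CNAME hist-srv01.plant.local.   ; alias, no PTR expected
plc-line3.plant.local.   3600 IN A     192.168.10.77
"""
REVERSE_RECORDS = """\
1.10.168.192.in-addr.arpa.   3600 IN PTR sw-cell1.plant.local.
2.10.168.192.in-addr.arpa.   3600 IN PTR sw-cell02.plant.local.
50.10.168.192.in-addr.arpa.  3600 IN PTR hist-srv01.plant.local.
99.10.168.192.in-addr.arpa.  3600 IN PTR old-hmi.plant.local.
"""

# owner [ttl] [IN] type rdata   (TTL and class are optional in zone-file syntax)
RR_LINE = re.compile(r"^(?P<owner>\S+)\s+(?:\d+\s+)?(?:IN\s+)?(?P<type>[A-Z]+)\s+(?P<rdata>\S+)$")


class Finding(NamedTuple):
    kind: str          # "missing_ptr", "ptr_mismatch" or "stale_ptr"
    reverse_name: str  # e.g. 77.10.168.192.in-addr.arpa
    detail: str


def parse_zone(text: str) -> list[tuple[str, str, str]]:
    """Return (owner, type, rdata) triples; names lower-cased, trailing dot removed."""
    records = []
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].strip()  # drop comments and blank lines
        if not line:
            continue
        m = RR_LINE.match(line)
        if m is None:
            raise ValueError(f"unparsed zone line: {raw!r}")
        rdata = m["rdata"]
        if m["type"] in ("PTR", "CNAME", "NS"):
            rdata = rdata.rstrip(".").lower()
        records.append((m["owner"].rstrip(".").lower(), m["type"], rdata))
    return records


def check_reverse_consistency(forward_text: str, reverse_text: str) -> list[Finding]:
    hosts_by_reverse_name: dict[str, set[str]] = {}
    for owner, rtype, rdata in parse_zone(forward_text):
        if rtype in ("A", "AAAA"):
            # Same derivation dns.reversename.from_address performs; handles IPv6 (ip6.arpa) too.
            rev = ipaddress.ip_address(rdata).reverse_pointer
            hosts_by_reverse_name.setdefault(rev, set()).add(owner)
    ptr_target = {owner: rdata for owner, rtype, rdata in parse_zone(reverse_text) if rtype == "PTR"}

    findings = []
    for rev, hosts in sorted(hosts_by_reverse_name.items()):
        target = ptr_target.get(rev)
        if target is None:
            findings.append(Finding("missing_ptr", rev, f"no PTR for {', '.join(sorted(hosts))}"))
        elif target not in hosts:
            findings.append(Finding("ptr_mismatch", rev,
                                    f"PTR -> {target}, but A owner is {', '.join(sorted(hosts))}"))
    for rev, target in sorted(ptr_target.items()):
        if rev not in hosts_by_reverse_name:
            findings.append(Finding("stale_ptr", rev, f"PTR -> {target} has no A/AAAA record"))
    return findings


if __name__ == "__main__":
    for f in check_reverse_consistency(FORWARD_RECORDS, REVERSE_RECORDS):
        print(f"{f.kind:13s} {f.reverse_name:30s} {f.detail}")
```

Run against real exports, the missing_ptr findings are the devices that will show up as raw IPs on the topology map, ptr_mismatch entries label a device with the wrong name, and stale_ptr entries are reverse records to clean up so that decommissioned hostnames do not reappear on the map.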
DNS TTL controls failover speed
A low TTL propagates changes quickly but increases query load. Lower the TTL before planned cutovers, then restore the TTL afterward.
PTR records enable NMS labeling
HiVision and other tools use reverse lookups to display hostnames on topology maps. Missing PTR records show raw IPs.
Use dig +trace to find resolution breakdowns
The trace follows the delegation chain from root to authoritative server, pinpointing where resolution breaks.
Name resolution and the services that depend on it also depend on accurate time: when a device's clock drifts, log timestamps become unreliable and certificate validation fails. The next page covers NTP, the protocol that synchronizes clocks across the network.