DNS TTL controls failover speed
A low TTL propagates changes quickly but increases query load. Lower the TTL before planned cutovers, then restore it afterward.
5.2 DNS
DHCP assigns addresses, but devices still need to translate hostnames into those addresses. That is the job of DNS.
DNS — Domain Name System
Section titled “DNS — Domain Name System”DNS (Domain Name System) is a distributed, hierarchical, cached database that maps hostnames to IP addresses. Understanding the caching behavior explains why DNS changes take time to propagate and why stale records cause connectivity problems.
The Resolution Chain
Section titled “The Resolution Chain”Each resolver caches the answer for the duration of the TTL (Time to Live) value set by the authoritative server. A TTL of 300 seconds means changes take up to 5 minutes to propagate. A low TTL propagates changes quickly but increases query load on the authoritative server. For OT device records that rarely change, a TTL of 3600 seconds (1 hour) reduces query traffic without causing stale-record problems.
DNS Record Types
Section titled “DNS Record Types”DNS stores different record types for different purposes. OT networks use most of these for device management, email routing, and reverse lookups.
| Record | Purpose | Example |
|---|---|---|
| A | Maps hostname to IPv4 address | sw-cell1.plant.local → 192.168.10.1 |
| AAAA | Maps hostname to IPv6 address | sw-cell1.plant.local → fd00::1 |
| CNAME | Alias pointing to another hostname | historian.plant.local → hist-srv01.plant.local |
| MX | Mail exchange server for a domain | plant.local → mail.plant.local (priority 10) |
| PTR | Reverse lookup: IP to hostname | 1.10.168.192.in-addr.arpa → sw-cell1.plant.local |
| NS | Authoritative nameserver for a zone | plant.local → ns1.plant.local |
| SOA | Start of Authority: zone metadata | Serial number, refresh interval, retry interval |
| TXT | Arbitrary text (SPF, DKIM, verification) | v=spf1 include:_spf.google.com ~all |
| SRV | Service location (port and host) | _sip._tcp.plant.local → sip.plant.local:5060 |
PTR records are critical for OT network management. HiVision and other NMS tools perform reverse lookups to label devices on topology maps. A missing PTR record causes the NMS to display raw IP addresses instead of hostnames.
Using dig for DNS Troubleshooting
Section titled “Using dig for DNS Troubleshooting”The dig command queries DNS servers directly and shows the full response, including TTL, authority section, and query time. It is the primary CLI tool for DNS troubleshooting.
# Query an A recorddig sw-cell1.plant.local A
# Query a specific DNS serverdig @192.168.1.1 sw-cell1.plant.local A
# Reverse lookupdig -x 192.168.10.1
# Query all record types for a domaindig plant.local ANY
# Trace the full resolution chain from root serversdig +trace sw-cell1.plant.localThe +trace option follows the delegation chain from root servers to the authoritative server, revealing where a resolution failure occurs. If the trace succeeds but a normal query fails, the problem is in the recursive resolver’s cache or configuration.
TTL Impact on Failover
Section titled “TTL Impact on Failover”When a server fails and you update its DNS record to point to a backup, clients continue using the old IP until the cached TTL expires. A TTL of 3600 seconds means up to one hour of downtime after the DNS change. For services that require fast failover, set the TTL to 60 seconds before the planned change, wait for the old TTL to expire, then perform the cutover.
The following script queries DNS records programmatically, which is useful for verifying that switch hostnames resolve correctly across the plant network.
import dns.resolverimport dns.reversename
def dns_lookup(name: str, record_type: str = "A") -> list[str]: try: answers = dns.resolver.resolve(name, record_type) return [f"{r} (TTL={answers.rrset.ttl}s)" for r in answers] except dns.exception.DNSException as e: return [f"ERROR: {e}"]
# Forward lookupsfor rtype in ["A", "AAAA", "MX", "NS"]: result = dns_lookup("plant.local", rtype) print(f"{rtype:5s}: {result}")
# Reverse lookuprev_name = dns.reversename.from_address("192.168.10.1")print(f"PTR : {dns_lookup(str(rev_name), 'PTR')}")The forward lookup confirms the switch resolves to the expected IP. The reverse lookup confirms the PTR record exists, which HiVision uses for topology labeling.
Key Takeaways
Section titled “Key Takeaways”PTR records enable NMS labeling
HiVision and other tools use reverse lookups to display hostnames on topology maps. Missing PTR records show raw IPs.
Use dig +trace to find resolution failures
The trace follows the delegation chain from root to authoritative server, pinpointing where resolution breaks.
What Comes Next
Section titled “What Comes Next”Accurate DNS records depend on accurate time. If a device’s clock drifts, log timestamps become unreliable and certificate validation fails. The next page covers NTP, the protocol that synchronizes clocks across the network.
References
Section titled “References”- RFC 1035 — Domain Names: Implementation and Specification (IETF, 1987)