
Tomato: What is the interpretation of "Expires" numbers in dnsmasq DNS cache dump ?

Discussion in 'Tomato Firmware' started by hvda, Oct 16, 2009.

  1. hvda

    hvda Addicted to LI Member

    Tomato: What is the interpretation of "Expires" numbers in dnsmasq DNS cache dump ? [Solved...]


    I installed a WRTG54GL1.1 router and loaded Tomato ND V1.26 build 1777 firmware to help me find a DNS-related problem in my home network.
    Among the tools I use to identify the problem are:
    - "port-mirroring" by adding iptables ROUTE --tee rules in PREROUTING and POSTROUTING chains of mangle table (+ packet capture on PC with Wireshark and windump).
    - DNS logging and DNS cache dump (running dnsmasq with log-queries option and SIGUSR1 signaling to dnsmasq in a telnet session).

    But I do not know how to interpret the "Expires" numbers that are listed in the DNS cache dump syslog-messages.
    Here is a sample of one of the DNS cache dumps I made:

    Oct 16 07:09:15 WRT54GL1 daemon.debug dnsmasq[505]: Host Address Flags Expires
    Oct 16 07:09:15 WRT54GL1 daemon.debug dnsmasq[505]: austria1.adverserve.net 77.72.164.30 4F 716
    Oct 16 07:09:15 WRT54GL1 daemon.debug dnsmasq[505]: sb.l.google.com 66.249.89.190 4F 4294967270
    Oct 16 07:09:15 WRT54GL1 daemon.debug dnsmasq[505]: www.win2day.at 193.46.41.41 4F 4
    Oct 16 07:09:15 WRT54GL1 daemon.debug dnsmasq[505]: m1.emea.2mdn.net.edgesuite.net a423.g.akamai.net CF 2991
    Oct 16 07:09:15 WRT54GL1 daemon.debug dnsmasq[505]: a423.g.akamai.net 194.78.100.10 4F 4294967123
    Oct 16 07:09:15 WRT54GL1 daemon.debug dnsmasq[505]: sb.google.com sb.l.google.com CF 580351

    How should I read these Expires numbers?
    - Are these relative numbers, e.g. seconds (TTL? remaining TTL?) to count from a reference date+time? In that case: what is that reference date+time?
    - Are these absolute numbers, e.g. date+time? (I can hardly believe it because some numbers seem too small to resolve to a date+time.)
    - Other?

    Note: on this web-site http://my.safaribooksonline.com/9780596102487/managing_dnsmasqs_dns_cache I found documentation about the Flags in the DNS cache dump and also an example of a DNS cache dump that shows Expires in a date+time format (in "absolute" format).
    Excerpt from that example:
    dnsmasq: Host Address Flags Expires
    dnsmasq: i.cnn.net 64.236.16.137 4F Wed Jan 24 15:36:42 2007

    Can anyone help please?
     
  2. hvda

    hvda Addicted to LI Member

    Is this interpretation correct?

    No hints...
    -> Made some more DNS cache dump tests:
    - WAN (PPPoE) packet capture (Wireshark) of DNS-related packets (source/destination = port 53) on a DSL modem with port-mirror facility.
    - WRT54GL Tomato DNS logging (dnsmasq custom configuration = log-queries) + DNS cache dumps at regular (10sec) intervals.
    - Analyze + cross-reference packet capture file and tomato log file (analyze "Time to live" in DNS responses <-> log timestamps and "Expires" values.)

    These are my findings about how DNS cache dump numbers should be interpreted in tomato log file:
    (1) First line of dump; example: "time 397715" = seconds; seems to correspond to System Uptime (*) in Status > Overview Web GUI page. [(*) not to WAN Connection Uptime].
    (2) "Expires" values:
    - if value is in the range somewhere between 0 and, say, 20.000 (or more): value = "remaining" time-to-live (seconds); reference time = log timestamp.
    - if value is in the range 4.294.967.xxx (e.g. 4.294.967.283): value = "time-to-live has expired since 4.294.967.296-(value)" (seconds); reference time = log timestamp.

    Why 4.294.967.296:
    - WRT54GL = Broadcom BCM5352 chip based on MIPS32 microprocessor = 32-bit implementation (please correct me if I am mistaken).
    - 32-bit register holds max value of 2^32 -1 = 4.294.967.296 - 1.
    - Values in the range 4.294.967.xxx are 32-bit 2's complement of negative time-to-live values ("expired-since").
    - Actual display format seems to me very hardware-linked (you may calculate what these values will look like in a 64-bit router).
    Note: you can check/convert to binary those "Expires" values in the range 4.294.967.xxx with Excel spreadsheet formula =DEC2BIN((MOD(A1;4294967296)/16777216);8) & DEC2BIN(MOD(A1;16777216)/65536;8) & DEC2BIN(MOD(A1;65536)/256;8) & DEC2BIN(MOD(A1;256);8)

    If these findings are correct, then my (next) question: why are expired "time-to-live" values shown in 2's complement and not as signed values?
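A small parser that applies the interpretation worked out above (signed 32-bit remaining TTL relative to each line's own syslog timestamp), turning each dump line into "valid"/"expired" plus the absolute expiry time the older ctime-style dump printed. This is an added example, not code from the thread or from dnsmasq; the sample lines are constructed to match the dump format quoted above, and the year is assumed because syslog timestamps carry none.

```python
import re
from datetime import datetime, timedelta

# Constructed sample, modelled on the cache dump quoted in the thread (not a real capture).
SAMPLE_DUMP = """\
Oct 16 07:09:15 WRT54GL1 daemon.debug dnsmasq[505]: Host Address Flags Expires
Oct 16 07:09:15 WRT54GL1 daemon.debug dnsmasq[505]: austria1.adverserve.net 77.72.164.30 4F 716
Oct 16 07:09:15 WRT54GL1 daemon.debug dnsmasq[505]: sb.l.google.com 66.249.89.190 4F 4294967270
Oct 16 07:09:15 WRT54GL1 daemon.debug dnsmasq[505]: a423.g.akamai.net 194.78.100.10 4F 4294967123
"""

# One cache-dump data line: syslog timestamp, host tag, daemon tag, then Host Address Flags Expires.
LINE_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d\d:\d\d:\d\d) \S+ \S+ dnsmasq\[\d+\]: "
    r"(?P<host>\S+) (?P<addr>\S+) (?P<flags>[0-9A-F]+) (?P<expires>\d+)$"
)


def to_signed32(value):
    """Reinterpret a value printed as unsigned 32-bit as its two's-complement signed value."""
    value &= 0xFFFFFFFF
    return value - (1 << 32) if value & 0x80000000 else value


def parse_dump(text, year=2009):
    """Return one dict per cache entry with the Expires column decoded.

    'remaining' is the signed TTL in seconds relative to the line's own syslog
    timestamp (positive = still valid, negative = expired that many seconds ago);
    'expires_at' is the absolute expiry time, as the older ctime-style dump showed it.
    The syslog timestamp has no year, so the caller supplies one (assumed 2009 here).
    """
    entries = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:  # header line ("Host Address Flags Expires") or unrelated syslog traffic
            continue
        logged = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
        remaining = to_signed32(int(m["expires"]))
        entries.append({
            "host": m["host"], "addr": m["addr"], "flags": m["flags"],
            "remaining": remaining,
            "expires_at": logged + timedelta(seconds=remaining),
            "state": "valid" if remaining > 0 else "expired",
        })
    return entries


if __name__ == "__main__":
    for e in parse_dump(SAMPLE_DUMP):
        print(f"{e['host']:28} {e['state']:8} {e['remaining']:6d}s  {e['expires_at']:%a %b %d %H:%M:%S %Y}")
```

Run it against a real log (e.g. after a SIGUSR1 dump) by feeding the syslog text to parse_dump; the CNAME lines (Flags CF) parse the same way, with the target name in the Address column.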
     
  3. jan.n

    jan.n Addicted to LI Member

    DNS entries expire; read this Link, the expire time is set in the SOA.
