Tomato: What is the interpretation of "Expires" numbers in dnsmasq DNS cache dump?

Discussion in 'Tomato Firmware' started by hvda, Oct 16, 2009.

  1. hvda

    hvda Addicted to LI Member

    Tomato: What is the interpretation of "Expires" numbers in dnsmasq DNS cache dump? [Solved...]

    I installed a WRTG54GL1.1 router and loaded Tomato ND V1.26 build 1777 firmware to help me find a DNS-related problem in my home network.
    Among the tools I use to identify the problem are:
    - "port-mirroring" by adding iptables ROUTE --tee rules in PREROUTING and POSTROUTING chains of mangle table (+ packet capture on PC with Wireshark and windump).
    - DNS logging and DNS cache dump (running dnsmasq with log-queries option and SIGUSR1 signaling to dnsmasq in a telnet session).

    But I do not know how to interpret the "Expires" numbers that are listed in the DNS cache dump syslog-messages.
    Here is a sample of one of the DNS cache dumps I made:

    Oct 16 07:09:15 WRT54GL1 daemon.debug dnsmasq[505]: Host Address Flags Expires
    Oct 16 07:09:15 WRT54GL1 daemon.debug dnsmasq[505]: austria1.adverserve.net 77.72.164.30 4F 716
    Oct 16 07:09:15 WRT54GL1 daemon.debug dnsmasq[505]: sb.l.google.com 66.249.89.190 4F 4294967270
    Oct 16 07:09:15 WRT54GL1 daemon.debug dnsmasq[505]: www.win2day.at 193.46.41.41 4F 4
    Oct 16 07:09:15 WRT54GL1 daemon.debug dnsmasq[505]: m1.emea.2mdn.net.edgesuite.net a423.g.akamai.net CF 2991
    Oct 16 07:09:15 WRT54GL1 daemon.debug dnsmasq[505]: a423.g.akamai.net 194.78.100.10 4F 4294967123
    Oct 16 07:09:15 WRT54GL1 daemon.debug dnsmasq[505]: sb.google.com sb.l.google.com CF 580351

    How should I read these Expires numbers?
    - Are these relative numbers, e.g. seconds (TTL? remaining TTL?) to count from a reference date+time? In that case: what is that reference date+time?
    - Are these absolute numbers, e.g. date+time? (I can hardly believe it, because some numbers seem too small to resolve to a date+time.)
    - Other?

    Note: on this website http://my.safaribooksonline.com/9780596102487/managing_dnsmasqs_dns_cache I found documentation about the Flags in the DNS cache dump and also an example of a DNS cache dump that shows Expires in a date+time format (in "absolute" format).
    Excerpt from that example:
    dnsmasq: Host Address Flags Expires
    dnsmasq: i.cnn.net 64.236.16.137 4F Wed Jan 24 15:36:42 2007

    Can anyone help please?
     
  2. hvda

    hvda Addicted to LI Member

    Is this interpretation correct?

    No hints...
    -> Made some more DNS cache dump tests:
    - WAN (PPPoE) packet capture (Wireshark) of DNS-related packets (source/destination = port 53) on a DSL modem with port-mirror facility.
    - WRT54GL Tomato DNS logging (dnsmasq custom configuration = log-queries) + DNS cache dumps at regular (10sec) intervals.
    - Analyze + cross-reference packet capture file and tomato log file (analyze "Time to live" in DNS responses <-> log timestamps and "Expires" values.)

    These are my findings about how DNS cache dump numbers should be interpreted in tomato log file:
    (1) First line of dump; example: "time 397715" = seconds; seems to correspond to System Uptime (*) in Status > Overview Web GUI page. [(*) not to WAN Connection Uptime].
    (2) "Expires" values:
    - if value is in the range somewhere between 0 and say 20.000 (or more): value = "remaining" time-to-live (seconds); reference time = log timestamp.
    - if value is in the range 4.294.967.xxx (e.g. 4.294.967.283): value = "time-to-live has expired since 4.294.967.296-(value)" (seconds); reference time = log timestamp.

    Why 4.294.967.296:
    - WRT54GL = Broadcom BCM5352 chip based on MIPS32 microprocessor = 32-bit implementation (please correct me if I am mistaken).
    - 32-bit register holds max value of 2^32 -1 = 4.294.967.296 - 1.
    - Values in the range 4.294.967.xxx are 32-bit 2's complement of negative time-to-live values ("expired-since").
    - Actual display format seems to me very hardware-linked (you may calculate what these values will look like in a 64-bit router).
    Note: you can check/convert to binary those "Expires" values in the range 4.294.967.xxx with Excel spreadsheet formula =DEC2BIN((MOD(A1;4294967296)/16777216);8) & DEC2BIN(MOD(A1;16777216)/65536;8) & DEC2BIN(MOD(A1;65536)/256;8) & DEC2BIN(MOD(A1;256);8)

    If these findings are correct, then my (next) question: why are expired "time-to-live" values shown in 2's complement and not as signed values?
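    The interpretation in this post, as an added example (not code from the thread or from dnsmasq): parse the dump lines quoted in the first post and reinterpret the unsigned 32-bit Expires field as a signed two's-complement offset from the log timestamp, so 4294967270 becomes -26 (expired 26 seconds before the dump) and 716 stays 716 (seconds of TTL left). The regex and function names are my own.

```python
import re

# Cache dump lines copied from the first post in this thread.
DUMP_LINES = """\
Oct 16 07:09:15 WRT54GL1 daemon.debug dnsmasq[505]: Host Address Flags Expires
Oct 16 07:09:15 WRT54GL1 daemon.debug dnsmasq[505]: austria1.adverserve.net 77.72.164.30 4F 716
Oct 16 07:09:15 WRT54GL1 daemon.debug dnsmasq[505]: sb.l.google.com 66.249.89.190 4F 4294967270
Oct 16 07:09:15 WRT54GL1 daemon.debug dnsmasq[505]: www.win2day.at 193.46.41.41 4F 4
Oct 16 07:09:15 WRT54GL1 daemon.debug dnsmasq[505]: m1.emea.2mdn.net.edgesuite.net a423.g.akamai.net CF 2991
Oct 16 07:09:15 WRT54GL1 daemon.debug dnsmasq[505]: a423.g.akamai.net 194.78.100.10 4F 4294967123
Oct 16 07:09:15 WRT54GL1 daemon.debug dnsmasq[505]: sb.google.com sb.l.google.com CF 580351
""".splitlines()

# Matches one cache entry: host, address (IP or CNAME target), flags, expires.
# The "Host Address Flags Expires" header fails the trailing \d+ and is skipped.
ENTRY_RE = re.compile(r"dnsmasq\[\d+\]: (\S+) (\S+) (\S+) (\d+)$")


def to_signed32(value):
    """Reinterpret an unsigned 32-bit integer as two's-complement signed.

    Values >= 2^31 (the 4.294.967.xxx range in the dump) map to negative
    numbers, i.e. seconds since the entry expired."""
    value &= 0xFFFFFFFF
    return value - (1 << 32) if value & 0x80000000 else value


def parse_cache_dump(lines):
    """Return a list of (host, address, flags, expires) tuples.

    expires is a signed offset in seconds from the log timestamp:
    positive = TTL remaining, zero or negative = already expired."""
    entries = []
    for line in lines:
        m = ENTRY_RE.search(line)
        if not m:  # header line or an unrelated syslog message
            continue
        host, addr, flags, raw = m.groups()
        entries.append((host, addr, flags, to_signed32(int(raw))))
    return entries


def expired_hosts(lines):
    """Hostnames whose cached record had already expired at dump time."""
    return [host for host, _, _, exp in parse_cache_dump(lines) if exp <= 0]
```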
     
  3. jan.n

    jan.n LI Guru Member

    DNS entries expire, read this Link, the expire time set in the SOA
