Linode's Cloudflare DNS Firewall settings

Linode uses Cloudflare's DNS Firewall (formerly Virtual DNS). I don't use it myself – I mean, as an administrator -- but Cloudflare's public information shows it has minimum & maximum edge cache TTL settings.

How does Linode have it configured? How does it work?

If I make a change to a DNS record, how long could Cloudflare cache it before the changes fully "propagate"?

In a master zone? A slave zone?

If my TTL is 1 second? 1 minute? 1 hour? 1 day? 1 week?

Okay, that was too many questions, but still. :o

4 Replies

I'm compeltely unaware of any of this. I was under impression that the nsX.linode.com infrastructure is Linode's own, so I'm not sure how Cloudflare is involved; in any case from the control panel to Linode nameservers the propagation seems to be near instant, it

I'm pretty sure Linode is only using Cloudflare's DNS firewall for its own infra - it stills runs its own nameservers, which is what the DNS manager uses.

Similar to how Cloudflare and other CDNs offer HTTP caching reverse proxies, DNS Firewall is a DNS caching reverse proxy. The nsX.linode.com backends are still operated by Linode but the frontend is Cloudflare.

You can look up the IPs and see.

ns1.linode.com.  (unsigned)  300  A     162.159.27.72
ns1.linode.com.  (unsigned)  300  AAAA  2400:cb00:2049:1::a29f:1a63

I agree "propagation" still appears to be instant (disregarding the 15 minute thing), but I don't know if that's because my unpopular zones have a poor cache hit rate, or because the cache actually is configured with very short time limits. ;-)

https://www.cloudflare.com/dns/dns-firewall/

Our settings are 30 seconds / 15 minutes min/max.

Effectively, this works like any DNS TTL, except if you set your TTL to less than 30 seconds, CF acts as if you set it to 30 seconds. If you set your TTL to 2 days, CF acts as if you set it to 15 minutes. But it still passes through the TTL values you set in your records when someone downstream queries CF for your zone. This works the same whether Linode is master or slave for your zone.

My experience watching the difference between our master servers and CloudFlare's servers is that updates happen very quickly, despite our own zone's TTL being much longer than 15 minutes. Generally CF reflects our master nameservers within a minute or two, often much less, once all of our masters are in sync. It may be they pay attention to the NOTIFY signals we send, but I'm not certain of that. But worst-case scenario, you shouldn't see a delay of more than 15 minutes between our master servers being updated and CF reflecting that update. (Keeping in mind that there is a delay between updating in the manager and that update being injected into the DNS system.) Any time I've seen tickets indicating an unexpected delay in DNS updates, it's been a problem on our end (the delay was in getting to our master servers). CloudFlare has been very reliable for us.

Reply

Please enter an answer
Tips:

You can mention users to notify them: @username

You can use Markdown to format your question. For more examples see the Markdown Cheatsheet.

> I’m a blockquote.

I’m a blockquote.

[I'm a link] (https://www.google.com)

I'm a link

**I am bold** I am bold

*I am italicized* I am italicized

Community Code of Conduct