Fix TTL setting on DNS channel (#347)

* Fix a bug in TTL setting, and increase the TTL for the apex domain to lower the DNS load for web and other token hits Signed-off-by: Jacob Torrey <jacob@thinkst.com> * Clean up apex domain matching Co-authored-by: thinkst-az <156116192+thinkst-az@users.noreply.github.com> * Update canarytokens/channel_dns.py Co-authored-by: thinkst-az <156116192+thinkst-az@users.noreply.github.com> * Make the NS TTL consistent Signed-off-by: Jacob Torrey <jacob@thinkst.com> --------- Signed-off-by: Jacob Torrey <jacob@thinkst.com> Co-authored-by: thinkst-az <156116192+thinkst-az@users.noreply.github.com>
thinkst · Feb 16, 2024 · fc475a2 · fc475a2
1 parent 3ed2695
commit fc475a2
Showing 1 changed file with 11 additions and 3 deletions.
diff --git a/canarytokens/channel_dns.py b/canarytokens/channel_dns.py
@@ -107,7 +107,7 @@ def _do_ns_response(self, name=None):
         answer = dns.RRHeader(
             name=name,
             payload=dns.Record_NS(
-                ttl=10,
+                ttl=300,
                 name=".".join(["ns1", name.decode()]),
             ),
             type=dns.NS,
@@ -118,6 +118,7 @@ def _do_ns_response(self, name=None):
             payload=dns.Record_A(ttl=10, address=self.frontend_settings.PUBLIC_IP),
             type=dns.A,
             auth=True,
+            ttl=300
         )
         answers = [answer]
         authority: list[str] = []
@@ -142,6 +143,7 @@ def _do_soa_response(self, name=None):
             ),
             type=dns.SOA,
             auth=True,
+            ttl=300
         )
         answers = [answer]
         authority = []
@@ -154,8 +156,14 @@ def _do_dynamic_response(self, name=None):
         Calculate the response to a query.
         """
         log.info(f"Building A record: ip = {self.frontend_settings.PUBLIC_IP}")
-        payload = dns.Record_A(ttl=10, address=self.frontend_settings.PUBLIC_IP)
-        answer = dns.RRHeader(name=name, payload=payload, type=dns.A, auth=True)
+        ttl = 10
+
+        if name.lower().decode() in self.canary_domains:
+            # This is a resolution of the apex domain, not a token, so we can bump up the TTL
+            ttl = 600 # 10 min seems plenty short enough to allow for IP changes without getting overloaded
+
+        payload = dns.Record_A(ttl=ttl, address=self.frontend_settings.PUBLIC_IP)
+        answer = dns.RRHeader(name=name, payload=payload, type=dns.A, auth=True, ttl=ttl)
         answers = [answer]
         authority: list[str] = []
         additional: list[str] = []