How to flush DNS cache on Ubuntu 22?
-
@msbt oh, for that, you have to flush your PC's cache and not Cloudron server. The answer then depends on Linux/Windows/Mac/Android/iOS.
As for the intermediate routers, generally you cannot do anything. This is the thing with setting a high TTL. Also, the issue will only be on your network and not in other people's networks (they will get the latest DNS). You can test with your 4G/5G for example.
-
@msbt Ah ok, for that it means that the DNS is stuck somewhere in the "world". You can try something like this:
- Get the name servers:
host -t NS domain.com
- Then:
host some.nameserver.above
This will give an IP address.
- Then:
host domain.com ip.of.nameserver
- Does this work for all the nameservers in step 2?
The above is roughly what Cloudron does. If one or more nameservers are not in "sync", then cert generation will fail because Let's Encrypt does the same thing.
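The three-step check above, written up as an added Python example (this is not Cloudron's own code): it parses host(1) output and asks each authoritative name server directly whether it already serves the expected A record, which is the comparison the box:dns/waitfordns log line reports. The domain, name server names and 192.0.2.x addresses in the embedded sample output are constructed so the demo runs offline.

```python
import re
import subprocess

def run_host(args):
    """Run host(1) with the given arguments; return its stdout, or "" if it cannot run."""
    try:
        return subprocess.run(["host", *args], capture_output=True, text=True, timeout=10).stdout
    except (OSError, subprocess.TimeoutExpired):
        return ""

def parse_ns(output):
    """Name servers from `host -t NS domain`, lines like 'domain.com name server ns1.example.net.'"""
    return [ns.rstrip(".") for ns in re.findall(r"name server (\S+)", output)]

def parse_a(output):
    """IPv4 answers from `host name [server]`; the 'Address: x.x.x.x#53' header line is ignored."""
    return re.findall(r"has address (\d+\.\d+\.\d+\.\d+)", output)

def check_sync(domain, expected_ip, run=run_host):
    """Ask every authoritative NS directly for the A record (steps 1-3 of the thread).
    Returns {ns: True (serves expected_ip) | False (stale answer) | None (NS unresolvable)}."""
    results = {}
    for ns in parse_ns(run(["-t", "NS", domain])):
        ns_ips = parse_a(run([ns]))          # step 2: resolve the NS hostname itself
        if not ns_ips:
            results[ns] = None
            continue
        # step 3: query that NS directly, bypassing every caching resolver in between
        results[ns] = expected_ip in parse_a(run([domain, ns_ips[0]]))
    return results

# Constructed host(1) output for the offline demo: ns2 has not picked up the new A record yet.
SAMPLE = {
    ("-t", "NS", "domain.com"): "domain.com name server ns1.example.net.\ndomain.com name server ns2.example.net.\n",
    ("ns1.example.net",): "ns1.example.net has address 192.0.2.53\n",
    ("ns2.example.net",): "ns2.example.net has address 192.0.2.54\n",
    ("domain.com", "192.0.2.53"): "Using domain server:\nName: 192.0.2.53\nAddress: 192.0.2.53#53\nAliases: \n\ndomain.com has address 192.0.2.20\n",
    ("domain.com", "192.0.2.54"): "Using domain server:\nName: 192.0.2.54\nAddress: 192.0.2.54#53\nAliases: \n\ndomain.com has address 192.0.2.10\n",
}

def sample_run(args):
    """Stand-in for run_host that answers from the constructed SAMPLE table."""
    return SAMPLE.get(tuple(args), "")

if __name__ == "__main__":
    for ns, ok in check_sync("domain.com", "192.0.2.20", run=sample_run).items():
        print(ns, {True: "in sync", False: "STALE", None: "unresolvable"}[ok])
```

Run it against a real domain by calling check_sync(domain, new_ip) with the default run_host; any name server reported as STALE is the one Let's Encrypt may hit.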
-
@msbt yeah, ping just picks the first one that responds. So, while it's a good check, it's not complete.
The app logs will tell you which DNS server is the "culprit". The issue is that LE verification will fail as the IP address is different and it will hit some other server.
-
@girish ah thx, that's what it says:
box:dns/waitfordns isChangeSynced: domain.com (A) was resolved to old.ip at NS helium.ns.hetzner.de (193.47.99.5). Expecting new.ip. Match false
So there's no way around that other than lowering the TTL before a change?
-
@msbt the TTL is the cache time and a hint for resolvers on how long to cache. So, if you had a long TTL with the old IP address, it's probably going to get cached for that long. Which means changing it right before making the change to the new IP doesn't help.
In general, keep long TTLs only if you are super sure IP won't change. If a customer had a long TTL to begin with, one has to wait it out, there is no other way.
That said, there are more things at play here. For LE, it has probably never seen this domain before. So, it's going to query from "scratch" and thus TTL does not come into play for the LE network itself. The issue here seems to be that Hetzner's nameservers have not "synced" the change. These servers are called "authoritative servers" and will usually update asap (since they are the "authority" on this DNS entry and they know things have changed). But it looks like you have been waiting for hours already... Maybe you can ask Hetzner what's going on?
-
@girish thanks for the explanation! Yeah the change happened ~14 hours ago and the TTL was set to 24 hours I reckon. I'll just wait until tomorrow to continue
My plan would have been to lower the TTL a few days prior to the A record, so the caches would invalidate sooner.