DrayTek UK Users' Community Forum


Draytek 2860 DNS interception

28 Oct 2014 13:26 #81522 by phyber
Replied by phyber on topic Re: Draytek 2860 DNS interception
So, for a while now I've been having a new issue with DNS. Every once in a while, DNSSEC hosts would fail to validate and I'd get SERVFAIL errors from my own caching resolvers. Eventually, I found out this was being caused by the DNS cache on my Vigor 2860. I imagine the DNS caches of other Vigor models do the same thing.

Please note that the above occurs even when you are not directly querying the Vigor since the Vigor implements a transparent cache for DNS requests.

Since DrayTek seem committed to mangling DNS for everybody, there is no way to disable the DNS cache on the Vigor. However, you can change the cache TTL.
Code:
sys dnsCacheTbl -t 5

This command will change the DNS cache on the Vigor to time out after 5 seconds, meaning that after 5 seconds cache entries are dropped and your DNS query will now go out to the Internet like you expect. It's not quite turned off, but probably as good as we're going to get. The dnsCacheTbl command also has a few other options that you can use to query the DNS cache.
Code:
> sys dnsCacheTbl ?
Usage: sys dnsCacheTbl [- | ... ]
 -l : show dns ipv4 entry in the DNS cache table
 -s : show dns ipv6 entry in the DNS cache table
 -v : show ttl limit value in the DNS cache
 -t : set ttl limit value in the DNS cache, 0:no limit or n seconds (n >= 5)
 -c : clear dns cache table

I'm leaving this post here in the hope that it's of use to others, since I could find nothing on Google about the dnsCacheTbl command.

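The transparent caching phyber describes can be checked for from a LAN client. The following is an added example (not code from this thread or from DrayTek) that parses DNS answers with only the standard library and flags the single shared TTL countdown that one in-path cache produces when the same name is sent to several different resolvers; independent resolvers keep independent caches, so their remaining TTLs should not line up. The names, addresses and TTLs in the sample data are constructed.

```python
import struct

def _skip_name(msg, off):
    """Return the offset just past a (possibly compressed) domain name."""
    while True:
        length = msg[off]
        if length == 0:
            return off + 1
        if length & 0xC0 == 0xC0:      # compression pointer: 2 bytes, ends the name
            return off + 2
        off += 1 + length

def answer_ttls(msg):
    """Parse a wire-format DNS response and return the TTL of each answer RR."""
    _txid, _flags, qd, an, _ns, _ar = struct.unpack("!6H", msg[:12])
    off = 12
    for _ in range(qd):
        off = _skip_name(msg, off) + 4     # skip QTYPE + QCLASS
    ttls = []
    for _ in range(an):
        off = _skip_name(msg, off)
        _rtype, _rclass, ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        ttls.append(ttl)
        off += 10 + rdlen
    return ttls

def shared_cache_signature(observations, slack=2):
    """observations: list of (seconds_since_first_query, response_bytes) for the SAME
    name sent to DIFFERENT resolvers. True when every later TTL equals the first TTL
    minus the elapsed time (within `slack`), i.e. one cache answered all of them.
    Space the queries tens of seconds apart so fresh, equal TTLs cannot match by chance."""
    points = [(t, answer_ttls(r)[0]) for t, r in observations if answer_ttls(r)]
    if len(points) < 2:
        return False
    t0, ttl0 = points[0]
    return all(abs((ttl0 - (t - t0)) - ttl) <= slack for t, ttl in points[1:])

def build_response(name, ip, ttl, txid=0x1234):
    """Constructed test data: a minimal A-record response with a compressed owner name."""
    qname = b"".join(bytes([len(l)]) + l.encode() for l in name.split(".")) + b"\x00"
    hdr = struct.pack("!6H", txid, 0x8180, 1, 1, 0, 0)
    question = qname + struct.pack("!HH", 1, 1)
    rr = b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, ttl, 4) + bytes(int(o) for o in ip.split("."))
    return hdr + question + rr

if __name__ == "__main__":
    # Three resolvers, queried 0 s, 10 s and 25 s apart; TTLs count down from one source.
    seen = [(0, build_response("example.com", "192.0.2.1", 300)),
            (10, build_response("example.com", "192.0.2.1", 290)),
            (25, build_response("example.com", "192.0.2.1", 275))]
    print("in-path cache suspected:", shared_cache_signature(seen))
```

In practice the `observations` list is filled by sending the same query to resolvers such as your own, your ISP's and a public one, and recording the time of each; a Vigor `-t 5` setting shortens the window in which this pattern can appear.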

29 Oct 2014 10:11 #81536 by marjohn56
Replied by marjohn56 on topic Re: Draytek 2860 DNS interception
You can also do the same in the web interface: go to Diagnostics/DNS Cache Table and tick 'When an entry's TTL is larger....', then set the number of seconds. Click OK and all done.

Don't forget to save the config.


30 Oct 2014 11:12 #81562 by phyber
Replied by phyber on topic Re: Draytek 2860 DNS interception
marjohn56 wrote: You can also do the same in the web interface

Yeah, I discovered this later in the evening and was just returning now to post it after I remembered. Thank you for pointing it out. One thing the web interface fails to mention is that the lower limit on the TTL is 5 seconds and that 0 seconds means that it will cache until (I assume) the real TTL of the record expires, so delving into the router CLI wasn't a complete waste of time. :)

