NSX-T: Clear NSX-T DNS Forwarder Cache


[Update: In this setup NSX-T ingests the negative-caching TTL from the SOA record of my DNS server. Microsoft DNS defaults this value to 1 hour, so NSX-T caches the negative result for an hour.
To combat this behavior, you can lower the TTL on your source DNS server so that the NSX-T cache clears sooner. Valid records in this setup will still be cached for 1 hour, or whatever TTL your DNS server is set to.]
To determine TTL value for the negative record:
nslookup -type=a -nosearch -d2 brokenaka.ninja.corp

Summary:

Ran into an interesting behavior w/ NSX-T's DNS forwarder service.  Basically, if I queried for an invalid DNS name, NSX-T's DNS cache appears to hold on to that invalid (negative) result for an undetermined amount of time.

So what does this do?  Basically, if I queried for ninja.naka.corp w/o creating the entry on my DNS server, NSX-T caches that invalid record.  If I then registered ninja.naka.corp on my DNS server, NSX-T would continue to tell me that the record is invalid even though it now exists on my DNS server.

Verified this behavior occurs w/ NSX-T 2.5.2.  It 'might' occur in 3.x as well, but I'm unsure.  What I am aware of is that there still does not appear to be a UI method to flush this service's cache.

Workaround:

The only ways around this problem appear to be either waiting for the cache to time out or forcing a flush of the cache via the API.  Below are curl and PowerShell examples of how to do this:

Curl Method:


Powershell Method:
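As an added example (not the author's own curl or PowerShell snippet), the following POSIX shell script wraps the curl call to flush the forwarder cache. It assumes the NSX Manager API paths GET /api/v1/dns/forwarders (to find the forwarder ID) and POST /api/v1/dns/forwarders/<id>?action=clear_cache; the manager hostname, forwarder UUID and the NSX_USER / NSX_PASS environment variables are placeholders you supply. The URL builder and the UUID check are pure functions so they can be verified without touching a manager; -k is used only because NSX Manager typically ships a self-signed certificate, and you should drop it once the manager has a trusted cert.

```shell
#!/bin/sh
# Added example, not code from the original post.
# Assumed NSX-T Manager API (verify against your version's API guide):
#   GET  https://<manager>/api/v1/dns/forwarders                  -> list forwarders
#   POST https://<manager>/api/v1/dns/forwarders/<id>?action=clear_cache
# Credentials are read from NSX_USER / NSX_PASS (placeholders).
set -eu

# Build the clear_cache URL for a manager host and forwarder id.
nsx_clear_cache_url() {
  manager="$1"
  forwarder_id="$2"
  printf 'https://%s/api/v1/dns/forwarders/%s?action=clear_cache' \
    "$manager" "$forwarder_id"
}

# Accept only a UUID-shaped forwarder id before it is placed in a URL.
is_uuid() {
  printf '%s' "$1" | grep -Eq \
    '^[0-9a-fA-F]{8}-([0-9a-fA-F]{4}-){3}[0-9a-fA-F]{12}$'
}

# List the DNS forwarders (JSON) so the right id can be picked out.
nsx_list_forwarders() {
  manager="$1"
  curl -sk -u "${NSX_USER}:${NSX_PASS}" \
    -H 'Accept: application/json' \
    "https://${manager}/api/v1/dns/forwarders"
}

# POST the clear_cache action; prints the HTTP status code (200 = flushed).
# Returns 2 without calling the API if the id is not a UUID.
nsx_clear_dns_cache() {
  manager="$1"
  forwarder_id="$2"
  if ! is_uuid "$forwarder_id"; then
    echo "refusing to call API: '$forwarder_id' is not a UUID" >&2
    return 2
  fi
  curl -sk -o /dev/null -w '%{http_code}\n' \
    -u "${NSX_USER}:${NSX_PASS}" \
    -H 'Content-Type: application/json' \
    -X POST "$(nsx_clear_cache_url "$manager" "$forwarder_id")"
}

# Usage (placeholder values):
#   export NSX_USER=admin NSX_PASS='<password>'
#   nsx_list_forwarders nsxmgr.example.corp
#   nsx_clear_dns_cache nsxmgr.example.corp <forwarder-uuid>
```

After the flush, re-run the nslookup from the update note against the forwarder's listener address; a record you registered on the backend DNS server should now resolve instead of returning the cached negative answer.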
