
Is there a simple dns proxy for centos 8 that can cache requests?

I am running a .net core app on linux and it sends http request to a Web server.

Currently name resolution take 300ms.

I would like to cut it down to 1ms. Can it be achieved with a dns proxy and which one requires minimum setup?

Boppity Bop
  • 722
  • 3
  • 11
  • 29

2 Answers

1

Sounds like a good use case for either unbound or dnsmasq, both of which are caching DNS servers by design. I personally have the most experience with unbound, so I'll describe that here but guides for installing and configuring dnsmasq are widely available as well.

Installation is as simple as running yum:

sudo yum install unbound

Then, configure unbound by editing /etc/unbound/unbound.conf. A reasonable default would be the following:

server:
  access-control: 127.0.0.0/8 allow
  access-control: 10.0.0.0/8 allow
  access-control: 172.16.0.0/12 allow
  access-control: 192.168.0.0/16 allow
  aggressive-nsec: yes
  cache-max-ttl: 14400
  cache-min-ttl: 1200
  hide-identity: yes
  hide-version: yes
  interface: 0.0.0.0
  prefetch: yes
  rrset-roundrobin: yes
  so-reuseport: yes
  use-caps-for-id: yes
  verbosity: 1
  num-threads: 2
  private-address: 192.168.0.0/16
  private-address: 172.16.0.0/12
  private-address: 10.0.0.0/8

forward-zone:
   name: "."
   forward-addr: 1.0.0.1@53 # Cloudflare
   forward-addr: 1.1.1.1@53 # Cloudflare
   forward-addr: 8.8.4.4@53 # Google
   forward-addr: 8.8.8.8@53 # Google

This configures unbound to be accessible from all RFC1918 (private) addresses, and forwards all requests to Cloudflare and Google DNS servers. Once configured, restart unbound:

sudo systemctl restart unbound

And you should be good to go!

dwaler
  • 26
  • 4
  • I just installed `bind` using: https://linuxapt.com/blog/caching-dns-server-on-centos-8 and `nslookup google.com` shows `Server: 169.254.169.254` which is not my IP.. ideas? – Boppity Bop Jan 25 '21 at 20:13
  • That IP address is a so-called APIPA address and is most likely the IP address of one of your interfaces not having gotten an IP address from a DHCP server. Did you configure the interface for bind anywhere? Also, bind seems to be quite overkill (and a bit more difficult to understand) for a caching DNS server, which is why I did not mention it. – dwaler Jan 26 '21 at 12:52
  • idk what's apipa but the address is google cloud dns server and it is being overridden in my resolv.config every time i restart the machine - see my other question https://serverfault.com/questions/1051184/why-gcp-overrides-my-etc-resolv-conf-file-and-how-to-avoid-it/1051228#1051228 – Boppity Bop Jan 26 '21 at 15:17
0

A DNS proxy would be a device that accepts DNS requests for another device and forwards them on behalf of that device. DNS proxy is not really a real thing in the definition of a proxy you are referring to. It would be the same functions as a recursive DNS server.

That aside though, the DNS client on your CentOS machine would already be handling what you are trying to solve. If it is constantly reaching out to an external nameserver for an address, the TTL for the record is likely lower than it should be. It should reach out to the name server once, then use cache until the TTL expires. If that isn't happening, it sounds like the DNS record.

DubStep
  • 264
  • 2
  • 8
  • The DNS record in question is Amazon cloud, so I don't think the DNS record is at fault. Any other ideas? TTL is 29 sec btw, which is plenty for me, but it doesn't work (or so it seems) – Boppity Bop Jan 25 '21 at 19:57
  • Are you sure it's 29 seconds? Or is that 29 seconds on the server you are looking at? Remember, most DNS servers are recursive and caching, so they cache records based on TTL. You'd have to query an authoritative server to get the actual TTL of the record vs the TTL of the record left in cache. Also, low TTLs on a cloud service DNS record isn't uncommon. And if it is truly 29 seconds, that isn't plenty lol. That means it will reach out every 29 seconds, and unless your requests are happening more frequently than 29 seconds, that means it will reach out with every request. – DubStep Feb 02 '21 at 21:15
  • Yes, I queried the GCP DNS server. TTL is 29 sec. Apparently it is by design and the behaviour in question is known and is fixed now (see my other question). The local DNS caching works fine now using `bind`. Thank you for trying to help. – Boppity Bop Feb 03 '21 at 16:18
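Both answers come down to TTL: the second one explains that a cache only saves you until the record's TTL runs out, and the first one's config overrides that with `cache-min-ttl: 1200` / `cache-max-ttl: 14400`. The simulation below is an added example (not code from either answer or from unbound) that models a TTL-honouring cache with unbound-style clamping and replays the 29-second record from the comments through it, so you can see how many upstream lookups each setting produces and how long a stale address could keep being served after the upstream record changes. The hostname and the 203.0.113.10 address are constructed placeholders.

```python
# Values taken from the unbound.conf posted in the first answer.
CACHE_MIN_TTL = 1200
CACHE_MAX_TTL = 14400


def effective_ttl(upstream_ttl, min_ttl=0, max_ttl=None):
    """Clamp a record's TTL the way cache-max-ttl / cache-min-ttl do:
    cap it at max_ttl, then raise it to at least min_ttl."""
    ttl = upstream_ttl
    if max_ttl is not None and ttl > max_ttl:
        ttl = max_ttl
    if ttl < min_ttl:
        ttl = min_ttl
    return ttl


def stale_window(upstream_ttl, min_ttl=0):
    """Worst-case seconds a changed address is still served from cache
    because cache-min-ttl stretched the record beyond what the zone owner set."""
    return max(0, min_ttl - upstream_ttl)


class CachingResolver:
    """Minimal TTL-based cache in front of an upstream lookup function.

    upstream(name) must return (address, ttl_seconds). Time is passed in
    explicitly so the behaviour can be replayed deterministically.
    """

    def __init__(self, upstream, min_ttl=0, max_ttl=None):
        self.upstream = upstream
        self.min_ttl = min_ttl
        self.max_ttl = max_ttl
        self.cache = {}          # name -> (address, expires_at)
        self.upstream_queries = 0

    def resolve(self, name, now):
        """Return (address, served_from_cache)."""
        entry = self.cache.get(name)
        if entry is not None and now < entry[1]:
            return entry[0], True
        address, ttl = self.upstream(name)
        self.upstream_queries += 1
        expires_at = now + effective_ttl(ttl, self.min_ttl, self.max_ttl)
        self.cache[name] = (address, expires_at)
        return address, False


def simulate(query_times, min_ttl=0, max_ttl=None, upstream_ttl=29):
    """Replay lookups of one record at the given times (seconds).

    Returns (number of upstream queries, list of cache-hit flags per query).
    """
    def upstream(name):
        # Constructed answer: a TEST-NET-3 address with the TTL under test.
        return "203.0.113.10", upstream_ttl

    resolver = CachingResolver(upstream, min_ttl, max_ttl)
    hits = [resolver.resolve("api.example.com", t)[1] for t in query_times]
    return resolver.upstream_queries, hits


if __name__ == "__main__":
    times = [0, 10, 40, 60, 1300]
    print("honouring the 29s TTL:", simulate(times))
    print("with cache-min-ttl 1200:", simulate(times, CACHE_MIN_TTL, CACHE_MAX_TTL))
    print("stale window in seconds:", stale_window(29, CACHE_MIN_TTL))
```

The trade-off the numbers show is the one to weigh before copying `cache-min-ttl` into production: the clamp turns a 29-second record into a 1200-second one, which removes most upstream round trips but also means a cloud endpoint that changes address can be unreachable from this host for up to that long.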