
I'm using stunnel in client mode to proxy between my HAProxy and an HTTPS backend server. I've read that HAProxy caches the resolved IPs on each config load, which isn't a problem in my current setup. However, it got me thinking about whether or not stunnel caches the DNS results as well. I find that there's a delay = yes option which sounds like it should alleviate my concern. From the manual:

delay = yes | no

delay DNS lookup for connect option

This option is useful for dynamic DNS, or when DNS is not available during stunnel startup (road warrior VPN, dial-up configurations).

Delayed resolver mode is automatically engaged when stunnel fails to resolve on startup any of the connect targets for a service.

Delayed resolver inflicts failover = prio.

default: no

If I set delay = yes, will the DNS be resolved at every single connection, or does it use the OS's DNS cache (which would invalidate)?

John K. Chow

1 Answer

TL;DR: It doesn't cache the IP addresses

I asked this on the stunnel mailing list, and the author and maintainer Michal kindly responded to the question:

I specifically introduced the "delay" option to deal with dynamic IP addresses. Stunnel does not attempt to cache the IP addresses with "delay = yes". The local library may cache them, but it should honor the TTL.

John K. Chow
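For reference, here is what the client-mode service described in the question looks like with the delay option set, as an added example that is not part of the original post or the stunnel project's own documentation; the listen address, the backend hostname and the pid path are assumed values.

```ini
; stunnel.conf (added example; all addresses and names below are assumed)
pid = /var/run/stunnel-backend.pid

[https-backend]
client = yes
; HAProxy connects here in plain text ...
accept = 127.0.0.1:8443
; ... and stunnel wraps each connection in TLS towards the backend.
connect = backend.example.com:443

; Default behaviour (delay = no): the connect target is resolved once
; when stunnel starts, so a changed A record is only seen after a reload.
; delay = no

; With delay = yes the hostname is resolved again for every connect();
; stunnel keeps no address cache of its own, only the system resolver
; library may cache, and it is expected to honour the record's TTL.
delay = yes

; If more than one connect target is listed, delay = yes forces
; failover = prio (targets are tried in order, not round-robin).
; connect = backend-2.example.com:443
```

Reload stunnel after changing the option; the new resolver behaviour applies to connections accepted from then on.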