Persistently caching DNS cache for Linux

Is there a free DNS proxy/cache software that caches positive answers indefinitely until some new positive answer is received? That means the cache should live longer than the TTL received as long as the upstream DNS server does not answer or gives a negative (NXDOMAIN) answer.

An alternative name for this question could have been Resilient DNS cache as it helps in case of outages.

Best cache behavior would be not to forward client queries if a cached answer is available within its TTL and forward client queries otherwise. If there is no answer within a configurable timeout or there is a negative answer from upstream, the cache contents are returned with some configurable artificial TTL value. If there is a positive answer, it is returned to the client and saved in the cache.


Specifically, the term you're looking for is "serve stale" or "serve expired". Quite a few DNS resolvers support serving old data; this feature actually exists even as an IETF specification.

For example,

  • "serve-stale" has been implemented by ISC BIND 9.11 (the link is to a blog post which also talks about the history of the feature);

  • it is called "serve-expired" in Unbound – might go along well with its "prefetch" feature (which automatically refreshes cached entries);

  • dnsdist has had "keepStaleData" added in 1.4.0;

  • while pdns-recursor still has only a pending feature request.

However, this only works for complete outages. It does not apply to NXDOMAIN responses, as those are still perfectly valid responses – a fake "no such domain" is indistinguishable from a legitimate one (unless it fails DNSSEC validation). Negative replies are in fact cacheable too.


Additionally, many resolvers support putting a minimum limit on the received TTL, so that e.g. replies with a TTL of 30 seconds would instead be cached for 5 minutes. This can help when using an unreliable upstream resolver.

  • Unbound has "cache-min-ttl";

  • dnsmasq has "min-cache-ttl" (limited to 1 hour).


Similar threads:

  • https://serverfault.com/questions/817589/can-a-local-dns-cache-be-configured-to-use-stale-records-when-upstream-fails
  • https://unix.stackexchange.com/questions/287836/how-to-override-ttl-in-a-caching-only-bind9
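As an added illustration (not part of the original question or answer), the Unbound and BIND 9 options named above put together into minimal caching-forwarder fragments. The option names are the real ones; the numeric values and the upstream address 192.0.2.1 (a documentation-prefix address) are assumptions chosen for the example and should be replaced with your own.

```conf
# Unbound (unbound.conf) - added example, not from the original answer.
server:
    # Keep answering from cache after the TTL has run out when upstream
    # times out or returns SERVFAIL. Does not help against NXDOMAIN.
    serve-expired: yes
    # Refresh popular entries shortly before they expire, so stale data
    # is rarely needed in the first place.
    prefetch: yes
    # Never cache a positive answer for less than 5 minutes, whatever
    # TTL the upstream hands back.
    cache-min-ttl: 300

forward-zone:
    name: "."
    forward-addr: 192.0.2.1    # assumed upstream resolver

# BIND 9.11+ (named.conf) - the same idea with the serve-stale options.
options {
    forwarders { 192.0.2.1; };   # assumed upstream resolver
    stale-answer-enable yes;     # serve expired records on upstream failure
    max-stale-ttl 86400;         # keep expired records available for one day
    stale-answer-ttl 30;         # TTL handed to clients on a stale answer
};
```

After changing either file, run `unbound-checkconf` or `named-checkconf` before reloading, and verify the behaviour by blocking the forwarder (for example with a firewall rule) and querying a name that has already been cached: with serve-stale on, the query should still be answered with the artificially short TTL instead of timing out.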