Best way to set up DNS caching?
In order to speed up DNS lookups, I want to install a DNS cache or proxy.
I can see at least three programs I think will do the job: bind9, pdnsd, or dnsmasq.
I would like to make sure that if I install one of them, I do not leave it poorly configured from a performance or security point of view. So, what would people recommend, and are there any configuration changes I should immediately make after installing?
Solution 1:
- Install bind9
- Point resolv.conf to 127.0.0.1
To do this, follow these steps:
To Install Bind9
- Open "Ubuntu Software Center" (Applications->Ubuntu Software Center)
- Search for bind9
- Check to display "Technical Items"
- Mark bind9 and install it
Update /etc/resolv.conf
- Open Network Manager (System->Preferences->Network Manager)
- Find your connection and edit it (wired or wireless)
- Toggle "IPV4 configuration" tab
- On "DNS Servers" field write 127.0.0.1
It's done!
To test
Open gnome-terminal (Applications > Accessories > Terminal ) and type
dig ubuntu.com
(if you don't have it, install the dnsutils package as explained for bind9)
Check the last answers, as an example:
My first query at ubuntu.com
;; Query time: **209 msec**
;; SERVER: 127.0.0.1#53(127.0.0.1)
;; WHEN: Sat Jan 22 12:20:12 2011
;; MSG SIZE rcvd: 196
My second query:
;; Query time: **0 msec**
;; SERVER: 127.0.0.1#53(127.0.0.1)
;; WHEN: Sat Jan 22 12:18:23 2011
;; MSG SIZE rcvd: 156
The server 127.0.0.1 means that you're resolving locally. Take a look at the query time (surrounded by **); the second one is cached.
Solution 2:
I would recommend dnsmasq.
See a nice tutorial here: http://embraceubuntu.com/2006/08/02/local-dns-cache-for-faster-browsing/
You may want to read a comparison here:
http://en.wikipedia.org/wiki/Comparison_of_DNS_server_software
Solution 3:
"In order to speed up DNS lookups, I want to install a DNS cache or proxy."
Ok. But there's an easier way, too. Using OpenDNS and/or Google name servers will be faster than your own local cache for names that already exist in the OpenDNS/Google caches. Using 208.67.222.222, 208.67.220.220, and/or 8.8.8.8 as name servers will be faster almost all of the time. You can test this with
time nslookup www.google.com 208.67.222.222
to test speed on one of the OpenDNS name servers,
time nslookup www.google.com 8.8.8.8
for Google, or
time nslookup www.google.com 127.0.0.1
on your local cache. When I say faster, I mean technically faster and not so much faster that a person could easily notice a difference.
"I can see at least three programs I think will do the job: bind9, pdnsd, or dnsmasq."
Are you open to the dnscache portion of djbdns? Instructions below. Though, it does not save the cache without a patch...
sudo apt-get remove bind9 dnsmasq-base
sudo apt-get install djbdns dnscache-run
sudo killall -9 dnsmasq
sudo update-rc.d -f bind9 remove
Then we'll need to tell the system to use our cache.
sudo gedit /etc/resolv.conf
Edit the file to look like this example. This file defines which name servers to use, the default domain, and the search suffix. The search suffix makes it possible to run queries using only the hostname portion of a fully-qualified domain name. For example, 'nslookup www' automagically becomes 'nslookup www.example.com' when example.com is the value of the "search" parameter.
nameserver 127.0.0.1 # Use the local resolver first.
nameserver 208.67.222.222 # OpenDNS
nameserver 8.8.8.8 # Google
domain example.com
search example.com
This is a little fancy, but we need to get the latest root name servers.
sudo dnsip $(dnsqr ns . | sed -e '/answer/!d;s/\(.*\)NS \(.*\)/\2/') | sudo tee /etc/dnscache/root/servers/@
I think the resolv.conf file is overwritten when we use DHCP. I chose to give myself a static IP address and remove the software that squashes it, editing the interfaces file to set up the static IP address. But you could try to work with Network Manager if you are so inclined.
sudo apt-get purge network-manager network-manager-gnome
sudo gedit /etc/network/interfaces
My interfaces file looks as follows, but modify yours to your configuration.
# Loopback
#
auto lo
iface lo inet loopback

# First network card (attached to NAT router, attached to cable internet)
#
auto eth0
iface eth0 inet static
    address 192.168.1.254
    netmask 255.255.255.0
    network 192.168.1.0
    broadcast 192.168.1.255
    gateway 192.168.1.1
Now let's just restart.
sudo reboot
Now you are using a local resolver and the latest root servers. But you'll notice if you try that OpenDNS and Google are in fact answering faster (for names that are in their caches, which is all of the most popular domains). There is no additional configuration that could cause the software to become any more secure than it already is.
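As an added example (not part of the answer above), this POSIX shell script parses a resolv.conf like the one shown, with its trailing comments, and works out what the glibc stub resolver will actually do with it: which nameservers it tries and in what order, which of "domain"/"search" wins when both are present (the last one), and which candidate names a short query such as "www" expands to under the default ndots:1 rule. The sample file is constructed from the answer's example with a second search suffix added; the helper names are this example's own.

```shell
#!/bin/sh
# Constructed sample modelled on the answer's resolv.conf (written to a temp file).
RESOLV_SAMPLE="${TMPDIR:-/tmp}/resolv.conf.sample.$$"
cat > "$RESOLV_SAMPLE" <<'EOF'
nameserver 127.0.0.1 # Use the local resolver first.
nameserver 208.67.222.222 # OpenDNS
nameserver 8.8.8.8 # Google
domain example.com
search example.com corp.example.com
EOF

# Strip '#' and ';' comments (both are legal in resolv.conf) and blank lines.
resolv_clean() { sed -e 's/[#;].*$//' -e '/^[[:space:]]*$/d' "$1"; }

# Nameservers in the order the stub resolver tries them, space-separated on one line.
resolv_nameservers() {
    resolv_clean "$1" | awk '$1=="nameserver"{printf "%s%s", sep, $2; sep=" "} END{print ""}'
}

# "domain" and "search" are mutually exclusive in glibc: the last one in the file wins.
resolv_search_list() {
    resolv_clean "$1" | awk '$1=="domain"||$1=="search"{$1=""; sub(/^ +/,""); last=$0} END{print last}'
}

# Candidate names tried for a query, one per line, following the default ndots:1 rule:
# a trailing dot means absolute only; fewer than one dot means search suffixes first,
# then the bare name; otherwise the bare name is tried first, then the suffixes.
resolv_candidates() {
    name=$1; conf=$2
    case "$name" in *.) printf '%s\n' "${name%.}"; return 0 ;; esac
    dots=$(printf '%s' "$name" | awk -F. '{print NF-1}')
    suffixed=$(for s in $(resolv_search_list "$conf"); do printf '%s.%s\n' "$name" "$s"; done)
    if [ "$dots" -lt 1 ]; then
        if [ -n "$suffixed" ]; then printf '%s\n' "$suffixed"; fi
        printf '%s\n' "$name"
    else
        printf '%s\n' "$name"
        if [ -n "$suffixed" ]; then printf '%s\n' "$suffixed"; fi
    fi
}

# Check for the setup described above: the first nameserver must be the local cache,
# otherwise queries bypass it and the cache never warms up.
resolv_first_is_local() { [ "$(resolv_nameservers "$1" | cut -d' ' -f1)" = "127.0.0.1" ]; }
```

Run it against /etc/resolv.conf instead of the sample to see what a DHCP client or Network Manager has actually written there.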
Solution 4:
I'm using "dnscache" (package "dnscache-run") and it's very simple. No need to configure anything.
It captures the DNS requests (port 53) and caches the responses; the next time that Linux asks for that domain, dnscache returns the IP immediately.
There are, however, two parameters that can be changed to improve this program:
echo 16000000 > /etc/sv/dnscache/env/CACHESIZE
echo 16777216 > /etc/sv/dnscache/env/DATALIMIT