Best way to set up DNS caching?

Question

In order to speed up DNS lookups, I want to install a DNS cache or proxy.

I can see at least three programs I think will do the job: bind9, pdnsd, or dnsmasq.

I would like to make sure that if I install one of I do not leave it poorly configured from a performance or security point of view. So, what would people recommend, and are there any configuration changes I should immediately make after installing?

Answer 1

1. Install bind9
2. Point resolv.conf to 127.0.0.1

To do this follow this steps:

To Install Bind9

1. Open "Ubuntu Software Center" (Applications->Ubuntu Software Center)
2. Search for bind9
3. Check to display "Technical Items"
4. Mark bind9 and install it

Update /etc/resolv.conf

1. Open Network Manager (System->Preferences->Network Manager)
2. Find your connection and edit it (wired or wireless)
3. Toggle "IPV4 configuration" tab
4. On "DNS Servers" field write 127.0.0.1

It's done!

To test

Open gnome-terminal (Applications > Accessories > Terminal ) and type

dig ubuntu.com 

(if you don't have it, install dnsutils package as explained to bind9)

Check the last answers, as an example:

My first query at ubuntu.com

;; Query time: **209 msec**
;; SERVER: 127.0.0.1#53(127.0.0.1)
;; WHEN: Sat Jan 22 12:20:12 2011
;; MSG SIZE  rcvd: 196

My second query:

;; Query time: **0 msec**
;; SERVER: 127.0.0.1#53(127.0.0.1)
;; WHEN: Sat Jan 22 12:18:23 2011
;; MSG SIZE  rcvd: 156

The server 127.0.0.1 means that you're resolving locally. Take a look in query time (surrounded by **) , the second one is cached.

Answer 2

I would recommend dnsmasq,

See a nice tutorial here; http://embraceubuntu.com/2006/08/02/local-dns-cache-for-faster-browsing/

You may want to read a comparison here;

http://en.wikipedia.org/wiki/Comparison_of_DNS_server_software

Answer 3

"In order to speed up DNS lookups, I want to install a DNS cache or proxy."

Ok. But there's an easier way, too. Using OpenDNS and/or Google name servers will be faster than your own local cache for names that already exist in the OpenDNS/Google caches. Using 208.67.222.222, 208.67.220.220, and/or 8.8.8.8 as name serves will be faster almost all of the time. You can test this with time nslookup www.google.com 208.67.222.222 to test speed on one of the OpenDNS name servers, time nslookup www.google.com 8.8.8.8 for Google, or time nslookup www.google.com 127.0.0.1 on your local cache. When I say faster, I mean technically faster and not so much faster that a person could easily notice a difference.

"I can see at least three programs I think will do the job: bind9, pdnsd, or dnsmasq."

Are you open to the dnscache portion of djbdns? Instructions below. Though, it does not save the cache without a patch...

sudo apt-get remove bind9 dnsmasq-base
sudo apt-get install djbdns dnscache-run
sudo killall -9 dnsmasq
sudo update-rc.d -f bind9 remove

Then we'll need to tell the system to use our cache.

sudo gedit /etc/resolv.conf

Edit the file to look like this example. This file defines which name servers to use, the default domain, and the search suffix. The search suffix makes it possible to run queries using only the hostname portion of a fully-qualified domain name. For exmaple, 'nslookup www' automagically becomes 'nslookup www.example.com' when example.com is the value of the "search" parameter.

nameserver 127.0.0.1      # Use the local resolver first.
nameserver 208.67.222.222 # OpenDNS
nameserver 8.8.8.8        # Google
domain example.com
search example.com

This is a little fancy, but we need to get the lastest root name servers.

sudo dnsip $(dnsqr ns . | sed -e '/answer/!d;s/\(.*\)NS \(.*\)/\2/') | sudo tee /etc/dnscache/root/servers/@

I think the resolv.conf file is overwritten when we use DHCP. I choose to give myself a static IP address and remove the software that squashes it, editing the interfaces file to set up the static IP address. But you could try to work with Network Manager if you are so inclined.

sudo apt-get purge network-manager network-manager-gnome
sudo gedit /etc/network/interfaces

My interfaces file looks as follows, but modify yours to your configuration.

# Loopback
#
auto lo
iface lo inet loopback

# First network card (attached to NAT router, attached to cable internet)
#
auto eth0
iface eth0 inet static
address 192.168.1.254
netmask 255.255.255.0
network 192.168.1.0
broadcast 192.168.1.255
gateway 192.168.1.1

Now let's just restart.

sudo reboot

Now you are using a local resolver and the latest root servers. But you'll notice if you try that OpenDNS and Google are in fact answering faster (for names that are in their caches, which is all of the most popular domains). There is no additional configuration that could cause the software to become any more secure that it already is.

Answer 4

I'm using "dnscache" (package "dnscache-run") and it's very simply. No need to configure anything.
It captures the DNS petitions (port 53) and it caches the responses, the next time that Linux ask for that domain, dnscache returns the IP immediately.
Although there are two parameters that can be changed to improve this program:

echo 16000000 > /etc/sv/dnscache/env/CACHESIZE
echo 16777216 > /etc/sv/dnscache/env/DATALIMIT

Answer 5

Whichever tool you use, ensure that port 53 is not enabled incoming on your firewall. You may want to allow only the host with the cache outbound access.

DNSMasq is easy to setup, and well documented. If you install it on a firewall, specify the interfaces to bind to excluding the Internet interface.

Bind is more difficult to configure and may be overkill for as a cache for a small network. I believe the default configuration is caching only. You may want to add an ACL to restrict which addresses can use your server.

Answer 6

The dnscache-run package has had the least conflicts with other packages, like libvirt, which use bridge networking and dnsmasq.

sudo apt-get install dnscache-run

This package removes resolvconf (/etc/resolv.conf), and you will need to use /etc/network/interfaces or network manager to view your configuration.