DNS caching using DNS Resolver in forwarding mode
-
Is there any chance to achieve DNS caching when forwarding is enabled in DNS Resolver? Does caching work only when Resolver is not forwarding? Any idea how to achieve caching like in Pi-hole while using Resolver because of pfBlocker? Thanks for ideas.
-
unbound is going to cache, be it you resolve or forward with it..
Only difference is you normally will get a shorter ttl (how long that item is cached), because you pulled the entry from the cache of where you forwarded to.
When you resolve, you always get the answer direct from the NS for that domain, so you will get the full TTL that the owner of said domain set..
Example.. I set, say, a ttl of 2 hours on my NS for www.domain.tld.. When you ask my NS it will always hand you that 2 hour ttl.
But when you forward, or ask some other NS, maybe he looked that up an hour ago... So now for unbound it will only have a ttl of 1 hour.. Or it could have 30 seconds left on it, etc..
-
Are you sure that forwarding unbound is caching requests? When forwarding is enabled I see only upstream DNS resolver addresses in DNS Resolver Infrastructure Cache Stats.
-
@sikita said in DNS caching using DNS Resolver in forwarding mode:
DNS Resolver Infrastructure Cache Stats.
That is not the cache... That is the infrastructure cache on how fast the NS answer; if you're only forwarding then that is all you would see.
Look at the cache for any specific record. Say google..
[2.4.5-RELEASE][admin@sg4860.local.lan]/root: unbound-control -c /var/unbound/unbound.conf lookup www.google.com
The following name servers are used for lookup of www.google.com.
;rrset 82180 4 0 2 0
google.com. 82180 IN NS ns2.google.com.
google.com. 82180 IN NS ns1.google.com.
google.com. 82180 IN NS ns3.google.com.
google.com. 82180 IN NS ns4.google.com.
;rrset 82180 1 0 8 0
ns4.google.com. 82180 IN A 216.239.38.10
;rrset 82180 1 0 8 0
ns4.google.com. 82180 IN AAAA 2001:4860:4802:38::a
;rrset 82180 1 0 8 0
ns3.google.com. 82180 IN A 216.239.36.10
;rrset 82180 1 0 8 0
ns3.google.com. 82180 IN AAAA 2001:4860:4802:36::a
;rrset 82180 1 0 8 0
ns1.google.com. 82180 IN A 216.239.32.10
;rrset 82180 1 0 8 0
ns1.google.com. 82180 IN AAAA 2001:4860:4802:32::a
;rrset 82180 1 0 8 0
ns2.google.com. 82180 IN A 216.239.34.10
;rrset 82180 1 0 8 0
ns2.google.com. 82180 IN AAAA 2001:4860:4802:34::a
Delegation with 4 names, of which 0 can be examined to query further addresses.
It provides 8 IP addresses.
2001:4860:4802:34::a rto 376 msec, ttl 194, ping 0 var 94 rtt 376, tA 0, tAAAA 0, tother 0, EDNS 0 assumed.
216.239.34.10 rto 154 msec, ttl 194, ping 14 var 35 rtt 154, tA 0, tAAAA 0, tother 0, EDNS 0 probed.
2001:4860:4802:32::a rto 376 msec, ttl 194, ping 0 var 94 rtt 376, tA 0, tAAAA 0, tother 0, EDNS 0 assumed.
216.239.32.10 rto 214 msec, ttl 194, ping 6 var 52 rtt 214, tA 0, tAAAA 0, tother 0, EDNS 0 probed.
2001:4860:4802:36::a rto 376 msec, ttl 191, ping 0 var 94 rtt 376, tA 0, tAAAA 0, tother 0, EDNS 0 assumed.
216.239.36.10 rto 199 msec, ttl 194, ping 11 var 47 rtt 199, tA 0, tAAAA 0, tother 0, EDNS 0 probed.
2001:4860:4802:38::a rto 376 msec, ttl 194, ping 0 var 94 rtt 376, tA 0, tAAAA 0, tother 0, EDNS 0 assumed.
216.239.38.10 rto 108 msec, ttl 191, ping 16 var 23 rtt 108, tA 0, tAAAA 0, tother 0, EDNS 0 probed.
[2.4.5-RELEASE][admin@sg4860.local.lan]/root:
Or dump the whole cache to see what is cached.
unbound-control -c /var/unbound/unbound.conf dump_cache
Ah, you're forwarding; that first command only shows what NS would be used.. the dump_cache is what you would want..
[2.4.5-RELEASE][admin@sg4860.local.lan]/root: unbound-control -c /var/unbound/unbound.conf dump_cache | grep www.google.com
www.google.com. 204 IN A 172.217.4.196
www.google.com. 889 IN AAAA 2607:f8b0:4009:806::2004
msg www.google.com. IN AAAA 32896 1 889 3 1 0 0
www.google.com. IN AAAA 0
msg www.google.com. IN A 32896 1 204 3 1 0 0
www.google.com. IN A 0
[2.4.5-RELEASE][admin@sg4860.local.lan]/root:
But yes I am SURE!!! that unbound will cache what it gets back even when you forward.
-
Ok, thank you for explaining and clarifying. Great. Sorry if I offended you by not being sure about your first answer.
-
@johnpoz said in DNS caching using DNS Resolver in forwarding mode:
unbound-control -c /var/unbound/unbound.conf dump_cache | grep www.google.com
Sorry for not being sure again. But using the command
unbound-control -c /var/unbound/unbound.conf lookup www.google.com
I got (as you mentioned) only NS:
The following name servers are used for lookup of www.google.com.
forwarding request:
Delegation with 0 names, of which 0 can be examined to query further addresses.
It provides 2 IP addresses.
208.67.222.222 rto 65 msec, ttl 503, ping 21 var 11 rtt 65, tA 0, tAAAA 0, tother 0, EDNS 0 probed.
208.67.220.220 rto 100 msec, ttl 515, ping 24 var 19 rtt 100, tA 0, tAAAA 0, tother 0, EDNS 0 probed.
and after asking the cache by
unbound-control -c /var/unbound/unbound.conf dump_cache | grep www.google.com
I got an empty answer. No record. No cache hit. Did I set something wrong in Resolver?
-
Using
unbound-control -c /var/unbound/unbound.conf stats_noreset | grep total.num
I got some statistics and cache hits. So I assume it is really working.
-
@sikita said in DNS caching using DNS Resolver in forwarding mode:
I got an empty answer. No record. No cache hit. Did I set something wrong in Resolver?
Did you ask for www.google.com first? It's not going to be in the cache unless you had asked for it within the timeframe of the ttl you got back the last time you asked for it.. Which when you forward could be like 2 seconds, you never know.
Dump the whole cache..., just remove the grep..
I am 1000% sure that it caches... Again, dump the full thing if you have questions... browse the internet for a few min, then dump the cache...
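As an added example (not code from the thread, from pfSense or from unbound), here is a small Python parser for the two outputs discussed in this thread: it pulls the cached records and their remaining TTL out of `dump_cache` text, which is how you tell an actual cache entry from the infrastructure cache shown by `lookup`, and it computes the hit ratio from the `total.num.*` counters that `stats_noreset` prints. The sample input is constructed and modelled on the dump posted above; `total.num.queries` and `total.num.cachehits` are real unbound statistics names.

```python
import re
from collections import defaultdict

# Constructed sample of `unbound-control dump_cache` output, modelled on the
# grep'd lines shown in the thread plus one extra name. A full dump also has
# START_*/END_* markers and ';rrset' comment lines; the regex ignores them.
SAMPLE_DUMP = """\
START_RRSET_CACHE
;rrset 204 1 0 8 0
www.google.com. 204 IN A 172.217.4.196
;rrset 889 1 0 8 0
www.google.com. 889 IN AAAA 2607:f8b0:4009:806::2004
example.net. 30 IN A 192.0.2.10
END_RRSET_CACHE
msg www.google.com. IN AAAA 32896 1 889 3 1 0 0
www.google.com. IN AAAA 0
msg www.google.com. IN A 32896 1 204 3 1 0 0
www.google.com. IN A 0
"""

# Constructed sample of `stats_noreset | grep total.num` counters.
SAMPLE_STATS = "total.num.queries=1200\ntotal.num.cachehits=900\ntotal.num.cachemiss=300\n"

# owner  ttl-remaining  IN  type  rdata
RR_LINE = re.compile(r"^(\S+)\s+(\d+)\s+IN\s+(\S+)\s+(\S+)$")

def parse_rrsets(dump):
    """Map owner name -> [(remaining_ttl, rrtype, rdata)] from dump_cache text.
    msg lines and rrset reference lines carry no numeric TTL field, so they
    fail the regex and only real cached records survive."""
    cache = defaultdict(list)
    for line in dump.splitlines():
        m = RR_LINE.match(line.strip())
        if m:
            owner, ttl, rrtype, rdata = m.groups()
            cache[owner].append((int(ttl), rrtype, rdata))
    return dict(cache)

def shortest_ttl(cache, owner):
    """Seconds until the first record for owner expires, or None if not cached.
    When forwarding, this is whatever TTL the upstream had left, not the zone's."""
    ttls = [ttl for ttl, _, _ in cache.get(owner, [])]
    return min(ttls) if ttls else None

def cache_hit_ratio(stats):
    """total.num.cachehits / total.num.queries from stats_noreset key=value lines."""
    c = dict(l.split("=", 1) for l in stats.splitlines() if "=" in l)
    q, h = int(c.get("total.num.queries", 0)), int(c.get("total.num.cachehits", 0))
    return h / q if q else 0.0
```

Feed it the real output with `unbound-control -c /var/unbound/unbound.conf dump_cache` and `stats_noreset` piped into files; a name that is absent from `parse_rrsets` simply was not asked for within its TTL, as johnpoz describes.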
-
Yes, you are right. Stats are looking better and better. Also www.google.com already hit the cache. Thank you for helping.