<!DOCTYPE html>
<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8" />
<meta name="viewport" id="viewport" content="width=device-width,minimum-scale=1.0,maximum-scale=10.0,initial-scale=1.0" />
<style>
html{-webkit-text-size-adjust:100%;-ms-text-size-adjust:100%}h1{font-size:1.3em;line-height:1.2;margin:0}ul,ol{margin:0;padding:0}ul li,ol li,li li{margin:0 0 0 36px}[dir=rtl] li{margin:0 18px 0 0}blockquote{border-color:#dfdee1;border-style:solid;border-width:0 0 0 1px;margin:0;padding:0 0 0 1em}[dir=rtl] blockquote,blockquote[dir=rtl]{border-width:0 1px 0 0;padding:0 1em 0 0}pre{font-family:"SFMono-Regular", Consolas, "Liberation Mono", Menlo, Courier, monospace;font-size:0.9em;margin:0;padding:1rem;background-color:#f6f5f3;white-space:pre-wrap;word-wrap:break-word;overflow:visible}.message-content{font-family:-apple-system, BlinkMacSystemFont, "Segoe UI", Roboto, Helvetica, Arial, sans-serif, "Apple Color Emoji", "Segoe UI Emoji", "Segoe UI Symbol";line-height:1.4}.attachment{display:inline-block;margin:0;padding:0}.attachment__caption{padding:0;text-align:center}.attachment__caption a[href]{text-decoration:none;color:#333333}.attachment--preview{width:100%;text-align:center;margin:0.625em 0}.attachment--preview img{border:1px solid #dfdee1;vertical-align:middle;width:auto;max-width:100%;max-height:640px}.attachment--preview .attachment__caption{color:#716d7b;font-size:0.85em;margin-top:0.625em}.attachment--file{color:#282138;line-height:1;margin:0 2px 2px 0;padding:0.4em 1em;border:1px solid #dfdee1;border-radius:5px}.permalink{color:inherit}.txt--xx-small{font-size:14px}.flush{margin:0;padding:0}.push--bottom{margin-bottom:8px}.border--top{border-top:1px solid #ECE9E6}.btn{padding:0.2em 0.4em;font-weight:500;text-decoration:none;border-radius:3rem;white-space:nowrap;background:#5522FA;border-color:#5522FA;color:#ffffff}.btn--email{display:inline-block;text-align:center;font-weight:500;font-size:1em;text-decoration:none;border-radius:2em;white-space:nowrap;background:#5522FA;border-color:#5522FA;color:#ffffff;border-top:0.3em solid #5522FA;border-left:1em solid #5522FA;border-bottom:0.3em solid #5522FA;border-right:1em solid 
#5522FA}.shaded{padding:1em;border-radius:4px;background-color:#f6f5f3;border:1px solid #dfdee1}
</style>
</head>
<body>
<div class="message-content">
<div class="trix-content">
<div>Hi,</div><div><br></div><div>I am trying to set up an edge DNS server for all of my DNS queries, with a setup similar to the one described in this picture: </div><div>https://drive.google.com/file/d/1s95aWn2g5X4AkWOESmxFBP-p8fa9FImc/view?usp=sharing</div><div><br></div><div>dnsconfig.conf<br>=== cut ====</div><pre>setLocal("0.0.0.0:53", {reusePort=true})
setWeightedBalancingFactor(1.1)
setMaxCachedTCPConnectionsPerDownstream(50)
setMaxTCPClientThreads(50)
setMaxTCPQueuedConnections(0)

-- Downstream server config
pc = newPacketCache(10000, {maxTTL=172800, maxNegativeTTL=6000, minTTL=0, temporaryFailureTTL=6000, keepStaleData=true, staleTTL=86400, dontAge=true})
getPool(""):setCache(pc)
setServerPolicy(wrandom)

-- Primary server
newServer({weight=100000, retries=2, address="192.168.178.100", name="pi0ipv4", checkTCP=true, reconnectOnUp=true})

-- Failover servers
newServer({weight=1, address="1.1.1.1:853", name="cloud-flair-dot1", tls="openssl", subjectName="cloudflare-dns.com", validateCertificates=true})
name="cloud-flair-doh2", tls="openssl", subjectName="cloudflare-dns.com", validateCertificates=true})
newServer({weight=1, address="1.0.0.1:853", name="cloud-flair-dot2", tls="openssl", subjectName="cloudflare-dns.com", validateCertificates=true})</pre><div>=== cut ====</div><div><br>There are several issues I am trying to resolve:<br><br>1 - If the primary is down and there is no stale cache, direct the DNS traffic to the fallback servers without caching their responses, and direct traffic back to the primary as soon as it is up again.<br>2 - Tune the cache to reduce latency.<br><br>For #1: I didn't find a server policy that fits these needs, but it doesn't seem like a completely new thing to want. 
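<br><br>The closest I could piece together from the dnsdist docs is to move the fallback servers into their own pool with no cache attached, and only route queries there when the default pool has no available server. This is an untested sketch — the PoolAvailableRule / NotRule / PoolAction names are taken from the rules documentation, and I haven't verified the behaviour:<br><pre>-- default pool: primary only, with the packet cache attached
newServer({address="192.168.178.100", name="pi0ipv4", checkTCP=true, reconnectOnUp=true})
getPool(""):setCache(pc)

-- fallback pool: the Cloudflare DoT servers, deliberately with no cache
newServer({pool="fallback", address="1.1.1.1:853", name="cloud-flair-dot1", tls="openssl", subjectName="cloudflare-dns.com", validateCertificates=true})
newServer({pool="fallback", address="1.0.0.1:853", name="cloud-flair-dot2", tls="openssl", subjectName="cloudflare-dns.com", validateCertificates=true})

-- if the default pool has no usable server, send queries to the fallback pool;
-- once the health checks mark the primary up again this rule stops matching,
-- so traffic should move back to the primary on its own
addAction(NotRule(PoolAvailableRule("")), PoolAction("fallback"))</pre>Would something along these lines be the right approach? 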
Currently the weighted random policy does work to some extent, but some queries still go to the fallback servers: out of 30k queries, at least 50 go to the fallbacks, which I do not want. Is there a way to achieve what I described in #1?<br><br>For #2: This is the most concerning issue for me at the moment. The average latency is about 80 ms (10k-packet average), whereas my primary server's latency is much lower (~50 ms), and the most confusing part is the packet cache stats:<br><pre>Entries:           86/10000
Hits:              4894
Misses:            21543
Deferred inserts:  0
Deferred lookups:  0
Lookup Collisions: 0
Insert Collisions: 0
TTL Too Shorts:    0</pre>I was under the impression that on a cache miss the downstream response would be cached. Testing this setup for a couple of days, I have never seen the cache grow past 100 entries. Why are responses not being cached when there is a miss? Here are the current extended stats:<br><pre>acl-drops                 0         noncompliant-responses                 0
cache-hits                4898      outgoing-doh-query-pipe-full           0
cache-misses              21620     proxy-protocol-invalid                 0
cpu-iowait                9878      queries                                26941
cpu-steal                 0         rdqueries                              26941
cpu-sys-msec              589145    real-memory-usage                      100343808
cpu-user-msec             2644549   responses                              21589
doh-query-pipe-full       0         rule-drop                              0
doh-response-pipe-full    0         rule-nxdomain                          0
downstream-send-errors    0         rule-refused                           0
downstream-timeouts       31        rule-servfail                          0
dyn-block-nmg-size        0         rule-truncated                         0
dyn-blocked               423       security-status                        1
empty-queries             0         self-answered                          0
fd-usage                  369       servfail-responses                     63
frontend-noerror          25941     special-memory-usage                   87216128
frontend-nxdomain         336       tcp-cross-protocol-query-pipe-full     0
frontend-servfail         210       tcp-cross-protocol-response-pipe-full  0
latency-avg100            53222.4   tcp-listen-overflows                   31
latency-avg1000           59723.1   tcp-query-pipe-full                    0
latency-avg10000          77151.4   trunc-failures                         0
latency-avg1000000        2226.7    udp-in-csum-errors                     0
latency-count             26487     udp-in-errors                          188
latency-slow              290       udp-noport-errors                      9946
latency-sum               2245700   udp-recvbuf-errors                     0
latency0-1                4898      udp-sndbuf-errors                      0
latency1-10               28        udp6-in-csum-errors                    0
latency10-50              9836      udp6-in-errors                         342
latency100-1000           3900      udp6-noport-errors                     7
latency50-100             7532      udp6-recvbuf-errors                    342
no-policy                 0         udp6-sndbuf-errors                     1</pre>From what I see, there are a lot of UDP errors. How can I fix these? Also, to add: all my traffic is UDP-based; I am not accepting TCP traffic yet.<br><br>Any help would be much appreciated!<br><br>Thanks,<br>Chandra</div>
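<div><br></div><div>P.S. In case it helps with debugging #2, these are the dnsdist console calls I plan to use to watch the cache and the servers while testing. The names are taken from the console documentation, so please treat this as a sketch rather than something I have confirmed on my version:</div><pre>showServers()                        -- per-server status, query counts, drops, latency
getPool(""):getCache():printStats()  -- the packet cache counters quoted above
topQueries(10)                       -- most frequent qnames, to see what should be getting cached
grepq("100ms", 10)                   -- recent queries that took longer than 100 ms</pre>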
</div>
</div>
</body>
</html>