[dnsdist] Cache, chrome and dns tunneling

bert hubert bert.hubert at powerdns.com
Sat May 5 18:40:54 UTC 2018


On Thu, May 03, 2018 at 12:25:28PM -0300, Nico wrote:
> We have a bunch of resolvers (unbound and pdns resolver).
> And cache, because mobile users only ask for google, facebook and twitter
> :-)
>  cache = newPacketCache(1000000, 86400, 0, 60, 60)
Hi Nico - thanks for sharing this insight! I wonder about a few things.
Usually DNS tunnel packets have pretty low TTL and get cleaned quickly
enough. In other words, this should not be causing too many problems. Do you
know anything about the TTL?

> After some tcpdumping and testing we found that chrome and dns tunneling
> were filling the cache,
> even if the percent of these queries was very low in the total.

Chrome is known to generate random queries which get pretty low TTL answers.
So again, I wonder if we have a bug somehow. Also, Chrome normally does only
a few of these queries, so it is somewhat of a mystery how you end up with
so many in the cache.

Your cache is limited to 1 million; you could try a bit more. You could also
explore the settings of newPacketCache in terms of TTL limits.

> Hope it helps someone.
> (we will be upgrading to 1.3 very soon)

If you could check how 1.3 survives without your special rules, that would
be very useful to know.

Again, thanks for sharing your results!

	Bert
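As an added illustration of the two knobs discussed above (cache size and TTL limits), and not part of either Nico's or Bert's mail, here is the thread's newPacketCache line with its positional arguments spelled out, beside a variant that raises the entry ceiling and refuses to cache very short-lived answers. The larger size and the 30-second floor are assumed values for illustration, not recommendations from the thread; the argument order is the dnsdist 1.2/1.3 positional form.

```lua
-- Added example (not from Nico's or Bert's mail).
-- dnsdist 1.2/1.3 positional form:
--   newPacketCache(maxEntries, maxTTL, minTTL, temporaryFailureTTL, staleTTL)

-- As posted in the thread: up to 1M entries, TTLs capped at one day,
-- any TTL is cached (minTTL = 0), SERVFAIL/REFUSED kept for 60s,
-- stale entries served for up to 60s.
cache = newPacketCache(1000000, 86400, 0, 60, 60)

-- Variant: 2M entries (assumed sizing) and a 30s minimum TTL (assumed
-- threshold). Answers whose TTL is below minTTL are never inserted, so
-- short-lived answers such as Chrome's random probes or tunnel traffic
-- do not occupy slots until they age out.
tunedCache = newPacketCache(2000000, 86400, 30, 60, 60)

-- Attach exactly one cache to the default pool.
getPool(""):setCache(tunedCache)

-- Run from the dnsdist console after the change to see hits, misses,
-- insertions and lookups, and confirm the low-TTL churn is gone.
function cacheReport()
  tunedCache:printStats()
end
```

Note that dnsdist 1.4 and later replaced the positional arguments with a table of named options, so the form above matches the 1.2/1.3 versions discussed in the thread rather than current releases.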

