[dnsdist] dnsdist-cache-questions

Remi Gacogne remi.gacogne at powerdns.com
Tue Sep 22 09:56:25 UTC 2020


Hi Tom, Daniel,

On 9/22/20 11:48 AM, Daniel Stirnimann via dnsdist wrote:
> On 22.09.20 11:26, Tom via dnsdist wrote:
>> My 2nd question:
>> Assuming the dnsdist-cache is working, has an A-Record cache entry for
>> "www.example.com" and dnsdist is in front of a resolver and the resolver
>> (backend) stops working. dnsdist has the record "www.example.com" still
>> in its cache, because only the backend server stops working. Why does
>> dnsdist not answer the query for "www.example.com" from the cache, when
>> the backend server is "down"? Is there a configuration option for this?
> 
> From your previous config snippet it looks like you are already using
> staleTTL:
> 
> staleTTL=60: int - When the backend servers are not reachable, and
> global configuration setStaleCacheEntriesTTL is set appropriately, TTL
> that will be used when a stale cache entry is returned.
> 
> How do you verify that dnsdist is not answering queries from the cache?
> 
> Keep in mind that dnsdist caches packets and not responses to DNS
> queries. Recent 'dig' versions have EDNS cookies enabled by default.
> Each of your queries (packets) will therefore differ. Try 'dig' with
> +nocookie

Please also note that there is a special case if you enable the passing
of the client IP to the backend via EDNS Client Subnet. Since the query
is then cached with EDNS Client Subnet added to it, the cache lookup
needs to be aware of that. As it's usually set on a backend-level, and
there is no usable backend remaining in your pool, the cache defaults to
doing a lookup without ECS. You can fix that by telling dnsdist that all
backends in a pool need ECS, via ServerPool:setECS [1].
So if you set useClientSubnet=true in your newServer() directive, you
should do something like:

getPool("bind"):setECS(true)


[1]: https://dnsdist.org/reference/config.html?#ServerPool:setECS

Hope that helps,
-- 
Remi Gacogne
PowerDNS.COM BV - https://www.powerdns.com/
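
A minimal dnsdist configuration that puts the settings discussed in this thread together, as an added example that is not part of the original message or of the posters' configurations. The pool name "bind" and staleTTL=60 come from the thread; the backend address, cache size, maxTTL and the one-hour stale window are assumed values.

```lua
-- Added illustration, not taken from the thread's actual configuration.
-- Assumed values: backend 192.0.2.53:53, 100000 cache entries, 3600 s stale window.

-- Backend in pool "bind". useClientSubnet=true makes dnsdist add the client's
-- address to the query as an EDNS Client Subnet option before forwarding it.
newServer({address="192.0.2.53:53", pool="bind", useClientSubnet=true})

-- Packet cache for the pool. staleTTL=60 is the TTL placed on an answer
-- that is served from an expired (stale) entry.
pc = newPacketCache(100000, {maxTTL=86400, staleTTL=60})
getPool("bind"):setCache(pc)

-- Global switch: expired entries may be used for up to 3600 seconds when no
-- backend is available. staleTTL above has no effect unless this is set.
setStaleCacheEntriesTTL(3600)

-- Entries were stored with ECS added (because of useClientSubnet=true), but
-- with every backend in the pool down the cache lookup is done without ECS
-- and misses them. Declaring ECS at pool level keeps lookup and storage aligned.
getPool("bind"):setECS(true)
```

When checking the behaviour with the backend stopped, query with 'dig +nocookie' as suggested above, so that repeated queries are identical packets and can hit the packet cache.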
