[dnsdist] dnsdist-cache-questions

Tom lists at verreckte-cheib.ch
Tue Sep 22 11:54:07 UTC 2020


Hi Daniel

Thank you for your answers.

On 22.09.20 11:48, Daniel Stirnimann wrote:
> Hello Tom,
> 
> On 22.09.20 11:26, Tom via dnsdist wrote:
>> When I now want to query the cache via console, I always get the
>> following error:
>>   > getPool("bind"):getCache()
>> Command returned an object we can't print: Trying to cast a lua variable
>> from "userdata" to
> 
>> Any hints for this?
> 
> getCache() returns a PacketCache class. You cannot print the class on
> the console but need to do something with it e.g.:
> 
>> getPool("bind"):getCache():printStats()

This makes sense...

> 
> 
>> My 2nd question:
>> Assuming the dnsdist-cache is working, has a A-Record-cache-entry for
>> "www.example.com" and dnsdist is in front of a resolver and the resolver
>> (backend) stops working. dnsdist has the record "www.example.com" still
>> in its cache, because only the backend server stops working. Why does
>> dnsdist not answer the query for "www.example.com" from the cache, when
>> the backend server is "down"? Is there a configuration option for this?
> 
> From your previous config snippet it looks like you are already using
> staleTTL:
> 
> staleTTL=60: int - When the backend servers are not reachable, and
> global configuration setStaleCacheEntriesTTL is set appropriately, TTL
> that will be used when a stale cache entry is returned.
> 
> How do you verify that dnsdist is not answering queries from the cache?

Verifying the cache before the backend server is down:
 > getPool("bind"):getCache():dump("/tmp/test4")
Dumped 7 records

$ cat /tmp/test4
; dnsdist's packet cache dump follows
;
www.google.com. 223 A ; key 1016681760, length 87, tcp 0, added 1600774835
www.google.com. 223 A ; key 2656564995, length 87, tcp 0, added 1600774834
www.google.com. 223 A ; key 978655059, length 87, tcp 0, added 1600774834
www.google.com. 223 A ; key 909047115, length 87, tcp 0, added 1600774833
www.google.com. 223 A ; key 3059942742, length 87, tcp 0, added 1600774833
www.google.com. 223 A ; key 3932187633, length 87, tcp 0, added 1600774832
www.google.com. 223 A ; key 2216669160, length 87, tcp 0, added 1600774832


Then stopping the backend server. Verifying the cache again shows
still seven entries. Then dig'ing dnsdist (not the backend!) with "dig
@192.168.1.2 www.google.com" gives me a query timeout instead of the A
record for www.google.com. There's also no IP address in the cache dump
above...?

Must the backend server be up to get cached responses from dnsdist?
Or do I misunderstand packetcache/dnscache here?

Thank you.
Kind regards,
Tom


> 
> Keep in mind that dnsdist caches packets and not responses to DNS
> queries. Recent 'dig' versions have EDNS cookies enabled by default.
> Each of your queries (packets) will therefore differ. Try 'dig' with
> +nocookie
> 
> Daniel
> 
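
Added example (not part of the original thread and not dnsdist code): a small Python parser for the cache dump format shown in the message above. It reports questions that occupy several cache keys, the pattern explained in the quoted reply as packets that differ per query, for instance through EDNS cookies. The field layout is assumed from the seven dump lines in this message; other dnsdist versions may print different fields.

```python
import re
from collections import defaultdict

# Sample input: the dump lines copied from the message above.
SAMPLE_DUMP = """\
; dnsdist's packet cache dump follows
;
www.google.com. 223 A ; key 1016681760, length 87, tcp 0, added 1600774835
www.google.com. 223 A ; key 2656564995, length 87, tcp 0, added 1600774834
www.google.com. 223 A ; key 978655059, length 87, tcp 0, added 1600774834
www.google.com. 223 A ; key 909047115, length 87, tcp 0, added 1600774833
www.google.com. 223 A ; key 3059942742, length 87, tcp 0, added 1600774833
www.google.com. 223 A ; key 3932187633, length 87, tcp 0, added 1600774832
www.google.com. 223 A ; key 2216669160, length 87, tcp 0, added 1600774832
"""

# Layout assumed from the lines above: name, TTL, type, then "; key ..., ..."
LINE_RE = re.compile(
    r"^(?P<name>\S+)\s+(?P<ttl>-?\d+)\s+(?P<qtype>\S+)\s*;\s*"
    r"key (?P<key>\d+), length (?P<length>\d+), tcp (?P<tcp>\d+), added (?P<added>\d+)\s*$"
)

def parse_dump(text):
    """Return one dict per entry line; comment and blank lines are skipped."""
    entries = []
    for line in text.splitlines():
        if not line.strip() or line.lstrip().startswith(";"):
            continue
        m = LINE_RE.match(line)
        if m is None:
            raise ValueError(f"unrecognised dump line: {line!r}")
        e = m.groupdict()
        for f in ("ttl", "key", "length", "tcp", "added"):
            e[f] = int(e[f])
        entries.append(e)
    return entries

def fragmented(entries, threshold=2):
    """Map (name, qtype, tcp) -> sorted keys for questions stored under
    `threshold` or more distinct cache keys (same question, differing packets)."""
    keys = defaultdict(set)
    for e in entries:
        keys[(e["name"].lower(), e["qtype"], e["tcp"])].add(e["key"])
    return {q: sorted(k) for q, k in keys.items() if len(k) >= threshold}

if __name__ == "__main__":
    for (name, qtype, tcp), keys in fragmented(parse_dump(SAMPLE_DUMP)).items():
        print(f"{name} {qtype} tcp={tcp}: {len(keys)} distinct keys")
```

A question that appears here with many keys will rarely be served from the cache, stale or not, because each new query packet hashes to a key that has no entry yet.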

