# Caching DNS server suggestions?

## Cyker

Hey all,

I've been having issues with my ISP and DNS lately which is causing massive delays and timeouts for DNS lookups; I often have to refresh pages several times before the Looking up <FQDN> changes to Connecting to <FQDN>.

I tried installing BIND to try and mitigate this but have discovered it's mostly useless as it still seems to be sending all requests up to the various forwarders instead of pulling them from its cache and not really speeding up DNS resolution at all.

It turns out this is because lots of sites (Facebook and Google to name two major ones) have very low TTLs so they effectively don't get cached at all.

Now, BIND has a setting to limit the maximum TTL/expiry of an entry but no way to force a minimum.

Does anyone know of such an alternative that does?

Ideally, I'd like something that stores cached entries for much longer, e.g. a week, and returns that value as soon as it's queried, but on querying, also sends a request to the forwarder (So that if the forwarder *is* changed and/or not dead the entry gets updated as it should). It should also return the correct TTL to queries so local caches expire at the right time.

Is there such a thing??

----------

## 666threesixes666

Both dnsmasq and bind can do what you want, though dnsmasq is quite a bit more apparent as to what's going on. If you look at the wiki page it resolves against 8.8.8.8, Google's DNS, cutting your ISP's DNS out of the equation. Only downside: you need to run dnsmasq, or bind. Why not just set /etc/resolve.conf to 8.8.8.8, emerge namebench & benchmark some DNS servers for future use?

----------

## PaulBredbury

The advantage of BIND (which I use, and always recommend) is that it performs DNS resolution properly, without using an ISP's crappy caching DNS server.

Have you mistakenly set up BIND to still use a crappy caching DNS server?

Do you really have a DNS-specific problem, or a general network problem?

----------

## Cyker

<Tangential>

To be honest, I don't know what it is. I *suspect* my line has some sort of interference issue and is dropping/corrupting packets, but I haven't been able to prove it and my ISP say everything is fine on their side and that it must be something at my side (which they pretty much always do).

Most DNS benchmarks show extremely rapid reply rates from my ISP's DNS, which is weird given what I'm experiencing, but one of them, (Steve Gibson's one from grc.com, yes yes it's Windows...!) noted that it was experiencing high loss intermittently during the tests which none of the other programs flagged up.

Additionally, tunnelling with PuTTY works but pings show very high latency (like, 2-3+ seconds!), and OpenVPN works but shows lots of dropped pings and cuts out very often.

Clearly something is messed up, but at this point I wouldn't know where to start, and as I am getting a pretty solid 100mbps down and 10mbps up from speedtest.net, as far as my ISP is concerned there is no problem.

</Tangential>

So, I am looking for things to mitigate the problem at my end, in this case, a local DNS server!

I'm 99% sure neither BIND nor dnsmasq are capable of doing what I am after (In fact, other people who have asked have been told explicitly that neither program will ever support what I am trying to do as it 'breaks DNS', and that the user would have to hack the source themselves if they wanted such a feature!)

I have been pointed at unbound so I'm going to try that out; that does have options to ignore the TTL of authoritative servers, which would stop it always going to the forwarder due to the cache expiring so quickly, but alas doesn't check the DNS record within that TTL and so may cause problems with Dynamic DNS hosts...

I must admit I am not too knowledgeable with DNS stuff and am finding it difficult to articulate what I am trying to achieve!

For instance though, both BIND and dnsmasq will cache DNS entries when queried. However, if the DNS entry has a TTL of, say, 10 seconds, it will stay in the cache for 10 seconds and then be removed.

This means, if someone requested that same DNS entry 20s later, BIND/dnsmasq has to go ask the forwarder again and so no benefit is achieved.

What I want is something that will:

1) Keep entries in the cache beyond the TTL time, e.g. up to a week, and return that instantly when requested instead of going to the forwarder

2) If the TTL *would have* expired, then it should also query the forwarder and update the cache (AFTER replying to the client UNLESS the forwarder replies within, say, 5ms, so there is no waiting for the client)

I hope this explains it a bit better...!
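The two-point behaviour described above, as an added Python model that is not code from this thread, from unbound, from BIND or from dnsmasq: answers stay in the cache for up to a week past their TTL and are served at once; only when the TTL has lapsed is the forwarder asked, and the client waits for that refresh only if it lands within the 5 ms window from point 2, otherwise the stale answer goes out and the refresh is installed afterwards. The forwarder, its latencies, the host names and the TEST-NET addresses are all constructed, and the `min_ttl` field is an assumed stand-in for the kind of TTL floor unbound offers (its `cache-min-ttl` option), included only to contrast the clamp with the serve-stale path.

```python
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Tuple

# Forwarder stub: name -> (addresses, ttl_seconds, latency_seconds).
# A real resolver would send a UDP query; here the latency is simulated.
Forwarder = Callable[[str], Tuple[List[str], int, float]]


@dataclass
class Entry:
    addrs: List[str]
    ttl: int            # TTL carried by the answer (after the min_ttl clamp)
    fetched_at: float   # simulated time at which it was fetched


@dataclass
class StaleCache:
    forwarder: Forwarder
    max_stale: int = 7 * 24 * 3600   # serve an answer up to a week past its TTL
    fast_path: float = 0.005         # wait at most 5 ms for a live refresh
    min_ttl: int = 0                 # assumed cache-min-ttl style clamp; 0 = off
    stale_reply_ttl: int = 30        # short TTL handed out with a stale answer
    entries: Dict[str, Entry] = field(default_factory=dict)
    pending: Dict[str, Entry] = field(default_factory=dict)
    upstream_queries: int = 0

    def _fetch(self, name: str, now: float) -> Tuple[Entry, float]:
        addrs, ttl, latency = self.forwarder(name)
        self.upstream_queries += 1
        return Entry(addrs, max(ttl, self.min_ttl), now), latency

    def lookup(self, name: str, now: float) -> Tuple[List[str], int, str]:
        """Answer a client query at simulated time `now`.

        Returns (addresses, ttl_for_client, source) with source one of
        'miss', 'fresh', 'refreshed' or 'stale'.
        """
        e = self.entries.get(name)
        if e is not None:
            age = now - e.fetched_at
            if age < e.ttl:
                # Within TTL: no upstream traffic, client gets the remaining TTL
                return e.addrs, int(e.ttl - age), "fresh"
            if age < e.ttl + self.max_stale:
                # TTL lapsed but inside the stale window: ask the forwarder,
                # but only wait `fast_path` for it (point 2 of the request).
                new, latency = self._fetch(name, now)
                if latency <= self.fast_path:
                    self.entries[name] = new
                    return new.addrs, new.ttl, "refreshed"
                # Forwarder too slow: answer from the stale copy now and
                # install the refresh once it arrives (see apply_pending).
                self.pending[name] = new
                return e.addrs, self.stale_reply_ttl, "stale"
            # Older than TTL + max_stale: evict and resolve from scratch
            del self.entries[name]
        new, _ = self._fetch(name, now)
        self.entries[name] = new
        return new.addrs, new.ttl, "miss"

    def apply_pending(self) -> int:
        """Install refreshes that completed after their client was answered."""
        n = len(self.pending)
        self.entries.update(self.pending)
        self.pending.clear()
        return n

    def purge(self, name: str) -> None:
        """Drop one name, e.g. a dynamic-DNS host whose address has changed."""
        self.entries.pop(name, None)
        self.pending.pop(name, None)


# Constructed forwarder table: TEST-NET addresses, 10 s TTLs, and a slow
# (2.5 s) versus fast (1 ms) upstream, in the range reported in the thread.
UPSTREAM = {
    "www.slow.example": (["192.0.2.10"], 10, 2.5),
    "www.fast.example": (["192.0.2.20"], 10, 0.001),
}


def demo() -> Dict[str, object]:
    cache = StaleCache(forwarder=lambda n: UPSTREAM[n])
    out: Dict[str, object] = {}
    out["first"] = cache.lookup("www.slow.example", now=0.0)       # miss
    out["within_ttl"] = cache.lookup("www.slow.example", now=5.0)  # fresh, 5 s left
    out["after_ttl"] = cache.lookup("www.slow.example", now=20.0)  # stale, no wait
    out["applied"] = cache.apply_pending()                          # 1 refresh
    out["refreshed"] = cache.lookup("www.slow.example", now=25.0)  # fresh again
    cache.lookup("www.fast.example", now=0.0)
    out["fast_refresh"] = cache.lookup("www.fast.example", now=20.0)  # refreshed
    week_later = 20.0 + 10 + cache.max_stale + 1
    out["evicted"] = cache.lookup("www.slow.example", now=week_later)  # miss
    out["upstream_queries"] = cache.upstream_queries
    # A TTL floor on its own keeps a 10 s answer "fresh" for 600 s, but the
    # client is handed that clamped TTL and the forwarder is never re-asked.
    clamped = StaleCache(forwarder=lambda n: UPSTREAM[n], min_ttl=600)
    clamped.lookup("www.slow.example", now=0.0)
    out["clamped"] = clamped.lookup("www.slow.example", now=500.0)  # fresh, 100 s
    return out


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k:>17}: {v}")
```

The contrast in `demo()` is the one the post is drawing: a TTL floor (the `clamped` cache) removes the upstream round trips but also stops the cache noticing an address change until the floor expires, whereas the serve-stale path keeps re-asking the forwarder once the real TTL lapses while never making the client wait for a slow answer.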

----------

## PaulBredbury

Try e.g. MTU, and quit blaming DNS  :Wink: 

----------

## Cyker

???!!!

----------

## Cyker

Woo! Unbound works!!  :Very Happy: 

I did find a patch for dnsmasq which allows one to override the TTL but it was more work to integrate it into Gentoo than I wanted for what's essentially a quick fix, so I just went with Unbound.

Set the minimum TTL to 600000 seconds so it actually caches the addresses for a vaguely useful period of time instead of a handful of minutes!

Testing with drill, I was getting query times of between 100ms and 4000ms when querying www.google.com and www.facebook.com via my ISP and 8.8.8.8 at intervals of several minutes, averaging in the high 2000s; Unbound gave a response time of 3000ms for the first query but after that I'm getting 1 and 2 ms response times, so as workarounds go this seems to have done the trick.

As predicted there are issues with DDNS hosts but I can manually purge those when I need to update them.

----------

## thegeezer

Have to be honest - the 3 second time for the initial DNS query is really poor.

You might want to get that looked at, as DNS is very light in terms of IP.

----------

