If you are a performance optimization freak and you want your Linux servers to suffer less from slow DNS resolution caused by failing resolve queries, whether because the Domain Name Server is overloaded or because it is under a Denial of Service attack, it is worth mentioning some little known functionality of /etc/resolv.conf described in its manual page.
The nameservers defined in /etc/resolv.conf are queried one by one: the resolver sends the request to the first one and waits for a response; if none arrives within the timeout, the second one is queried, and so on until a response is received from any of the defined nameserver IPs.
A default /etc/resolv.conf on a new Linux server install looks something like this:
search sub.subdomain.com subdom.dom.domain.com
However, if NS1 dies for any reason, it takes a full timeout until the second or third working nameserver takes over to resolve the query.
This is controlled by the timeout value.
Below is the description from the man page:
sets the amount of time the resolver will wait for a response from a remote name server before retrying the query via a different name server. Measured in seconds, the default is RES_TIMEOUT (currently 5, see <resolv.h>). The value for this option is silently capped to 30.
- In other words, the timeout value is how long the resolver waits for an answer when resolving a hostname to an IP address through a DNS server; lowering the timeout option reduces hostname lookup time when a nameserver is not answering.
As you can see from the manual, the default is 5 seconds, which is quite high, thus reducing the value to 3 seconds or even 1 second is a good sysadmin practice IMHO.
Another value that can be tuned in /etc/resolv.conf is attempts; below is what the manual says about it:
Sets the number of times the resolver will send a query to its name servers before giving up and returning an error to the calling application. The default is RES_DFLRETRY (currently 2, see <resolv.h>). The value for this option is silently capped to 5.
- This means the default behaviour on a failing DNS query is to resend the resolve request to the failing nameserver 5 more times, which is quite high, so from my experience it is good practice to reduce it to something like 2 or 1. Note that each attempt walks the whole nameserver list, so the worst-case time an application blocks before it gets an error grows with all three of timeout, attempts and the number of nameservers defined.
Another very useful resolv.conf option is rotate.
By default outgoing DNS requests are always sent to the primary defined nameserver (the others are used only when it fails); if you instead want to load balance the queries across the defined nameservers in a round-robin manner, add the rotate option to the config.
The final optimized /etc/resolv.conf would look like so:
linux# cat /etc/resolv.conf
search sub.subdomain.com subdom.dom.domain.com
The placement of the search option in the file is also important. The correct placement is after the defined nameservers; I have to say that in older Linux distributions the correct placement of the search option was at the top of resolv.conf.
Note that this configuration fits not only Linux but is also a good DNS lookup speed optimization on other UNIX derivatives such as FreeBSD / NetBSD, as well as on proprietary UNIX machines running IBM AIX etc.
On Linux it is also possible to put the options in a single line, like so; below is the config I have on my pc-freak.net Lenovo server:
options timeout:2 attempts:1 rotate
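To see what the timeout, attempts and rotate settings above actually do to a lookup, here is a small added example (not code from the original post) that parses resolv.conf text, applies the defaults and silent caps the man page describes, estimates the worst-case blocking time when every nameserver is dead, and shows the order in which nameservers are tried with and without rotate. The sample file and the 192.0.2.x addresses are constructed for the example; the blocking-time figure assumes the simple model that every attempt waits one full timeout per nameserver, which is an approximation of the real resolver's retry schedule, and the rotate simulation models plain round-robin rather than glibc's exact internals.

```python
# Added example: model the effect of resolv.conf timeout/attempts/rotate.
# Limits and defaults are those documented in resolv.conf(5).
MAX_TIMEOUT = 30        # "silently capped to 30"
MAX_ATTEMPTS = 5        # "silently capped to 5"
MAXNS = 3               # glibc uses at most three nameserver lines
DEFAULT_TIMEOUT = 5     # RES_TIMEOUT
DEFAULT_ATTEMPTS = 2    # RES_DFLRETRY

# Constructed sample config (documentation addresses, not a real server's file).
RESOLV_CONF_SAMPLE = """\
# constructed sample resolv.conf
nameserver 192.0.2.1
nameserver 192.0.2.2
search example.test
options timeout:2 attempts:1 rotate
"""


def parse_resolv_conf(text):
    """Parse resolv.conf text into nameservers, search list and options."""
    conf = {"nameservers": [], "search": [], "options": {}}
    for raw in text.splitlines():
        # '#' and ';' start comments
        line = raw.split("#", 1)[0].split(";", 1)[0].strip()
        if not line:
            continue
        key, *args = line.split()
        if key == "nameserver" and args:
            conf["nameservers"].append(args[0])
        elif key in ("search", "domain"):
            conf["search"] = args          # last search/domain line wins
        elif key == "options":
            for opt in args:
                name, _, value = opt.partition(":")
                conf["options"][name] = int(value) if value.isdigit() else True
    return conf


def effective_settings(conf):
    """Apply the documented defaults and caps: (timeout, attempts, nameservers)."""
    opts = conf["options"]
    timeout = min(opts.get("timeout", DEFAULT_TIMEOUT), MAX_TIMEOUT)
    attempts = min(opts.get("attempts", DEFAULT_ATTEMPTS), MAX_ATTEMPTS)
    return timeout, attempts, conf["nameservers"][:MAXNS]


def worst_case_seconds(conf):
    """Estimated seconds a lookup blocks when no nameserver answers.

    Simplified model (an assumption of this example): each attempt walks the
    whole nameserver list and waits `timeout` seconds per server.
    """
    timeout, attempts, nameservers = effective_settings(conf)
    return timeout * attempts * len(nameservers)


def query_order(conf, query_index):
    """Nameserver order for the query_index-th query.

    Without 'rotate' the file order is always used; with 'rotate' the start
    position advances on every query (modelled here as plain round-robin).
    """
    _, _, nameservers = effective_settings(conf)
    if not conf["options"].get("rotate") or not nameservers:
        return list(nameservers)
    start = query_index % len(nameservers)
    return nameservers[start:] + nameservers[:start]


if __name__ == "__main__":
    default = parse_resolv_conf("nameserver 192.0.2.1\nnameserver 192.0.2.2\n")
    tuned = parse_resolv_conf(RESOLV_CONF_SAMPLE)
    print("worst case, defaults:", worst_case_seconds(default), "s")
    print("worst case, tuned:   ", worst_case_seconds(tuned), "s")
    for i in range(3):
        print("query", i, "tries", query_order(tuned, i))
```

With the two sample nameservers, the untuned defaults block for an estimated 20 seconds before the application gets an error, while timeout:2 attempts:1 brings that down to 4 seconds; the rotate simulation shows the second query starting from the second nameserver.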
When is the /etc/hosts record honoured and when are the DNS servers defined in /etc/resolv.conf queried for a given host name?
One important thing to know when dealing with /etc/resolv.conf is what happens if a domain name is defined both in /etc/hosts and at the DNS nameservers configured in /etc/resolv.conf.
For example, you have a pc-freak.net record in /etc/hosts pointing to a certain IP, while the DNS nameserver 18.104.22.168 at Google has a record pointing to the real IP 22.214.171.124:
126.96.36.199 irc.pc-freak.net pc-freak.net pcfreak.biz pc-freak.net pcfreak.us services.pc-freak.net jabber.pc-freak.net
# dig @188.8.131.52 pc-freak.net
; <<>> DiG 9.11.5-P4-5.1-Debian <<>> @184.108.40.206 pc-freak.net
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 54656
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 512
;; QUESTION SECTION:
;pc-freak.net. IN A
;; ANSWER SECTION:
pc-freak.net. 3599 IN A 220.127.116.11
;; Query time: 40 msec
;; SERVER: 18.104.22.168#53(22.214.171.124)
;; WHEN: чт фев 27 18:04:23 EET 2020
;; MSG SIZE rcvd: 57
- Which of the two different IPs will the applications installed on the server, such as Apache / Squid / MySQL / tinyproxy, use for their DNS resolve operations?
Now it is time to say a few words about /etc/nsswitch.conf (the Name Service Switch configuration file). This file defines the order of the sources the operating system consults when translating IP addresses to domain names and the reverse.
# grep -i hosts: /etc/nsswitch.conf
hosts: files dns myhostname
As you can see, the locally defined records in files such as /etc/hosts are honoured first when resolving, and only then are the externally configured DNS resolver IPs from /etc/resolv.conf queried.
nsswitch.conf is also used to define where the OS looks up user / passwd (e.g. login credentials) data on login; on systems with LDAP authentication via sssd (System Security Services Daemon) this is done with definitions like:
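The lookup order above is easy to get wrong when a name exists in both places, so here is an added example (not code from the original post) that walks the sources of an nsswitch.conf hosts: line in order over an in-memory /etc/hosts table and a dictionary standing in for DNS answers, including the [STATUS=action] tokens nsswitch.conf allows between sources. The hosts file, the DNS answers and the 192.0.2.x / 198.51.100.x addresses are constructed for the example; only the SUCCESS and NOTFOUND statuses are modelled, and sources other than files and dns (myhostname, mdns, ...) are treated as not answering.

```python
# Added example: simulate the source order of the nsswitch.conf "hosts:" line.

# Constructed sample /etc/hosts (documentation addresses).
HOSTS_FILE = """\
127.0.0.1    localhost
192.0.2.10   www.example.test example.test   # local override
"""

# Constructed stand-in for what the DNS nameservers would answer.
DNS_ANSWERS = {
    "example.test": "198.51.100.10",
    "mail.example.test": "198.51.100.20",
}


def parse_hosts(text):
    """Build name -> IP from hosts(5) text; the first entry for a name wins."""
    table = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        ip, *names = line.split()
        for name in names:
            table.setdefault(name.lower(), ip)
    return table


def parse_nsswitch_hosts(text):
    """Return the tokens of the 'hosts:' line (sources and [STATUS=action])."""
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if line.startswith("hosts:"):
            return line[len("hosts:"):].split()
    raise ValueError("no hosts: line in nsswitch.conf")


def resolve(name, tokens, hosts_table, dns_answers):
    """Consult sources in nsswitch order; return (ip, source) or (None, None).

    A source that answers ends the lookup (SUCCESS=return, the default).
    A [STATUS=action] token applies to the source just before it; '!' negates
    the status test.  Only SUCCESS / NOTFOUND are modelled in this example.
    """
    name = name.lower()
    status = None
    for tok in tokens:
        if tok.startswith("["):                     # action for previous source
            cond, _, action = tok.strip("[]").partition("=")
            negate = cond.startswith("!")
            matches = cond.lstrip("!").upper() == status
            if (matches != negate) and action.lower() == "return":
                return None, None
            continue
        answer = None
        if tok == "files":
            answer = hosts_table.get(name)
        elif tok == "dns":
            answer = dns_answers.get(name)
        # other sources (myhostname, mdns, ...) are not modelled: no answer
        if answer is not None:
            return answer, tok
        status = "NOTFOUND"
    return None, None


if __name__ == "__main__":
    hosts = parse_hosts(HOSTS_FILE)
    for line in ("hosts: files dns myhostname",
                 "hosts: dns files",
                 "hosts: files [NOTFOUND=return] dns"):
        order = parse_nsswitch_hosts(line)
        for name in ("example.test", "mail.example.test"):
            print(f"{line!r:45} {name:20} -> {resolve(name, order, hosts, DNS_ANSWERS)}")
```

With the page's own "hosts: files dns myhostname" order, example.test resolves to the /etc/hosts address and never reaches DNS; swapping the order to "dns files" returns the DNS answer instead, and "files [NOTFOUND=return] dns" stops after the hosts file, so a name only known to DNS is not found at all.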
passwd: files sss
shadow: files sss
group: files sss
E.g. on user login the local /etc/passwd, /etc/shadow and /etc/group are read first and, if no matching record is found, the LDAP service is queried via sssd.