One could only guess that the rationale for lack of DNS caching in RHEL is the arguable efficiency for those systems which aren\u2019t network connected or simply don\u2019t need to make any DNS lookups.<\/p>\n\n\n\n
There are of course such cases where you don\u2019t need (many) DNS resolutions. I can think of:<\/p>\n\n\n\n
hosts<\/code> file<\/li><\/ul>\n\n\n\nThose systems will likely issue zero to none DNS lookups while running, and DNS cache isn\u2019t really a thing for them.<\/p>\n\n\n\n
But for the most intents of running either a desktop or server RHEL machines, you will absolutely benefit from a DNS cache.<\/strong><\/p>\n\n\n\nEnabling DNS cache in RHEL 7 and 8 is easy thanks to dnsmasq<\/code> integration of NetworkManager.<\/p>\n\n\n\nThe dnsmasq<\/code> is a very lightweight caching DNS forwarder which runs great even on the tiniest hardware like your very own home router.<\/p>\n\n\n\nI won\u2019t torture you with long instructions on how to enable the DNS cache. It\u2019s really quick and goes down to:<\/p>\n\n\n\n
yum -y install dnsmasq\n\ncat << 'EOF' | sudo tee \/etc\/NetworkManager\/conf.d\/dns.conf \n[main]\ndns=dnsmasq\nEOF\n\nsystemctl reload NetworkManager<\/code><\/pre>\n\n\n\nYou have just made your machine already faster by running these.<\/p>\n\n\n\n
For more details and fine-tuning, read on.<\/p>\n\n\n\n
NetworkManager and dnsmasq<\/h2>\n\n\n\n
Let\u2019s explain what happened when we ran the above commands to enable DNS caching.<\/p>\n\n\n\n
In the first bit, we have installed the very essential of DNS caching \u2013 dnsmasq<\/code> program.<\/p>\n\n\n\nThen we write out a file, \/etc\/NetworkManager\/conf.d\/dns.conf<\/code>, with contents telling NetworkManager to enable and use its dnsmasq<\/code> plugin. Then we reload NetworkManager configuration to apply our changes.<\/p>\n\n\n\nThis, in turn, starts a private instance of dnsmasq<\/code> program, which is bound to the loopback interface, 127.0.0.1<\/code> and listening on standard DNS port, 53.<\/p>\n\n\n\nIt doesn\u2019t end there. NetworkManager now updated \/etc\/resolv.conf<\/code> and put nameserver 127.0.0.1<\/code> so that the whole operating system will perform DNS lookups against its dnsmasq<\/code> instance.<\/p>\n\n\n\nThe dnsmasq<\/code> itself will use whatever nameservers you had setup in NetworkManager explicitly, or the ones provided by DHCP requests.<\/p>\n\n\n\nVery clean and beautiful integration.<\/p>\n\n\n\n
Verify dnsmasq is working<\/h2>\n\n\n\n
Simply perform a DNS lookup using dig<\/code>, against 127.0.0.1<\/code>\u201d<\/p>\n\n\n\n# yum -y install bind-utils\ndig +short example.com @127.0.0.1<\/code><\/pre>\n\n\n\nIf the output looks like a valid IP<\/abbr> address or a list of IP addresses, then dnsmasq<\/code> is working OK.<\/p>\n\n\n\nYou can also check that DNS caching is working. Perform a resolution against another domain by running the following command twice:<\/p>\n\n\n\n
time getent hosts foo.example.com<\/code><\/pre>\n\n\n\nObserve real<\/code> timing in the output reduced for the subsequent queries. E.g. first request yields:<\/p>\n\n\n\nreal 0m0.048s\nuser 0m0.006s\nsys 0m0.006s<\/code><\/pre>\n\n\n\nSubsequent requests yield:<\/p>\n\n\n\n
real 0m0.009s\nuser 0m0.006s\nsys 0m0.002s<\/code><\/pre>\n\n\n\nSee what kind of DNS requests your system makes<\/h2>\n\n\n\n
To see what DNS request your system makes, you can temporarily enable logging of queries. Note that this will clear DNS cache because dnsmasq<\/code> will be restarted:<\/p>\n\n\n\necho log-queries | sudo tee -a \/etc\/NetworkManager\/dnsmasq.d\/log.conf\nsudo systemctl reload NetworkManager<\/code><\/pre>\n\n\n\nYou can then tail<\/code> or less<\/code> the \/var\/log\/messages<\/code> file which will have information of requests being made. Example, on the web server that is using PaperTrail\u2019s remote_syslog<\/code>:<\/p>\n\n\n\ndnsmasq[20802]: forwarded logs6.papertrailapp.com to 2606:4700:4700::1001\ndnsmasq[20802]: reply logs6.papertrailapp.com is 169.46.82.182\ndnsmasq[20802]: reply logs6.papertrailapp.com is 169.46.82.183\ndnsmasq[20802]: reply logs6.papertrailapp.com is 169.46.82.184\ndnsmasq[20802]: reply logs6.papertrailapp.com is 169.46.82.185<\/pre>\n\n\n\nThis approach may be used for finding what external sites your server communicates with.<\/p>\n\n\n\n
Once you\u2019re done, don\u2019t forget to turn off the logging:<\/p>\n\n\n\n
sudo rm \/etc\/NetworkManager\/dnsmasq.d\/log.conf\nsudo systemctl reload NetworkManager<\/code><\/pre>\n\n\n\nHow well is dnsmasq doing on your system<\/h2>\n\n\n\n
The dnsmasq<\/code> manpage has this to say:<\/p>\n\n\n\nWhen it receives a SIGUSR1, dnsmasq writes statistics to the system log. It writes the cache size, the number of names which have had to removed from the cache before they expired in order to
make room for new names and the total number of names that have been inserted into the cache. The number of cache hits and misses and the number of authoritative queries answered are also given.<\/p><\/blockquote>\n\n\n\n
So we can collect DNS query stats easily:<\/p>\n\n\n\n
sudo pkill --signal USR1 dnsmasq && sudo tail \/var\/log\/messages | grep dnsmasq<\/code><\/pre>\n\n\n\nThe output may include, for example:<\/p>\n\n\n\n
dnsmasq[31949]: cache size 400, 0\/60 cache insertions re-used unexpired cache entries.\nqueries forwarded 30, queries answered locally 60<\/code><\/pre>\n\n\n\nThe 0 in 0\/60<\/code> stands for \u201czero cache evictions\u201d. So this number indicates that cache size is adequate. It should be as low as possible.
If that number is high, it means that cache size maybe not large enough.<\/p>\n\n\n\nWe also see that 30 DNS lookups were forwarded over to upstream nameservers (misses), while 60 were satisfied directly by cache (hits).<\/p>\n\n\n\n
Gathering stats like this will work well in case you only have one instance of dnsmasq. Sometimes you have more than one (e.g. libvirt may run one of its own).<\/p>\n\n\n\n
It is more reliable to use the statistical information of dnsmasq that is exposed, not surprisingly, via DNS ???? The commands:<\/p>\n\n\n\n
dig +short chaos txt hits.bind\ndig +short chaos txt misses.bind<\/code><\/pre>\n\n\n\n\u2026 give you hits and misses, respectively.<\/p>\n\n\n\n
With some command line magic, you can easily calculate your DNS cache hit-ratio:<\/p>\n\n\n\n
# yum -y install bc\necho \"scale=2; $(dig +short chaos txt hits.bind)*100\/($(dig +short chaos txt hits.bind)+$(dig +short chaos txt misses.bind))\" | \\\n sed 's@\"@@g' | bc<\/code><\/pre>\n\n\n\nThe output is a percentage of DNS requests that were satisfied by DNS cache, e.g.: 80.95%.<\/p>\n\n\n\n
Tuning the cache size<\/h2>\n\n\n\n
The default cache size of dnsmasq<\/code> instance that is run by Networkmanager is 400.
This is a decent default<\/em> for web servers.<\/p>\n\n\n\nFor a desktop machine, you may want to increase it by large. This will assist with much less home router strain and faster network experience, especially if you\u2019re a Chrome user. This browser does DNS caching of its own, but only as long as 1 minute<\/a> \u2013 the issue that is discarded as a \u201cfeature\u201d.<\/p>\n\n\n\nSo to set DNS cache size to 20k, run:<\/p>\n\n\n\n
echo cache-size=20000 | sudo tee -a \/etc\/NetworkManager\/dnsmasq.d\/cache.conf\nsudo systemctl reload NetworkManager<\/code><\/pre>\n\n\n\ndnsmasq and your desktop<\/h2>\n\n\n\n
To expand the topic of the desktop use of dnsmasq, you can also leverage it to block tracking scripts and for speeding up your browsing experience:<\/p>\n\n\n\n
sudo curl https:\/\/raw.githubusercontent.com\/aghorler\/lightweight-dnsmasq-blocklist\/master\/list.txt \\\n --output \/etc\/NetworkManager\/dnsmasq.d\/blocklist.conf\nsudo systemctl reload NetworkManager<\/code><\/pre>\n\n\n\nFinally, you may also want to improve the DNS speed by ensuring minimum TTL<\/abbr> for DNS records that have it set too low.<\/p>\n\n\n\necho min-cache-ttl=1800 | sudo tee -a \/etc\/NetworkManager\/dnsmasq.d\/cache.conf\nsudo systemctl reload NetworkManager<\/code><\/pre>\n\n\n\nThis will ensure that even if a DNS record is configured with, e.g. 2 minutes TTL on remote nameserver, dnsmasq<\/code> will still cache it for 30 minutes.<\/p>\n\n\n\nNote that this is acceptable for desktop machines, but not for web servers:<\/p>\n\n\n\n