NSCD – Cache DNS requests

DNS queries can become a problem on cloud infrastructure, where platform and software-as-a-service endpoints are generally addressed by FQDN rather than by IP. This means that every time your application connects to MySQL, Redis or any other hosted service, a DNS query is issued.

This can hammer the local DNS servers, and some service providers will block your DNS traffic when it gets too heavy.

To reduce this load, you can run nscd to cache the DNS answers locally and cut the traffic to the local DNS servers.

>> Test if port 53 has been blocked
tcpdump -vvv -s 0 -l -n port 53

>> Check what is currently cached
nscd -g (and check hosts cache)

>> Configuration file (only the uncommented lines are shown, and of those only the 'hosts' cache settings)
grep -v "^#" /etc/nscd.conf

	server-user		nscd
	debug-level		0
	paranoia		no

	enable-cache		hosts		yes
	positive-time-to-live	hosts		3600
	negative-time-to-live	hosts		20
	suggested-size		hosts		211
	check-files		hosts		yes
	persistent		hosts		yes
	shared			hosts		yes
	max-db-size		hosts		33554432
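As an added check that is not part of the original post: these shell functions read the hosts-cache counters out of nscd -g output (the "Check what is currently cached" step above) and turn them into a hit rate you can alert on. The sample output is constructed so the functions run offline; against a live daemon call hosts_hit_rate "$(nscd -g)".

```shell
# Constructed sample of `nscd -g` output, trimmed to the lines these checks
# read; a real run prints the same layout with more counters per section.
NSCD_SAMPLE='nscd configuration:
              0  server debug level

passwd cache:
            yes  cache is enabled
              3  cache hits on positive entries
              9  cache misses on positive entries

hosts cache:
            yes  cache is enabled
           3600  seconds time to live for positive entries
             20  seconds time to live for negative entries
            840  cache hits on positive entries
             12  cache hits on negative entries
             60  cache misses on positive entries
             30  cache misses on negative entries
             90% cache hit rate
             45  current number of cached values'

# Print one counter from the "<name> cache:" section of nscd -g output.
# Usage: nscd_stat "$(nscd -g)" hosts "seconds time to live for positive"
nscd_stat() {
    printf '%s\n' "$1" | awk -v want="$2" -v label="$3" '
        /^[a-z]+ cache:/ { section = $1; next }
        section == want && index($0, label) { print $1; exit }'
}

# Hosts-cache hit rate in integer percent, recomputed from the four hit and
# miss counters so that a missing counter counts as zero instead of failing.
hosts_hit_rate() {
    hp=$(nscd_stat "$1" hosts "cache hits on positive")
    hn=$(nscd_stat "$1" hosts "cache hits on negative")
    mp=$(nscd_stat "$1" hosts "cache misses on positive")
    mn=$(nscd_stat "$1" hosts "cache misses on negative")
    hits=$(( ${hp:-0} + ${hn:-0} )); misses=$(( ${mp:-0} + ${mn:-0} ))
    if [ $(( hits + misses )) -eq 0 ]; then echo 0; return 0; fi
    echo $(( hits * 100 / (hits + misses) ))
}

# Succeeds only if the hosts cache is enabled and its hit rate is at least
# the given threshold (default 50%), so it can drive a monitoring check.
hosts_cache_healthy() {
    if [ "$(nscd_stat "$1" hosts "cache is enabled")" != yes ]; then return 1; fi
    [ "$(hosts_hit_rate "$1")" -ge "${2:-50}" ]
}
```

Note that nscd keeps each answer for the positive-time-to-live configured above (3600 seconds here), not for the TTL carried in the DNS answer, so a service failover that relies on short DNS TTLs can be delayed by up to an hour on hosts running this cache.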

DNS updated via DHCP: BIND9 and ISC-DHCP on Linux

Linux: Debian stable (currently version 7)


apt-get install bind9 isc-dhcp-server

Create the key the DHCP server will use to authenticate its updates to the DNS zones:

/usr/sbin/rndc-confgen -a

This will create /etc/bind/rndc.key, whose contents will look something like this:

key "rndc-key" {
	algorithm hmac-md5;
	secret "+zZSeeetHWFdNwECit1Ktw==";
};

BIND configuration

Configuration files:


/etc/hosts:

localhost dns.lab.loc dns

# The following lines are desirable for IPv6 capable hosts
::1 localhost ip6-localhost ip6-loopback
ff02::1 ip6-allnodes
ff02::2 ip6-allrouters



/etc/bind/named.conf.local:

// Do any local configuration here
// Consider adding the 1918 zones here, if they are not used in your organization
include "/etc/bind/zones.rfc1918";

include "/etc/bind/rndc.key";

zone "lab.loc" {
	type master;
	file "/etc/bind/db.lab.loc";
	allow-update { key rndc-key; };
};

zone "60.0.10.in-addr.arpa" {
	type master;
	file "/etc/bind/db.10.0.60";
	allow-update { key rndc-key; };
};


/etc/bind/named.conf.options (only to set up the external forwarders):

options {
	directory "/var/cache/bind";

	// If there is a firewall between you and nameservers you want
	// to talk to, you may need to fix the firewall to allow multiple
	// ports to talk. See http://www.kb.cert.org/vuls/id/800113

	// If your ISP provided one or more IP addresses for stable
	// nameservers, you probably want to use them as forwarders.
	// Uncomment the following block, and insert the addresses replacing
	// the all-0's placeholder.

	forwarders {
		// <forwarder addresses, one per line, each ending in a semicolon>
	};

	// If BIND logs error messages about the root key being expired,
	// you will need to update your keys. See https://www.isc.org/bind-keys
	dnssec-validation auto;

	auth-nxdomain no; # conform to RFC1035

	allow-query { /* <address match list> */ };
	allow-transfer { /* <address match list> */ };

	listen-on-v6 { any; };
};



/etc/bind/db.lab.loc:

$ORIGIN lab.loc.
$TTL 24h ;$TTL (DNS time-to-live setting) used for all RRs without an explicit TTL value

;SOA - Start of Authority. This is the record that states that this server is authoritative for the specified domain
;The SOA record lists the name server for the domain, and next the e-mail address of the administrator of the domain
;(note that the @ has been replaced by a period).
@ IN SOA dns.lab.loc. root.lab.loc. (
2014032109 ; serial YYYYMMDDNN
10800 ; refresh (3 hours)
1800 ; retry (30 minutes)
604800 ; expire (1 week)
38400 ; minimum (10 hrs 40 min)
)
IN NS dns.lab.loc. ;Specifies the name server to use to look up a domain
; IN NS dns2.lab.loc. ;Specifies the name server to use to look up a domain
IN A ; IP Address(es) of the DNS server(s)
; IN A ; IP Address(es) of the DNS server(s)
IN MX 10 dns.lab.loc. ;Specifies mail server(s) for the domain

dns IN A
;dns2 A

esxi01 IN A
esxi02 IN A
esxi03 IN A

freenas IN A

mail IN CNAME dns
dnsmaster IN CNAME dns
storage IN CNAME freenas



/etc/bind/db.10.0.60:

; BIND reverse file for lab.loc
$ORIGIN 60.0.10.in-addr.arpa.
$TTL 24h
@ IN SOA dns.lab.loc. root.lab.loc. (
2014032104 ; serial number YYYYMMDDNN
10800 ; Refresh (3 hours)
3600 ; Retry (1 hour)
604800 ; Expire (1 week)
38400 ; Min TTL (10 hours 40 minutes)
)
IN NS dns.lab.loc.
; IN NS dns2.lab.loc.

;LIST OF HOSTS (reverse)

60 IN PTR dns.lab.loc.

71 IN PTR esxi01.lab.loc.
72 IN PTR esxi02.lab.loc.
73 IN PTR esxi03.lab.loc.

80 IN PTR freenas.lab.loc.


DHCP configuration

Here only one file has to be modified: /etc/dhcp/dhcpd.conf


The shared secret from rndc.key has to be entered here in plain text, so restrict read access to this file to root.

ddns-updates on;
ddns-update-style interim;
update-static-leases on;
key rndc-key { algorithm hmac-md5; secret +zZSeeetHWFdNwECit1Ktw==; };
allow unknown-clients;
use-host-decl-names on;
default-lease-time 1814400; # 21 days
max-lease-time 1814400; # 21 days
log-facility local7;

# lab.loc DNS zones
zone lab.loc. {
	primary localhost; # This server is the primary DNS server for the zone
	key rndc-key; # Use the key we defined earlier for dynamic updates
}
zone 60.0.10.in-addr.arpa. {
	primary localhost; # This server is the primary DNS server for the zone
	key rndc-key; # Use the key we defined earlier for dynamic updates
}

# lab.loc LAN scope
subnet netmask {
	option subnet-mask;
	option routers;
	option domain-name-servers;
	option domain-name "lab.loc";
	ddns-domainname "lab.loc.";
	ddns-rev-domainname "in-addr.arpa.";
}

# lab.loc STATIC assigned group
group {
	host freenas.lab.loc {
		hardware ethernet 00:0c:29:18:af:b4;
		ddns-hostname "freenas";
	}
	host esxi01.lab.loc {
		hardware ethernet 00:0c:29:d4:14:ce;
		ddns-hostname "esxi01";
	}
	host esxi02.lab.loc {
		hardware ethernet 00:0c:29:2c:30:fd;
		ddns-hostname "esxi02";
	}
	host esxi03.lab.loc {
		hardware ethernet 00:0c:29:46:90:fd;
		ddns-hostname "esxi03";
	}
}


Once everything is configured, just restart bind and dhcp:

/etc/init.d/bind9 restart && /etc/init.d/isc-dhcp-server restart
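An added way to prove the key works before trusting dhcpd with it (example code, not from the original post): these shell functions build the same A plus PTR update that dhcpd sends for a lease and push it through nsupdate signed with the rndc.key file created above. The hostname test01 and the address 10.0.60.99 are constructed values inside the post's lab.loc zone and 60.0.10.in-addr.arpa reverse zone, and DDNS_KEY is an assumed variable name.

```shell
# Reverse an IPv4 address into its in-addr.arpa owner name.
# reverse_name 10.0.60.99 -> 99.60.0.10.in-addr.arpa.
reverse_name() {
    printf '%s\n' "$1" | awk -F. '{ printf "%s.%s.%s.%s.in-addr.arpa.\n", $4, $3, $2, $1 }'
}

# Zone holding that PTR, assuming /24 reverse zones like 60.0.10.in-addr.arpa.
reverse_zone() {
    reverse_name "$1" | cut -d. -f2-
}

# Emit an nsupdate script with the two updates dhcpd issues for a lease: the
# A record in lab.loc and the matching PTR. action is "add" or "delete".
# Usage: ddns_update_script add test01 10.0.60.99 [ttl]
ddns_update_script() {
    action=$1; fqdn="$2.lab.loc."; ip=$3; ttl=${4:-3600}
    ptr=$(reverse_name "$ip"); rzone=$(reverse_zone "$ip")
    printf 'server localhost\n'
    if [ "$action" = delete ]; then
        printf 'zone lab.loc.\nupdate delete %s A\nsend\n' "$fqdn"
        printf 'zone %s\nupdate delete %s PTR\nsend\n' "$rzone" "$ptr"
    else
        printf 'zone lab.loc.\nupdate add %s %s A %s\nsend\n' "$fqdn" "$ttl" "$ip"
        printf 'zone %s\nupdate add %s %s PTR %s\nsend\n' "$rzone" "$ptr" "$ttl" "$fqdn"
    fi
}

# Sign and send the update with the same key dhcpd uses, then read both
# records back. DDNS_KEY (assumed name) defaults to the rndc-confgen key file.
apply_ddns_update() {
    ddns_update_script "$@" | nsupdate -k "${DDNS_KEY:-/etc/bind/rndc.key}" || return 1
    dig +short @localhost "$2.lab.loc." A
    dig +short @localhost -x "$3"
}
```

Run named-checkconf and named-checkzone lab.loc /etc/bind/db.lab.loc (and the reverse zone likewise) before the restart as well: a zone file with a syntax error, such as an unclosed SOA parenthesis, fails to load and every update against it is then refused.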