Caching DNS lookups

Hi,

We observed a significant overhead in DNS lookups when using hostnames for peer addresses. Upon some investigation it was found that when using Golang on Linux the DNS lookups were not being cached.

This issue points to the go-doh-resolver as a possible solution for caching DNS results.

Is this the recommended DNS name resolver for direct one-to-one connections? Or are there other techniques that would be more performant?

I wanted to get a general sense of which DNS resolver we should be using, and how.

thanks,
-v-

@vyzo @lidel please take a look when you can ^^

I would say it is the best option we have for caching DNS resolution right now; plus it comes with privacy advantages, as you are not leaking DNS to your ISP.

thanks for the reply!

A follow-up question on this: the go-doh-resolver does DNS over HTTPS instead of the traditional DNS over UDP. What are the advantages of doing that, and wouldn't it be more costly?
thanks,
-v-

It is more costly, but it has privacy advantages as it is not leaking DNS queries in the clear.


thanks for the reply!

Bit of a history lesson, the TL;DR is you're a bad Linux admin if you don't have system-level hostname caching… Set up unbound or even nscd.

What used to happen is something called tcpwrapper would block doing reverse lookups on incoming connections. This wasn't obvious to noob sysadmins and users who were frantically trying to telnet in by IP address because the DNS servers were down and, get this, they needed an incoming telnet connection by an admin so whatever was wrong could be fixed. Obviously, the advent of ssh made this issue go away, but other systems used to use tcpwrapper and many more still perform reverse lookups on incoming connections and are all still affected by a lack of a local caching proxy server.

The specific symptoms are: For some reason you know you need to use the host’s IP address to connect to it, but more importantly you get a good connection but no text/data from the remote host.

The fix was to wait with the connection idle no less than 60 seconds, but no more than 63… You've a total of 3 seconds to log in via telnet under those conditions; miss it because you're bored with paying attention or too slow at typing a complicated password and you need to start waiting all over again. It takes 60 seconds for the failing lookup to time out and 63 seconds for the login app to time out and disconnect you.

What will a cache do? Well, after 60 seconds an NXDOMAIN record is entered into the cache… Then the reverse lookups are snappy, refreshes will be OOB and you'll have literally forever to fix your DNS server… Assuming you don't use it for anything else.

To reiterate, every unix host in 2021 needs a local caching server and DNS servers should be running nscd configured for hosts along with the DNS servers because you’re modifying them all the time and need a backup caching service. I haven’t used any other OS in more than two decades, so I can’t comment on how Windows and OSX handle these things.

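The thread's two technical points, that Go's resolver does not cache answers and that a cache should also hold negative results (the NXDOMAIN case in the post above) so a dead nameserver does not stall every new connection, can be shown in a small in-process cache. The following is an added example written for this page; it is not code from libp2p or from go-doh-resolver. The `CachingResolver`, `LookupFunc` and `Now` names are this example's own, and the fixed positive/negative TTLs are an assumption forced by `net.Resolver`, which returns addresses without the record TTLs. The hostnames used in the test are constructed.

```go
package main

import (
	"context"
	"fmt"
	"net"
	"sync"
	"time"
)

// LookupFunc is the upstream call, e.g. net.DefaultResolver.LookupIPAddr
// (or a DoH resolver with the same signature).
type LookupFunc func(ctx context.Context, host string) ([]net.IPAddr, error)

type cacheEntry struct {
	addrs   []net.IPAddr
	err     error // non-nil for a cached negative answer
	expires time.Time
}

// CachingResolver memoises successful answers for PositiveTTL and failures
// (NXDOMAIN, SERVFAIL, upstream timeouts) for NegativeTTL. Fixed TTLs are an
// assumption: net.Resolver does not expose the TTL of the records it returns.
type CachingResolver struct {
	Upstream    LookupFunc
	PositiveTTL time.Duration
	NegativeTTL time.Duration
	Now         func() time.Time // injectable clock (hypothetical field, used by the tests)

	mu      sync.Mutex
	entries map[string]cacheEntry
}

func NewCachingResolver(up LookupFunc, posTTL, negTTL time.Duration) *CachingResolver {
	return &CachingResolver{
		Upstream:    up,
		PositiveTTL: posTTL,
		NegativeTTL: negTTL,
		Now:         time.Now,
		entries:     map[string]cacheEntry{},
	}
}

// LookupIPAddr serves a fresh cache entry (positive or negative) without
// touching the network; otherwise it asks upstream and records the outcome.
func (c *CachingResolver) LookupIPAddr(ctx context.Context, host string) ([]net.IPAddr, error) {
	now := c.Now()

	c.mu.Lock()
	e, ok := c.entries[host]
	c.mu.Unlock()
	if ok && now.Before(e.expires) {
		return e.addrs, e.err
	}

	addrs, err := c.Upstream(ctx, host)

	// A failure caused by the caller's own context (cancel/deadline) says
	// nothing about the name, so it must not poison the negative cache.
	if err != nil && ctx.Err() != nil {
		return nil, err
	}

	ttl := c.PositiveTTL
	if err != nil {
		ttl = c.NegativeTTL
	}
	c.mu.Lock()
	c.entries[host] = cacheEntry{addrs: addrs, err: err, expires: now.Add(ttl)}
	c.mu.Unlock()
	return addrs, err
}

func main() {
	// Wrap the stock resolver; "localhost" comes from /etc/hosts, so this
	// demo runs offline. The second lookup is answered from the cache.
	r := NewCachingResolver(net.DefaultResolver.LookupIPAddr, 60*time.Second, 30*time.Second)
	ctx := context.Background()
	for i := 1; i <= 2; i++ {
		start := time.Now()
		addrs, err := r.LookupIPAddr(ctx, "localhost")
		fmt.Printf("lookup %d: addrs=%v err=%v took=%v\n", i, addrs, err, time.Since(start))
	}
}
```

Two caveats when using something like this in a libp2p host. Concurrent misses for the same name all go upstream (there is no single-flight deduplication here), which is fine for one-to-one peer connections but worth adding for a dialer that fans out. And the system-level advice in the last post needs one adjustment for Go: the pure-Go resolver reads /etc/resolv.conf and talks to the nameserver directly, so an nscd hosts cache is only consulted when Go uses the cgo resolver (`GODEBUG=netdns=cgo`); a local caching server such as unbound listed as the nameserver in resolv.conf helps both resolvers.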