The peak DNS query rate for each Cloud Virtual Machine (CVM) instance in a VPC network is 5,000 queries per second. If a single instance's peak DNS query rate exceeds this threshold, its queries may be rate-limited and the availability SLA cannot be guaranteed. The recommended ways to reduce the DNS load are as follows:
Scale out the number of CVM instances so that DNS query requests are distributed across more instances, reducing the number of queries each instance sends.
Start the Name Service Cache Daemon (NSCD) service on the CVM instance so that lookups are served from a local cache.
Note:
With the NSCD service running, DNS record changes may take longer to take effect, because cached entries are served until they expire.
This document describes how to reduce the number of DNS query requests sent by a CVM instance by starting the NSCD service for cache acceleration.
What Is NSCD?
NSCD is a system caching service that stores name service lookup results for databases such as passwd, group, hosts, services, and netgroup. It raises the cache hit rate of these lookups on the system, which reduces the number of name service queries and the traffic they generate, and improves service response time.
Common Linux Commands for NSCD
| Command | Description |
| --- | --- |
| yum install -y nscd | Installs the NSCD service. |
| systemctl start nscd | Starts the NSCD service. |
| systemctl stop nscd | Stops the NSCD service. |
| systemctl restart nscd | Restarts the NSCD service. |
| systemctl status nscd | Queries the running status of NSCD. |
| nscd -g | Prints the effective value of each configuration parameter and cache hit-rate statistics. |
| nscd -i | Invalidates the specified cache; the cache name can be passwd, group, hosts, services, or netgroup. For example, nscd -i hosts. |
| cat /etc/nscd.conf | Shows the current NSCD configuration. |
| vi /etc/nscd.conf | Edits the NSCD configuration parameters. |
Installing the NSCD Service
1. NSCD is installed by default on most Linux distributions. If you are not sure whether NSCD is installed on the current CVM instance, check it by running the following command:
systemctl status nscd #Check the running status of NSCD.
2. If the check returns a result like the one shown below, NSCD is not installed.
3. Run the following command to perform the installation:
yum install -y nscd
4. Run the status command again to check the running status of NSCD. At this point, NSCD is installed but not yet started.
Starting the NSCD Service
1. Run the following command to start the NSCD service:
systemctl start nscd
2. Run the status command again to check the running status of NSCD. NSCD is now in the running status.
Note:
On CentOS/Red Hat, NSCD can be installed with the following command: yum install -y nscd.
On Debian/Ubuntu, NSCD can be installed with the following command: apt-get install -y nscd.
3. The default configuration file path for NSCD is /etc/nscd.conf. You can view the NSCD configuration by running the following command:
cat /etc/nscd.conf
Key Configuration Parameter Description
| Parameter | Description |
| --- | --- |
| debug-level | - |
| reload-count | Controls proactive cache refresh: the number of times NSCD re-queries and refreshes a cached entry obtained from a successful request. |
| paranoia | Paranoia mode. If enabled, NSCD restarts itself periodically. |
| restart-interval | The restart interval when paranoia mode is enabled. |
| enable-cache | Enables caching for the database. |
| positive-time-to-live | Time-to-live (TTL) for caching successful responses. |
| negative-time-to-live | TTL for caching failed responses. Setting it to 0 is recommended so that cached failures do not affect business requests. |
| check-files | Periodically checks the modification time of the backing files such as /etc/passwd, /etc/group, and /etc/hosts. If a file has changed since the last check, the corresponding cache is invalidated. |
| persistent | When enabled, NSCD keeps the cached content across restarts. Enabling it is recommended when paranoia mode is enabled. |
| shared | Controls shared memory mapping between the NSCD database and its clients. The default value is yes. To query the cache hit rate with nscd -g, set shared to no. |
| max-db-size | Maximum size of the NSCD cache database, in bytes. |
Note:
The parameter positive-time-to-live has no practical effect for DNS records: the cache TTL follows the TTL returned in the DNS response.
When the shared parameter is set to no, you can run nscd -g to query the cache hit rate.
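The following script is an added example, not Tencent Cloud's own tooling: it reads an nscd.conf and reports the hosts-related settings that differ from the values discussed above (negative-time-to-live 0, shared no when nscd -g statistics are wanted, reload-count 0 when proactive refresh should be off, and enable-cache yes). The two sample configurations it writes are constructed for illustration; on a real instance, pass /etc/nscd.conf to audit_nscd_conf instead.

```shell
#!/bin/sh
# Added example (not Tencent Cloud's code): audit the hosts-related settings in
# an nscd.conf against the points made in this document. The sample
# configurations below are constructed; on a real instance audit /etc/nscd.conf.

# get_setting FILE KEY [DB]: print the value of a "KEY DB VALUE" line
# (database-scoped) or a "KEY VALUE" line (global). Last occurrence wins.
get_setting() {
  file=$1; key=$2; db=${3:-}
  if [ -n "$db" ]; then
    awk -v k="$key" -v d="$db" '$1 == k && $2 == d { print $3 }' "$file" | tail -n 1
  else
    awk -v k="$key" '$1 == k { print $2 }' "$file" | tail -n 1
  fi
}

# audit_nscd_conf FILE: print one line per finding; prints nothing when the
# file already matches the recommendations. Always returns 0 so it is safe
# under set -e.
audit_nscd_conf() {
  f=$1
  v=$(get_setting "$f" enable-cache hosts)
  [ "$v" = yes ] || echo "enable-cache hosts is '${v:-unset}': hosts caching is off, expected yes"
  v=$(get_setting "$f" negative-time-to-live hosts)
  [ "$v" = 0 ] || echo "negative-time-to-live hosts is '${v:-unset}': failed lookups are cached, recommended 0"
  v=$(get_setting "$f" shared hosts)
  [ "$v" = no ] || echo "shared hosts is '${v:-unset}': nscd -g hit statistics unavailable, set no to enable them"
  v=$(get_setting "$f" reload-count)
  [ "$v" = 0 ] || echo "reload-count is '${v:-unset}': proactive refresh queries stay enabled, set 0 to disable"
  return 0
}

# write_sample_conf default|hardened: write a constructed nscd.conf to a temp
# file and print its path. "default" mirrors a typical distribution default;
# "hardened" applies the values discussed in the text.
write_sample_conf() {
  out=$(mktemp)
  if [ "$1" = hardened ]; then
    cat > "$out" <<'EOF'
        debug-level             0
        paranoia                no
        restart-interval        3600
        reload-count            0

        enable-cache            hosts           yes
        positive-time-to-live   hosts           3600
        negative-time-to-live   hosts           0
        check-files             hosts           yes
        persistent              hosts           yes
        shared                  hosts           no
        max-db-size             hosts           33554432
EOF
  else
    cat > "$out" <<'EOF'
#       logfile                 /var/log/nscd.log
        debug-level             0
        paranoia                no
        restart-interval        3600
        reload-count            5

        enable-cache            hosts           yes
        positive-time-to-live   hosts           3600
        negative-time-to-live   hosts           20
        check-files             hosts           yes
        persistent              hosts           yes
        shared                  hosts           yes
        max-db-size             hosts           33554432
EOF
  fi
  echo "$out"
}

# Demo: audit both constructed samples. The default sample yields three
# findings (negative TTL, shared, reload-count); the hardened one yields none.
for kind in default hardened; do
  f=$(write_sample_conf "$kind")
  echo "== $kind sample =="
  audit_nscd_conf "$f"
  rm -f "$f"
done
```

The audit only parses the hosts database, because that is the cache that matters for DNS load; the same get_setting helper works for passwd or group by changing the third argument. After changing /etc/nscd.conf, restart the service with systemctl restart nscd for the new values to take effect.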
NSCD Caching Effect Detection
Testing When NSCD Is Stopped
1. Run the following command on the CVM instance to capture UDP packets on port 53 (DNS):
tcpdump -i any udp and port 53
2. Then, with NSCD stopped, run the following command on the same CVM instance three times in a row.
ping -c 1 -n www.qq.com #Send a ping command to the domain name www.qq.com once.
3. In the packet capture, you will see 3 DNS query requests on port 53, each of which returns DNS records. This shows that the DNS responses are not cached: the CVM instance sends a DNS query through port 53 for every lookup.
Testing When NSCD Is Started
1. Run the start command to start the NSCD service, and confirm with the status command that it is running.
2. With the NSCD service running, run the following command on the CVM instance six times in a row while again capturing packets on port 53 of the instance.
ping -c 1 -n www.qq.com
3. In the packet capture, only 1 DNS query request is seen on port 53. This shows that the remaining lookups hit the NSCD cache and no further DNS query is sent through port 53.
Note:
During the packet capture, you may notice that tcpdump still shows DNS query packets for the domain name at intervals even after the ping command has finished. This is NSCD's proactive cache refresh mechanism and is normal behavior. To disable it, set the parameter reload-count to 0.
After running the ping command several times within the cache TTL, you can also run the following command to view cache hit statistics (this requires shared to be set to no):
nscd -g #Output the configuration of each valid parameter option and statistics on the cache hit rate.
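The following script is an added example, not part of this document or Tencent Cloud's tooling: it counts the DNS queries in a tcpdump capture so the two tests above can be compared mechanically rather than by eye. The two captures embedded in it are constructed sample output in tcpdump's text format (the client address 10.0.0.5, resolver 10.0.0.2 and the 203.0.113.x answers are placeholders) and reproduce the two patterns described above: 3 pings producing 3 queries with NSCD stopped, and 6 pings producing 1 query with NSCD running.

```shell
#!/bin/sh
# Added example (not Tencent Cloud's code): count outgoing DNS queries in a
# tcpdump capture and interpret the ratio of queries to lookups.
# On a real instance, capture with
#   tcpdump -i any -l -n udp and port 53 | tee capture.log
# while running ping, then: count_dns_queries A www.qq.com < capture.log
# The captures below are constructed sample output; addresses are placeholders.

CAPTURE_NSCD_STOPPED=$(cat <<'EOF'
12:00:01.000100 IP 10.0.0.5.51001 > 10.0.0.2.53: 40001+ A? www.qq.com. (28)
12:00:01.001200 IP 10.0.0.2.53 > 10.0.0.5.51001: 40001 2/0/0 A 203.0.113.10, A 203.0.113.11 (60)
12:00:02.000100 IP 10.0.0.5.51002 > 10.0.0.2.53: 40002+ A? www.qq.com. (28)
12:00:02.001100 IP 10.0.0.2.53 > 10.0.0.5.51002: 40002 2/0/0 A 203.0.113.10, A 203.0.113.11 (60)
12:00:03.000100 IP 10.0.0.5.51003 > 10.0.0.2.53: 40003+ A? www.qq.com. (28)
12:00:03.001300 IP 10.0.0.2.53 > 10.0.0.5.51003: 40003 2/0/0 A 203.0.113.10, A 203.0.113.11 (60)
EOF
)

CAPTURE_NSCD_RUNNING=$(cat <<'EOF'
12:10:01.000100 IP 10.0.0.5.51010 > 10.0.0.2.53: 40010+ A? www.qq.com. (28)
12:10:01.001200 IP 10.0.0.2.53 > 10.0.0.5.51010: 40010 2/0/0 A 203.0.113.10, A 203.0.113.11 (60)
EOF
)

# count_dns_queries QTYPE NAME < capture: number of outgoing queries of the
# given record type for NAME. Only query lines contain "QTYPE? NAME." so
# answer lines and other names are never counted; AAAA lookups (if the
# resolver library sends them) are counted separately by passing AAAA.
count_dns_queries() {
  awk -v pat=" $1? $2. " 'index($0, pat) { c++ } END { print c + 0 }'
}

# cache_verdict PINGS QUERIES: interpret the ratio the way the text does.
cache_verdict() {
  pings=$1; queries=$2
  if [ "$queries" -eq 0 ]; then
    echo "no queries captured"
  elif [ "$queries" -ge "$pings" ]; then
    echo "not cached: one DNS query per lookup"
  else
    echo "cached: $((pings - queries)) of $pings lookups served from NSCD"
  fi
}

# Demo with the constructed captures.
n=$(printf '%s\n' "$CAPTURE_NSCD_STOPPED" | count_dns_queries A www.qq.com)
echo "NSCD stopped: 3 pings, $n queries -> $(cache_verdict 3 "$n")"
n=$(printf '%s\n' "$CAPTURE_NSCD_RUNNING" | count_dns_queries A www.qq.com)
echo "NSCD running: 6 pings, $n queries -> $(cache_verdict 6 "$n")"
```

When applying this to a real capture, remember the note above about proactive refresh: with reload-count left at its default, extra queries for the same name appear at intervals after the pings finish and will inflate the count, so either set reload-count to 0 for the test or stop the capture as soon as the last ping returns.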