DNS Caching for Proxies

Resolving names can often lead to performance issues on busy networks. For instance, in most large networks internet access is handled through central proxies, mainly for security reasons. Organisations can control access to the internet if all traffic is funnelled via a specific server; these can also be the only machines allowed through the firewall, which helps maintain the integrity of the perimeter too.

However, one of the issues here is that these servers can very easily become a bottleneck for external access, and DNS lookups are one of the main causes. Imagine a server responsible for forwarding and receiving hundreds of network requests: it also has to send out, and wait for, a name resolution request for each of these connections. Depending on the internet policy, this can generate a great many lookups, especially when employees are allowed to access most kinds of sites. Some organisations allow employees unrestricted internet use during their breaks, so you can even see requests such as changing Netflix country passing through the proxy. Waiting on all of these can take a very long time, but there are ways to minimise the impact of name resolution requests.

If avoiding DNS requests is not possible then it is usually a good idea to install some sort of DNS caching feature on the proxy. This is a service that lets the proxy server remember the recently looked-up DNS names and their associated IP addresses. This saves it from having to look up every single web address, and hence reduces both the amount of DNS traffic and the performance impact it creates.

A DNS answer carries a TTL (Time to Live) value which specifies how long the data may be cached. This value is important and caching algorithms should respect it, because it is what allows DNS-based load balancing to work properly: a record kept beyond its TTL continues to send clients to an address the operator may already have withdrawn. Unfortunately, many applications and services do not always honour DNS TTLs.

Remember that if a proxy server is not used then the client itself will make the DNS lookup, so that should be considered. If multiple proxies are chained, the DNS request is sent by the last proxy in that chain: lookups are only made when the origin server needs to be contacted, and only by the last entity that needs that resolution. The idea is that if the proxies perform the external DNS requests, clients are isolated from them and can therefore keep operating even when external name resolution is not available to them.

DNS caching can also cover negative results. That is, when a DNS request fails, perhaps because the name does not resolve at all, this outcome can be cached on the proxy too. This prevents the proxy from repeating many failed requests, which invariably time out and can cause a severe performance impact. These are more common than you would imagine; typically they are the result of a misspelled or invalid hostname, but determining this can take some time. Once the address is tagged as non-resolvable, the resources are freed from handling that request.
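The two points above, honouring the answer's TTL and caching failed lookups, are easiest to see in a small cache. The following is an added example written for this page, not code from the original article or from any proxy product. The `resolver` and `clock` callables are injected so it runs offline; the hostnames, addresses and TTLs in `demo()` are constructed sample data.

```python
import time


class DnsCache:
    """Minimal TTL-honouring DNS cache with negative caching (added example).

    resolver(name) must return (list_of_ips, ttl_seconds) or raise LookupError
    when the name does not resolve. clock() returns seconds (monotonic).
    """

    def __init__(self, resolver, clock=time.monotonic, negative_ttl=60, max_ttl=86400):
        self._resolver = resolver
        self._clock = clock
        self._negative_ttl = negative_ttl   # how long a failed lookup is remembered
        self._max_ttl = max_ttl             # cap on upstream TTLs to bound staleness
        self._entries = {}                  # name -> (expires_at, ips or None for negative)
        self.upstream_queries = 0           # counts lookups that actually left the proxy

    def resolve(self, name):
        name = name.rstrip(".").lower()
        now = self._clock()
        entry = self._entries.get(name)
        if entry is not None:
            expires_at, ips = entry
            if now < expires_at:
                if ips is None:
                    # Negative entry still valid: fail fast, no upstream query.
                    raise LookupError(f"{name}: negatively cached")
                return list(ips)
            # TTL expired: drop the entry and re-query, as the record owner intended.
            del self._entries[name]
        self.upstream_queries += 1
        try:
            ips, ttl = self._resolver(name)
        except LookupError:
            self._entries[name] = (now + self._negative_ttl, None)
            raise
        ttl = max(0, min(int(ttl), self._max_ttl))
        self._entries[name] = (now + ttl, tuple(ips))
        return list(ips)


def demo():
    """Drive the cache with a fake upstream and return (upstream_queries, query_log)."""
    clock = [0.0]                               # fake time, advanced by hand
    zone = {"www.example.test": (["192.0.2.10", "192.0.2.11"], 30)}  # constructed record, TTL 30s
    log = []

    def fake_resolver(name):
        log.append(name)
        if name in zone:
            return zone[name]
        raise LookupError(name)

    cache = DnsCache(fake_resolver, clock=lambda: clock[0], negative_ttl=60)

    first = cache.resolve("www.example.test")   # upstream query 1
    second = cache.resolve("www.example.test")  # served from cache
    assert first == second == ["192.0.2.10", "192.0.2.11"]

    clock[0] = 31.0                             # past the 30s TTL
    cache.resolve("www.example.test")           # upstream query 2: TTL honoured

    for _ in range(3):                          # a misspelled host, queried repeatedly
        try:
            cache.resolve("wwww.exmaple.test")  # only the first attempt goes upstream (query 3)
        except LookupError:
            pass

    clock[0] = 95.0                             # negative entry from t=31 expired at t=91
    try:
        cache.resolve("wwww.exmaple.test")      # upstream query 4
    except LookupError:
        pass

    return cache.upstream_queries, log


if __name__ == "__main__":
    print(demo())
```

Of the eight lookups in `demo()`, only four reach the upstream resolver: the positive record is re-fetched exactly once its TTL lapses, and the three back-to-back attempts on the misspelled name cost one timeout instead of three. A real resolver would take the negative TTL from the zone's SOA minimum as described in RFC 2308 rather than a fixed parameter, and would use the smallest TTL across the returned record set; both are simplified here.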
