default local DNS failover solution needed, nscd?

Andrew Lutomirski luto at mit.edu
Fri Apr 25 22:58:44 UTC 2014 

On Fri, Apr 25, 2014 at 3:51 PM, Chuck Anderson <cra at wpi.edu> wrote:
> I'm starting a new thread to clarify and emphasize the problem I'm
> actually trying to solve.  Here is the problem restated as I posted it
> to the dns-operations list:
>
> -----
> Is it really expected that the first DNS server listed in
> /etc/resolv.conf should never go down?  Operationally speaking, who
> can actually rely on listing multiple nameservers in /etc/resolv.conf
> and using libc's failover mechanism in any kind of production server?
> Because the failover behavior in libc is atrocious--each new or
> existing process has to re-do the failover after timing out, and even
> long-running processes have to call res_init() to re-read resolv.conf.
> It seems that the only sensible way to run a datacenter (or a network
> full of Linux workstations for that matter) is to either:
>
> 1. Make sure the first nameserver listed in resolv.conf never goes
>    down by using Anycast DNS or some other failover mechanism like
>    VRRP or CARP on the DNS server side.

Unworkable on normal servers or for normal home users.

>
> or:
>
> 2. Use a local DNS daemon on every server with forwarders configured
>    to the network's nameservers, and fix resolv.conf to 127.0.0.1.
> -----
>
> (I've since learned that nscd can be a third option)

>
>> >nscd is ... bad
>
> I've since learned more about nscd.  Apparently its reputation may be
> undeserved, at least the newer versions in glibc.  I have no direct
> experience, but I finally found a good thread about fixing the stub
> resolver that addresses people's unwillingness to use nscd as well as
> some other things that could be done, such as a patch apparently
> carried by Debian and Ubuntu that improves detection of changes to
> resolv.conf:
>
> https://sourceware.org/ml/libc-alpha/2012-12/msg00416.html

I've never understood why something like nscd is even worth trying to
support.  There's a simple, well specified protocol that program can
use to talk to a DNS resolver.  It's called DNS.  Why try to shoehorn
it into something else when all you're likely to do is come up with a
poor imitation of what you get by sending DNS queries over DNS to a
local resolver?

I'm sure it would be possible to improve/rewrite nscd, but at
best you'll match the quality of something like unbound.  And you'll
never be compatible with all the third-party resolver clients out
there.

--Andy

More information about the devel mailing list