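I'm trying to use nscd (Nameservices ) to cache DNS locally so that I can stop using Bind for it. I've got it started, and ntpd seems to try to use it. But everything else that looks up hosts seems to ignore it. For example, if I dig apache.org 3 times, none of the queries hit the cache. I'm checking the cache statistics with nscd -g to determine whether it is being used. I've also turned the debug log level up to see whether I can see it being hit, and the queries don't even reach nscd.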
nsswitch.conf
# Begin /etc/nsswitch.conf
passwd: files
group: files
shadow: files
publickey: files
hosts: cache files dns
networks: files
protocols: files
services: files
ethers: files
rpc: files
netgroup: files
# End /etc/nsswitch.conf
nscd.conf
#
# /etc/nscd.conf
#
# An example Name Service Cache config file. This file is needed by nscd.
#
# Legal entries are:
#
# logfile <file>
# debug-level <level>
# threads <initial #threads to use>
# max-threads <maximum #threads to use>
# server-user <user to run server as instead of root>
# server-user is ignored if nscd is started with -S parameters
# stat-user <user who is allowed to request statistics>
# reload-count unlimited|<number>
# paranoia <yes|no>
# restart-interval <time in seconds>
#
# enable-cache <service> <yes|no>
# positive-time-to-live <service> <time in seconds>
# negative-time-to-live <service> <time in seconds>
# suggested-size <service> <prime number>
# check-files <service> <yes|no>
# persistent <service> <yes|no>
# shared <service> <yes|no>
# max-db-size <service> <number bytes>
# auto-propagate <service> <yes|no>
#
# Currently supported cache names (services): passwd, group, hosts, services
#
logfile /var/log/nscd.log
threads 4
max-threads 32
server-user nobody
# stat-user somebody
debug-level 9
# reload-count 5
paranoia no
# restart-interval 3600
enable-cache passwd yes
positive-time-to-live passwd 600
negative-time-to-live passwd 20
suggested-size passwd 211
check-files passwd yes
persistent passwd yes
shared passwd yes
max-db-size passwd 33554432
auto-propagate passwd yes
enable-cache group yes
positive-time-to-live group 3600
negative-time-to-live group 60
suggested-size group 211
check-files group yes
persistent group yes
shared group yes
max-db-size group 33554432
auto-propagate group yes
enable-cache hosts yes
positive-time-to-live hosts 3600
negative-time-to-live hosts 20
suggested-size hosts 211
check-files hosts yes
persistent hosts yes
shared hosts yes
max-db-size hosts 33554432
enable-cache services yes
positive-time-to-live services 28800
negative-time-to-live services 20
suggested-size services 211
check-files services yes
persistent services yes
shared services yes
max-db-size services 33554432
resolv.conf
# Generated by dhcpcd from eth0
nameserver 127.0.0.1
domain westell.com
nameserver 192.168.1.1
nameserver 208.67.222.222
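nameserver 208.67.220.220
By the way, I'm using .
Note: this has been moved twice, and I never figured out why applications other than dig don't hit the nscd cache. Browsers, IM and IRC should all be using it, but they aren't.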
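Posted on 2010-07-30 09:18:42
The reason for the missing cache hits is that dig queries DNS directly. You can check whether the cache is working with the getent command:
getent hosts host.example.com
Running a separate caching DNS server is a good idea, but if possible you should consider running it at the network level. If every host caches data separately, they will still run multiple queries for the same host. A single cache solves that.
Nscd itself is a caching daemon for NSS functions, so its focus is slightly different from that of a native caching name server. If all you want is a caching name server, you can use something other than nscd. If you want to cache things like shared user names and host data that live outside the normal DNS system, choose nscd.
For the record, I've come to like the PowerDNS recursor (pdns-recursor) a lot.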
Posted on 2010-04-28 21:06:52
You're missing the hosts configuration in nscd.conf. I'll post mine as an example:
enable-cache hosts yes
positive-time-to-live hosts 3600
negative-time-to-live hosts 20
suggested-size hosts 211
check-files hosts yes
persistent hosts yes
shared hosts yes
max-db-size hosts 33554432
This will break some things. The following information is from the Debian package:
Since this release, hosts caching in nscd is off by default: for some of the
libc calls (gethostby* calls) nscd does not respect the DNS TTLs. It can
lead to system lockups (e.g. if you are using pam-ldap and change the IP of
your authentication server) hence is not considered safe.
See debian bug #335476 and how upstream answered to that in
http://sourceware.org/bugzilla/show_bug.cgi?id=4428.
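-- Pierre Habouzit <madcoder@debian.org> Sat, 28 Apr 2007 11:10:56 +0200
Posted on 2010-04-10 01:41:37
I don't know much about nscd, other than that it often causes trouble with DNS lookups, so I always disable it (or at least the hosts lookup part). Nscd lets you set time-to-live values, and I know DNS wants to "own" those values and have all resolvers obey them. If the TTLs in DNS aren't respected, you can get strange results. I'd recommend not using nscd to cache DNS. It looks like you are already running a caching name server on the local box, so there is no need to cache DNS lookups twice.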
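The TTL concern raised in the answers above can be checked against a given nscd.conf. The following is an added example, not part of any answer and not nscd's own tooling: a small Python audit of the hosts stanza from the question. The function names are hypothetical and the 300-second record TTL is a constructed value; the "own timer" finding relies on the Debian note quoted above (gethostby* calls).

```python
"""Audit the hosts cache settings in an nscd.conf (added example)."""

# Hosts stanza copied from the nscd.conf in the question above.
SAMPLE = """\
debug-level 9
# reload-count 5
enable-cache hosts yes
positive-time-to-live hosts 3600
negative-time-to-live hosts 20
check-files hosts yes
persistent hosts yes
shared hosts yes
"""

def parse_nscd_conf(text):
    """Return (global options, {service: {option: value}})."""
    global_opts, services = {}, {}
    for raw in text.splitlines():
        fields = raw.split("#", 1)[0].split()   # drop comments and blank lines
        if len(fields) == 3:                     # <option> <service> <value>
            option, service, value = fields
            services.setdefault(service, {})[option] = value
        elif len(fields) == 2:                   # <option> <value>
            global_opts[fields[0]] = fields[1]
    return global_opts, services

def audit_hosts(text, dns_ttl=None):
    """List findings for the hosts cache; dns_ttl is the record's own TTL."""
    hosts = parse_nscd_conf(text)[1].get("hosts", {})
    if hosts.get("enable-cache") != "yes":
        return []                                # nothing cached, nothing stale
    findings = []
    if "positive-time-to-live" in hosts:
        ttl = int(hosts["positive-time-to-live"])
        # Per the Debian note: gethostby* answers follow this timer, not DNS.
        findings.append(f"hosts answers cached for {ttl}s by nscd's own timer")
        if dns_ttl is not None and ttl > dns_ttl:
            findings.append(f"record may be served {ttl - dns_ttl}s past its DNS TTL")
    if hosts.get("persistent") == "yes":
        findings.append("persistent cache: entries survive an nscd restart")
    return findings

if __name__ == "__main__":
    for finding in audit_hosts(SAMPLE, dns_ttl=300):   # 300s TTL is constructed
        print("-", finding)
```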
https://unix.stackexchange.com/questions/6238