Configuring a local caching DNS resolver
Do not send queries for external domain names to Yandex Cloud DNS directly. Instead, install and configure a local caching DNS resolver, e.g., `systemd-resolved`, `dnsmasq`, or `unbound`. This speeds up public DNS queries, reduces their number, and saves you money.
If your VM runs Ubuntu 18.04 LTS or higher, it already has the `systemd-resolved` service by default, and no additional installation or setup is required. For more information, see Test systemd-resolved performance.
If you are using an older version of Ubuntu, such as 16.04 LTS, you need to install a caching DNS resolver yourself. We recommend using `dnsmasq` or `unbound`. For more information, see Install an alternative resolver.
To configure a local caching DNS resolver:
- Prepare your cloud.
- Prepare your infrastructure.
- Test systemd-resolved performance.
- Install an alternative resolver.
- Replace the resolver.
If you no longer need the resources you created, delete them.
Getting started
Sign up for Yandex Cloud and create a billing account:
- Go to the management console and log in to Yandex Cloud or create an account if you do not have one yet.
- On the Yandex Cloud Billing page, make sure you have a billing account linked and it has the `ACTIVE` or `TRIAL_ACTIVE` status. If you do not have a billing account, create one.
If you have an active billing account, you can go to the cloud page.
Learn more about clouds and folders.
Required paid resources
The infrastructure support costs include:
- Fee for a continuously running VM (see Yandex Compute Cloud pricing).
- Fee for using a dynamic or a static public IP address (see Yandex Virtual Private Cloud pricing).
Prepare the infrastructure
- Create a VM with an Ubuntu OS, e.g., Ubuntu 18.04 LTS.
- Assign a public IP address to the VM.
Test systemd-resolved performance
- Connect to the VM over SSH.
- Find out the status of the `systemd-resolved` caching DNS resolver. To do this in Ubuntu 18.04 or above, run:
  ```
  systemd-resolve --status
  ```
  As the `systemd-resolve` utility was renamed to `resolvectl`, the command is different for Ubuntu 22.04+:
  ```
  resolvectl status
  ```
  Result:
  ```
  <...>
  Link 2 (eth0)
  <...>
  Current DNS Server: 192.168.6.2
  DNS Servers: 192.168.6.2
  DNS Domain: ru-central1.internal auto.internal
  ```
  If the configuration is correct, the `Current DNS Server:` line in the command output shows the Yandex Cloud DNS server address, which is the second address in the subnet: for example, `192.168.6.2` for a VM in the `192.168.6.0/24` subnet.
- Make sure external DNS names are resolved successfully by the `127.0.0.53#53` DNS server (the `systemd-resolved` stub listener). Use the `dig` utility:
  ```
  dig example.com
  ```
  Result:
  ```
  <...>
  ;; Query time: 69 msec
  ;; SERVER: 127.0.0.53#53(127.0.0.53)
  <...>
  ```
  Only the first lookup of an external name goes upstream. Repeated lookups of the same name are answered from the `systemd-resolved` cache almost instantly (`Query time` close to 0 msec) until the record's TTL expires.
Install an alternative resolver
Warning
The configuration parameters are given as an example. For information about how to tune a caching resolver for the VM's workload and your needs, see the documentation for the selected resolver.
dnsmasq
- Install the `dnsmasq` and `dnsutils` packages:
  ```
  sudo apt-get update -y
  sudo apt-get install dnsmasq dnsutils -y
  ```
- Edit the `/etc/dnsmasq.conf` configuration file to increase the cache size to 1,000 entries and make the caching resolver listen only on the VM's loopback interface, so that it cannot be used as an open resolver from the network:
  - Open the file:
    ```
    sudo nano /etc/dnsmasq.conf
    ```
  - Paste this text into the file:
    ```
    cache-size=1000
    listen-address=127.0.0.1
    interface=lo
    bind-interfaces
    ```
- Restart `dnsmasq` to apply the new settings. Make sure `dnsmasq` has the `active (running)` status and the service log ends with the `Started dnsmasq ...` line:
  ```
  sudo systemctl restart dnsmasq.service
  sudo systemctl status dnsmasq.service
  ```
  Result:
  ```
  ● dnsmasq.service - dnsmasq - A lightweight DHCP and caching DNS server
     Loaded: loaded (/lib/systemd/system/dnsmasq.service; enabled; vendor preset: enabled)
     Active: active (running) <...>
  <...>
  Oct 28 22:39:57 <...> systemd[1]: Starting dnsmasq - A lightweight DHCP and caching DNS server...
  Oct 28 22:39:57 <...> dnsmasq[<...>]: dnsmasq: syntax check OK.
  Oct 28 22:39:57 <...> dnsmasq[<...>]: started, version 2.75 cachesize 150
  <...>
  Oct 28 22:39:58 <...> dnsmasq[<...>]: using nameserver 192.168.6.2#53
  Oct 28 22:39:58 <...> systemd[1]: Started dnsmasq - A lightweight DHCP and caching DNS server.
  ```
  Also pay attention to the address in the `using nameserver <...>` line. It should contain the Yandex Cloud DNS server address, the second address in the subnet: for example, `192.168.6.2` for a VM in the `192.168.6.0/24` subnet. The `cachesize` value in the `started, version ...` line is the cache size actually in effect (150 is the `dnsmasq` default), so use it to confirm that your `cache-size` setting was read.
- Use `dig` to check that external DNS names are resolved successfully:
  ```
  dig example.com @127.0.0.1 | grep -B3 Query
  ```
  Result:
  ```
  ;; ANSWER SECTION:
  example.com.            65420   IN      A       93.184.216.34

  ;; Query time: 3 msec
  ```
unbound
- Install the `unbound` and `dnsutils` packages:
  ```
  sudo apt-get update -y
  sudo apt-get install unbound dnsutils -y
  ```
- Specify the server settings at the end of the `/etc/unbound/unbound.conf` global configuration file or in a separate configuration file named `/etc/unbound/unbound.conf.d/<file_name>.conf`:
  - Open the file:
    ```
    sudo nano /etc/unbound/unbound.conf
    ```
  - Paste this text at the end of the file:
    ```
    server:
        port: 53
        interface: 127.0.0.1
        access-control: 127.0.0.0/8 allow
        do-ip4: yes
        do-ip6: no
        do-udp: yes
        do-tcp: yes
        num-threads: 2
        num-queries-per-thread: 1024
        hide-identity: yes
        hide-version: yes
        prefetch: yes
        verbosity: 1
    ```
    `interface: 127.0.0.1` together with `access-control: 127.0.0.0/8 allow` restricts the resolver to queries from the VM itself, so it cannot be used as an open resolver from the network; `hide-identity` and `hide-version` make it refuse the `id.server`/`hostname.bind` and `version.server`/`version.bind` queries that reveal what software is running.
- Restart `unbound` to apply the new settings (the package starts the service on installation, so a plain `start` would not pick up the edited configuration). Make sure `unbound` has the `active (running)` status and the service log ends with the `Started unbound.service` line:
  ```
  sudo systemctl restart unbound.service
  sudo systemctl status unbound.service
  ```
  Result:
  ```
  ● unbound.service - Unbound DNS server
     Loaded: loaded (/lib/systemd/system/unbound.service; enabled; vendor preset: enabled)
     Active: active (running) <...>
  <...>
  Oct 29 00:21:06 <...> unbound[<...>]:  * Starting DNS server unbound
  Oct 29 00:21:06 <...> unbound[<...>]: [<...>:0] info: start of service (unbound 1.5.8).
  Oct 29 00:21:06 <...> unbound[<...>]:    ...done.
  Oct 29 00:23:21 <...> systemd[1]: Started unbound.service.
  ```
- Use `dig` to check that external DNS names are resolved successfully:
  ```
  dig example.com @127.0.0.1 | grep -B3 Query
  ```
  Result:
  ```
  ;; ANSWER SECTION:
  example.com.            86400   IN      A       93.184.216.34

  ;; Query time: 611 msec
  ```
  The first lookup takes longer (611 msec here) because the cache is empty. Run the same command again: the answer should now come from the cache with a `Query time` close to 0 msec.
Replace the resolver
If you need to replace `systemd-resolved` with a different local caching DNS resolver:
- Follow the guide in Install an alternative resolver to install it.
- Edit the `/etc/systemd/resolved.conf` file to disable the stub resolver and set `127.0.0.1` as the DNS server address:
  - Open the file:
    ```
    sudo nano /etc/systemd/resolved.conf
    ```
  - Paste the following text after the `[Resolve]` line:
    ```
    DNS=127.0.0.1
    DNSStubListener=no
    ```
- Replace the `/etc/resolv.conf` symlink, which by default points to the stub listener's `/run/systemd/resolve/stub-resolv.conf`, with a link to the file that lists the real upstream servers. Confirm the overwrite when `ln` prompts:
  ```
  sudo ln -svi /run/systemd/resolve/resolv.conf /etc/resolv.conf
  ```
- Restart `systemd-resolved`:
  ```
  sudo systemctl restart systemd-resolved
  ```
- Make sure `dig` now uses the `127.0.0.1#53` server instead of `127.0.0.53#53`:
  ```
  dig example.com
  ```
  Result:
  ```
  <...>
  ;; Query time: 0 msec
  ;; SERVER: 127.0.0.1#53(127.0.0.1)
  <...>
  ```
  Also re-check that the alternative resolver's own upstream is still the Yandex Cloud DNS server (the `using nameserver 192.168.6.2#53` line in the `dnsmasq` log above) and not `127.0.0.1`: a resolver that forwards to itself loops instead of resolving.
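The manual checks in this tutorial (the `SERVER:` line and the `Query time` of a repeated `dig`, the loopback-only listener, the nameserver that `/etc/resolv.conf` now points at) can be scripted so they are run after every resolver change. The script below is an added example and is not part of the Yandex Cloud tutorial or of the `dnsmasq`, `unbound` or `systemd` projects. It assumes `ss` (iproute2) and `dig` (`dnsutils`) are installed, that `/etc/resolv.conf` is readable, and uses a hypothetical 5 msec threshold to call a repeated lookup a cache hit. It goes slightly beyond the text: besides confirming the expected server and the cached second lookup, it flags any port-53 socket bound to a non-loopback address, which is the open-resolver misconfiguration the `listen-address`/`interface` settings above are meant to prevent.

```shell
#!/bin/sh
# check_resolver.sh: added example, not part of the Yandex Cloud tutorial.
# Post-install checks for a local caching resolver. The parsing functions read
# command output on stdin so they can be exercised with constructed input;
# check_live_resolver wires them to the real `ss`, `dig` and /etc/resolv.conf.
set -eu

# Print every UDP/TCP socket on port 53 whose local address is NOT loopback.
# Input: `ss -H -lnut` lines. The address column is located by its ":53"
# suffix rather than by position, so `ss -lnu`/`ss -lnt`/`-p` output works
# too. Empty output means the resolver is reachable only from the VM itself,
# which is what listen-address=127.0.0.1 (dnsmasq) or interface: 127.0.0.1
# (unbound) is meant to guarantee; 0.0.0.0, [::] or * means an open resolver.
nonloopback_dns_listeners() {
    awk '{
        for (i = 1; i <= NF; i++) {
            if ($i ~ /:53$/) {            # local address:port of the socket
                addr = $i
                sub(/:53$/, "", addr)
                if (addr !~ /^127\./ && addr != "[::1]") print addr
                break
            }
        }
    }'
}

# Extract the "Query time" value (milliseconds) from dig output on stdin.
dig_query_time_ms() {
    sed -n 's/^;; Query time: \([0-9]*\) msec.*$/\1/p'
}

# Extract "host#port" from the ";; SERVER:" line of dig output on stdin.
dig_server() {
    sed -n 's/^;; SERVER: \([^ (]*\).*$/\1/p'
}

# Print the first nameserver listed in resolv.conf-style text on stdin.
first_nameserver() {
    awk '$1 == "nameserver" { print $2; exit }'
}

# Return 0 if the repeated lookup was at least as fast as the first one and
# came back within max_ms; a cache hit on loopback is typically 0-3 msec.
# The 5 msec threshold used by the caller below is an assumption.
cache_hit_plausible() {   # args: first_ms second_ms max_ms
    if [ "$2" -le "$1" ] && [ "$2" -le "$3" ]; then
        return 0
    fi
    return 1
}

# Live check on the VM: no externally reachable port-53 listener, dig talks
# to the expected server, and a repeated lookup is answered from cache.
# The expected server defaults to the address used after "Replace the
# resolver"; pass 127.0.0.53#53 for an untouched systemd-resolved.
check_live_resolver() {   # args: name [expected_server]
    name=$1
    expected=${2:-127.0.0.1#53}
    open=$(ss -H -lnut | nonloopback_dns_listeners)
    if [ -n "$open" ]; then
        echo "FAIL: port 53 is reachable from the network on: $open" >&2
        return 1
    fi
    ns=$(first_nameserver < /etc/resolv.conf)
    first=$(dig "$name")
    second=$(dig "$name")
    srv=$(printf '%s\n' "$second" | dig_server)
    t1=$(printf '%s\n' "$first" | dig_query_time_ms)
    t2=$(printf '%s\n' "$second" | dig_query_time_ms)
    echo "resolv.conf nameserver=$ns dig server=$srv first=${t1}ms second=${t2}ms"
    if [ "$srv" != "$expected" ]; then
        echo "FAIL: dig used $srv, expected $expected" >&2
        return 1
    fi
    cache_hit_plausible "$t1" "$t2" 5 || { echo "FAIL: second lookup not served from cache" >&2; return 1; }
    echo "OK"
}

# Usage on the VM: sh check_resolver.sh --live example.com [127.0.0.53#53]
if [ "${1-}" = "--live" ]; then
    check_live_resolver "${2:-example.com}" "${3:-}"
fi
```

Run it with `--live` after the `dnsmasq` or `unbound` restart and again after the "Replace the resolver" steps; before the replacement, pass `127.0.0.53#53` as the expected server. A non-empty list from `nonloopback_dns_listeners` means the `listen-address`/`interface` setting was not applied and the VM's public IP address is answering DNS for anyone.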
How to delete the resources you created
To stop paying for the resources you created, delete the VM.