© 2025 Direct Cursus Technology L.L.C.

Configuring a local caching DNS resolver

Written by
Yandex Cloud
Updated at May 7, 2025

Do not use Yandex Cloud DNS directly for requesting external domain names.

Instead, install and configure a local caching DNS resolver, e.g., systemd-resolved, dnsmasq, or unbound. This will speed up the execution of public DNS queries, reduce their number, and save you money.

If your VM runs Ubuntu 18.04 LTS or higher, it already has the systemd-resolved service by default, and no additional installation and setup actions are required. For more information, see Test systemd-resolved performance.

If you are using an older version of Ubuntu, such as 16.04 LTS, you need to install a caching DNS resolver yourself. We recommend using dnsmasq or unbound. For more information, see Install an alternative resolver.

To configure a local caching DNS resolver:

  1. Get your cloud ready.
  2. Prepare your infrastructure.
  3. Test systemd-resolved performance.
  4. Install an alternative resolver.
  5. Replace the resolver.

If you no longer need the resources you created, delete them.

Getting started

Sign up in Yandex Cloud and create a billing account:

  1. Navigate to the management console and log in to Yandex Cloud or register a new account.
  2. On the Yandex Cloud Billing page, make sure you have a billing account linked and it has the ACTIVE or TRIAL_ACTIVE status. If you do not have a billing account, create one and link a cloud to it.

If you have an active billing account, you can navigate to the cloud page to create or select a folder for your infrastructure to operate in.

Learn more about clouds and folders.

Required paid resources

The infrastructure support costs include:

  • Fee for a continuously running VM (see Yandex Compute Cloud pricing).
  • Fee for using a dynamic or static external IP address (see Yandex Virtual Private Cloud pricing).

Prepare the infrastructure

  1. Create a VM with an Ubuntu OS, e.g., Ubuntu 18.04 LTS.
  2. Assign a public IP address to the VM.

Test systemd-resolved performance

  1. Connect to the VM over SSH.

  2. Find out the status of the systemd-resolved caching DNS resolver. To do this in Ubuntu version 18.04 or above, run this command:

    systemd-resolve --status
    

    As the systemd-resolve utility was renamed to resolvectl, the command on Ubuntu 22.04+ is different:

    resolvectl status
    

    Result:

    <...>
    Link 2 (eth0)
    <...>
    Current DNS Server: 192.168.6.2         
             DNS Servers: 192.168.6.2         
             DNS Domain: ru-central1.internal
                         auto.internal 
    

    If the configuration is correct, the Current DNS Server: line in the command output shows the Yandex Cloud DNS server address, which is the second address in the subnet, e.g., 192.168.6.2 for a VM in the 192.168.6.0/24 subnet.

  3. Make sure external DNS names are resolved successfully by the 127.0.0.53#53 DNS server. Do it by using the dig utility:

    dig example.com
    

    Result:

    <...>
    ;; Query time: 69 msec
    ;; SERVER: 127.0.0.53#53(127.0.0.53)
    <...>
    

    All resolutions of an external DNS name, except for the very first one, are executed almost instantly.

Install an alternative resolver

Warning

Configuration parameters are given as an example. For information about how to set up a caching resolver based on the VM's workload and your needs, see the documentation for the selected resolver.


dnsmasq is a lightweight caching DNS resolver that has a small footprint.

  1. Install the dnsmasq and dnsutils packages:

    sudo apt-get update -y
    sudo apt-get install dnsmasq dnsutils -y
    
  2. Edit the /etc/dnsmasq.conf configuration file: increase the cache size to 1,000 and restrict the addresses the caching resolver listens on to the local VM.

    1. Open the file:

      sudo nano /etc/dnsmasq.conf
      
    2. Paste this text to the file:

      cache-size=1000
      listen-address=127.0.0.1
      interface=lo
      bind-interfaces
      
  3. Restart dnsmasq to apply the new settings. Make sure dnsmasq gets the active (running) status and there is the Started dnsmasq.service line at the end of the service log:

    sudo systemctl restart dnsmasq.service
    sudo systemctl status dnsmasq.service
    

    Result:

    ● dnsmasq.service - dnsmasq - A lightweight DHCP and caching DNS server
    Loaded: loaded (/lib/systemd/system/dnsmasq.service; enabled; vendor preset: enabled)
    Active: active (running) <...>
    <...>
    Oct 28 22:39:57 <...> systemd[1]: Starting dnsmasq - A lightweight DHCP and caching DNS server...
    Oct 28 22:39:57 <...> dnsmasq[<...>]: dnsmasq: syntax check OK.
    Oct 28 22:39:57 <...> dnsmasq[<...>]: started, version 2.75 cachesize 150
    <...>
    Oct 28 22:39:58 <...> dnsmasq[<...>]: using nameserver 192.168.6.2#53
    Oct 28 22:39:58 <...> systemd[1]: Started dnsmasq - A lightweight DHCP and caching DNS server.
    

    Also check the address in the using nameserver <...> line. It should be the Yandex Cloud DNS server address, which is the second address in the subnet, e.g., 192.168.6.2 for a VM in the 192.168.6.0/24 subnet.

  4. Use dig to check that external DNS names are successfully resolved:

    dig example.com @127.0.0.1 | grep -B3 Query
    

    Result:

    ;; ANSWER SECTION:
    example.com.    65420   IN  A  93.184.216.34
    ;; Query time: 3 msec
    

unbound is a validating, recursive, and caching DNS resolver. It focuses on fast performance, efficient resource consumption, and compliance with modern open standards.

  1. Install the unbound and dnsutils packages:

    sudo apt-get update -y
    sudo apt-get install unbound dnsutils -y
    
  2. Specify the server settings at the end of the /etc/unbound/unbound.conf global configuration file or in a separate configuration file named /etc/unbound/unbound.conf.d/<file_name>.conf.

    1. Open the file:

      sudo nano /etc/unbound/unbound.conf
      
    2. Paste this text at the end of the file:

      server:
            port: 53
            interface: 127.0.0.1
            access-control: 127.0.0.0/8 allow
            do-ip4: yes
            do-ip6: no
            do-udp: yes
            do-tcp: yes
            num-threads: 2
            num-queries-per-thread: 1024
            hide-identity: yes
            hide-version: yes
            prefetch: yes
            verbosity: 1
      
  3. Run unbound to apply the new settings. Make sure unbound gets the active (running) status and there is the Started unbound.service line at the end of the service log:

    sudo systemctl start unbound.service
    sudo systemctl status unbound.service
    

    Result:

    ● unbound.service - Unbound DNS server
    Loaded: loaded (/lib/systemd/system/unbound.service; enabled; vendor preset: enabled)
    Active: active (running) <...>
    <...>
    Oct 29 00:21:06 <...> unbound[<...>]:  * Starting DNS server unbound
    Oct 29 00:21:06 <...> unbound[<...>]: [<...>:0] info: start of service (unbound 1.5.8).
    Oct 29 00:21:06 <...> unbound[<...>]:    ...done.
    Oct 29 00:23:21 <...> systemd[1]: Started unbound.service.
    
  4. Use dig to check that external DNS names are successfully resolved:

    dig example.com @127.0.0.1 | grep -B3 Query
    

    Result:

    ;; ANSWER SECTION:
    example.com.    86400  IN  A  93.184.216.34
    ;; Query time: 611 msec
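
Both configurations above bind the resolver to loopback only (listen-address=127.0.0.1 for dnsmasq, interface: 127.0.0.1 for unbound), which matters on a VM that has a public IP address. The script below is an added example, not part of the original tutorial: it scans `ss -lntu` output for port 53 sockets bound to anything other than loopback. The function names and the sample socket lists are constructed for illustration.

```sh
#!/bin/sh
# Added example: flag DNS listeners reachable beyond loopback.
# Reads `ss -lntu` output on stdin (columns: Netid State Recv-Q Send-Q
# Local-Address:Port Peer-Address:Port) and prints "<proto> <address>"
# for every port-53 socket that is not bound to 127.0.0.0/8 or ::1.
non_loopback_dns_listeners() {
    awk '{
        n = split($5, parts, ":")
        port = parts[n]
        if (port != "53") next            # exact match: header and 5353 are skipped
        addr = substr($5, 1, length($5) - length(port) - 1)
        sub(/%.*$/, "", addr)             # drop "%lo"-style interface suffix
        if (addr ~ /^127\./ || addr == "[::1]") next
        print $1, addr
    }'
}

# Returns 0 when every port-53 listener is loopback-only, 1 otherwise.
audit_dns_listeners() {
    bad=$(non_loopback_dns_listeners)
    [ -z "$bad" ] && return 0
    echo "$bad" | sed 's/^/exposed DNS listener: /'
    return 1
}

# Constructed sample: resolver bound as in the configurations above.
sample_loopback_only() {
    cat <<'EOF'
udp UNCONN 0 0 127.0.0.53%lo:53 0.0.0.0:*
udp UNCONN 0 0 127.0.0.1:53 0.0.0.0:*
tcp LISTEN 0 32 127.0.0.1:53 0.0.0.0:*
tcp LISTEN 0 128 0.0.0.0:22 0.0.0.0:*
EOF
}

# Constructed sample: resolver left listening on all addresses.
sample_exposed() {
    cat <<'EOF'
udp UNCONN 0 0 0.0.0.0:53 0.0.0.0:*
tcp LISTEN 0 32 [::]:53 [::]:*
udp UNCONN 0 0 127.0.0.1:53 0.0.0.0:*
EOF
}

for s in sample_loopback_only sample_exposed; do
    if "$s" | audit_dns_listeners; then echo "$s: OK"; else echo "$s: FAIL"; fi
done
# On the VM itself: ss -lntu | audit_dns_listeners
```

A non-zero exit status from `ss -lntu | audit_dns_listeners` means the listen settings were not applied, typically because the resolver was not restarted after the configuration change.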
    

Replace the resolver

If you need to replace systemd-resolved with a different local caching DNS resolver:

  1. Install an alternative resolver by following the steps in the Install an alternative resolver section.

  2. Edit the /etc/systemd/resolved.conf file to disable the stub resolver and set 127.0.0.1 as the DNS server address:

    1. Open the file:

      sudo nano /etc/systemd/resolved.conf
      
    2. Paste the following text after the [Resolve] line:

      DNS=127.0.0.1
      DNSStubListener=no
      
  3. Create a symlink:

    sudo ln -svi /run/systemd/resolve/resolv.conf /etc/resolv.conf
    
  4. Restart systemd-resolved:

    sudo systemctl restart systemd-resolved
    
  5. Make sure dig now uses the 127.0.0.1#53 server instead of 127.0.0.53#53:

    dig example.com
    

    Result:

    <...>
    ;; Query time: 0 msec
    ;; SERVER: 127.0.0.1#53(127.0.0.1)
    <...>
    

How to delete the resources you created

To stop paying for the resources you created, delete your VM.
