DNS caching service (dnscache)
Starting with Zimbra Collaboration 8.5, a DNS caching service is available for installation. It is targeted specifically at MTA nodes and is also well suited to single-server installations. Three of our supported features rely heavily on DNS lookups:
- DKIM verification
- SpamAssassin Scoring
- Postfix RBLs for spam blocking
However, the remote sites that provide SpamAssassin scoring and Postfix RBLs do *not* like heavy DNS traffic overloading their servers: DNS blocklists often run on a "free for some" model and/or limit the number of queries you can perform in order to maximize resources. Prolonged overuse of their DNS systems will in fact get your MTAs blacklisted from using those services, severely reducing their effectiveness.
How it works
dnscache adds a local DNS cache server to the MTA servers that keeps the answers to external DNS requests. With it, the MTA server only needs to ask the public DNS once for the DNS information of an external domain; after that, the MTA asks its own cache instead of the public DNS, which saves bandwidth and keeps the MTA from being blacklisted for high DNS request traffic.
How to enable it
To ensure your MTAs are not blacklisted, the DNS caching package is now part of Zimbra Collaboration. General setup:
- Answer [Y] to install zimbra-dnscache.
- When prompted, list the IP(s) of the site's local DNS servers.
- The installer will automatically reconfigure the DNS cache as the primary resolver for the OS.
- If you do not select any DNS server IP, dnscache will use Google DNS by default (8.8.8.8).

You can start, stop, restart, reload or check the status of the service with the following command, run as the zimbra user:

```
/opt/zimbra/bin/zmdnscachectl
```
NOTE: SHOULD NOT BE INSTALLED ON SYSTEMS THAT ALREADY HAVE BIND OR OTHER DNS SERVICES INSTALLED. Instead, the client should configure such servers to also act as a DNS cache.
Check the DNSMasterIP
You can check the DNSMasterIP values that your dnscache is using; there can be more than one:

```
zmprov getServer `zmhostname` | grep DNSMasterIP
zimbraDNSMasterIP: 8.8.8.8
```
Add a DNSMasterIP
You can also add more DNSMasterIP entries at any time, for example when you add a new internal DNS server or want more upstream servers than the Google ones:

```
zmprov ms `zmhostname` +zimbraDNSMasterIP 8.8.8.8
```
Remove a DNSMasterIP
To remove a DNSMasterIP that was entered incorrectly, or whose DNS server is no longer available, run the following command:

```
zmprov ms `zmhostname` -zimbraDNSMasterIP 8.8.8.8
```
Testing the DNS caching service (dnscache)
For example, let's make a DNS request for mail.google.com. The first request takes 62 ms, because the MTA asks the dnscache and the dnscache asks the public DNS:

```
root@lab1:/home/oper# host -a mail.google.com
Trying "mail.google.com"
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 5818
;; flags: qr rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 0

;; QUESTION SECTION:
;mail.google.com. IN ANY

;; ANSWER SECTION:
mail.google.com. 21599 IN TXT "google-site-verification=PncXpRKRCAlDAdlesTtNFf6k9TvgxgcRfojdaKkEACY"
mail.google.com. 21599 IN CNAME googlemail.l.google.com.

Received 141 bytes from 127.0.0.1#53 in 62 ms
```
The second request takes 0 ms, because the MTA asks the dnscache and the dnscache already has the answer cached, so it costs neither latency nor bandwidth:

```
root@lab1:/home/oper# host -a mail.google.com
Trying "mail.google.com"
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 52424
;; flags: qr rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 0

;; QUESTION SECTION:
;mail.google.com. IN ANY

;; ANSWER SECTION:
mail.google.com. 21593 IN TXT "google-site-verification=PncXpRKRCAlDAdlesTtNFf6k9TvgxgcRfojdaKkEACY"
mail.google.com. 21593 IN CNAME googlemail.l.google.com.

Received 141 bytes from 127.0.0.1#53 in 0 ms
```
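The before/after comparison above can be scripted for a health check. The following is an added example, not part of the Zimbra documentation: the function names and verdict strings are made up for it, the sample lines are abridged from the two runs above, and the verdict is a heuristic based on the answering resolver, the TTL countdown and the query time.

```shell
#!/bin/sh
# Added example (not from the Zimbra wiki): compare two consecutive
# `host -a` outputs and report whether the second looks cache-served.

# Reads one `host -a` output on stdin, prints "<resolver> <ms> <lowest TTL>".
parse_host_output() {
  awk '
    /^Received [0-9]+ bytes from / { split($5, a, "#"); server = a[1]; ms = $7 }
    # Answer records look like: name TTL IN TYPE data
    $3 == "IN" && $2 ~ /^[0-9]+$/ { if (min == "" || $2 + 0 < min) min = $2 + 0 }
    END { if (server == "" || min == "") exit 1; print server, ms, min }
  '
}

# classify_lookups FIRST_OUTPUT SECOND_OUTPUT
# Prints one of: cached | not-local | not-cached | unparseable
classify_lookups() {
  a=$(printf '%s\n' "$1" | parse_host_output) || { echo unparseable; return 0; }
  b=$(printf '%s\n' "$2" | parse_host_output) || { echo unparseable; return 0; }
  set -- $a $b   # $1..$3 = first run, $4..$6 = second run
  # The installer makes dnscache the OS resolver, so replies must come
  # from a loopback address.
  case "$4" in
    127.*|::1) ;;
    *) echo not-local; return 0 ;;
  esac
  # Heuristic: a cached record keeps counting its TTL down and is answered
  # without an upstream round trip, so TTL and latency should both be lower.
  if [ "$6" -lt "$3" ] && [ "$5" -lt "$2" ]; then
    echo cached
  else
    echo not-cached
  fi
}

# Abridged from the two runs shown on this page (CNAME record and footer only).
FIRST_RUN='mail.google.com. 21599 IN CNAME googlemail.l.google.com.
Received 141 bytes from 127.0.0.1#53 in 62 ms'
SECOND_RUN='mail.google.com. 21593 IN CNAME googlemail.l.google.com.
Received 141 bytes from 127.0.0.1#53 in 0 ms'

classify_lookups "$FIRST_RUN" "$SECOND_RUN"   # prints: cached
```

A `not-local` verdict means the OS resolver is no longer the dnscache, so the MTA is querying upstream servers directly again.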
Additional Content
- See the Bug 83670 related to this new Feature.
- Want to read more about DNS blocklists, or about the trouble you can run into without dnscache? - https://wiki.apache.org/spamassassin/DnsBlocklists
- According to the Config Guide, Zimbra Collaboration added some new attributes for the DNS caching service:
ID | Name | Type | Since | Description |
---|---|---|---|---|
1569 | zimbraDNSMasterIP | string | 8.5.0 | IP Address(es) of the root DNS servers to be used by the DNS cache service |
1584 | zimbraDNSUseTCP | enum | 8.5.0 | For zimbra dnscache, whether or not to use TCP. Defaults to yes |
1586 | zimbraDNSUseUDP | enum | 8.5.0 | For zimbra dnscache, whether or not to use UDP. Defaults to yes |
1597 | zimbraDNSTCPUpstream | enum | 8.5.0 | For zimbra dnscache, whether or not to only use TCP when talking to the upstream Master DNS servers. Defaults to no |
Identified Support Issues
- No Support issues reported yet.