resolving — DNS resolving in Kernun applications
All Kernun proxies use the Kernun library name resolver, which differs from the standard FreeBSD name resolver in several points:
It is possible to set a total timeout for a query regardless of the number of domains in the search list and the number of servers.
It is possible to set different timeouts for different situations.
It is possible to set the timeout for the connect() call in the case of a TCP query.
It is possible to set different port numbers for different servers.
For these features, the configuration has a special section named
resolver that contains the necessary directives (name
server addresses, domain search list and
several timeouts). The same section also defines the information for
the standard system name resolver, i.e. the resolver section is
the source for the file /etc/resolv.conf. On the
contrary, the behavior of the system name-service switch dispatcher
(the nsdispatch() function) is not changed - Kernun
creates the file /etc/nsswitch.conf with the content
“hosts: files dns” during the installation and does not
alter it afterwards.
In UDP-based proxies there is a problem with online resolving.
Since all requests are processed in a single process, calling
the regular blocking resolver routines would increase proxy latency.
Thus, UDP-based proxies running in parent/child mode
(i.e. not in the singleproc mode) start an extra child process
(“Asynchro Parallel Resolver”, or APR)
that performs the resolution work.
This process is, in fact, an engine of dns-proxy(8) working in the forwarding mode.
There are four different timeouts in the Kernun resolver configuration.

conf-timeout seconds;
    The timeout for the resolution of each domain name used in the configuration. Default: 15 sec.
    For configuration resolution, see the section called “Configuration Resolution” below.

initial-timeout seconds;
    The timeout for the initial attempt to deresolve a client address. Default: 1 sec.
    When a client contacts the proxy, an attempt to deresolve its address is made. If it fails, the client's address is logged without a name until the SESSION-END message. If the APR (see above) is used, this timeout is ignored.

final-timeout seconds;
    The timeout used for deresolving a client address immediately before logging the SESSION-END message. Default: 5 sec.
    When a session closes, the SESSION-END log message is printed. For this message, another attempt to deresolve the client's address is made (of course, only if the first attempt at client deresolution failed because of initial-timeout).

conn-timeout seconds;
    The timeout for resolving connection-critical addresses. Default: 30 sec.
    This timeout is used for any resolution necessary for the successful progress of the proxy's work, e.g. the resolution of a server address.
Configuration Resolution

All names in the configuration are resolved during the
proxy startup. Within this process, each name resolution is
tried for conf-timeout seconds; if it fails,
the name remains unresolved.
If the proxy runs in the parent/child mode
(i.e. not the singleproc mode),
it starts an extra child process
(“Asynchro Configuration Resolver”,
or ACR) as soon as new resolution is needed
(i.e. some names have expired). This child tries to resolve the expired names
again and stores the result in a memory mapped file shared by all
regular children.
There are some exceptions to this rule. For instance,
the listen-on addresses must be resolved immediately
at the beginning of the proxy run and they are not refreshed
until the end of the execution of the proxy.
Some parameters of the configuration resolution refresh
can be specified by means of the cfg-resolution
configuration item (see proxy(5)).
max-addrs
    Every configuration name has a limited number of addresses to which it can be resolved. Default: 10.

def-ttl
    If the name remains unresolved (either because of a negative answer or because of query expiration), this value is used as the expiration (and thus also the next refresh period) time. Default: 1 min.

max-ttl
    If the name TTL is too high, or the name is resolved using the /etc/hosts file (not by DNS), this value is used as the expiration (and thus also the next refresh period) time. Default: 1 day.

pool-dir
    The parent process, the resolving child and the regular children use a shared file for exchanging resolution results. The file is named RESCFG.proxy-name.parent-PID and resides in the pool-dir directory. Default: /tmp.
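The refresh rules above, as an added Python model written for this page (not Kernun code): it shows how max-addrs, def-ttl and max-ttl decide what is cached for a configuration name and when the ACR child has to resolve it again. The defaults are the ones stated on this page; the names, addresses, TTLs and clock values are constructed.

```python
"""Model of the cfg-resolution refresh rules (illustration, not Kernun code)."""
from dataclasses import dataclass
from typing import List, Optional


@dataclass
class CfgResolution:
    max_addrs: int = 10      # Default: 10 addresses per name
    def_ttl: int = 60        # Default: 1 min, used for unresolved names
    max_ttl: int = 86400     # Default: 1 day, cap for high TTLs and /etc/hosts


@dataclass
class ResolvedName:
    name: str
    addrs: List[str]
    expires_at: int          # absolute time (seconds) of the next refresh


def store_result(cfg: CfgResolution, name: str, now: int,
                 addrs: Optional[List[str]], ttl: int,
                 from_hosts: bool = False) -> ResolvedName:
    """Apply the rules to one resolution attempt made at time `now`.

    `addrs` is None when the query expired (conf-timeout elapsed) and an
    empty list for a negative answer; both count as "unresolved".
    """
    if not addrs:
        # Unresolved: retry after def-ttl, nothing is cached.
        return ResolvedName(name, [], now + cfg.def_ttl)
    if from_hosts or ttl > cfg.max_ttl:
        # /etc/hosts has no TTL and DNS TTLs are capped at max-ttl.
        ttl = cfg.max_ttl
    # Only the first max-addrs addresses are kept.
    return ResolvedName(name, addrs[:cfg.max_addrs], now + ttl)


def expired_names(entries: List[ResolvedName], now: int) -> List[str]:
    """Names the ACR child would have to resolve again at time `now`."""
    return [e.name for e in entries if e.expires_at <= now]
```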
Kernun: proxy(5), resolver(5), system(5), dns-proxy(8)
FreeBSD: resolv.conf(5), nsswitch.conf(5)