Apache: honouring the DNS ttl in proxy-pass

Tags: apache-2.4, domain-name-system, mod-proxy

We’re trying to set up a bunch of Apache 2.4.18 servers to proxy pass the requests they receive to our partner's upstream server. Our partner uses Amazon’s Elastic Load Balancing and thus the only thing we know about their servers is their DNS names.

The TTL of the DNS records is 60 seconds and I’d like to know if Apache can honour that ttl, keeping the connection alive as long as the DNS record is valid and then requesting the translation when the TTL has expired.

Using mod_proxy DisableReuse = on forces opening a new connection every time a resource is needed upstream. That would do the trick as long as the underlying operating system does the DNS TTL caching. If not, every time a new resource is needed Apache will force a new DNS request, increasing the response time.

I’ve thought of playing with the mod_proxy ttl and timeout parameters, but I think I’m not correctly solving the problem. According to the docs, mod_proxy’s timeout parameter controls the time a socket will wait for data from upstream, but I’m not sure if the Apache instance will close the connection and open a new one. Also, playing with the timeout is error prone, because a lower value may send a wrong answer to the client.

I’ve spent some time trying to tackle this setup with no joy. Is there any special setup to cover that scenario? Or perhaps I’ve skipped something? Any help would be appreciated.

Best,

Gustau

Best Answer

The only option that can be helpful for your use case is disablereuse=On.

The DNS queries are performed by the resolver part of glibc. The results are not cached by this library, or by the OS. In Apache's case the DNS results are cached by the Apache worker process. You can have a DNS service, like nscd or dnsmasq, that does the DNS caching.

Here are excerpts from the apache documentation.

https://httpd.apache.org/docs/2.4/mod/mod_proxy.html#workers

DNS resolution for origin domains

DNS resolution happens when the socket to the origin domain is created for the first time. When connection reuse is enabled, each backend domain is resolved only once per child process, and cached for all further connections until the child is recycled. This information should be considered while planning DNS maintenance tasks involving backend domains. Please also check ProxyPass parameters for more details about connection reuse.

https://httpd.apache.org/docs/2.4/mod/mod_proxy.html#proxypass

disablereuse (by default is "Off"): This parameter should be used when you want to force mod_proxy to immediately close a connection to the backend after being used, and thus, disable its persistent connection and pool for that backend. This helps in various situations where a firewall between Apache httpd and the backend server (regardless of protocol) tends to silently drop connections or when backends themselves may be under round-robin DNS. When connection reuse is enabled each backend domain is resolved (with a DNS query) only once per child process and cached for all further connections until the child is recycled. To disable connection reuse, set this property value to On.
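
The setting discussed in the answer, shown next to the default it replaces. This is an added example, not part of the original question or answer; the hostname `partner-elb.example.com` and the path `/partner/` are placeholders.

```apache
# Added example. partner-elb.example.com and /partner/ are placeholders.

# Default (disablereuse=Off): backend connections are pooled and each child
# process resolves the backend name once, keeping that address until the
# child is recycled. A 60-second DNS TTL is not observed.
# ProxyPass        "/partner/" "http://partner-elb.example.com/"

# disablereuse=On: the backend connection is closed after each use and is
# not pooled, so the next request opens a new socket and the name is
# resolved again at that point.
ProxyPass        "/partner/" "http://partner-elb.example.com/" disablereuse=On
ProxyPassReverse "/partner/" "http://partner-elb.example.com/"

# If connection reuse is left enabled instead, the cached address lives as
# long as the child does. Recycling children after a fixed number of
# connections limits that lifetime (the value below is illustrative).
# MaxConnectionsPerChild 1000
```

With `disablereuse=On` every upstream request triggers a lookup, so a local caching resolver such as nscd or dnsmasq, as the answer suggests, is what keeps those lookups cheap while still expiring entries.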