I'm using stunnel in client mode to proxy between my Haproxy and an HTTPS backend server. I've read that Haproxy caches the resolved IPs on each config load, which isn't a problem in my current setup. However, it got me thinking whether or not stunnel caches the DNS results as well. I find that there's a delay = yes option which sounds like it should alleviate my concern. From the manual:
delay = yes | no
delay DNS lookup for connect option
This option is useful for dynamic DNS, or when DNS is not available
during stunnel startup (road warrior VPN, dial-up configurations). Delayed resolver mode is automatically engaged when stunnel fails to
resolve on startup any of the connect targets for a service. Delayed resolver inflicts failover = prio.
default: no
If I set delay = yes, will the DNS be resolved at every single connection, or does it use the OS's DNS cache (which would invalidate)?
Best Answer
TL;DR: It doesn't cache the IP addresses
I asked this on the stunnel mailing list, and the author and maintainer, Michal, kindly responded to the question: