forked from kamailio/kamailio
-
Notifications
You must be signed in to change notification settings - Fork 0
/
Copy pathdns.txt
318 lines (256 loc) · 15 KB
/
dns.txt
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
312
313
314
315
316
317
318
Kamailio and DNS Overview
---------------------------
The DNS subsystem in Kamailio can either directly use libresolv and a combination
of the locally configured DNS server, /etc/hosts and the local Network
Information Service (NIS/YP a.s.o) or cache the query results (both positive
and negative) and look first in its internal cache.
When its internal DNS cache is enabled, Kamailio can also use DNS failover: if
one destination resolves to multiple addresses Kamailio can try all of them until
it finds one to which it can successfully send the packet or it exhausts all
of them. Kamailio (The tm module to be more precise) uses the DNS failover also
when the destination host doesn't send any reply to a forwarded invite within the
SIP timeout interval (whose value can be configured using the tm fr_timer
parameter).
When SRV based load balancing is enabled Kamailio can even do DNS based load
balancing (see RFC2782 and the dns_srv_lb option below). This is using the
weight value in the DNS SRV record.
DNS Cache and Failover Drawbacks
--------------------------------
Using the DNS cache and the DNS failover has also some drawbacks:
1. Only the locally configured DNS server (usually in /etc/resolv.conf) is
used for the requests (/etc/hosts and the local Network Information Service
are ignored).
Workaround: disable the DNS cache (use_dns_cache=off or compile without -DUSE_DNS_CACHE).
2. The DNS cache uses extra memory
Workaround: disable the DNS cache.
3. The DNS failover introduces a very small performance penalty
Workaround: disable the DNS failover (use_dns_failover=off).
4. The DNS failover increases the memory usage (the internal structures
used to represent the transaction are bigger when the DNS failover support is
compiled).
Workaround: compile without DNS failover support (-DUSE_DNS_FAILOVER).
Turning it off from the config file is not enough in this case (the extra
memory will still be used).
On the other hand using the DNS cache saves lots of DNS queries and makes
DNS based failover and DNS based load balancing possible. If the destination
blacklist is enabled, Kamailio can do failover even if forwarding in stateless
mode.
In the ideal case with the DNS cache enabled Kamailio will do only one query for
a NAPTR (if enabled) or SRV lookup and then it will use the results for the
record's TTL (for example if all the resulting records have 1 minute TTL,
the server won't make another query for this domain for 1 minute). Even negative
answers will be cached.
Without the DNS cache, each NAPTR or SRV lookup will result in at least 2
queries. These queries will happen every time, for each message (even if
all of them go to the same domain).
DNS Resolver Options
--------------------
The DNS resolver options control how Kamailio will interact with the external
DNS servers. These options (with the dns_try_ipv6 exception) are passed to
libresolv and are used each time a DNS request is made.
The default values are system specific and generally depend on the
/etc/resolv.conf content. For servers doing a lot of DNS requests it is
highly recommended to change the default values in the Kamailio config file
(even if using Kamailio's internal DNS cache).
dns_try_ipv6 = on | off - if on and Kamailio listens on at least one ipv6 socket,
ipv6 (AAAA) lookups will be performed if the ipv4 (A) lookups fail.
If off only ipv4 (A) lookups will be used.
Default: on if Kamailio is compiled with ipv6 support.
dns_try_naptr = on | off - if on Kamailio will first try a NAPTR lookup for
destinations that don't have the protocol or port specified and
are not simple ip addresses (as described in RFC 3263). This will
introduce a slight performance penalty and will probably cause extra
DNS lookups. For example a lookup for a non-existing domain will
produce one extra query: NAPTR(domain), SRV(_sip._udp.domain)
and A/AAAA(domain).
If the result of a query contains several NAPTR records, Kamailio will select
among them according to the RFC2915 and Kamailio preference towards a
specific protocol (see dns_udp_pref, dns_tcp_pref and dns_tls_pref
below). For an RFC3263 compliant configuration (choose the remote side
preferred protocol if supported), set dns_udp_pref, dns_tcp_pref and
dns_tls_pref to the same value (>=0), e.g. 0.
Default: off
dns_udp_pref = number - udp protocol preference when doing NAPTR lookups.
This option works together with dns_tcp_pref, dns_tls_pref and
dns_sctp_pref. If all this options have the same positive value and more
NAPTR records are available, Kamailio will select the NAPTR record preferred
by the remote side (according to RFC2915). If the values are positive
but different, Kamailio will select the NAPTR record whose protocol it
prefers the most (the protocol with the highest dns_<proto>_pref
number). If there are several NAPTR records with the same preferred
protocol, Kamailio will select among them based on their order and preference
(see RFC2915).
To completely disable selecting a specific protocol, use a negative
number. For example dns_tcp_pref=-1 will completely disable selection
of tcp NAPTR records, even if this will result in the NAPTR lookup
failure. Note: if a protocol is disabled in Kamailio (e.g. tls_disable=1)
the corresponding NAPTR records selection will be also disabled,
irrespective of the dns_<proto>_preference value.
Default: dns_udp_pref=30, dns_tcp_pref=20, dns_tls_pref=10 and
dns_sctp_pref=20.
(prefer udp, but if no udp NAPTR record found or no SRV-resolvable
udp NAPTR record found use tcp or sctp records and if this fails too
use tls)
dns_tcp_pref = number (see dns_udp_pref above)
dns_tls_pref = number (see dns_udp_pref above)
dns_sctp_pref = number (see dns_udp_pref above)
dns_retr_time = time - time in s before retrying a DNS request.
Default: system specific, depends also on the/etc/resolv.conf content
(usually 5 s).
dns_retr_no = no. - number of DNS retransmissions before giving up.
Default: see above (usually 4)
dns_servers_no = no. - how many DNS servers from the ones defined in
/etc/resolv.conf will be used. Default: all of them.
dns_use_search_list= yes/no - if no, the search list in /etc/resolv.conf
will be ignored (=> fewer lookups => gives up faster).
Default: yes.
HINT: even if you don't have a search list defined, setting this option
to "no" will still be "faster", because an empty search list is in
fact search "" (so even if the search list is empty/missing there will
still be 2 DNS queries, eg. foo+'.' and foo+""+'.')
dns_search_full_match = yes/no - controls the check of the name part
which is found in the answer expanding the searched name before
the answer is treated as correct and "link" (fake CNAME record)
between the short name (query) and long name (answer) is created
which is then stored in dns_cache and reused for next queries.
If set to no - no additional check is done.
If set to yes - the additional part is checked against the search list.
The maximum time a DNS request can take (before failing) is:
(dns_retr_time*dns_retr_no) * (search_list_domains) If dns_try_ipv6 is yes,
mutliply it again by 2.
The option combination that produces the "fastest" DNS resolver config
(the "faster" in the sense that it gives up the quickest) is:
dns_try_ipv6=no
dns_retr_time=1
dns_retr_no=1
dns_servers_no=1
dns_use_search_list=no
The recommended DNS configuration is to have a "close" DNS caching recursive
server configured in /etc/resolv.conf, set the DNS resolver options in Kamailio's
config as in the above example and enable the DNS cache (in Kamailio).
Pay particular attention to dns_servers_no and dns_use_search_list. It's a
good idea to make sure you don't need / use the search list or more then one
DNS server (to avoid unnecessary extra lookups).
DNS Resolver Compile Options
----------------------------
USE_NAPTR - if defined the naptr lookup support will be compiled in.
NAPTR support still has to be enabled from Kamailio's config file (it's
off by default).
RESOLVE_DBG - if defined, the resolver will be very verbose: it will log
a lot of debugging information at L_DBG level.
NAPTR_DBG - if defined the NAPTR related resolver functions will be very
verbose.
DNS Cache and Failover Config Variables
---------------------------------------
use_dns_cache = on | off - if off the DNS cache won't be used (all dns
lookups will result into a DNS request). When on all the DNS request
results will be cached.
WARNING: when enabled /etc/hosts will be completely bypassed, all the dns
request will go directly to the system configured (resolv.conf) dns
server.
Default: on.
use_dns_failover = on |off - if on and sending a request fails (due to not
being allowed from an onsend_route, send failure, blacklisted destination
or, when using tm, invite timeout), and the destination resolves to
multiple ip addresses and/or multiple SRV records, the send will be
re-tried using the next ip/record. In tm's case a new branch will be
created for each new send attempt.
Default: off.
Depends on use_dns_cache being on. If tm is used along with DNS failover is
recommended to also turn on dst_blacklist.
dns_srv_lb = on | off or
dns_srv_loadbalancing = on | off - if on instead of doing simple DNS
failover (like above), Kamailio will load balance requests to different srv
records of the same priority based on the SRV records weights (like
described in RFC2782). For a destination which has different priorities
for all its SRV records, this option will be equivalent with simple
DNS failover.
Note: this option requires having DNS failover enabled (see
use_dns_failover above).
Default: off.
dns_try_ipv6 = on | off - shared with the resolver (see resolver
description).
dns_try_naptr = on | off - shared with the resolver (see resolver
description).
dns_udp_pref = number - shared with the resolver (see resolver
description).
dns_tcp_pref = number - shared with the resolver (see resolver
description).
dns_tls_pref = number - shared with the resolver (see resolver
description).
dns_cache_flags = DNS cache specific resolver flags, used for overriding
the default behaviour (low level).
Possible values:
1 - ipv4 only: only DNS A requests are performed, even if Kamailio listens
also on ipv6 addresses.
2 - ipv6 only: only DNS AAAA requests are performed. Ignored if
dns_try_ipv6 is off or Kamailio doesn't listen on any ipv6
address.
4 - prefer ipv6: try first to resolve a host name to an ipv6 address
(DNS AAAA request) and only if this fails try an ipv4
address (DNS A request).
By default the ipv4 addresses are preferred.
Default: 0
dns_cache_negative_ttl = time to live for negative results ("not found") in
seconds. Use 0 to disable.
Default: 60 s.
dns_cache_min_ttl = minimum accepted time to live for a record, in seconds.
If a record has a lower ttl, its value will be discarded and
dns_cache_min_ttl will be used instead.
Default: 0
dns_cache_max_ttl = maximum accepted time to live for a record, in seconds.
If a record has a higher ttl, its value will be discarded and
dns_cache_max_ttl will be used instead.
Default: MAXINT
dns_cache_mem = maximum memory used for the DNS cache in Kb.
Default: 500 Kb
dns_cache_gc_interval = how often (in s) the DNS cache will be garbage
collected.
Default: 120 s.
dns_cache_del_nonexp = yes | no or
dns_cache_delete_nonexpired = yes | no - allow deletion of non-expired
records from the cache when there is no more space left for new
ones. The last-recently used entries are deleted first.
Default: no
dns_cache_init = on | off - if off, the DNS cache is not initialized
at startup and cannot be enabled runtime, that saves some memory.
Default: on
DNS Cache Compile Options
-------------------------
USE_DNS_CACHE - if defined the DNS cache support will be compiled in
(default). If not needed/wanted the dns_cache can be disabled from the
Kamailio's config file. The only advantages for not compiling the DNS cache
support is a slight decrease of the executable size and an extremely
small performance increase (1 less comparison per DNS request).
USE_DNS_FAILOVER - if defined the DNS failover support will be compiled in.
(default). Compiling the DNS failover support has a few disadvantages,
see the "Drawbacks" section.
DNS_SRV_LB - if defined (default) support for load balancing using
SRV records weights (as described in RFC2782) will be compiled in.
Note however that it still must be enabled from the Kamailio config, it's
disabled by default (see the dns_srv_lb config option).
USE_NAPTR - (shared with the resolver) if defined NAPTR support will
be compiled in (default). Note that even if compiled, NAPTR support
must be enabled also from the Kamailio config (see the dns_try_naptr option).
NAPTR_CACHE_ALL_ARS - if defined all the additional records in a NAPTR
answer will be cached. Normally Kamailio would cache only "related" records
(records that are directly referred), but for answers with lots of
A/AAAA records it might happen that not all of the SRV records will fit
in the AR section. In this case, without this compile option Kamailio will
not cache the un-referred A/AAAA records. BY default this option is
disabled.
CACHE_RELEVANT_RECS_ONLY - if defined (default), records in the AR section
of an answer will be cached only if they are "related" to the query.
For example if the query is for a SRV record, A & AAAA records in the
AR section will be cached only if there are SRV records pointing to
them. This avoids adding possible garbage to the cache.
If this option is not defined (experimental), everything in the AR
section will be added to the cache.
DNS_CACHE_DEBUG - if defined the DNS cache will be very verbose (it will
log lots of messages at the L_DBG levell).
Note: To remove a compile options, edit Kamailio's Makefile.defs and remove it
from DEFS list. To add a compile options add it to the make command line,
e.g.: make proper; make all extra_defs=-DUSE_DNS_FAILOVER
or for a permanent solution, edit Makefile.defs and add it to DEFS
(don't foget to prefix it with -D). Some options require editing
dns_cache.c or resolve.[ch] (just grep after them).