2014-06-09 00:26:41 +00:00
---
layout: "docs"
page_title: "DNS Caching"
sidebar_current: "docs-guides-dns-cache"
2014-10-19 23:40:10 +00:00
description: |-
2015-02-25 15:45:21 +00:00
One of the main interfaces to Consul is DNS. Using DNS is a simple way to integrate Consul into an existing infrastructure without any high-touch integration.
2014-06-09 00:26:41 +00:00
---
# DNS Caching
2015-02-25 15:45:21 +00:00
One of the main interfaces to Consul is DNS. Using DNS is a simple way to
2014-06-09 00:26:41 +00:00
integrate Consul into an existing infrastructure without any high-touch
integration.
By default, Consul serves all DNS results with a 0 TTL value. This prevents
2015-02-25 15:45:21 +00:00
any caching. The advantage is that each DNS lookup is always re-evaluated,
so the most timely information is served. However, this adds a latency hit
2014-06-09 00:26:41 +00:00
for each lookup and can potentially exhaust the query throughput of a cluster.
For this reason, Consul provides a number of tuning parameters that can
2015-02-25 15:45:21 +00:00
customize how DNS queries are handled.
2014-06-09 00:26:41 +00:00
2016-08-25 00:33:53 +00:00
< a name = "stale" > < / a >
2014-06-09 00:26:41 +00:00
## Stale Reads
Stale reads can be used to reduce latency and increase the throughput
2018-02-12 16:26:10 +00:00
of DNS queries. The [settings ](/docs/agent/options.html ) used to control stale reads
2015-02-25 15:45:21 +00:00
are [`dns_config.allow_stale` ](/docs/agent/options.html#allow_stale ),
2018-02-12 16:26:10 +00:00
which must be set to enable stale reads, and [`dns_config.max_stale` ](/docs/agent/options.html#max_stale )
2015-02-25 15:45:21 +00:00
which limits how stale results are allowed to be.
2014-06-09 00:26:41 +00:00
2018-02-12 16:26:10 +00:00
Since Consul 0.7.1, [`allow_stale` ](/docs/agent/options.html#allow_stale )
2016-10-06 13:00:28 +00:00
is enabled by default, using a [`max_stale` ](/docs/agent/options.html#max_stale )
2018-02-12 16:26:10 +00:00
value that defaults to a near-indefinite threshold (10 years) to allow DNS queries to continue to be served in the event
2016-11-10 21:37:44 +00:00
of a long outage with no leader. A new telemetry counter has also been added at
`consul.dns.stale_queries` to track when agents serve DNS queries that are stale
by more than 5 seconds.
2014-06-09 00:26:41 +00:00
2018-02-12 16:26:10 +00:00
Doing a stale read allows any Consul server to
service a query, but non-leader nodes may return data that is
out-of-date. By allowing data to be slightly stale, we get horizontal
read scalability. Now any Consul server can service the request, so we
increase throughput by the number of servers in a cluster.
If you want to prevent
stale reads or limit how stale they can be, you can set `allow_stale`
to false or use a lower value for `max_stale` . Doing the first will ensure that
all reads are serviced by a [single leader node ](/docs/internals/consensus.html ).
The reads will then be strongly consistent but will be limited by the throughput
of a single node.
2015-03-02 04:37:16 +00:00
## Negative Response Caching
Some DNS clients cache negative responses - that is, Consul returning a "not
found" style response because a service exists but there are no healthy
endpoints. What this means in practice is that cached negative responses may
mean that services appear "down" for longer than they are actually unavailable
when using DNS for service discovery.
One common example is that Windows will default to caching negative responses
for 15 minutes. DNS forwarders may also cache negative responses, with the same
effect. To avoid this problem, check the negative response cache defaults for
your client operating system and any DNS forwarder on the path between the
client and Consul and set the cache values appropriately. In many cases
"appropriately" simply is turning negative response caching off to get the best
recovery time when a service becomes available again.
Added SOA configuration for DNS settings. (#4714)
This will allow to fine TUNE SOA settings sent by Consul in DNS responses,
for instance to be able to control negative ttl.
Will fix: https://github.com/hashicorp/consul/issues/4713
# Example
Override all settings:
* min_ttl: 0 => 60s
* retry: 600 (10m) => 300s (5 minutes),
* expire: 86400 (24h) => 43200 (12h)
* refresh: 3600 (1h) => 1800 (30 minutes)
```
consul agent -dev -hcl 'dns_config={soa={min_ttl=60,retry=300,expire=43200,refresh=1800}}'
```
Result:
```
dig +multiline @localhost -p 8600 service.consul
; <<>> DiG 9.12.1 <<>> +multiline @localhost -p 8600 service.consul
; (2 servers found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 36557
;; flags: qr aa rd; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 1
;; WARNING: recursion requested but not available
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;service.consul. IN A
;; AUTHORITY SECTION:
consul. 0 IN SOA ns.consul. hostmaster.consul. (
1537959133 ; serial
1800 ; refresh (30 minutes)
300 ; retry (5 minutes)
43200 ; expire (12 hours)
60 ; minimum (1 minute)
)
;; Query time: 4 msec
;; SERVER: 127.0.0.1#8600(127.0.0.1)
;; WHEN: Wed Sep 26 12:52:13 CEST 2018
;; MSG SIZE rcvd: 93
```
2018-10-10 19:50:56 +00:00
With versions of Consul greater than 1.3.0, it is now possible to tune SOA
responses and modify the negative TTL cache for some resolvers. It can
be achieved using the [`soa.min_ttl` ](/docs/agent/options.html#soa_min_ttl )
configuration within the [`soa` ](/docs/agent/options.html#soa ) configuration.
2016-08-25 00:33:53 +00:00
< a name = "ttl" > < / a >
2014-06-09 00:26:41 +00:00
## TTL Values
2015-02-25 15:45:21 +00:00
TTL values can be set to allow DNS results to be cached downstream of Consul. Higher
TTL values reduce the number of lookups on the Consul servers and speed lookups for
clients, at the cost of increasingly stale results. By default, all TTLs are zero,
2014-06-09 00:26:41 +00:00
preventing any caching.
2015-02-25 15:45:21 +00:00
To enable caching of node lookups (e.g. "foo.node.consul"), we can set the
[`dns_config.node_ttl` ](/docs/agent/options.html#node_ttl ) value. This can be set to
"10s" for example, and all node lookups will serve results with a 10 second TTL.
2014-06-09 00:26:41 +00:00
2015-02-25 15:45:21 +00:00
Service TTLs can be specified in a more granular fashion. You can set TTLs
per-service, with a wildcard TTL as the default. This is specified using the
[`dns_config.service_ttl` ](/docs/agent/options.html#service_ttl ) map. The "*"
2018-10-19 08:53:19 +00:00
is supported at the end of any prefix and a lower precedence than strict match,
so 'my-service-x' has precedence over 'my-service-*', when performing wildcard
match, the longest path is taken into account, thus 'my-service-*' TTL will
be used instead of 'my-*' or '*'. With the same rule, '*' is the default value
when nothing else matches. If no match is found the TTL defaults to 0.
2014-06-09 00:26:41 +00:00
2015-02-25 15:45:21 +00:00
For example, a [`dns_config` ](/docs/agent/options.html#dns_config ) that provides
a wildcard TTL and a specific TTL for a service might look like this:
2014-06-09 00:26:41 +00:00
2014-10-19 23:40:10 +00:00
```javascript
{
"dns_config": {
"service_ttl": {
"*": "5s",
2018-10-19 08:53:19 +00:00
"web": "30s",
"db*": "10s",
"db-master": "3s"
2014-06-09 00:26:41 +00:00
}
2014-10-19 23:40:10 +00:00
}
}
2014-06-09 00:26:41 +00:00
```
2015-02-25 15:45:21 +00:00
This sets all lookups to "web.service.consul" to use a 30 second TTL
2014-06-09 00:26:41 +00:00
while lookups to "db.service.consul" or "api.service.consul" will use the
5 second TTL from the wildcard.
2015-11-14 20:45:34 +00:00
2018-10-19 08:53:19 +00:00
All lookups matching "db*" would get a 10 seconds TTL except "db-master"
that would have a 3 seconds TTL.
2017-04-04 16:33:22 +00:00
[Prepared Queries ](/api/query.html ) provide an additional
2015-11-14 20:45:34 +00:00
level of control over TTL. They allow for the TTL to be defined along with
the query, and they can be changed on the fly by updating the query definition.
If a TTL is not configured for a prepared query, then it will fall back to the
service-specific configuration defined in the Consul agent as described above,
and ultimately to 0 if no TTL is configured for the service in the Consul agent.