The 128T-dns-cache plugin provides a DNS caching service on your 128T router by forwarding all traffic on a configured
tenant to dnsmasq. By default it uses existing system configuration for nameserver resolution, but supports optionally configuring custom server addresses. The plugin is implemented as a service function chain (SFC) where the DNS traffic received on an ingress interface is detoured through a Kernel Network Interface (KNI) to be cached by
dnsmasq. A typical flow of the packets for the plugin is illustrated below:
lan-intf (lan-tenant) >
dnsmasq > dns-kni (
tenant) > egress-service > wan-intf
By enabling this plugin, you can provide DNS caching with fast resolution times to your network.
The instructions for installing and managing the plugin can be found here.
Assuming the below 128T configuration:
We can apply the following DNS cache plugin configuration:
|enabled||boolean||Default value: true. Governs whether the DNS cache is operationally enabled or not.|
|name||128T device name||Default value: |
|addresses||IPv4 address||Multiple instance object. This will specify the upstream DNS resolvers to use, overriding the ones normally used by the Linux host operating system on the machine.|
|ingress-service||reference||This refers to a configured |
|plugin-network||CIDR||Default value: 169.254.141.128/30. This controls the IP addresses used for the internal SFC network to detour packets to and from the on-board DNS cache. This should only be changed if there is a conflict with another IP block in use on this same host system.|
|tenant||reference||This is the tenant that will be assigned to the SFC interface (of type KNI). All packets leaving the DNS cache and heading toward an upstream DNS resolver will be associated with this tenant. For this reason, it is important that your 128T configuration also includes a |
|ingress-source-nat-pool||reference||This refers to a configured |
Notes about the Sample Configuration
ingress-service we have configured is
dns-catcher. This is a simple service that matches any IP address (0.0.0.0/0) and has a destination protocol and port of UDP/53. Our
dns-catcher service is set to allow the
lan-clients tenant (which is assigned to the LAN
network-interface), so any traffic arriving on this interface destined for UDP/53 will be detoured to the DNS cache.
The DNS cache will either respond locally (if there's an existing cache entry), or will forward the request to an upstream resolver. For the latter case, it will reenter the 128T's forwarding plane via the KNI interface (a.k.a. the "service function chain" interface) and be affiliated with the
Once in the 128T's data plane, this traffic will match the
internet service (we've added an
allow statement for the
dns-cache-plugin tenant), and be forwarded out to the upstream server(s).
Custom DNS Servers
To configure custom server addresses for dnsmasq instead of the ones affiliated with the host machine that the plugin is running on, add the
Redirecting and blocking domains
The DNS cache plugin will send all requests it processes to the list of servers provided in its configuration. Generally, these are configured as public DNS servers. However, many enterprises commonly host their own authoritative name server for their own domain (e.g., some-private-domain.com). The redirect-domains configuration lets administrators specify a distinct DNS server for a given domain, and 128T will use this when issuing queries for any host within that domain.
block-domains configuration allows the DNS server to block those domains by replying back with NXDOMAIN indicating that the domain name doesn't exist.
Third Party Software and Licenses
- dnsmasq (GNU GPL v2, v3)
To verify that the services are running properly on the 128T router:
systemctl status 128T-dns-cache-forwarder.service
systemctl status 128T-dns-cache-matcher.service
Verify that the dns-cache network interface (default
dns-cache-intf) is UP.
Release 1.1.0, 2.1.0
New Features and Improvements
- PLUGIN-641 Provide support for redirecting and blocking domains
Added support for redirecting domains to a different upstream domain server. In addition, added support for blocking domains that the user should not be able to access.
PLUGIN-684 DNS cache plugin fails to apply configuration on initial installation
Resolution: Make config handling on the router dependent on a successful plugin router RPM installation.
Release 1.0.1, 2.0.1
- PLUGIN-402 Ensure the application restarts with 128T