Each ECS instance in a VPC has a DNS query limit of 5,000 queries per second. You can mitigate rate limiting by scaling out ECS instances or enabling the nscd caching service.
Each Elastic Compute Service (ECS) instance in a Virtual Private Cloud (VPC) has a DNS query limit of 5,000 queries per second. If the number of DNS queries from a single instance exceeds this threshold, the instance is subject to rate limiting and the availability SLA cannot be guaranteed. To mitigate this issue, consider the following approaches:
- Scale out ECS instances so that DNS queries are spread across more instances and the per-instance query volume drops below the limit.
- Enable the nscd (Name Service Cache Daemon) service on the ECS instance so that repeated lookups are answered from a local cache instead of being sent to the VPC DNS server.
Note: When nscd is enabled, changes to DNS records take longer to take effect on the instance, because a cached answer is served until its TTL expires. Account for this lag before relying on a DNS change (for example, a failover) to redirect traffic quickly.
What is nscd?
nscd is a system cache service that caches name service lookups such as passwd, group, hosts, services, and netgroup. It reduces the number of name service queries and the resulting network traffic, so responses are faster. This guide focuses on the hosts database, which is the cache that reduces the DNS queries sent from an ECS instance.
Common Linux commands for nscd
| Command | Description |
| --- | --- |
| yum install -y nscd | Install nscd (yum-based distributions such as CentOS and Red Hat). |
| systemctl start nscd | Start nscd. |
| systemctl stop nscd | Stop nscd. |
| systemctl restart nscd | Restart nscd (required after editing /etc/nscd.conf). |
| systemctl status nscd | Query the operational status of nscd. |
| nscd -g | Print the effective value of every configuration parameter and the cache hit ratio statistics. |
| nscd -i <database> | Invalidate the specified cache; <database> can be passwd, group, hosts, services, netgroup, and so on. For example, nscd -i hosts flushes the hosts cache after a DNS record has changed. |
| cat /etc/nscd.conf | Show the current nscd configuration. |
| vi /etc/nscd.conf | Edit nscd configuration parameters. |
Installing nscd
nscd may already be installed on your ECS instance, depending on the image. To check, run the following command:
systemctl status nscd # Check the running status of nscd.
If the output reports that the unit cannot be found (for example, Unit nscd.service could not be found.), nscd is not installed.
Run the following command to install nscd:
yum install -y nscd
Run the status command again. nscd is now installed but not running: the status is reported as inactive (dead).
Enabling the nscd service
Run the following command to start nscd:
systemctl start nscd
To also start nscd automatically at boot, run systemctl enable --now nscd instead; otherwise the service only runs until the next reboot.
Run the status command again to verify that nscd is active (running).
Note: To install nscd on a CentOS or Red Hat operating system, run yum install -y nscd. To install nscd on a Debian or Ubuntu operating system, run apt-get install -y nscd.
Nscd configuration parameters
The default configuration file for nscd is /etc/nscd.conf. Run the following command to view the configuration:
cat /etc/nscd.conf

Key configuration parameter descriptions
| Configuration parameter | Description |
| --- | --- |
| debug-level | Verbosity of nscd's debug logging. The default is 0 (no debug output). |
| reload-count | The number of times an expired entry is reloaded in the background (without being requested by a client) before it is removed from the cache. |
| paranoia | Paranoia mode. If enabled, nscd restarts itself periodically. |
| restart-interval | The interval, in seconds, between automatic restarts when paranoia mode is enabled. |
| enable-cache | Enables the cache for the specified database (for example, enable-cache hosts yes). |
| positive-time-to-live | The TTL, in seconds, for cached successful lookups. |
| negative-time-to-live | The TTL, in seconds, for cached failed lookups. Set this to 0 for hosts so that a name that fails to resolve once (for example, a record that has not propagated yet) is not reported as missing to subsequent requests. |
| check-files | Periodically checks whether the files behind a database (/etc/passwd, /etc/group, /etc/hosts) have been modified. If a change is detected, the corresponding cache is invalidated. |
| persistent | Retains cache content across nscd restarts. Recommended when paranoia mode is enabled. |
| shared | Shares the memory mapping of the nscd database with clients, so that clients look up entries directly. Defaults to yes. To query the cache hit ratio with |
| max-db-size | The maximum size of the nscd cache database, in bytes. |
Note: The positive-time-to-live setting has no practical effect on DNS caching, because for answers obtained from DNS the cache lifetime is the TTL returned in the DNS response.
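The following script is an added example, not code from the original page or from nscd itself. It edits the hosts-cache settings described in the table above in an nscd.conf-style file idempotently (an existing line, even a commented-out default, is replaced rather than duplicated) and reads them back. The sample configuration it writes is constructed for the demonstration; on a real instance, point apply_hosts_cache_settings at /etc/nscd.conf as root and then run systemctl restart nscd.

```shell
#!/bin/sh
# Added example (not part of the original page): edit hosts-cache settings in an
# nscd.conf-style file idempotently, then read them back. The sample file below
# is constructed; use /etc/nscd.conf (as root) on a real instance.
set -eu

# Turn a key such as "enable-cache hosts" into "enable-cache[[:space:]]+hosts".
key_regex() {
  printf '%s' "$1" | sed 's/ /[[:space:]]+/g'
}

# set_nscd_param FILE KEY VALUE
#   KEY is "<param>" for global settings (reload-count, paranoia, ...) or
#   "<param> <db>" for per-database settings ("enable-cache hosts", ...).
#   The first existing line for KEY, even one commented out with '#', is
#   replaced and any further copies dropped; otherwise the setting is appended.
set_nscd_param() {
  file=$1; key=$2; value=$3
  re="^[[:space:]]*#?[[:space:]]*$(key_regex "$key")([[:space:]]|$)"
  tmp=$(mktemp)
  if grep -Eq "$re" "$file"; then
    awk -v re="$re" -v line="$key  $value" \
        '$0 ~ re { if (!done) { print line; done = 1 }; next } { print }' \
        "$file" > "$tmp"
  else
    cat "$file" > "$tmp"
    printf '%s  %s\n' "$key" "$value" >> "$tmp"
  fi
  cat "$tmp" > "$file"
  rm -f "$tmp"
}

# get_nscd_param FILE KEY -> prints the effective (uncommented) value, if any.
get_nscd_param() {
  file=$1; key=$2
  re="^[[:space:]]*$(key_regex "$key")[[:space:]]+"
  awk -v re="$re" '$0 ~ re { v = $NF } END { if (v != "") print v }' "$file"
}

# apply_hosts_cache_settings FILE
#   The hosts-cache settings this page recommends: cache hosts lookups, do not
#   cache failed lookups, invalidate when /etc/hosts changes, and (per the
#   Important note in the test section) reload-count 0 so that expired entries
#   are not refreshed in the background.
apply_hosts_cache_settings() {
  file=$1
  set_nscd_param "$file" "enable-cache hosts" yes
  set_nscd_param "$file" "negative-time-to-live hosts" 0
  set_nscd_param "$file" "check-files hosts" yes
  set_nscd_param "$file" "reload-count" 0
}

# write_sample_conf FILE: constructed stand-in for /etc/nscd.conf in the same
# "<param> <db> <value>" layout, including commented-out defaults.
write_sample_conf() {
  cat > "$1" <<'EOF'
#	logfile			/var/log/nscd.log
#	debug-level		0
	paranoia		no
#	reload-count		5
	enable-cache		hosts		yes
	positive-time-to-live	hosts		3600
	negative-time-to-live	hosts		20
	persistent		hosts		yes
	shared			hosts		yes
EOF
}

# Demonstration on the constructed sample; on a real instance run
#   apply_hosts_cache_settings /etc/nscd.conf && systemctl restart nscd
demo=$(mktemp)
write_sample_conf "$demo"
apply_hosts_cache_settings "$demo"
grep -E 'hosts|reload-count' "$demo"
rm -f "$demo"
```

The replacement keeps the file's other lines untouched, so a commented-out default such as `#	reload-count		5` becomes an active `reload-count  0` rather than a second, conflicting line further down. nscd reads the file only at startup, so the restart is part of the change.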
Testing nscd cache effectiveness
Testing with nscd disabled
- Run the following command on the ECS instance to capture UDP packets on port 53. The -nn option stops tcpdump from resolving addresses and ports itself; without it, tcpdump's own reverse lookups add DNS queries to the capture and distort the result:
tcpdump -i any -nn udp and port 53
- Then, with nscd disabled, run the following command on the ECS instance three times in a row:
ping -c 1 -n www.taobao.com # Send one ping to the domain name www.taobao.com.
- Check the capture. Three DNS queries appear on port 53, each followed by a response carrying the resolution record. This confirms that DNS responses are not cached and that the ECS instance sends a new query through port 53 every time.
Testing with nscd enabled
- Run the start command to enable the nscd service, and confirm with the status command that nscd is running.
- With nscd enabled, run the following command on the ECS instance six times in a row, while capturing packets on port 53 as before:
ping -c 1 -n www.taobao.com
- Check the capture. Only one DNS query appears on port 53 (provided the record's TTL does not expire during the test); the remaining five lookups are answered from the nscd cache instead of going through port 53.
Important: During packet capture, you may notice that tcpdump still records DNS queries after the ping command has completed. These are produced by nscd's active refresh of expiring entries (see reload-count) and are expected. To disable active refresh, set the reload-count parameter to 0 and restart nscd.
- You can also check the cache hit statistics. Run the ping command several times, then run:
nscd -g # Print the effective configuration and the cache hit ratio statistics.
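The script below is an added example, not part of the original page, that turns the before/after comparison above into numbers: it counts the outbound queries for a name, lists the busiest names, and reports the peak queries per second, which is the figure to keep under the 5,000 queries/s per-instance limit. It reads tcpdump output captured with tcpdump -i any -nn -l udp port 53. The capture embedded in sample_capture is constructed (the addresses, query IDs and CNAME are illustrative; 100.100.2.136 stands in for the VPC DNS server).

```shell
#!/bin/sh
# Added example (not part of the original page): summarize DNS queries in a
# tcpdump -nn capture. Real input:  tcpdump -i any -nn -l udp port 53 | tee dns.txt
# The capture below is constructed for the demonstration.
set -eu

# sample_capture: constructed tcpdump -nn lines with three A queries for
# www.taobao.com and one AAAA query for another name, all within two seconds.
sample_capture() {
  cat <<'EOF'
12:00:01.000100 IP 192.168.0.10.40001 > 100.100.2.136.53: 11111+ A? www.taobao.com. (32)
12:00:01.000900 IP 100.100.2.136.53 > 192.168.0.10.40001: 11111 2/0/0 CNAME www.taobao.com.cname.example., A 203.0.113.10 (80)
12:00:01.500100 IP 192.168.0.10.40002 > 100.100.2.136.53: 22222+ A? www.taobao.com. (32)
12:00:01.500900 IP 100.100.2.136.53 > 192.168.0.10.40002: 22222 2/0/0 CNAME www.taobao.com.cname.example., A 203.0.113.10 (80)
12:00:01.700100 IP 192.168.0.10.40003 > 100.100.2.136.53: 33333+ AAAA? mirrors.example.com. (37)
12:00:01.700900 IP 100.100.2.136.53 > 192.168.0.10.40003: 33333 0/1/0 (96)
12:00:02.000100 IP 192.168.0.10.40004 > 100.100.2.136.53: 44444+ A? www.taobao.com. (32)
12:00:02.000900 IP 100.100.2.136.53 > 192.168.0.10.40004: 44444 2/0/0 CNAME www.taobao.com.cname.example., A 203.0.113.10 (80)
EOF
}

# count_dns_queries NAME < capture
#   Number of outbound A/AAAA queries for NAME. Query lines go to port 53 and
#   carry the name followed by "?"; answer lines come from port 53 and are skipped.
count_dns_queries() {
  esc=$(printf '%s' "$1" | sed 's/\./\\./g')
  grep -Ec "> [0-9.]+[.]53: [0-9]+[+]? (A|AAAA)[?] ${esc}[.]? " || true
}

# count_dns_queries_per_name < capture
#   Each queried name with its query count, busiest first: the names that
#   benefit most from the nscd hosts cache.
count_dns_queries_per_name() {
  awk '/[.]53: [0-9]+[+]? (A|AAAA)[?] / { sub(/[.]$/, "", $(NF-1)); n[$(NF-1)]++ }
       END { for (k in n) print n[k], k }' | sort -rn
}

# max_dns_qps < capture
#   Peak number of outbound queries in any one-second bucket (timestamp field
#   without its fraction), to compare against the per-instance limit.
max_dns_qps() {
  awk '/[.]53: [0-9]+[+]? (A|AAAA)[?] / { split($1, t, "."); n[t[1]]++ }
       END { m = 0; for (s in n) if (n[s] > m) m = n[s]; print m + 0 }'
}

# With nscd disabled, expect one query per ping; with nscd enabled, expect the
# first query only (plus background refreshes unless reload-count is 0).
sample_capture | count_dns_queries www.taobao.com
sample_capture | count_dns_queries_per_name
sample_capture | max_dns_qps
```

Run the same functions over a capture taken while nscd is disabled and again while it is enabled: the per-name count for www.taobao.com should drop from one per ping to one in total, and max_dns_qps shows how far the instance sits from the 5,000 queries/s limit under real load.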