Proxy servers commonly need to perform two kinds of DNS lookups: forward lookups, which resolve a hostname to an IP address, and reverse lookups, which find the hostname for a given IP address. Each lookup normally means contacting a DNS server, so it adds latency to the request it is serving. It is therefore important to optimize these lookups in order to minimize their impact on proxy performance.

The main goal in optimizing DNS lookups of any kind is to avoid external lookups whenever possible: the more lookups the proxy performs, the bigger the hit on its performance. The lookups cannot be eliminated altogether, since without a way to determine IP addresses and hostnames the proxy cannot fetch the URLs requested of it. What can be done is to reduce the number of lookups that actually leave the box, and the standard method is DNS caching: an answer is kept locally for the lifetime of its TTL (and a failed lookup for a shorter period, so the same unresolvable address is not retried on every request) and reused, so a popular destination costs one round trip rather than one per request.

Reverse DNS lookups are used when the IP address is known but the hostname is needed. This is usually the case for inbound connections, where the receiver wants to know which host the connection came from. The socket can be queried for the peer's IP address, but no hostname is available from it, because TCP/IP works with IP addresses and not DNS hostnames; the hostname has to be obtained with a separate PTR query for that address.

Reverse DNS requests are commonly needed to apply access rights and controls, because these are usually assigned by client hostname or domain name rather than by IP address. For example, it is typical to grant internet rights to specific named clients or to members of a domain group; the IP address is not normally used to control rights in this way. One caveat a practitioner should keep in mind: the PTR record for an address is controlled by whoever administers that address's reverse zone, so a hostname obtained this way should only be trusted for access control if it is forward-confirmed, that is, the returned name resolves back to the same IP address. Most proxy logs also record clients by hostname, as names are much easier to track and follow than bare numerical addresses. This makes it easier to troubleshoot things like people using external DNS servers to watch the American version of Netflix from their office!

If there is no requirement for DNS hostnames to be used for access control, then it is often feasible to turn reverse DNS lookups off; doing so will noticeably boost the performance of any internet-connected proxy server. Although having hostnames in the logs is convenient, that alone is not worth the performance cost at request time. If hostnames are required, the logs can be enriched afterwards by resolving the logged IP addresses offline.

Updating the logs with resolved hostnames is much more efficient when done as a single batch. Individual IP addresses are likely to be repeated many times in the logs, and in a batch each distinct address needs only one request. On proxy servers in particular the saving is significant, because the traffic tends to concentrate on a relatively small set of addresses that are requested over and over.
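As an added example (not code from the original post), the following Python script puts together the two ideas above: a reverse-lookup cache that keeps both answers and failures for a TTL, a batch pass that resolves each distinct client IP in a proxy log exactly once, and a forward-confirmation check that only trusts a PTR name if it resolves back to the same address. The log lines, the PTR data and the A-record data are constructed for the example so that it runs offline; the real OS resolver functions are included for use against a live network. Field layout (client IP in the second column) is an assumption about the log format.

```python
import socket
import time


def system_reverse_lookup(ip):
    """Real PTR lookup via the OS resolver; raises socket.herror when there is no PTR."""
    return socket.gethostbyaddr(ip)[0]


def system_forward_lookup(name):
    """Real A/AAAA lookup; returns the addresses the name resolves to."""
    return sorted({info[4][0] for info in socket.getaddrinfo(name, None)})


class ReverseCache:
    """Caches reverse lookups, including failures (negative caching), so a busy
    address costs one DNS round trip per TTL instead of one per request."""

    def __init__(self, resolver=system_reverse_lookup, ttl=300.0,
                 negative_ttl=60.0, clock=time.monotonic):
        self._resolver = resolver
        self._ttl = ttl
        self._negative_ttl = negative_ttl
        self._clock = clock
        self._entries = {}       # ip -> (hostname or None, expiry time)
        self.resolver_calls = 0  # how many lookups actually went to the resolver

    def lookup(self, ip):
        now = self._clock()
        entry = self._entries.get(ip)
        if entry is not None and entry[1] > now:
            return entry[0]          # cache hit (positive or negative)
        self.resolver_calls += 1
        try:
            name = self._resolver(ip)
            expiry = now + self._ttl
        except OSError:              # socket.herror / gaierror are OSError subclasses
            name = None
            expiry = now + self._negative_ttl
        self._entries[ip] = (name, expiry)
        return name


def forward_confirmed(ip, name, forward=system_forward_lookup):
    """Forward-confirmed reverse DNS: the PTR zone belongs to the address owner,
    so a name is only trusted if it resolves back to the address it came from."""
    if name is None:
        return False
    try:
        return ip in forward(name)
    except OSError:
        return False


def enrich_log(log_text, cache):
    """Batch enrichment: resolve each distinct client IP once, then append the
    hostname (or '-' when there is no PTR) to every line in a second pass."""
    lines = [ln for ln in log_text.splitlines() if ln.strip()]
    unique_ips = {ln.split()[1] for ln in lines}            # assumed: IP is field 2
    names = {ip: cache.lookup(ip) for ip in sorted(unique_ips)}
    return [f"{ln} {names[ln.split()[1]] or '-'}" for ln in lines]


# --- constructed sample data so the example runs offline (hypothetical) ---
SAMPLE_LOG = """\
1466251510.123 203.0.113.10 GET http://example.com/ 200
1466251511.456 198.51.100.7 GET http://example.org/a 304
1466251512.789 203.0.113.10 GET http://example.com/b 200
1466251513.012 192.0.2.55 CONNECT example.net:443 200
1466251514.345 203.0.113.10 GET http://example.com/c 200
"""
FAKE_PTR = {"203.0.113.10": "client1.example.com", "198.51.100.7": "host7.example.org"}
FAKE_A = {"client1.example.com": ["203.0.113.10"], "host7.example.org": ["198.51.100.99"]}


def fake_reverse(ip):
    if ip in FAKE_PTR:
        return FAKE_PTR[ip]
    raise socket.herror(1, "Unknown host")          # behaves like a missing PTR


def fake_forward(name):
    if name in FAKE_A:
        return FAKE_A[name]
    raise socket.gaierror(-2, "Name or service not known")


def demo():
    """Enrich the sample log and forward-confirm each client; returns the
    enriched lines, the number of resolver calls made, and the confirmations."""
    cache = ReverseCache(resolver=fake_reverse)
    lines = enrich_log(SAMPLE_LOG, cache)
    checks = {ip: forward_confirmed(ip, cache.lookup(ip), fake_forward)
              for ip in sorted({ln.split()[1] for ln in lines})}
    return lines, cache.resolver_calls, checks


if __name__ == "__main__":
    for line in demo()[0]:
        print(line)
```

Five log lines carry three distinct addresses, so the batch costs three resolver calls rather than five, and the later forward-confirmation lookups are served from the cache. Note that 198.51.100.7 has a PTR record, but the name it returns points at a different address, so it is not confirmed and should not be used to grant it any rights. To run this against a real log, replace `fake_reverse` and `fake_forward` with the system lookup functions at the top of the block.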

John Halliwell
http://www.iplayerabroad.com/2016/07/20/bbc-vpn-block-real/
