Tuesday, August 4, 2009

Cache it, cache it, cache it!

Now that we have a [semi] working box, we can "boost" the connection by adding caching. We can add caching for:
  • dns queries: We already did that when setting up dnsmasq.
  • Web: a squid proxy will do the job.
Even if dnsmasq was extremely easy to configure, it has a big disadvantage: it does not keep the cache between two reboots. Personally, my box reboots at least once a day, so if I can keep the cache it would be great. After googling for a while, I figured out that dnsmasq does not have permanent caching :(. That's very sad. However, there is another another proxy dns server called pdnsd, keeping the cache permanently, ie surviving the reboots.

Here is my configuration file:

global {
perm_cache=1024;
cache_dir="/var/cache/pdnsd";
run_as="nobody";
server_ip = ath0; # Use eth0 here if you want to allow other
# machines on your network to query pdnsd.
status_ctl = on;
# but may make pdnsd less efficient, unfortunately.
query_method=udp_tcp;
min_ttl=15m; # Retain cached entries at least 15 minutes.
max_ttl=2w; #
timeout=10; # Global timeout option (10 seconds).
server_port=53;
daemon=on;
}

server {
ip="83.219.127.194";
label= "resolvconf";
# This may be necessary if you are behind some
# kind of firewall and cannot receive replies
# from outside name servers.
timeout=4; # Server timeout; this may be much shorter
# that the global timeout option.
uptest=if; # Test if the network interface is active.
interface=ath0; # The name of the interface to check.
interval=10m; # Check every 10 minutes.
purge_cache=off; # Keep stale cache entries in case the ISP's
# DNS servers go offline.
}


I put server_ip = ath0 to listen to my WPA encrypted interface. The IP entry is one of the /etc/resolv.conf file. This is not really interesting to have to import manually the nameserver from resolv.conf, but it is not really hard to do a small script that does it. There are plenty of ressources for that on the net.

If the router's IP address is 192.168.100.1, you have to add "nameserver 192.168.100.1" to the client's resolv.conf. Then, you can test that it is working properly (from the client):


> dig @192.168.100.1 mycokemusic.ch mx

;; QUESTION SECTION:
;mycokemusic.ch. IN MX

;; ANSWER SECTION:
mycokemusic.ch. 3600 IN MX 10 mx.eunet.at.

;; AUTHORITY SECTION:
mycokemusic.ch. 3587 IN NS ns3.ko.com.
mycokemusic.ch. 3587 IN NS ns4.ko.com.

;; ADDITIONAL SECTION:
ns3.ko.com. 123575 IN A 205.160.52.52
ns4.ko.com. 49422 IN A 205.160.52.53

;; Query time: 365 msec
;; SERVER: 192.168.100.1#53(192.168.100.1)
;; WHEN: Tue Aug 4 20:34:38 2009
;; MSG SIZE rcvd: 133





> dig @192.168.100.1 mycokemusic.ch mx

;; QUESTION SECTION:
;mycokemusic.ch. IN MX

;; ANSWER SECTION:
mycokemusic.ch. 3597 IN MX 10 mx.eunet.at.

;; AUTHORITY SECTION:
mycokemusic.ch. 3584 IN NS ns3.ko.com.
mycokemusic.ch. 3584 IN NS ns4.ko.com.

;; ADDITIONAL SECTION:
ns3.ko.com. 123572 IN A 205.160.52.52
ns4.ko.com. 49419 IN A 205.160.52.53

;; Query time: 1 msec
;; SERVER: 192.168.100.1#53(192.168.100.1)
;; WHEN: Tue Aug 4 20:34:41 2009
;; MSG SIZE rcvd: 133


We passed from 365ms to 1ms, which is not bad. Note that since we are not using dnmasq for its dns proxy settings, we have to deactivate it. I did not find how to disable it, so I simply added port=1 to the dnsmasq.conf.

Now it's time for squid. As you probably now, squid has a feature called "accelerator mode". The idea here is that we want to configure the proxy and the user not to have to configure it manually (ie transparent proxying).
I did not change a lot from the squid.conf default file. I added the following at the end of the file:

acl port80 port 80
http_access allow port80
always_direct allow all


I also changed the file were the cache is written, due to the partitioning of my CF.

cache_mem 100 MB
cache_dir ufs /home/squid/ 100 16 256


After that, squid is opened on port 3128. We want to redirect all the http traffic toward the squid proxy (the same way we did for sslstrip)

iptables -t nat -A PREROUTING -i ath0 -p tcp --dport 80 -j REDIRECT --to-port 3128


From the client, you should be able to connect to the net, without having to modify the network settings of your browser.

By using these two caching methods we substantially decreased the amount of internet traffic ;)

No comments:

Post a Comment