Updated on 2025-08-20 GMT+08:00

Configuring the NSCD Service to Accelerate Performance and Improve DNS Availability

A maximum of 2,000 DNS requests are allowed per second for a single ECS in a VPC. If the number of DNS requests per second exceeds the threshold, throttling may occur, and the availability (SLA) cannot be guaranteed.

To address this issue, you have the following solutions:

  • Increase the number of ECSs so that DNS requests can be distributed to more ECSs. This reduces the number of DNS query requests on each ECS.
  • Enable the Name Service Cache Daemon (NSCD) service for ECSs. NSCD can accelerate performance by caching the results of name service lookups.

    NSCD can introduce cache-related issues, such as delays in applying changes made to record sets.

You can refer to this FAQ to enable the NSCD service, which caches lookup results and reduces the number of DNS requests sent by a single ECS.

What Is NSCD?

NSCD is a system service that caches name service requests. It caches information from the passwd, group, hosts, services, and netgroup databases. NSCD improves the cache hit rate and service performance by reducing the number of lookups to name services. It also consumes only a little traffic.

Common Linux Commands for NSCD

Table 1 Common Linux commands for NSCD

| Command | Description |
|---|---|
| yum install -y nscd | Installs NSCD. |
| systemctl start nscd | Starts NSCD. |
| systemctl stop nscd | Stops NSCD. |
| systemctl restart nscd | Restarts NSCD. |
| systemctl status nscd | Checks the status of NSCD. |
| nscd -g | Returns the configuration of each parameter and the cache hit rate after the configuration is applied. |
| nscd -i | Invalidates the specified cached information in passwd, group, hosts, services, or netgroup databases. For example, nscd -i hosts is used to invalidate the cached information in the hosts database. |
| cat /etc/nscd.conf | Queries current NSCD configurations. |
| vi /etc/nscd.conf | Modifies NSCD configurations. |

Installing NSCD

NSCD is generally installed in a Linux operating system by default. To check if NSCD is installed and running on a Linux ECS, run the following command:

systemctl status nscd  # Check the running status of NSCD.

If the output is as follows, it indicates that NSCD is not installed.

Run the following command to install NSCD:

yum install -y nscd

Run the status command again. NSCD is now installed but not started yet.

Starting NSCD

Run the following command to start NSCD:

systemctl start nscd

Run the status command again. NSCD is now running.

  • Command for installing NSCD in CentOS/Red Hat: yum install -y nscd
  • Command for installing NSCD in Debian/Ubuntu: apt-get install -y nscd

Run the command below to view NSCD configurations. The default configuration file for NSCD is /etc/nscd.conf.

cat /etc/nscd.conf

For details, see Table 2.

Table 2 NSCD configurations

| Parameter | Description |
|---|---|
| reload-count | Specifies the number of times NSCD proactively queries and updates a successfully cached entry. |
| paranoia | Controls whether NSCD restarts itself periodically. When paranoia is enabled, NSCD will restart at regular intervals. |
| restart-interval | Specifies the interval of restarts if paranoia is enabled. |
| enable-cache | Specifies whether to enable cache. |
| positive-time-to-live | Specifies the time-to-live (TTL) of a successful cached entry. It indicates how long the cached information remains valid. |
| negative-time-to-live | Specifies the time for which unsuccessful name service lookups (negative entries) are cached. It is recommended that this parameter be set to 0 to prevent cached failures from affecting service requests. |
| check-files | Specifies whether to check the modification time of cached files like /etc/passwd, /etc/group, and /etc/hosts. If the files are modified after the last check, the cached files are invalidated. |
| persistent | Specifies whether to retain the cached information after NSCD restarts. It is recommended that persistent be enabled if paranoia is enabled. |
| shared | Specifies whether to share the NSCD databases with clients via memory mapping. The default value is yes. If you want to run nscd -g to query the cache hit rate, set shared to no. |
| max-db-size | Specifies the maximum allowable size of an NSCD database, in bytes. |

  • positive-time-to-live has no actual meaning. The TTL value returned by DNS requests is used.
  • You can run nscd -g to query the cache hit rate only when shared is set to no.
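
The recommendations in Table 2 can be checked against a configuration file with a short script. The following is an added example, not part of the original page: audit_nscd_hosts is a hypothetical helper name and the sample configuration is constructed.

```bash
#!/bin/sh
# Added example: audit the "hosts" cache settings of an nscd.conf file
# against the recommendations in Table 2. Helper name is hypothetical.

audit_nscd_hosts() {
  # $1: path to an nscd.conf file. Prints one finding per line.
  awk '
    /^[ \t]*(#|$)/ { next }                      # skip comments and blank lines
    NF == 2 { global[$1] = $2 }                  # global option: "paranoia no"
    NF == 3 && $2 == "hosts" { hosts[$1] = $3 }  # per-database option for hosts
    END {
      if (hosts["enable-cache"] != "yes")
        print "WARN enable-cache: hosts cache is off, every lookup goes to DNS"
      if (hosts["negative-time-to-live"] != "0")
        print "WARN negative-time-to-live: failed lookups are cached, set to 0"
      if (global["paranoia"] == "yes" && hosts["persistent"] != "yes")
        print "WARN persistent: paranoia is on, set persistent to yes"
      if (hosts["shared"] != "no")
        print "INFO shared: set to no before reading the hit rate with nscd -g"
    }
  ' "$1"
}

# Constructed sample configuration (not taken from a real host).
sample_conf=$(mktemp)
trap 'rm -f "$sample_conf"' EXIT
cat > "$sample_conf" <<'EOF'
# constructed sample
paranoia                yes
restart-interval        3600
reload-count            5
enable-cache            hosts   yes
positive-time-to-live   hosts   3600
negative-time-to-live   hosts   20
check-files             hosts   yes
persistent              hosts   no
shared                  hosts   yes
EOF

audit_nscd_hosts "$sample_conf"
```

On a real ECS, pass /etc/nscd.conf as the argument and restart NSCD after changing any value.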

Checking the Impact of NSCD Caching

Performing a dialing test when NSCD is stopped

  1. Run the following command on the ECS to capture UDP packets on port 53:
    tcpdump -i any udp and port 53
  2. When NSCD is stopped, run the following command on the ECS three consecutive times.
    ping -c 1 -n www.huaweicloud.com  # Ping the domain name www.huaweicloud.com.
  3. View the corresponding captured UDP packets. Three DNS requests are sent over port 53, and each request receives a response containing a DNS record set. This indicates that the DNS record sets are not cached, so the ECS has to send a DNS request over port 53 every time.

Performing a dialing test when NSCD is started

  1. Run the startup command to start NSCD and run the status query command to check whether NSCD has been enabled.
  2. When NSCD is started, run the command below on the ECS six consecutive times while capturing packets on port 53 of the ECS.
    ping -c 1 -n www.huaweicloud.com
  3. View the corresponding captured packets. Only the first DNS request is sent to port 53. This indicates that the subsequent DNS requests hit the DNS record set cached by NSCD and are not sent over port 53.
  • During packet capture, you will find that even after you have pinged the domain name, tcpdump still captures DNS requests for the domain name at regular intervals. This is caused by the automatic reload mechanism of NSCD and is normal. You can set reload-count to 0 to disable the automatic reload mechanism.
  • You can also run the following command to query the cache hit rate after you ping a domain name several times within a period.
    nscd -g  # Return the configuration of each parameter and the cache hit rate after the configuration takes effect.
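
The two dialing tests can be compared by counting the queries in the saved tcpdump output rather than reading it by eye. The script below is an added example, not part of the original page: the helper names are hypothetical, and the capture lines are constructed with documentation addresses.

```bash
#!/bin/sh
# Added example, not from the original page. Helper names are hypothetical.
# Input: text output of "tcpdump -i any udp and port 53" on stdin.

# count_queries NAME: print how many DNS queries for NAME left this host.
count_queries() {
  awk -v name="$1." '
    / > [^ ]+[.](53|domain): / {        # packet addressed to the DNS port
      for (i = 1; i < NF; i++)          # look for "<TYPE>? <name>."
        if ($i ~ /^[A-Z]+[?]$/ && $(i + 1) == name) n++
    }
    END { print n + 0 }'
}

# peak_qps: print "<count> <HH:MM:SS>" for the busiest second of outgoing
# queries, to compare with the 2,000 requests per second limit.
peak_qps() {
  awk '
    / > [^ ]+[.](53|domain): / {
      sec = substr($1, 1, 8)
      if (++n[sec] > max) { max = n[sec]; at = sec }
    }
    END { print max + 0, at }'
}

# Constructed captures (documentation addresses, not real traffic).
# NSCD stopped: three pings produce three queries.
capture_stopped='10:15:01.100001 IP 192.0.2.10.40001 > 198.51.100.2.53: 4660+ A? www.huaweicloud.com. (37)
10:15:01.102000 IP 198.51.100.2.53 > 192.0.2.10.40001: 4660 1/0/0 A 203.0.113.7 (53)
10:15:02.200001 IP 192.0.2.10.40002 > 198.51.100.2.53: 4661+ A? www.huaweicloud.com. (37)
10:15:02.202000 IP 198.51.100.2.53 > 192.0.2.10.40002: 4661 1/0/0 A 203.0.113.7 (53)
10:15:03.300001 IP 192.0.2.10.40003 > 198.51.100.2.53: 4662+ A? www.huaweicloud.com. (37)
10:15:03.302000 IP 198.51.100.2.53 > 192.0.2.10.40003: 4662 1/0/0 A 203.0.113.7 (53)'
# NSCD started: six pings, only the first one reaches port 53.
capture_started='10:20:01.100001 IP 192.0.2.10.40004 > 198.51.100.2.53: 4663+ A? www.huaweicloud.com. (37)
10:20:01.102000 IP 198.51.100.2.53 > 192.0.2.10.40004: 4663 1/0/0 A 203.0.113.7 (53)'

printf 'stopped: %s queries\n' "$(printf '%s\n' "$capture_stopped" | count_queries www.huaweicloud.com)"
printf 'started: %s queries\n' "$(printf '%s\n' "$capture_started" | count_queries www.huaweicloud.com)"
printf 'peak: %s\n' "$(printf '%s\n' "$capture_stopped" | peak_qps)"
```

Responses are ignored because their destination is the client's ephemeral port, so only requests that actually left the ECS are counted.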