[hcoop/zz_old/debian/djbdns.git] / debian / djbdns-man / dnscache.8

.TH dnscache 8

.SH NAME
dnscache \- a DNS cache.

.SH DESCRIPTION
This is a reference page.
For tutorial information, see the instructions for
.br
.B workstations
(http://cr.yp.to/djbdns/run-cache.html),
.br
.B home computers
(http://cr.yp.to/djbdns/run-cache-home.html),
.br
.B external caches
(http://cr.yp.to/djbdns/run-cache-x.html),
or
.br
.B upgrading from BIND
(http://cr.yp.to/djbdns/run-cache-bind-1.html).

.B dnscache
accepts recursive DNS queries
from local clients such as web browsers and mail transfer agents.
It collects responses from remote DNS servers.
It caches the responses to save time later.

.SH Configuration
Normally 
.B dnscache
is set up by the
.BR dnscache-conf (8)
program.

.B dnscache
runs chrooted in the directory
specified by the 
.I $ROOT
environment variable,
under the uid and gid
specified by the 
.I $UID
and 
.I $GID
environment variables.

.B dnscache
listens for incoming UDP packets and TCP connections
addressed to port 53 of 
.IR $IP .
Typically 
.I $IP
is 
.IR 127.0.0.1 ,
but it can also be an externally accessible IP address.

.B dnscache
accepts a packet or connection
from IP address 
.I 1.2.3.4
if it sees a file named 
.I ip/1.2.3.4
or 
.I ip/1.2.3
or 
.I ip/1.2
or 
.IR ip/1 .

.B dnscache
sends outgoing packets from high ports of 
.IR $IPSEND .
Typically 
.I $IPSEND
is 
.IR 0.0.0.0 ,
meaning the machine's primary IP address.

.B dnscache
reads a seed, up to 128 bytes,
from standard input,
and passes the seed to
dns_random_init.

.B dnscache
reads a list of dotted-decimal root server IP addresses,
one address per line,
from 
.IR servers/@ .
It also scans the 
.I servers
directory
for server IP addresses for other domains.
If there are addresses listed in 
.IR servers/moon.af.mil ,
for example,
then 
.B dnscache
will send queries for 
.I anything.moon.af.mil
to those addresses,
and will not cache records for 
.I anything.moon.af.mil
from outside servers such as the root servers.

Versions 1.03 and above:
If
.I $FORWARDONLY
is set,
.B dnscache
treats
.I servers/@
as a list of IP addresses
for other caches, not root servers.
It forwards queries to those caches the same way that a client does,
rather than contacting a chain of servers according to NS records.

.SH Memory use

.B dnscache
uses a fixed-size table, under 256K,
to keep track of as many as 200 simultaneous UDP queries
and 20 simultaneous TCP connections.
It also dynamically allocates memory,
usually just a few bytes but occasionally much more,
for each active query.
If it runs out of memory handling a query, it discards that query.

.B dnscache
asks the operating system to reserve a 128K buffer
for bursts of incoming UDP queries.
In versions 1.03 and above,
if a new UDP query arrives
when
.B dnscache
is already handling 200 simultaneous UDP queries,
.B dnscache
drops the oldest query.
If a new TCP connection arrives
when
.B dnscache
is already handling 20 simultaneous TCP connections,
.B dnscache
drops the oldest connection.

.B dnscache
uses a fixed-size cache,
as controlled by the 
.I $CACHESIZE
environment variable.
Roughly 5% of the cache is used for a hash table.
The rest is used for cache entries
(including 8-byte Y2038-compliant expiration times):

.TP
o
A sets.
22 bytes plus 4 bytes per address plus the length of the owner name.
.TP
o
NS sets or PTR sets or CNAME sets.
22 bytes plus the length of the owner name and all the data names.
.TP
o
MX sets.
22 bytes plus 2 bytes per MX plus the length of all the names.
.TP
o
Other record sets.
22 bytes plus 2 bytes per record
plus the length of all the data strings
plus the length of the owner name.
.TP
o
Nonexistent domain or server failure.
22 bytes plus the length of the owner name.

.P
Sets larger than 8192 bytes are not cached.

.B dnscache
does not exit when it runs out of space in its cache;
it simply removes the oldest entries to make more space.

.SH Resolution and caching policies

.B dnscache
relies on a configured list of root name servers.
In contrast, BIND starts from a ``hint file'' listing name servers,
and asks those name servers where the root name servers are.

.B dnscache
does not cache (or pass along) records outside the server's bailiwick;
those records could be poisoned.
Records for 
.IR foo.dom ,
for example,
are accepted only from the root servers,
the 
.I dom
servers, and the 
.I foo.dom
servers.

.B dnscache
does not bypass its cache
to obtain glue from the additional section of a response.
In particular, it will not use glue outside the server's bailiwick,
or glue with TTL 0,
or glue that violates other caching policies.

.B dnscache
caches records for at most a week.
It interprets TTLs above 2147483647 as 0.

.B dnscache
does not cache SOA records.
However, it does use SOA TTLs to determine cache times (up to an hour)
for zero-record responses and nonexistent domains.

.SH Responses to DNS clients

.BR dnscache 's
responses are generally much smaller than BIND's responses.
They do not include
authority records
(NS records of the source name servers
and SOA records for negative answers)
or additional records
(A records relevant to NS or MX records).
When the answer section is truncated by UDP length limits,
it is eliminated entirely.

.B dnscache
tries to prevent local users from snooping on other local users.
It discards non-recursive queries;
it discards inverse queries;
and it discards zone-transfer requests.
If
.I $HIDETTL
is set,
.B dnscache
always uses a TTL of 0 in its responses.
In versions before 1.03,
.B dnscache
always uses a TTL of 0 in its responses.

According to RFC 1035,
the AA bit ``specifies that the responding name server 
is an authority for the domain name in question section.''

.B dnscache
is not an authority for any domain names.

.B dnscache
never sets the AA bit
(except in NXDOMAIN responses, as required by RFC 2308,
to work around a common client bug).
In contrast, BIND often sets AA for positive responses
even when it is not an authority for the domain name.
(This appears to have been fixed in BIND 9.)

.SH Repeated IP addresses
If a server
sends
.B dnscache
a repeated IP address,
.B dnscache
passes the repeated IP address along to the client.
The server's behavior violates RFC 2181, section 5.5,
but there are reasonable uses of repeated IP addresses for load balancing,
so
.B dnscache
does not go out of its way to remove repetitions when they occur.

A widespread BIND server bug (apparently fixed in BIND 9.1)
can unintentionally produce repeated IP addresses.
Here is an example from one of the BIND company's servers (now fixed):

  % dnsq a ns-ext.vix.com ns-ext.vix.com
  1 ns-ext.vix.com:
  117 bytes, 1+1+2+2 records, response, authoritative, noerror
  query: 1 ns-ext.vix.com
  answer: ns-ext.vix.com 3600 A 204.152.184.64
  authority: vix.com 3600 NS ns-ext.vix.com
  authority: vix.com 3600 NS ns1.gnac.com
  additional: ns-ext.vix.com 3600 A 204.152.184.64
  additional: ns1.gnac.com 130768 A 209.182.195.77

This BIND bug is the most common reason
for users to see repeated IP addresses from
.BR dnscache .

.SH Special names

.B dnscache
handles 
.I localhost
internally,
giving it an A record of 127.0.0.1.

.B dnscache
handles 
.I 1.0.0.127.in-addr.arpa
internally,
giving it a PTR record of
.IR localhost .

.B dnscache
handles dotted-decimal domain names internally,
giving (e.g.) the domain name 
.I 192.48.96.2
an A record of 
.IR 192.48.96.2 .

.SH SEE ALSO
dnscache-conf(8)

http://cr.yp.to/djbdns.html
Commit	Line	Data
b4588d5c GP	1	.TH dnscache 8
	2
	3	.SH NAME
	4	dnscache \- a DNS cache.
	5
	6	.SH DESCRIPTION
	7	This is a reference page.
	8	For tutorial information, see the instructions for
	9	.br
	10	.B workstations
	11	(http://cr.yp.to/djbdns/run-cache.html),
	12	.br
	13	.B home computers
	14	(http://cr.yp.to/djbdns/run-cache-home.html),
	15	.br
	16	.B external caches
	17	(http://cr.yp.to/djbdns/run-cache-x.html),
	18	or
	19	.br
	20	.B upgrading from BIND
	21	(http://cr.yp.to/djbdns/run-cache-bind-1.html).
	22
	23	.B dnscache
	24	accepts recursive DNS queries
	25	from local clients such as web browsers and mail transfer agents.
	26	It collects responses from remote DNS servers.
	27	It caches the responses to save time later.
	28
	29	.SH Configuration
	30	Normally
	31	.B dnscache
	32	is set up by the
	33	.BR dnscache-conf (8)
	34	program.
	35
	36	.B dnscache
	37	runs chrooted in the directory
	38	specified by the
	39	.I $ROOT
	40	environment variable,
	41	under the uid and gid
	42	specified by the
	43	.I $UID
	44	and
	45	.I $GID
	46	environment variables.
	47
	48	.B dnscache
	49	listens for incoming UDP packets and TCP connections
	50	addressed to port 53 of
	51	.IR $IP .
	52	Typically
	53	.I $IP
	54	is
	55	.IR 127.0.0.1 ,
	56	but it can also be an externally accessible IP address.
	57
	58	.B dnscache
	59	accepts a packet or connection
	60	from IP address
	61	.I 1.2.3.4
	62	if it sees a file named
	63	.I ip/1.2.3.4
	64	or
65	.I ip/1.2.3
66	or
67	.I ip/1.2
68	or
69	.IR ip/1 .
70
71	.B dnscache
72	sends outgoing packets from high ports of
73	.IR $IPSEND .
74	Typically
75	.I $IPSEND
76	is
77	.IR 0.0.0.0 ,
78	meaning the machine's primary IP address.
79
80	.B dnscache
81	reads a seed, up to 128 bytes,
82	from standard input,
83	and passes the seed to
84	dns_random_init.
85
86	.B dnscache
87	reads a list of dotted-decimal root server IP addresses,
88	one address per line,
89	from
90	.IR servers/@ .
91	It also scans the
92	.I servers
93	directory
94	for server IP addresses for other domains.
95	If there are addresses listed in
96	.IR servers/moon.af.mil ,
97	for example,
98	then
99	.B dnscache
100	will send queries for
101	.I anything.moon.af.mil
102	to those addresses,
103	and will not cache records for
104	.I anything.moon.af.mil
105	from outside servers such as the root servers.
106
107	Versions 1.03 and above:
108	If
109	.I $FORWARDONLY
110	is set,
111	.B dnscache
112	treats
113	.I servers/@
114	as a list of IP addresses
115	for other caches, not root servers.
116	It forwards queries to those caches the same way that a client does,
117	rather than contacting a chain of servers according to NS records.
118
119	.SH Memory use
120
121	.B dnscache
122	uses a fixed-size table, under 256K,
123	to keep track of as many as 200 simultaneous UDP queries
124	and 20 simultaneous TCP connections.
125	It also dynamically allocates memory,
126	usually just a few bytes but occasionally much more,
127	for each active query.
128	If it runs out of memory handling a query, it discards that query.
129
130	.B dnscache
131	asks the operating system to reserve a 128K buffer
132	for bursts of incoming UDP queries.
133	In versions 1.03 and above,
134	if a new UDP query arrives
135	when
136	.B dnscache
137	is already handling 200 simultaneous UDP queries,
138	.B dnscache
139	drops the oldest query.
140	If a new TCP connection arrives
141	when
142	.B dnscache
143	is already handling 20 simultaneous TCP connections,
144	.B dnscache
145	drops the oldest connection.
146
147	.B dnscache
148	uses a fixed-size cache,
149	as controlled by the
150	.I $CACHESIZE
151	environment variable.
152	Roughly 5% of the cache is used for a hash table.
153	The rest is used for cache entries
154	(including 8-byte Y2038-compliant expiration times):
155
156	.TP
157	o
158	A sets.
159	22 bytes plus 4 bytes per address plus the length of the owner name.
160	.TP
161	o
162	NS sets or PTR sets or CNAME sets.
163	22 bytes plus the length of the owner name and all the data names.
164	.TP
165	o
166	MX sets.
167	22 bytes plus 2 bytes per MX plus the length of all the names.
168	.TP
169	o
170	Other record sets.
171	22 bytes plus 2 bytes per record
172	plus the length of all the data strings
173	plus the length of the owner name.
174	.TP
175	o
176	Nonexistent domain or server failure.
177	22 bytes plus the length of the owner name.
178
179	.P
180	Sets larger than 8192 bytes are not cached.
181
182	.B dnscache
183	does not exit when it runs out of space in its cache;
184	it simply removes the oldest entries to make more space.
185
186	.SH Resolution and caching policies
187
188	.B dnscache
189	relies on a configured list of root name servers.
190	In contrast, BIND starts from a ``hint file'' listing name servers,
191	and asks those name servers where the root name servers are.
192
193	.B dnscache
194	does not cache (or pass along) records outside the server's bailiwick;
195	those records could be poisoned.
196	Records for
197	.IR foo.dom ,
198	for example,
199	are accepted only from the root servers,
200	the
201	.I dom
202	servers, and the
203	.I foo.dom
204	servers.
205
206	.B dnscache
207	does not bypass its cache
208	to obtain glue from the additional section of a response.
209	In particular, it will not use glue outside the server's bailiwick,
210	or glue with TTL 0,
211	or glue that violates other caching policies.
212
213	.B dnscache
214	caches records for at most a week.
215	It interprets TTLs above 2147483647 as 0.
216
217	.B dnscache
218	does not cache SOA records.
219	However, it does use SOA TTLs to determine cache times (up to an hour)
220	for zero-record responses and nonexistent domains.
221
222	.SH Responses to DNS clients
223
224	.BR dnscache 's
225	responses are generally much smaller than BIND's responses.
226	They do not include
227	authority records
228	(NS records of the source name servers
229	and SOA records for negative answers)
230	or additional records
231	(A records relevant to NS or MX records).
232	When the answer section is truncated by UDP length limits,
233	it is eliminated entirely.
234
235	.B dnscache
236	tries to prevent local users from snooping on other local users.
237	It discards non-recursive queries;
238	it discards inverse queries;
239	and it discards zone-transfer requests.
240	If
241	.I $HIDETTL
242	is set,
243	.B dnscache
244	always uses a TTL of 0 in its responses.
245	In versions before 1.03,
246	.B dnscache
247	always uses a TTL of 0 in its responses.
248
249	According to RFC 1035,
250	the AA bit ``specifies that the responding name server
251	is an authority for the domain name in question section.''
252
253	.B dnscache
254	is not an authority for any domain names.
255
256	.B dnscache
257	never sets the AA bit
258	(except in NXDOMAIN responses, as required by RFC 2308,
259	to work around a common client bug).
260	In contrast, BIND often sets AA for positive responses
261	even when it is not an authority for the domain name.
262	(This appears to have been fixed in BIND 9.)
263
264	.SH Repeated IP addresses
265	If a server
266	sends
267	.B dnscache
268	a repeated IP address,
269	.B dnscache
270	passes the repeated IP address along to the client.
271	The server's behavior violates RFC 2181, section 5.5,
272	but there are reasonable uses of repeated IP addresses for load balancing,
273	so
274	.B dnscache
275	does not go out of its way to remove repetitions when they occur.
276
277	A widespread BIND server bug (apparently fixed in BIND 9.1)
278	can unintentionally produce repeated IP addresses.
279	Here is an example from one of the BIND company's servers (now fixed):
280
281	% dnsq a ns-ext.vix.com ns-ext.vix.com
282	1 ns-ext.vix.com:
283	117 bytes, 1+1+2+2 records, response, authoritative, noerror
284	query: 1 ns-ext.vix.com
285	answer: ns-ext.vix.com 3600 A 204.152.184.64
286	authority: vix.com 3600 NS ns-ext.vix.com
287	authority: vix.com 3600 NS ns1.gnac.com
288	additional: ns-ext.vix.com 3600 A 204.152.184.64
289	additional: ns1.gnac.com 130768 A 209.182.195.77
290
291	This BIND bug is the most common reason
292	for users to see repeated IP addresses from
293	.BR dnscache .
294
295	.SH Special names
296
297	.B dnscache
298	handles
299	.I localhost
300	internally,
301	giving it an A record of 127.0.0.1.
302
303	.B dnscache
304	handles
305	.I 1.0.0.127.in-addr.arpa
306	internally,
307	giving it a PTR record of
308	.IR localhost .
309
310	.B dnscache
311	handles dotted-decimal domain names internally,
312	giving (e.g.) the domain name
313	.I 192.48.96.2
314	an A record of
315	.IR 192.48.96.2 .
316
317	.SH SEE ALSO
318	dnscache-conf(8)
319
320	http://cr.yp.to/djbdns.html