Commit | Line | Data |
---|---|---|
b4588d5c GP |
1 | .TH dnscache 8 |
2 | ||
3 | .SH NAME | |
4 | dnscache \- a DNS cache. | |
5 | ||
6 | .SH DESCRIPTION | |
7 | This is a reference page. | |
8 | For tutorial information, see the instructions for | |
9 | .br | |
10 | .B workstations | |
11 | (http://cr.yp.to/djbdns/run-cache.html), | |
12 | .br | |
13 | .B home computers | |
14 | (http://cr.yp.to/djbdns/run-cache-home.html), | |
15 | .br | |
16 | .B external caches | |
17 | (http://cr.yp.to/djbdns/run-cache-x.html), | |
18 | or | |
19 | .br | |
20 | .B upgrading from BIND | |
21 | (http://cr.yp.to/djbdns/run-cache-bind-1.html). | |
22 | ||
23 | .B dnscache | |
24 | accepts recursive DNS queries | |
25 | from local clients such as web browsers and mail transfer agents. | |
26 | It collects responses from remote DNS servers. | |
27 | It caches the responses to save time later. | |
28 | ||
29 | .SH Configuration | |
30 | Normally | |
31 | .B dnscache | |
32 | is set up by the | |
33 | .BR dnscache-conf (8) | |
34 | program. | |
35 | ||
36 | .B dnscache | |
37 | runs chrooted in the directory | |
38 | specified by the | |
39 | .I $ROOT | |
40 | environment variable, | |
41 | under the uid and gid | |
42 | specified by the | |
43 | .I $UID | |
44 | and | |
45 | .I $GID | |
46 | environment variables. | |
47 | ||
48 | .B dnscache | |
49 | listens for incoming UDP packets and TCP connections | |
50 | addressed to port 53 of | |
51 | .IR $IP . | |
52 | Typically | |
53 | .I $IP | |
54 | is | |
55 | .IR 127.0.0.1 , | |
56 | but it can also be an externally accessible IP address. | |
57 | ||
58 | .B dnscache | |
59 | accepts a packet or connection | |
60 | from IP address | |
61 | .I 1.2.3.4 | |
62 | if it sees a file named | |
63 | .I ip/1.2.3.4 | |
64 | or | |
65 | .I ip/1.2.3 | |
66 | or | |
67 | .I ip/1.2 | |
68 | or | |
69 | .IR ip/1 . | |
70 | ||
71 | .B dnscache | |
72 | sends outgoing packets from high ports of | |
73 | .IR $IPSEND . | |
74 | Typically | |
75 | .I $IPSEND | |
76 | is | |
77 | .IR 0.0.0.0 , | |
78 | meaning the machine's primary IP address. | |
79 | ||
80 | .B dnscache | |
81 | reads a seed, up to 128 bytes, | |
82 | from standard input, | |
83 | and passes the seed to | |
84 | dns_random_init. | |
85 | ||
86 | .B dnscache | |
87 | reads a list of dotted-decimal root server IP addresses, | |
88 | one address per line, | |
89 | from | |
90 | .IR servers/@ . | |
91 | It also scans the | |
92 | .I servers | |
93 | directory | |
94 | for server IP addresses for other domains. | |
95 | If there are addresses listed in | |
96 | .IR servers/moon.af.mil , | |
97 | for example, | |
98 | then | |
99 | .B dnscache | |
100 | will send queries for | |
101 | .I anything.moon.af.mil | |
102 | to those addresses, | |
103 | and will not cache records for | |
104 | .I anything.moon.af.mil | |
105 | from outside servers such as the root servers. | |
106 | ||
107 | Versions 1.03 and above: | |
108 | If | |
109 | .I $FORWARDONLY | |
110 | is set, | |
111 | .B dnscache | |
112 | treats | |
113 | .I servers/@ | |
114 | as a list of IP addresses | |
115 | for other caches, not root servers. | |
116 | It forwards queries to those caches the same way that a client does, | |
117 | rather than contacting a chain of servers according to NS records. | |
118 | ||
119 | .SH Memory use | |
120 | ||
121 | .B dnscache | |
122 | uses a fixed-size table, under 256K, | |
123 | to keep track of as many as 200 simultaneous UDP queries | |
124 | and 20 simultaneous TCP connections. | |
125 | It also dynamically allocates memory, | |
126 | usually just a few bytes but occasionally much more, | |
127 | for each active query. | |
128 | If it runs out of memory handling a query, it discards that query. | |
129 | ||
130 | .B dnscache | |
131 | asks the operating system to reserve a 128K buffer | |
132 | for bursts of incoming UDP queries. | |
133 | In versions 1.03 and above, | |
134 | if a new UDP query arrives | |
135 | when | |
136 | .B dnscache | |
137 | is already handling 200 simultaneous UDP queries, | |
138 | .B dnscache | |
139 | drops the oldest query. | |
140 | If a new TCP connection arrives | |
141 | when | |
142 | .B dnscache | |
143 | is already handling 20 simultaneous TCP connections, | |
144 | .B dnscache | |
145 | drops the oldest connection. | |
146 | ||
147 | .B dnscache | |
148 | uses a fixed-size cache, | |
149 | as controlled by the | |
150 | .I $CACHESIZE | |
151 | environment variable. | |
152 | Roughly 5% of the cache is used for a hash table. | |
153 | The rest is used for cache entries | |
154 | (including 8-byte Y2038-compliant expiration times): | |
155 | ||
156 | .TP | |
157 | o | |
158 | A sets. | |
159 | 22 bytes plus 4 bytes per address plus the length of the owner name. | |
160 | .TP | |
161 | o | |
162 | NS sets or PTR sets or CNAME sets. | |
163 | 22 bytes plus the length of the owner name and all the data names. | |
164 | .TP | |
165 | o | |
166 | MX sets. | |
167 | 22 bytes plus 2 bytes per MX plus the length of all the names. | |
168 | .TP | |
169 | o | |
170 | Other record sets. | |
171 | 22 bytes plus 2 bytes per record | |
172 | plus the length of all the data strings | |
173 | plus the length of the owner name. | |
174 | .TP | |
175 | o | |
176 | Nonexistent domain or server failure. | |
177 | 22 bytes plus the length of the owner name. | |
178 | ||
179 | .P | |
180 | Sets larger than 8192 bytes are not cached. | |
181 | ||
182 | .B dnscache | |
183 | does not exit when it runs out of space in its cache; | |
184 | it simply removes the oldest entries to make more space. | |
185 | ||
186 | .SH Resolution and caching policies | |
187 | ||
188 | .B dnscache | |
189 | relies on a configured list of root name servers. | |
190 | In contrast, BIND starts from a ``hint file'' listing name servers, | |
191 | and asks those name servers where the root name servers are. | |
192 | ||
193 | .B dnscache | |
194 | does not cache (or pass along) records outside the server's bailiwick; | |
195 | those records could be poisoned. | |
196 | Records for | |
197 | .IR foo.dom , | |
198 | for example, | |
199 | are accepted only from the root servers, | |
200 | the | |
201 | .I dom | |
202 | servers, and the | |
203 | .I foo.dom | |
204 | servers. | |
205 | ||
206 | .B dnscache | |
207 | does not bypass its cache | |
208 | to obtain glue from the additional section of a response. | |
209 | In particular, it will not use glue outside the server's bailiwick, | |
210 | or glue with TTL 0, | |
211 | or glue that violates other caching policies. | |
212 | ||
213 | .B dnscache | |
214 | caches records for at most a week. | |
215 | It interprets TTLs above 2147483647 as 0. | |
216 | ||
217 | .B dnscache | |
218 | does not cache SOA records. | |
219 | However, it does use SOA TTLs to determine cache times (up to an hour) | |
220 | for zero-record responses and nonexistent domains. | |
221 | ||
222 | .SH Responses to DNS clients | |
223 | ||
224 | .BR dnscache 's | |
225 | responses are generally much smaller than BIND's responses. | |
226 | They do not include | |
227 | authority records | |
228 | (NS records of the source name servers | |
229 | and SOA records for negative answers) | |
230 | or additional records | |
231 | (A records relevant to NS or MX records). | |
232 | When the answer section is truncated by UDP length limits, | |
233 | it is eliminated entirely. | |
234 | ||
235 | .B dnscache | |
236 | tries to prevent local users from snooping on other local users. | |
237 | It discards non-recursive queries; | |
238 | it discards inverse queries; | |
239 | and it discards zone-transfer requests. | |
240 | If | |
241 | .I $HIDETTL | |
242 | is set, | |
243 | .B dnscache | |
244 | always uses a TTL of 0 in its responses. | |
245 | In versions before 1.03, | |
246 | .B dnscache | |
247 | always uses a TTL of 0 in its responses. | |
248 | ||
249 | According to RFC 1035, | |
250 | the AA bit ``specifies that the responding name server | |
251 | is an authority for the domain name in question section.'' | |
252 | ||
253 | .B dnscache | |
254 | is not an authority for any domain names. | |
255 | ||
256 | .B dnscache | |
257 | never sets the AA bit | |
258 | (except in NXDOMAIN responses, as required by RFC 2308, | |
259 | to work around a common client bug). | |
260 | In contrast, BIND often sets AA for positive responses | |
261 | even when it is not an authority for the domain name. | |
262 | (This appears to have been fixed in BIND 9.) | |
263 | ||
264 | .SH Repeated IP addresses | |
265 | If a server | |
266 | sends | |
267 | .B dnscache | |
268 | a repeated IP address, | |
269 | .B dnscache | |
270 | passes the repeated IP address along to the client. | |
271 | The server's behavior violates RFC 2181, section 5.5, | |
272 | but there are reasonable uses of repeated IP addresses for load balancing, | |
273 | so | |
274 | .B dnscache | |
275 | does not go out of its way to remove repetitions when they occur. | |
276 | ||
277 | A widespread BIND server bug (apparently fixed in BIND 9.1) | |
278 | can unintentionally produce repeated IP addresses. | |
279 | Here is an example from one of the BIND company's servers (now fixed): | |
280 | ||
281 | % dnsq a ns-ext.vix.com ns-ext.vix.com | |
282 | 1 ns-ext.vix.com: | |
283 | 117 bytes, 1+1+2+2 records, response, authoritative, noerror | |
284 | query: 1 ns-ext.vix.com | |
285 | answer: ns-ext.vix.com 3600 A 204.152.184.64 | |
286 | authority: vix.com 3600 NS ns-ext.vix.com | |
287 | authority: vix.com 3600 NS ns1.gnac.com | |
288 | additional: ns-ext.vix.com 3600 A 204.152.184.64 | |
289 | additional: ns1.gnac.com 130768 A 209.182.195.77 | |
290 | ||
291 | This BIND bug is the most common reason | |
292 | for users to see repeated IP addresses from | |
293 | .BR dnscache . | |
294 | ||
295 | .SH Special names | |
296 | ||
297 | .B dnscache | |
298 | handles | |
299 | .I localhost | |
300 | internally, | |
301 | giving it an A record of 127.0.0.1. | |
302 | ||
303 | .B dnscache | |
304 | handles | |
305 | .I 1.0.0.127.in-addr.arpa | |
306 | internally, | |
307 | giving it a PTR record of | |
308 | .IR localhost . | |
309 | ||
310 | .B dnscache | |
311 | handles dotted-decimal domain names internally, | |
312 | giving (e.g.) the domain name | |
313 | .I 192.48.96.2 | |
314 | an A record of | |
315 | .IR 192.48.96.2 . | |
316 | ||
317 | .SH SEE ALSO | |
318 | dnscache-conf(8) | |
319 | ||
320 | http://cr.yp.to/djbdns.html |