4
dnscache \- a DNS cache.
7
This is a reference page.
8
For tutorial information, see the instructions for
11
(http://cr.yp.to/djbdns/run-cache.html),
14
(http://cr.yp.to/djbdns/run-cache-home.html),
17
(http://cr.yp.to/djbdns/run-cache-x.html),
20
.B upgrading from BIND
21
(http://cr.yp.to/djbdns/run-cache-bind-1.html).
24
accepts recursive DNS queries
25
from local clients such as web browsers and mail transfer agents.
26
It collects responses from remote DNS servers.
27
It caches the responses to save time later.
37
runs chrooted in the directory
46
environment variables.
49
listens for incoming UDP packets and TCP connections
50
addressed to port 53 of
56
but it can also be an externally accessible IP address.
59
accepts a packet or connection
62
if it sees a file named
72
sends outgoing packets from high ports of
78
meaning the machine's primary IP address.
81
reads a seed, up to 128 bytes,
83
and passes the seed to
87
reads a list of dotted-decimal root server IP addresses,
94
for server IP addresses for other domains.
95
If there are addresses listed in
96
.IR servers/moon.af.mil ,
100
will send queries for
101
.I anything.moon.af.mil
103
and will not cache records for
104
.I anything.moon.af.mil
105
from outside servers such as the root servers.
107
Versions 1.03 and above:
114
as a list of IP addresses
115
for other caches, not root servers.
116
It forwards queries to those caches the same way that a client does,
117
rather than contacting a chain of servers according to NS records.
122
uses a fixed-size table, under 256K,
123
to keep track of as many as 200 simultaneous UDP queries
124
and 20 simultaneous TCP connections.
125
It also dynamically allocates memory,
126
usually just a few bytes but occasionally much more,
127
for each active query.
128
If it runs out of memory handling a query, it discards that query.
131
asks the operating system to reserve a 128K buffer
132
for bursts of incoming UDP queries.
133
In versions 1.03 and above,
134
if a new UDP query arrives
137
is already handling 200 simultaneous UDP queries,
139
drops the oldest query.
140
If a new TCP connection arrives
143
is already handling 20 simultaneous TCP connections,
145
drops the oldest connection.
148
uses a fixed-size cache,
151
environment variable.
152
Roughly 5% of the cache is used for a hash table.
153
The rest is used for cache entries
154
(including 8-byte Y2038-compliant expiration times):
159
22 bytes plus 4 bytes per address plus the length of the owner name.
162
NS sets or PTR sets or CNAME sets.
163
22 bytes plus the length of the owner name and all the data names.
167
22 bytes plus 2 bytes per MX plus the length of all the names.
171
22 bytes plus 2 bytes per record
172
plus the length of all the data strings
173
plus the length of the owner name.
176
Nonexistent domain or server failure.
177
22 bytes plus the length of the owner name.
180
Sets larger than 8192 bytes are not cached.
183
does not exit when it runs out of space in its cache;
184
it simply removes the oldest entries to make more space.
186
.SH Resolution and caching policies
189
relies on a configured list of root name servers.
190
In contrast, BIND starts from a ``hint file'' listing name servers,
191
and asks those name servers where the root name servers are.
194
does not cache (or pass along) records outside the server's bailiwick;
195
those records could be poisoned.
199
are accepted only from the root servers,
207
does not bypass its cache
208
to obtain glue from the additional section of a response.
209
In particular, it will not use glue outside the server's bailiwick,
211
or glue that violates other caching policies.
214
caches records for at most a week.
215
It interprets TTLs above 2147483647 as 0.
218
does not cache SOA records.
219
However, it does use SOA TTLs to determine cache times (up to an hour)
220
for zero-record responses and nonexistent domains.
222
.SH Responses to DNS clients
225
responses are generally much smaller than BIND's responses.
228
(NS records of the source name servers
229
and SOA records for negative answers)
230
or additional records
231
(A records relevant to NS or MX records).
232
When the answer section is truncated by UDP length limits,
233
it is eliminated entirely.
236
tries to prevent local users from snooping on other local users.
237
It discards non-recursive queries;
238
it discards inverse queries;
239
and it discards zone-transfer requests.
244
always uses a TTL of 0 in its responses.
245
In versions before 1.03,
247
always uses a TTL of 0 in its responses.
249
According to RFC 1035,
250
the AA bit ``specifies that the responding name server
251
is an authority for the domain name in question section.''
254
is not an authority for any domain names.
257
never sets the AA bit
258
(except in NXDOMAIN responses, as required by RFC 2308,
259
to work around a common client bug).
260
In contrast, BIND often sets AA for positive responses
261
even when it is not an authority for the domain name.
262
(This appears to have been fixed in BIND 9.)
264
.SH Repeated IP addresses
268
a repeated IP address,
270
passes the repeated IP address along to the client.
271
The server's behavior violates RFC 2181, section 5.5,
272
but there are reasonable uses of repeated IP addresses for load balancing,
275
does not go out of its way to remove repetitions when they occur.
277
A widespread BIND server bug (apparently fixed in BIND 9.1)
278
can unintentionally produce repeated IP addresses.
279
Here is an example from one of the BIND company's servers (now fixed):
281
% dnsq a ns-ext.vix.com ns-ext.vix.com
283
117 bytes, 1+1+2+2 records, response, authoritative, noerror
284
query: 1 ns-ext.vix.com
285
answer: ns-ext.vix.com 3600 A 204.152.184.64
286
authority: vix.com 3600 NS ns-ext.vix.com
287
authority: vix.com 3600 NS ns1.gnac.com
288
additional: ns-ext.vix.com 3600 A 204.152.184.64
289
additional: ns1.gnac.com 130768 A 209.182.195.77
291
This BIND bug is the most common reason
292
for users to see repeated IP addresses from
301
giving it an A record of 127.0.0.1.
305
.I 1.0.0.127.in-addr.arpa
307
giving it a PTR record of
311
handles dotted-decimal domain names internally,
312
giving (e.g.) the domain name
320
http://cr.yp.to/djbdns.html