12
12
.\" You can find a copy of the GNU GPL in the file COPYING in the source
13
13
.\" or documentation directory.
15
.TH PDNSD.CONF 5 "Sep 2008" "pdnsd @VERSION@"
15
.TH PDNSD.CONF 5 "Feb 2010" "pdnsd @VERSION@"
17
17
pdnsd.conf \- The configuration file for pdnsd
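Review bot: the .TH date on the second .TH PDNSD.CONF line is changed to "Feb 2010", but the same patch sets the footer at the end of the file to "Last revised: 24 December 2009"; the two should agree, and the .TH date is the one man prints in the page footer, so either bump the "Last revised" line or use "Dec 2009" here.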
159
159
negatively for a domain for which no SOA record is known to pdnsd. If a SOA is present,
160
160
the ttl of the SOA is taken.
162
.B neg_rrs_pol=(on|off|auth);
162
.B neg_rrs_pol=(on|off|auth|default);
163
163
This sets the RR set policy for negative caching; this tells pdnsd under which circumstances
164
164
it should cache a record type negatively for a certain domain. off will
165
165
turn the negative caching of record types off, on will always add a negative
166
166
cache entry when a name server did not return a record type we asked it for, and auth
167
167
will only add such entries if the answer came from an authoritative name server for that
168
domain. The preset is auth. This is normally the right thing, as some caching servers
170
\fINew in version 1.2.8:\fP The default setting will add a negatively cached record
171
if either the answer was authoritive or the answer indicated the name server had "recursion available"
172
while the query explicitly requested such recursion.
174
The preset is "default" (used to be auth).
171
176
.B neg_domain_pol=(on|off|auth);
172
177
This is analogue to neg_rrs_pol for whole domain negative caching. It should be safe
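Review bot: the paragraph added for version 1.2.8 contradicts the unchanged sentence directly above it: the line beginning "domain. The preset is auth." still names auth as the preset while the new text says 'The preset is "default" (used to be auth)'; drop or rewrite the older sentence so the entry states one default. In the new lines, "authoritive" should read "authoritative". Also, neg_domain_pol two lines below is still described as "analogue to neg_rrs_pol" but its synopsis lists only (on|off|auth): if it accepts "default" too, add it there; if not, say so explicitly, because the "default" rule (cache a negative answer when the reply had RA set and the query asked for RD) lets a non-authoritative recursive server assert non-existence, and the reader needs to know where that relaxation applies given the caveat about caching servers that follows "The preset is auth."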
224
229
One of this vulnerabilities is that an attacker may bombard you with forged answers in hopes that one may match a
226
you have done. If you have done such a query, one in 65536 forged packets will be succesful (i.e. an average packet
231
you have done. If you have done such a query, one in 65536 forged packets will be successful (i.e. an average packet
227
232
count of 32768 is needed for that attack). pdnsd can use TCP for queries,
228
233
which has a slightly higher overhead, but is much less vulnerable to such attacks on sane operating systems. Also, pdnsd
229
234
chooses random query ids, so that an attacker cannot take a shortcut. If the attacker is able to listen to your network
235
240
The paranoid option is off by default.
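Review bot: this hunk only corrects "succesful", but the sentence it touches, "one in 65536 forged packets will be successful", gives the odds as if the 16-bit query id were the only value the attacker has to guess; state that this assumes the attacker already knows the outstanding query and the source port it was sent from, since the following text presents random query ids as the defence and readers will otherwise take 32768 packets as the worst case.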
243
.B ignore_cd=(on|off);
244
\fINew in version 1.2.8:\fP This option lets you specify that the CD bit of a DNS query will be ignored.
245
Otherwise pdnsd will reply FORMERR to clients that set this bit in a query.
246
It is safe to enable this option, as the CD bit refers to 'Checking Disabled'
247
which means that the client will accept non-authenticated data.
249
This option is on by default. Turn it off if you want the old behaviour (before version 1.2.8).
238
251
.B scheme_file=\fIstring\fP;
239
252
In addition to normal uptests, you may specify that some servers shall only be queried when a certain
240
253
pcmcia-cs scheme is active (only under linux). For that, pdnsd needs to know where the file resides that
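Review bot: the justification "It is safe to enable this option, as the CD bit refers to 'Checking Disabled' which means that the client will accept non-authenticated data" is right as far as it goes, but the entry should also say what pdnsd does with the bit when it is ignored: whether CD is forwarded to the servers in ip= or cleared, and whether it is echoed in the reply, because a validating upstream resolver returns data it did not validate when CD is set. Since the default is now on, consider leading with the current behaviour ("By default pdnsd ignores the CD bit ...") and giving the FORMERR reply as the pre-1.2.8 behaviour obtained with ignore_cd=off, rather than describing the old behaviour first.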
530
543
isdn uptest will always fail.
532
545
\(bu \fBdev\fP and \fBdiald\fP: Perform an if uptest, and, if that
533
was succesful, additionally check whether a program is running that
546
was successful, additionally check whether a program is running that
534
547
has locked a given (modem-) device. The needed parameters are an interface (specified as for the if
535
548
uptest, e.g. "ppp0") and a device relative to /dev (e.g.
536
549
"modem" for /dev/modem specified using the device= option.
655
668
.B purge_cache=(on|off);
656
669
In every fetched dns record, there is a cache timeout given, which
657
670
specifies how long the fetched data may be cached until it needs to be
658
reloaded. If purge_cache is set to off, the cached records are not purged
671
reloaded. If purge_cache is set to off, the stale records are not purged
659
672
(unless the cache size would be exceeded, in this case the oldest records are purged).
660
Instead, they are still served if they cannot succesfully be
673
Instead, they are still served if they cannot successfully be
661
674
updated (e.g. because all servers are down).
663
678
.B caching=(on|off);
664
679
Specifies if caching shall be performed for this server at all. Default is
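Review bot: "stale records" is the right term in the "If purge_cache is set to off" line, but the sentence that follows, "they are still served if they cannot successfully be updated (e.g. because all servers are down)", leaves open whether a stale record is also served while an update is merely pending, and whether a long-stale record is ever dropped other than through the cache size limit; one sentence on each would close the gap. State the default of purge_cache here as well if it is not given elsewhere in this entry.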
712
.B root_server=(on|off);
713
\fINew in version 1.2:\fP Set this option to on if the servers
714
specified in a section are root servers. A root server will typically only give
715
the name servers for the top-level domain in its reply. Setting root_server=on
716
will cause pdnsd to try to use cached information about top-level domains to reduce to number
717
of queries to root servers, making the resolving of new names more efficient.
727
.B root_server=(on|off|discover);
728
Set this option to on if the servers specified in a section are root servers.
729
A root server will typically only give the name servers for the top-level domain in its reply.
730
Setting root_server=on will cause pdnsd to try to use cached information about
731
top-level domains to reduce to number of queries to root servers, making the resolving of
732
new names more efficient.
718
733
You can get a list of available root servers by running the command
721
736
This option is also necessary if you use the delegation_only option.
738
\fINew in version 1.2.8:\fP This option may also be set to "discover".
739
This will cause pdnsd to query the servers provided with the ip= option
740
to obtain the full list of root servers. The root-server addresses will replace the addresses
741
specified with the ip= option.
742
This will only be done once on startup, or after a "pdnsd\-ctl\ config" command.
743
In this case the name servers specified with the ip= option don't have to be
744
root servers, they just have to know the names and addresses of the root servers.
745
After root-server discovery pdnsd will behave just as if root_server=on
725
750
.B randomize_servers=(on|off);
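Review bot: the new "discover" text, from "This will cause pdnsd to query the servers provided with the ip= option" to "After root-server discovery pdnsd will behave just as if root_server=on", does not say what happens when discovery fails or returns no root name servers: are the ip= addresses kept, is the section disabled, or does startup abort? It should also spell out the trust consequence of "The root-server addresses will replace the addresses specified with the ip= option": the root set, and hence every later referral, is whatever those ip= servers answered, so they must be servers the operator trusts, and because discovery runs only at startup or after "pdnsd-ctl config" a bad answer persists until then. Minor: the rewritten paragraph carries "reduce to number of queries" over from the old text; read "reduce the number of queries".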
954
979
.B ptr=\fIstring\fP;
955
980
Defines a PTR (domain name pointer) record. The argument is a host name in
956
dotted notation (see name). The ptr record is for resolving adresses into names. For example, if
957
you want the adress 127.0.0.1 to resolve into localhost, and localhost into 127.0.0.1, you need something
981
dotted notation (see name). The ptr record is for resolving addresses into names. For example, if
982
you want the address 127.0.0.1 to resolve into localhost, and localhost into 127.0.0.1, you need something
958
983
like the following sections:
980
1005
There is something special about the name in the second section:
981
1006
when a resolver wants to get a host name from an internet address,
982
1007
it composes an address that is built of the IP address in reverse byte order
983
(1.0.0.127 instead of 127.0.0.1) where each byte of the adress written
1008
(1.0.0.127 instead of 127.0.0.1) where each byte of the address written
984
1009
as number constitutes a sub-domain under the domain in-addr.arpa.
986
So, if you want to compose an adress for reverse resolving, take your ip in dotted notation (e.g. 1.2.3.4),
1011
So, if you want to compose an address for reverse resolving, take your ip in dotted notation (e.g. 1.2.3.4),
987
1012
reverse the byte order (4.3.2.1) and append in-addr.arpa. (4.3.2.1.in-addr.arpa.)
988
1013
Then, define an rr section giving this address as name and the domain name corresponding to
989
1014
that ip in the ptr option.
1072
1097
cached negatively locally. Queries for negatively cached records are always answered
1073
1098
immediatley with an error or an empty answer without querying other hosts as long
1074
1099
as the record is valid. The records defined with neg sections remain
1075
valid until they are explicitely invalidated or deleted by the user using
1100
valid until they are explicitly invalidated or deleted by the user using
1078
1103
This is useful if a certain application asks periodically for nonexisting hosts or
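Review bot: while "explicitely" is corrected in the "valid until they are explicitly invalidated" line, the unchanged line two above it, "immediatley with an error or an empty answer", keeps its misspelling; fix "immediately" in the same pass, and "nonexisting hosts" in the last context line reads better as "nonexistent hosts".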
1236
1261
This man page was automatically generated from the html documentation for \fBpdnsd\fP,
1237
1262
using a customized Perl script written by Paul Rombouts.
1239
Last revised: 04 September 2008 by Paul Rombouts
1264
Last revised: 24 December 2009 by Paul Rombouts