222
222
1. I'm using an older version of MaraDNS
224
Upgrade to MaraDNS 1.4 or MaraDNS 2.0. MaraDNS 1.4 is compatible
225
with older versions of MaraDNS, with the relatively few changes
226
need to upgrade documented.
228
Use MaraDNS 2.0 if there are any issues using MaraDNS 1.4 to
229
recursively resolve records (via recursive_acl); the recursive
230
resolver in MaraDNS 1.4 is deprecated and only critical security
231
issues are fixed with it. MaraDNS 2.0 uses the separate daemon
232
Deadwood to recursively resolve records.
224
Upgrade to MaraDNS 1.4. MaraDNS 1.4 is compatible with older
225
versions of MaraDNS, with the relatively few changes need to
234
228
MaraDNS 1.0 and 1.2 are only supported for critical security
235
229
updates, and will no longer be supported on December 21, 2010.
236
230
MaraDNS 1.3 is also only supported for critical security
237
231
updates, and support will stop on December 21, 2012. MaraDNS 1.4
238
and MaraDNS 2.0 are both fully supported (security and other
239
important bug fixes) for the foreseeable future.
232
will be fully supported (security and other important bug fixes)
233
for the foreseeable future, alongside MaraDNS 2.0 when and if it
241
236
2. How do I try out MaraDNS?
316
311
intervention of an ISP, being able to control reverse DNS
317
312
lookups for those IPs requires ISP intervention.
319
8. I am on a slow network, and Deadwood can not process recursive
314
8. I am on a slow network, and MaraDNS can not process recursive
322
Deadwood, by default, only waits two seconds for a reply from a
317
MaraDNS, by default, only waits two seconds for a reply from a
323
318
remote DNS server. This default can be increased by adding a
324
319
line like this in the mararc file:
365
360
12. Why does MaraDNS use a multi-threaded model?
367
MaraDNS 2.0 no longer uses threads.
369
The multi-threaded model was the simplest way to write a
370
functioning recursive DNS server for MaraDNS 1.0. There is a
371
reason why MaraDNS, pdnsd, and BIND 9 all use the multi-threaded
374
It took me nearly three years to rewrite MaraDNS' recursive
375
resolver as a separate non-threaded daemon. This has been done,
376
and now all recursion is done with Deadwood which does not need
362
The multi-threaded model is, plain and simple, the simplest way
363
to write a functioning recursive DNS server. There is a reason
364
why MaraDNS, pdnsd, and BIND 9 all use the multi-threaded model.
366
MaraDNS 2.0, when and if it is released, will not use threads.
379
368
13. I feel that XXX feature should be added to MaraDNS
381
There are no plans to add new features to MaraDNS or Deadwood at
370
The only thing that will convince me to implement a given
371
feature for MaraDNS is cold, hard cash. If you want me to keep a
372
given feature proprietary, you better have lots of cold hard
375
The only feature I will implement for free is to finish up full
376
recursion in Deadwood, including IPv6 support. I have no
377
plans to implement DNS curve, nor DNSsec, Geo IP, or
378
whatever feature you want me to implement for fun and for free.
380
Keep in mind that both the BIND and NSD name servers were
381
developed by having the programmers paid to work on the
382
programs. PowerDNS was originally commercial software with the
383
author only reluctantly made GPL after seeing that the market
384
for a commercial DNS server is very small. All of the other DNS
385
servers which have been developed as hobbyist projects (Posadis,
386
Pdnsd, and djbdns) are no longer being actively worked on by the
384
389
14. I feel that MaraDNS should use another documentation format
429
434
The zoneserver program serves zones so that other DNS servers
430
435
can be secondaries for zones which MaraDNS serves. This is a
431
separate program from the maradns server, which processes
432
authoritative UDP DNS queries, and Deadwood which processes
433
recursive DNS queries.
436
separate program from the maradns server, which processes both
437
authoritative and recursive UDP DNS queries.
435
439
See the DNS master document in the MaraDNS tutorial for
448
452
A recursive DNS server is a DNS server that is able to contact
449
453
other DNS servers in order to resolve a given domain name label.
450
454
This is the kind of DNS server one points to in
451
/etc/resolve.conf. MaraDNS uses the Deadwood daemon to process
452
recursive DNS queries.
454
457
An authoritative DNS server is a DNS server that a recursive
455
458
server contacts in order to find out the answer to a given DNS
456
query. The maradns daemon processes authoritative DNS queries.
458
461
19. The fetchzone client isn't allowing me to add certain hostnames to
541
544
26. I am having problems setting upstream_servers
543
upstream_servers is only supported by Deadwood, and is no longer
544
supported in MaraDNS 2.0. The upstream_servers dwood3rc variable
546
The upstream_servers mararc variable is set thusly:
547
548
upstream_servers["."] = "10.3.28.79, 10.2.19.83"
550
Note the ["."]. The reason for this is so future versions of
551
MaraDNS may have more fine-grained control over the
552
upstream_servers and root_servers values.
551
554
Note that the upstream_servers variable needs to be initialized
552
555
before being used via upstream_servers = {} (the reason for this
553
is so that a dwood3rc file has 100% Python-compatible syntax). A
554
complete dwood3rc file that uses upstream_servers may look like
556
is so that a mararc file has 100% Python-compatible syntax). A
557
complete mararc file that uses upstream_servers may look like
557
560
ipv4_bind_addresses = "127.0.0.1"
667
670
31. I have a NS delegation, and MaraDNS is doing strange things.
669
This is only an issue in MaraDNS 1.4. MaraDNS 2.0 does not allow
670
the same IP to both authoritatively and recursively resolve
672
In the case of there being a NS delegation, MaraDNS handles
673
recursive queries and non-recursive DNS queries differently.
674
Basically, unless you use askmara with the -n option, dig with
675
the +norecuse option, or nslookup with the -norec option,
676
MaraDNS will try to recursively resolve the record that is
679
The thinking is this: A normal recursive DNS query is usually
680
one where one wants to know the final DNS output. So, if MaraDNS
681
delegates a given record to another DNS server, and gets a
682
recursive request for said query, MaraDNS will recursively
683
resolve the query for you.
685
For example, let us suppose we have a mararc file that looks
688
chroot_dir = "/etc/maradns"
689
ipv4_bind_addresses = "10.1.2.3"
690
chroot_dir = "/etc/maradns"
691
recursive_acl = "127.0.0.1/8, 10.0.0.0/8"
693
csv2["example.com."] = "db.example.com"
695
And a db.example.com file that looks like this:
697
www.example.com. 10.1.2.3
698
joe.example.com. NS ns.joe.example.com.
699
ns.joe.example.com. A 10.1.2.4
701
Next, you are trying to find out why www.joe.example.com is not
702
resolving. If you naively send a query to 10.1.2.3 for
703
www.joe.example.com as askmara Awww.joe.example.com. 10.1.2.3 or
704
as dig @10.1.2.3 www.joe.example.com. or as nslookup
705
www.joe.example.com. 10.1.2.3, you will not get any information
706
that will help you solve the problem, since 10.1.2.3 will try to
707
contact 10.1.2.4 to resolve www.joe.example.com.
709
The solution is to run your DNS query client thusly:
711
* Askmara would be run thusly:
713
askmara -n Awww.joe.example.com. 10.1.2.3
715
* Dig would be run thusly:
717
dig +norecurse @10.1.2.3 www.joe.example.com
719
* Nslookup would be run thusly:
721
nslookup -norec www.joe.example.com 10.1.2.3
723
This will allow you to see that packets MaraDNS actually sends
724
to a recursive DNS server.
726
As an aside, this particular problem will not happen if MaraDNS
727
is run only as an authoritative nameserver.
673
729
32. I am transferring a zone from another server, but the NS records
674
730
are these strange "synth-ip" records.
717
773
33. Where is the root.hints file?
719
MaraDNS (actually, Deadwood), unlike BIND, does not need a
720
complicated root.hints file in order to have custom root
721
servers. In order to change the root.hints file, add something
722
like this to your dwood3rc file:
775
MaraDNS, unlike BIND, does not need a complicated root.hints
776
file in order to have custom root servers. In order to change
777
the root.hints file, add something like this to your mararc
724
780
root_servers["."] = "131.161.247.232,"
725
781
root_servers["."] += "208.185.249.250,"
894
952
domain with AFNIC using MaraDNS as your DNS server, the
895
953
following steps need to be followed:
897
* MaraDNS version 1.4 or 2.0 needs to be used; if you're using
898
an older version of MaraDNS, upgrade.
899
* It is necessary to have recursion disabled, if using MaraDNS
900
1.4, either by compiling MaraDNS without recursive support
955
* MaraDNS version 1.4 needs to be used; if you're using an
956
older version of MaraDNS, upgrade.
957
* It is necessary to have recursion disabled. This can be done
958
either by compiling MaraDNS without recursive support
901
959
(./configure --authonly ; make), or by making sure MaraDNS
902
960
does not have recursion enabled (by not having recursive_acl
903
set in one's MaraDNS 1.4 mararc file)
961
set in one's mararc file)
905
963
If one wishes to both register domains with AFNIC and use
906
MaraDNS 1.4 as a recursive DNS server, it is required to have
907
the recursive server be a separate instance of MaraDNS on a
908
separate IP. It is not possible to have the same DNS server both
909
send DNS packets in a way that both makes AFNIC happy and allows
964
MaraDNS as a recursive DNS server, it is required to have the
965
recursive server be a separate instance of MaraDNS on a separate
966
IP. It is not possible to have the same DNS server both send DNS
967
packets in a way that both makes AFNIC happy and allows
910
968
recursive queries.
912
970
Note also: AFNIC gives warnings about reverse DNS lookups; more
919
977
43. I can't see the full answers for subdomains I have delegated
921
To have the subdomains be visible to MaraDNS 1.4 recursive
922
nameservers, add the following to your mararc file:
979
To have the subdomains be visible to recursive nameservers, add
980
the following to your mararc file:
924
982
recurse_delegation = 1
926
984
44. MaraDNS 1 has a problem resolving a domain
928
This issue should be fixed in MaraDNS 2.0.
986
This issue should be fixed when I release MaraDNS 2.0.
930
988
Here's what happening: I have rewritten the recursive resolver
931
989
for MaraDNS. The old code was always designed to be a
932
990
placeholder until I wrote a new recursive resolver.
934
992
The new recursive resolver is called "Deadwood"; right now it's
935
fully functional and part of MaraDNS 2.0. More information is
993
fully functional and undergoing beta-testing. More information
938
996
http://maradns.blogspot.com/search/label/Deadwood
942
1000
Since the old recursive code is a bit difficult to maintain, and
943
1001
since I in the process of rewriting the recursive code, my rule
944
1002
is that I will only resolve security issues with MaraDNS 1.0's
1003
recursive resolver without getting paid.
1005
If resolving a given domain with MaraDNS' code is an urgent
1006
issue for you, please consider helping beta-test Deadwood, or
1009
http://www.maradns.org/products.html
947
1011
45. MaraDNS 1.2 has issues with NXDOMAINS and case sensitivity.
953
1017
a mail transport agent asks for a name in all caps.
955
1019
If this is an issue for your organization, please upgrade to a
956
newer version of MaraDNS; MaraDNS 1.4 and 2.0 do not have this
957
bug. If you want to see this bug fixed in MaraDNS 1.2, please
958
help sponsor MaraDNS.
1020
newer version of MaraDNS; MaraDNS 1.4 does not have this bug. If
1021
you want to see this bug fixed in MaraDNS 1.2, please help
960
1024
46. Can MaraDNS offer protection from phishing and malicious sites?
1124
1188
while the file will parse, any errors in the file will be
1125
1189
reported as being on line 1.
1191
The maximum allowed number of threads is 5000.
1127
1193
The system startup script included with MaraDNS assumes that the
1128
1194
only MaraDNS processes running are started by the script; it
1129
1195
stops all MaraDNS processes running on the server when asked to
1198
When a resolver asks for an A record, and the A record is a
1199
CNAME which points to a list of IPs, MaraDNS' recursive resolver
1200
only returns the first IP listed along with the CNAME. This is
1201
somewhat worked around by having a CNAME record only stay in the
1202
recursive cache for 15 minutes.
1204
When a resolver asks for an A record, and the A record is a
1205
CNAME that points to another CNAME (and possibly a longer CNAME
1206
chain), while MaraDNS returns the correct IP (as long as the
1207
glueless level is not exceeded), MaraDNS will incorrectly state
1208
that the first CNAME in the chain directly points to the IP.
1210
If a NS record points to a list of IPs, and the NS record in
1211
question is a "glueless" record (MaraDNS had to go back to the
1212
root servers to find out the IP of the machine in question),
1213
MaraDNS' recursive resolver only uses the first listed IP as a
1216
When MaraDNS' recursive resolver receives a "host not there"
1217
reply, instead of using the SOA minimum of the "host not there"
1218
reply as the TTL (Look at RFC1034 §4.3.4), MaraDNS uses the TTL
1221
MaraDNS keeps referral NS records in the cache for one day
1222
instead of the TTL specified by the remote server.
1132
1224
MaraDNS needs to use the zoneserver program to serve DNS records
1133
1225
over TCP. See zoneserver(8) for usage information.
1135
1227
MaraDNS does not use the zone file ("master file") format
1136
specified in chapter 5 of RFC1035; however bind2csv2.py can
1137
convert the majority of such zone files.
1228
specified in chapter 5 of RFC1035.
1139
1230
MaraDNS default behavior with star records is not RFC-compliant.
1140
1231
In more detail, if a wildcard MX record exists in the form
1159
1250
20 seconds; TTLs which are more than 63072000 (2 years) long are
1160
1251
given a TTL of 2 years.
1253
MaraDNS' recursive resolver's method of deleting not recently
1254
accessed records from the cache when the cache starts to fill up
1255
can deleted records from the cache before they expire. Some
1256
people consider this undesirable behavior; I feel it is
1257
necessary behavior if one wishes to place a limit on the memory
1258
resources a DNS server may use.
1260
MaraDNS' recursive resolver stops resolving when it finds an
1261
answer in the AR section. This is a problem in the case where a
1262
given host name and IP is registered with the root name servers,
1263
and the registered IP is out of date. When this happens, a
1264
server "closer" to the root server will give an out-of-date IP,
1265
even though the authoritative DNS servers for the host in
1266
question have the correct IP. Note that resolving this will
1267
result in increased DNS traffic.
1162
1269
MaraDNS, like every other known DNS implementation, only
1163
1270
supports a QDCOUNT of 0 or 1.
1272
MaraDNS spawns a new thread for every single recursive DNS
1273
request when the data in question is not in MaraDNS' cache; this
1274
makes MaraDNS an excellent stress tester for pthread
1275
implementations. Many pthread implementations can not handle
1276
this kind of load; symptoms include high memory usage and
1277
termination of the MaraDNS process.
1279
MaraDNS does not handle the case of a glueless in-bailiwick NS
1280
referral very gracefully; this usually causes the zone pointed
1281
to by the offending NS record to be unreachable by MaraDNS, even
1282
if other DNS servers for the domain have correct NS referrals.
1165
1284
UNIMPLEMENTED FEATURES
1167
1286
These are features which I do not plan to implement in MaraDNS.
1287
If you wish to see these features, consider sponsoring MaraDNS
1169
1290
MaraDNS does not have a disk-based caching scheme for
1170
1291
authoritative zones.
1180
1301
or for host names to resolve differently, depending on the IP
1181
1302
querying the host name.
1304
MaraDNS 1.4 only has authoritative-only support for IPv6.
1305
Deadwood, however, has full IPv6 support.
1183
1307
MaraDNS only allows wildcards at the beginning or end of a host
1184
1308
name. E.g. names with wildcards like "foo.*.example.com".
1185
1309
"www.*" will work, however, if a default zonefile is set up.
1186
Likewise, MaraDNS does not have regular expression hostname
1189
1311
MaraDNS does not have support for MRTG or any other SNMP-based
1190
1312
logging mechanism.