result in an error.

<h2>root_servers</h2>
root_servers: This is a special "dictionary" element that can
have multiple elements, where a given element points to either an
IP, or a pointer to an ipv4 alias. For example:

root_servers["."] = "list_of_servers"

In this example, "." indicates that this is a listing of root_servers
that will resolve any name not otherwise listed as a root_servers

list_of_servers is a list of root name servers in the exact same
format as ipv4_aliases.

The root_servers dictionary array can have multiple elements. Like csv2
elements, the names must be valid domain names that end with the
'.' character. When there are multiple root_servers elements, the
element with the most domain name labels that matches the end of
the hostname one is searching for is used.

For example, let us suppose we have the following root_servers entries:

root_servers["."] = "198.41.0.4"
root_servers["com."] = "192.5.6.30"
root_servers["example.net."] = "10.1.2.3,10.2.3.4"

In this example, we use the name server with the IP 10.1.2.3 or
10.2.3.4 to start resolving "www.example.net", the name server with the
IP 192.5.6.30 to start resolving "www.google.com", and the name server
with the IP 198.41.0.4 to start resolving "www.maradns.org".

Note that, while IPs in a listing of root name servers can have
netmasks, the netmask portion is ignored.

The root_servers should point to root servers. If one wishes to use
MaraDNS as a forwarding name server, which forwards DNS requests on to
another server, use the upstream_servers variable instead.

<h2>upstream_servers</h2>
This is identical to the root_servers variable (can have multiple
elements, the elements are a list of ipv4_addresses, the variable is a
dictionary variable, etc.), but is used
when one wishes to use MaraDNS to query other recursive servers, instead
of querying the actual root name servers for an answer.

Note that one cannot have both root_servers and upstream_servers set
in a given mararc file; MaraDNS will return with a fatal error if one

Like root_servers, this is a dictionary variable that can have multiple
elements. For example:

upstream_servers["."] = "10.5.6.7"
upstream_servers["cl."] = "10.2.19.83"

Here, we use 10.2.19.83 to resolve host names that end in "cl", and
10.5.6.7 to resolve all other host names.
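The longest-suffix rule above (the entry with the most labels matching the end of the name wins), applied to the page's own root_servers table, as an added Python example that is not MaraDNS code. It assumes dictionary values are comma-separated IPs, as in the example entries.

```python
# Added example, not MaraDNS code: which root_servers / upstream_servers entry
# the documented rule selects for a hostname.  The key with the most labels
# that matches the end of the name wins; "." matches everything.
ROOT_SERVERS = {  # the page's own example table
    ".": "198.41.0.4",
    "com.": "192.5.6.30",
    "example.net.": "10.1.2.3,10.2.3.4",
}


def labels(name: str) -> list[str]:
    """Split a dotted name into labels; the root "." has none."""
    return [label for label in name.lower().strip(".").split(".") if label]


def select_servers(table: dict[str, str], hostname: str) -> list[str]:
    """Return the IPs of the entry that is the longest label suffix of hostname."""
    host = labels(hostname)
    best_key, best_len = None, -1
    for key in table:
        if not key.endswith("."):  # mararc requires every key to end in '.'
            raise ValueError(f"root_servers key {key!r} must end with '.'")
        suffix = labels(key)
        # Compare whole labels, so "notexample.net" does not match "example.net."
        if len(suffix) > len(host) or host[len(host) - len(suffix):] != suffix:
            continue
        if len(suffix) > best_len:
            best_key, best_len = key, len(suffix)
    if best_key is None:
        raise LookupError(f"no entry matches {hostname!r}; is the '.' entry missing?")
    # Values are comma-separated IPs (a netmask, if present, is ignored by MaraDNS).
    return [ip.strip().split("/")[0] for ip in table[best_key].split(",")]


if __name__ == "__main__":
    for name in ("www.example.net", "www.google.com", "www.maradns.org"):
        print(name, "->", select_servers(ROOT_SERVERS, name))
```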
<h1>NORMAL VARIABLE FORMAT</h1>
Normal variables. These are variables that can only take

The default GID is 99.
<h2>maximum_cache_elements</h2>
maximum_cache_elements: The maximum number of elements we can have
in the cache of recursive queries.

This cache of recursive queries is used to store entries we have
previously obtained from recursive queries.

If we approach this limit, the "custodian" kicks into effect.
The custodian removes elements at random from the cache (8 elements
removed per query) until we are at the 99% or so level again.

<p> The default value for this variable is 1024.

<h2>maxprocs</h2>
maxprocs: The maximum number of threads or processes that MaraDNS
is allowed to run at the same time.

This variable is used to minimize the impact on the server when
MaraDNS is heavily loaded. When this number is reached, it is
impossible for MaraDNS to spawn new threads/processes until the
number of threads/processes is reduced.

<p> The default value for this variable is 64.
The maximum value this can have is 500.
<h2>max_ar_chain</h2>
max_ar_chain: The maximum number of records to display if a record in
the additional section (e.g., the IP of a NS server

use, and in addition, to allocate 1536 bytes for each element we
can have in the cache or DNS record that we are authoritatively serving.
<h2>min_ttl</h2>
min_ttl: The minimum amount of time a resource record will stay in
MaraDNS' cache, regardless of the TTL the remote server specifies.

Setting this value changes the minimum amount of time MaraDNS'
recursive server will keep a record in the cache. The value is

The default value of this is 300 (5 minutes); the minimum value
for this is 180 (2 minutes).

<h2>min_ttl_cname</h2>
min_ttl_cname: The minimum amount of time a resource record
will stay in MaraDNS' cache, regardless of the TTL the remote server

Setting this value changes the amount of time a CNAME record stays
in the cache. The value is in seconds.

The default value for this is the value min_ttl has; the minimum value
for this is 180 (2 minutes).

<h2>min_visible_ttl</h2>
min_visible_ttl: The minimum value that we will show as the TTL (time
to live) value for a resource record to other DNS servers and stub resolvers.

The value is in seconds. The default value for this is 30; the minimum
value this can have is 5. People running highly loaded MaraDNS servers
may wish to increase this value to 3600 (one hour) in order to reduce the
number of queries recursively processed by MaraDNS.

As an aside, RFC1123 section 6.1.2.1 implies that zero-length TTL records
should be passed on with a TTL of zero. This, unfortunately, breaks some
stub resolvers (such as Mozilla's stub resolver).
<h2>notthere_ip</h2>
This parameter, if set, causes MaraDNS' recursive resolver to return a
0-TTL synthetic IP for non-existent hostnames instead of a "this host does
not exist" DNS reply. The IP returned is the value for this parameter.

For example, if one wishes to send the IP 10.11.12.13 to clients whenever
MaraDNS' recursive resolver gets a "this host does not exist" reply, set

notthere_ip = "10.11.12.13"

If one also wishes to have this IP returned when there is no reply
from remote DNS servers, set handle_noreply thusly:

This parameter only affects the recursive resolver, and doesn't affect
authoritative zones that MaraDNS serves. This parameter only affects
A queries, and doesn't affect other DNS query types.

<h2>random_seed_file</h2>
random_seed_file: The file from which we read 16 bytes to
get the 128-bit seed for the secure pseudo random number generator.

The location of this file is relative to the root of the
filesystem, not MaraDNS' chroot directory.

This is ideally a file which is a good source of random numbers
(e.g. /dev/urandom), but can also be a fixed file if your OS does not
have a decent random number generator. In that case, make sure the
contents of that file are random and with 600 perms, owned by root.
We read the file <b>before</b> dropping root privileges.

<h2>recurse_delegation</h2>
recurse_delegation: Whether to recurse in the case of us finding a NS
delegation record, but the user/stub resolver sent a query that
desires recursion. Before MaraDNS 1.3, this was the default behavior.

When recurse_delegation has a value of 1, we recurse in this case.
Otherwise, we do not.

This parameter has a default value of 0.
<h2>recurse_min_bind_port</h2>
MaraDNS, by default, binds to a UDP port with a value between 15000 and
19095 when making a recursive query. This variable, and the
recurse_number_ports variable, allow this value to be changed.

recurse_min_bind_port is the lowest port number that MaraDNS will bind
to when making recursive queries. The default value for this is 15000.

<h2>recurse_number_ports</h2>
This determines the size of the port range MaraDNS will bind to when
making recursive queries. MaraDNS, when making a recursive query, will
locally bind to a port number between recurse_min_bind_port and
recurse_min_bind_port + recurse_number_ports - 1.

This number must be a power of 2 between
256 and 32768. In other words, this must have the value 256, 512, 1024,
2048, 4096, 8192, 16384, or 32768. The default value for this is 4096.

The sum of the values for recurse_min_bind_port + recurse_number_ports must
fit within the 16-bit value used for UDP ports. In other words, these
two parameters, added together, cannot be greater than 65534.

<h2>recursive_acl</h2>
recursive_acl: List of IPs allowed to perform recursive queries with
the recursive portion of the MaraDNS server

The format of this string is identical to the format of an ipv4_alias

<h2>reject_aaaa</h2>
If this has a value of 1, a bogus SOA "not there" reply is sent whenever
an AAAA query is sent to MaraDNS. In other words, every time a program asks
MaraDNS for an IPv6 IP address, instead of trying to process the request,
when this is set to 1, MaraDNS pretends the host name in question does not
have an IPv6 address.

This is useful for people who aren't using IPv6 but use applications (usually
*NIX command-line applications like "telnet") which slow things down trying
to find an IPv6 address.

<h2>reject_ptr</h2>
If this has a value of 1, a bogus SOA "not there" reply is sent whenever
a PTR query is sent to MaraDNS. In other words, every time a program asks
MaraDNS for an IP-to-name mapping, instead of trying to process the request,
when this is set to 1, MaraDNS pretends the IP in question does not

This is useful for people who don't need this data but use applications
(usually *NIX command-line applications like "telnet") which slow things
down trying to look up a host name for an IP.

<h2>remote_admin</h2>
remote_admin: Whether we allow <tt>verbose_level</tt> to be changed
after MaraDNS is started.
# 3: All queries logged (but not very verbosely right now)
verbose_level = 1

# Initialize the IP aliases, which are used by the list of root name servers,
# the ACL for zone transfers, and the ACL of who gets to perform recursive

# Various sets of root name servers
# Note: Netmasks can exist, but are ignored when specifying root name server

# ICANN: the most common and most controversial root name server
# http://www.icann.org
# This list can be seen at http://www.root-servers.org/
ipv4_alias["icann"] = "198.41.0.4, 192.228.79.201, 192.33.4.12, 128.8.10.90,"
ipv4_alias["icann"] += "192.203.230.10, 192.5.5.241, 192.112.36.4,"
ipv4_alias["icann"] += "128.63.2.53, 192.36.148.17, 192.58.128.30,"
ipv4_alias["icann"] += "193.0.14.129, 199.7.83.42, 202.12.27.33"

# OpenNIC: http://www.opennic.unrated.net/
# Current as of 2005/11/30; these servers change frequently so please
# look at their web page
ipv4_alias["opennic"] = "157.238.46.24, 209.104.33.250, 209.104.63.249,"
ipv4_alias["opennic"] += "130.94.168.216, 209.21.75.53, 64.114.34.119,"
ipv4_alias["opennic"] += "207.6.128.246, 167.216.255.199, 62.208.181.95,"
ipv4_alias["opennic"] += "216.87.153.98, 216.178.136.116"

# End of list of root name server lists

# Here is an ACL which restricts who is allowed to perform zone transfer from
# the zoneserver program

# by the "zoneserver" program.
#zone_transfer_acl = "10.1.1.1/24, 10.100.100.100/255.255.255.224"

# More complex: We create two aliases: One called "office" and another
# called "home". We allow anyone in the office or at home to perform zone

#ipv4_alias["office"] = "10.1.1.1/24"
#ipv4_alias["home"] = "10.100.100.100/255.255.255.224"
#zone_transfer_acl = "office, home"

# More complex than the last example. We have three employees,
# Susan, Becca, and Mia, whose computers we give zone transfer rights to.
# Susan and Becca are system administrators, and Mia is a developer.
# They are all part of the company. We give the entire company zone

#ipv4_alias["susan"] = "10.6.7.8/32" # Single IP allowed
#ipv4_alias["becca"] = "10.7.8.9" # also a single IP
#ipv4_alias["mia"] = "10.8.9.10/255.255.255.255" # Also a single IP
#ipv4_alias["sysadmins"] = "susan, becca"
#ipv4_alias["devel"] = "mia"
#ipv4_alias["company"] = "sysadmins, devel"
# This is equivalent to the above line
#ipv4_alias["company"] = "susan, becca, mia"
#zone_transfer_acl = "company"

# If you want to enable recursion on the loopback interface, uncomment
# the relevant lines in the following section

# Recursive ACL: Who is allowed to perform recursive queries. The format
# is identical to that of "zone_transfer_acl", including ipv4_alias support

#ipv4_alias["localhost"] = "127.0.0.0/8"
#recursive_acl = "localhost"

# Random seed file: The file from which we read 16 bytes to get the
# 128-bit random Rijndael key. This is ideally a file which is a good source
# of random numbers, but can also be a fixed file if your OS does not have
# a decent random number generator (make sure the contents of that file are
# random and with 600 perms, owned by root, since we read the file *before*
# dropping root privileges)

#random_seed_file = "/dev/urandom"

# The maximum number of elements we can have in the cache. If we have more
# elements in the cache than this amount, the "custodian" kicks into effect,
# removing elements not recently accessed from the cache (8 elements removed
# per query) until we are at the 99% level or so again.

#maximum_cache_elements = 1024

# It is possible to change the minimal "time to live" for entries in the
# cache; this is the minimum time that an entry will stay in the cache.
# Value is in seconds; default is 300 (5 minutes)

# CNAME records generally take more effort to resolve in MaraDNS than
# non-CNAME records; it is a good idea to make this higher than min_ttl
# default value is to be the same as min_ttl
#min_ttl_cname = 900

# The root servers which we use when making recursive queries.

# The following line must be uncommented to enable custom root servers
# for recursive queries

# You can choose which set of root servers to use. Current values (set above)
# are: icann, osrc, alternic, opennic, pacificroot, irsc, tinc, and

#root_servers["."] = "icann"

# If you prefer to contact other recursive DNS servers instead of the ICANN
# root servers, this is done with the upstream_servers mararc variable:
#upstream_servers["."] = "192.168.0.1, 192.168.0.2"

# You can tell MaraDNS to *not* query certain DNS servers when in recursive
# mode. This is mainly used to not allow spam-friendly domains to resolve,
# since spammers are starting to get in the habit of using spam-friendly
# DNS servers to resolve their domains, allowing them to hop from ISP to
# ISP. The format of this is the same as for zone_transfer_acl and

# For example, at the time of this document (August 12, 2001), azmalink.net
# is a known spam-friendly DNS provider (see doc/detailed/spammers/azmalink.net
# for details.) Note that this is based on IPs, and azmalink.net constantly
# changes IPs (as they constantly have to change ISPs)
# 2002/10/12: Azmalink changed ISP again, this reflects their current ISP
ipv4_alias["azmalink"] = "12.164.194.0/24"

# As of September 20, 2001, hiddenonline.net is a known spam-friendly
# DNS provider (see doc/detailed/spammers/hiddenonline for details).
ipv4_alias["hiddenonline"] = "65.107.225.0/24"
spammers = "azmalink,hiddenonline"

# It is also possible to change the maximum number of times MaraDNS will
# follow a CNAME record or a NS record with a glue A record. The default
# value for this is ten.
#max_glueless_level = 10
# In addition, one can change the maximum number of total queries that
# MaraDNS will perform to look up a host name. The default value is 32.
#max_queries_total = 32
# In addition, one can change the amount of time that MaraDNS will wait
# for a DNS server to respond before giving up and trying the next DNS
# server on a list. Note that, the larger this value is, the slower
# MaraDNS will process recursive queries when a DNS server is not
# responding to DNS queries. The default value is two seconds.
#timeout_seconds = 2

# And that does it for the caching at this point
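The nested ipv4_alias definitions in the zone_transfer_acl examples above (company lists sysadmins and devel, which in turn list susan, becca and mia, written with both CIDR and dotted-netmask suffixes) expanded into concrete networks, with a client address then tested against the resulting ACL. This is an added Python example, not MaraDNS code; the alias table is copied from the commented mararc lines, and the recursive expansion and loop rejection are my reading of the documented format.

```python
# Added example, not MaraDNS code: expand the nested ipv4_alias table from the
# zone_transfer_acl examples into concrete networks and check a client IP
# against an ACL string such as "company" or "office, home".
import ipaddress

IPV4_ALIAS = {  # copied from the commented mararc examples above
    "susan": "10.6.7.8/32",
    "becca": "10.7.8.9",
    "mia": "10.8.9.10/255.255.255.255",
    "sysadmins": "susan, becca",
    "devel": "mia",
    "company": "sysadmins, devel",
    "office": "10.1.1.1/24",
    "home": "10.100.100.100/255.255.255.224",
}


def expand(acl: str, aliases: dict[str, str], _seen: tuple = ()) -> list:
    """Resolve a comma-separated ACL string into IPv4Network objects.

    Items naming an alias are expanded recursively; anything else must be an
    IP, an IP/prefix, or an IP/dotted-netmask.  A bare IP is a single host.
    """
    nets = []
    for item in (part.strip() for part in acl.split(",")):
        if not item:
            continue
        if item in aliases:
            if item in _seen:  # an alias chain that refers back to itself is a config error
                raise ValueError(f"ipv4_alias loop through {item!r}")
            nets.extend(expand(aliases[item], aliases, _seen + (item,)))
        else:
            # strict=False accepts "10.1.1.1/24" with host bits set, as the mararc
            # example writes it; the host bits are masked off in the network.
            nets.append(ipaddress.ip_network(item, strict=False))
    return nets


def allowed(client_ip: str, acl: str, aliases: dict[str, str]) -> bool:
    """True if client_ip falls inside any network the ACL expands to."""
    ip = ipaddress.ip_address(client_ip)
    return any(ip in net for net in expand(acl, aliases))


if __name__ == "__main__":
    for net in expand("company", IPV4_ALIAS):
        print("company includes", net)
    print("10.100.100.127 allowed by office, home:",
          allowed("10.100.100.127", "office, home", IPV4_ALIAS))
```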