This is a list of IPs that are allowed to make DNS-over-TCP queries. In the case of using MaraDNS as an authoritative nameserver, this should have a value of "0.0.0.0/0" (anyone on the internet can make TCP DNS connections). If MaraDNS is being used as a recursive or upstream server, this should have the same value that the <tt>recursive_acl</tt> mararc variable has. In the case of MaraDNS being both a recursive and authoritative DNS server, <tt>tcp_convert_acl</tt> should have a value of "0.0.0.0/0"--this is not a security hazard since the zoneserver will only send UDP packets that request recursion if the client that connects to the TCP server is on the <tt>recursive_acl</tt> list.
This is what a mararc file which provides recursive DNS over TCP and UDP will look like:
<pre>
ipv4_bind_addresses = "10.1.2.3"
chroot_dir = "/etc/maradns"
recursive_acl = "10.0.0.0/8"
tcp_convert_acl = "10.0.0.0/8"
tcp_convert_server = "10.1.2.3"
</pre>
If both <tt>maradns</tt> and <tt>zoneserver</tt> are running, this mararc file will provide recursive DNS for anyone with an IP starting with the number "10" (this is a special network for private IPs) on a machine with the IP 10.1.2.3.
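The following is an added example (not MaraDNS's own code) that models the ACL policy described above: a TCP client is served only if it is in <tt>tcp_convert_acl</tt>, and the query handed to <tt>maradns</tt> asks for recursion only if the client is also in <tt>recursive_acl</tt>. It parses a constructed mararc fragment, assumes ACL values are comma-separated IPv4 addresses or CIDR blocks, and warns when <tt>tcp_convert_acl</tt> fails to cover part of <tt>recursive_acl</tt> (those clients would get recursion over UDP but be refused over TCP).

```python
import ipaddress
import re

# Constructed mararc text, modelled on the recursive example in the text above.
SAMPLE_MARARC = '''
ipv4_bind_addresses = "10.1.2.3"
chroot_dir = "/etc/maradns"
recursive_acl = "10.0.0.0/8"
tcp_convert_acl = "10.0.0.0/8"
tcp_convert_server = "10.1.2.3"
'''


def parse_mararc(text):
    """Collect name = "value" lines into a dict; blank and '#' comment lines are skipped."""
    conf = {}
    for line in text.splitlines():
        m = re.match(r'^\s*(\w+)\s*=\s*"([^"]*)"\s*$', line.split("#", 1)[0])
        if m:
            conf[m.group(1)] = m.group(2)
    return conf


def parse_acl(value):
    """ACL string (assumed comma-separated IPv4 addresses or CIDR blocks) -> networks."""
    return [ipaddress.ip_network(item.strip(), strict=False)
            for item in value.split(",") if item.strip()]


def in_acl(ip, acl):
    return any(ipaddress.ip_address(ip) in net for net in acl)


def tcp_query_outcome(conf, client_ip, recursion_desired):
    """Model of the policy described in the text (not zoneserver's own code):
    refuse TCP clients outside tcp_convert_acl, and only pass recursion on to
    maradns when the client is also listed in recursive_acl."""
    if not in_acl(client_ip, parse_acl(conf.get("tcp_convert_acl", ""))):
        return "refused"
    if recursion_desired and in_acl(client_ip, parse_acl(conf.get("recursive_acl", ""))):
        return "forwarded-recursive"
    return "forwarded-nonrecursive"


def acl_warnings(conf):
    """Flag recursive_acl networks that tcp_convert_acl does not fully cover."""
    tcp_acl = parse_acl(conf.get("tcp_convert_acl", ""))
    return [f"recursive_acl entry {net} is not covered by tcp_convert_acl"
            for net in parse_acl(conf.get("recursive_acl", ""))
            if not any(net.subnet_of(t) for t in tcp_acl)]
```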
<h2>Long packets</h2>
<tt>maradns</tt>, the UDP DNS server, in compliance with RFC1035 section 2.3.4, will not output a packet longer than 512 bytes. This is sufficient packet size for well over 99% of the DNS traffic out there.

Since long packets take extra memory to store, they are only enabled when MaraDNS is compiled as an authoritative-only DNS server.
To compile MaraDNS as an authoritative-only server:
<ol>
<li>Compile MaraDNS as an authoritative-only nameserver:
<pre>
./configure --authonly
</pre>
<li>Install MaraDNS as an authoritative-only nameserver:
<li>Make sure any existing copy of maradns with recursive support has
<pre>
rm /usr/local/sbin/maradns
</pre>
(The authoritative-only binary has the name maradns.authonly)
</ol>
At this point, one uses the <tt>long_packet_ipv4</tt> mararc variable to tell <tt>maradns.authonly</tt> which IPs we will send long UDP packets to. This value is usually the same value as is set for <tt>ipv4_bind_addresses</tt>.
<tt>long_packet_ipv4</tt> is a list of IPs <tt>maradns.authonly</tt> will send RFC-violating long UDP packets to. When <tt>zoneserver</tt> listens for a UDP reply from <tt>maradns</tt>, the <tt>zoneserver</tt> program will be able to process long UDP packets, converting them into RFC-compliant TCP DNS packets.

Note that the <tt>zoneserver</tt> program, like the <tt>maradns</tt> program, is changed when compiled after <tt>./configure --authonly</tt>. These changes are needed for the zoneserver to accept long DNS packets.
This is what a <tt>mararc</tt> file which provides authoritative DNS over TCP and UDP, sending long UDP packets to the TCP server to process,