Upon sending iterative queries, dnscache uses the received FQDN of authoritative name servers to evaluate their potential usage for encryption in case the hostname starts with uz5. Subsequently dnscache will automatically encrypt queries to those servers identified as DNSCurve capable. Both queries and responses are then encrypted using either the proprietary DNSCurve stream format or, if the environment variable $USETXTFORMAT is set, the less performant TXT format, which copes with deep-packet-inspecting firewalls that analyse DNS traffic and expect a standard DNS header.
In case the name server does not respond to encrypted UDP queries, dnscache falls back to unencrypted queries.
dnscache may be used in a forward only mode.
dnscache runs chrooted in the directory specified by the $ROOT environment variable, under the uid and gid specified by the $UID and $GID environment variables. In case $USETEXTFORMAT is set, dnscache will send queries even for DNSCurve-enabled name servers using standard DNS TXT headers.
dnscache can be advised to go to unencrypted fallback mode if the hostname of the name server starts with uz5 but the server does not respond to encrypted UDP queries for this lookup. This behavior is controlled by the environment variable UZ5FALLBACK=n. A value like n=1 might impact correctly behaving DNSCurve name servers which do not respond to the initial query, while larger values like n=3 delay name resolution for those name servers significantly. Setting UZ5FALLBACK=0 disables fallback mode, which is the default.
The value UZ5FALLBACK=2 is initially set up by dnscache-conf.
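As an added example (not code from djbdnscurve6 or its author), the following POSIX shell snippet classifies name-server hostnames the way the fallback logic above keys on them and writes a validated env/UZ5FALLBACK into a dnscache service directory. The length and alphabet checks go beyond the plain uz5 prefix the text mentions: they follow the DNSCurve key encoding (a 32-byte public key as 51 base32 characters after uz5), which is this example's assumption; the service directory path in the usage note is a placeholder.

```sh
#!/bin/sh
# Added example: classify name servers by DNSCurve hostname and manage
# env/UZ5FALLBACK. Not part of djbdnscurve6 itself.

# Returns 0 when the first label of a hostname carries a DNSCurve public key:
# "uz5" followed by 51 base32 characters (54 in total) from DNSCurve's
# alphabet 0123456789bcdfghjklmnpqrstuvwxyz. dnscache itself only looks at
# the uz5 prefix; the stricter length/alphabet check is this example's choice.
is_dnscurve_ns() {
    label="${1%%.*}"                      # first label of the FQDN only
    case "$label" in
        uz5*) ;;
        *) return 1 ;;
    esac
    [ "${#label}" -eq 54 ] || return 1
    key="${label#uz5}"
    case "$key" in
        *[!0-9bcdfghjklmnpqrstuvwxyz]*) return 1 ;;   # outside the alphabet
    esac
    return 0
}

# Writes env/UZ5FALLBACK under the given service directory after checking the
# value is a non-negative integer. 0 disables fallback (encrypted only); n>0
# lets dnscache fall back to unencrypted queries after n unanswered encrypted
# UDP queries, so larger n delays resolution for unresponsive uz5 servers.
set_uz5fallback() {
    svcdir="$1"
    n="$2"
    case "$n" in
        ''|*[!0-9]*)
            echo "UZ5FALLBACK must be a non-negative integer, got '$n'" >&2
            return 1 ;;
    esac
    mkdir -p "$svcdir/env" || return 1
    printf '%s\n' "$n" > "$svcdir/env/UZ5FALLBACK"
}

# Reads the current setting; prints 0 (the documented default) when unset.
get_uz5fallback() {
    if [ -r "$1/env/UZ5FALLBACK" ]; then
        head -n 1 "$1/env/UZ5FALLBACK"
    else
        echo 0
    fi
}
```

Typical use is `set_uz5fallback /etc/dnscache 2` (the path is a placeholder), which reproduces the value dnscache-conf writes initially; `is_dnscurve_ns` can be run over the NS names returned for a zone to see which servers dnscache will try to reach encrypted.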
Given a host scope, one typically uses the addresses 127.0.0.1, ::1, or fe80::1%lo0. In those cases, dnscache serves only the host itself.
Setting up dnscache on a private network requires private IPv4 addresses, while for IPv6 ULA and LLU addresses can be used. Examples: 10.10.10.53, fd00::53, fe80::53%eth0.
dnscache is able to serve all existing IP addresses on the host (multi-homing). For IPv4 specify 0.0.0.0 and for IPv6 set :: within env/IP.
In case of ::, dnscache additionally supports reverse anycasting for IPv6: dnscache will then accept IPv6 packets from every available interface, even if dynamically allocated.
dnscache forces simultaneous bind to IPv4 and IPv6 addresses in case a 'pseudo' IP address is specified as :0. However, this will not trigger reverse anycasting support.
dnscache sends outgoing packets from high ports of $IPSEND. Typically $IPSEND is 0.0.0.0 or ::, meaning the machine's primary IP address covering both IPv4 and IPv6. However, a specific sending IP address can be used, which might be distinct from the receiving ones.
dnscache will reject packets or connections from IP addresses marked as 'commented out' in the ip directory, e.g. ip/#2001::fec, ip/#192.168.1. Rejections have precedence over acceptance. Note: in any case, the delimiter (either '.' or ':') shall not be used as the last character.
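To make the precedence rule concrete, here is an added POSIX shell emulation (not dnscache's own matching code) of a client-address lookup against an ip/ directory: a matching '#' entry rejects the client whatever else matches, and entries ending in a delimiter are flagged. Aligning the prefix match on the '.' and ':' delimiters is this example's approximation of dnscache's behaviour; the directory and addresses in the test are constructed.

```sh
#!/bin/sh
# Added example: emulate ip/ directory matching with reject precedence.
# An approximation for illustration, not the matching code inside dnscache.

# prefix_matches PREFIX ADDR: PREFIX is the whole address or is followed by a
# '.' or ':' delimiter in ADDR, so "192.168.1" covers 192.168.1.5 but not
# 192.168.10.5.
prefix_matches() {
    case "$2" in
        "$1"|"$1".*|"$1":*) return 0 ;;
    esac
    return 1
}

# client_allowed IPDIR ADDR: 0 if ADDR is accepted, 1 if rejected.
# Any matching "#"-prefixed entry rejects immediately; otherwise the client is
# accepted only if some plain entry matches.
client_allowed() {
    ipdir="$1"
    addr="$2"
    verdict=1
    for f in "$ipdir"/*; do
        [ -e "$f" ] || continue            # empty directory: glob stays literal
        entry="${f##*/}"
        case "$entry" in
            '#'*)
                if prefix_matches "${entry#?}" "$addr"; then return 1; fi ;;
            *)
                if prefix_matches "$entry" "$addr"; then verdict=0; fi ;;
        esac
    done
    return $verdict
}

# ip_dir_lint IPDIR: reports entries whose address part ends in a delimiter,
# which must not be used as the last character. Returns 1 if any were found.
ip_dir_lint() {
    bad=0
    for f in "$1"/*; do
        [ -e "$f" ] || continue
        entry="${f##*/}"
        case "$entry" in
            '#'*) body="${entry#?}" ;;
            *)    body="$entry" ;;
        esac
        case "$body" in
            *.|*:) echo "ip/$entry: must not end with '.' or ':'" >&2; bad=1 ;;
        esac
    done
    return $bad
}
```

Running `ip_dir_lint` against a service directory's ip/ before starting dnscache catches the trailing-delimiter mistake, and `client_allowed` lets you check from a shell which clients a given ip/ layout will serve.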
In case $IP4 is set, dnscache will contact only name servers given by their IPv4 address.
dnscache reads a list of root servers, given as dotted-decimal IPv4 and/or compactified IPv6 addresses one per line, from the file servers/@.
A total of 32 name servers is handled, which are specified in dotted-decimal IPv4 or compactified IPv6 format. Name servers specified by their IPv6 LLU addresses need to include the name of the interface through which they are reachable.
dnscache also scans the servers directory for server IP addresses for other domains. If there are addresses listed in servers/moon.af.mil, for example, then dnscache will send queries for anything.moon.af.mil to those addresses, and will not cache records for anything.moon.af.mil from outside servers such as the root servers.
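The following added POSIX shell snippet (this example's own, not part of djbdnscurve6) checks a servers/ file against the rules above, that is, one dotted-decimal IPv4 or compactified IPv6 address per line, link-local addresses carrying an interface name, and at most 32 entries, and shows how a query name is mapped to the most specific servers/ file. The IPv6 check is a syntax check only, skipping blank lines is this example's choice, and the addresses and zone names used in the test are constructed.

```sh
#!/bin/sh
# Added example: sanity-check dnscache servers/ files. Not djbdnscurve6 code.

# is_ipv4 ADDR: four dotted-decimal octets, each 0..255, no trailing dot.
is_ipv4() {
    addr="$1"
    case "$addr" in *.) return 1 ;; esac
    oifs="$IFS"; IFS=.; set -- $addr; IFS="$oifs"
    [ $# -eq 4 ] || return 1
    for octet; do
        case "$octet" in ''|*[!0-9]*) return 1 ;; esac
        [ "$octet" -le 255 ] || return 1
    done
    return 0
}

# is_ipv6 ADDR[%IFACE]: hex groups separated by ':' with at most one "::".
# Link-local addresses (fe80: prefix) must carry %IFACE, the interface through
# which the server is reachable. Syntax check only, not a full parser.
is_ipv6() {
    addr="$1"; iface=""
    case "$addr" in
        *%*) iface="${addr#*%}"; addr="${addr%%%*}" ;;   # strip '%iface'
    esac
    case "$addr" in
        *:*) ;;
        *) return 1 ;;
    esac
    case "$addr" in *[!0-9A-Fa-f:]*|*:::*) return 1 ;; esac
    rest="${addr#*::}"
    case "$rest" in *::*) return 1 ;; esac               # second "::"
    case "$addr" in
        [Ff][Ee]80:*) [ -n "$iface" ] || return 1 ;;
    esac
    return 0
}

# servers_file_check FILE: every non-blank line must be an IPv4 or IPv6
# address, and only 32 entries are used by dnscache.
servers_file_check() {
    file="$1"; n=0
    while IFS= read -r line || [ -n "$line" ]; do
        [ -n "$line" ] || continue
        n=$((n + 1))
        if is_ipv4 "$line" || is_ipv6 "$line"; then
            continue
        fi
        echo "$file: invalid address '$line'" >&2
        return 1
    done < "$file"
    if [ "$n" -gt 32 ]; then
        echo "$file: $n entries, dnscache handles only 32" >&2
        return 1
    fi
    return 0
}

# servers_file_for SERVERSDIR NAME: print the most specific servers/ file
# covering NAME (servers/moon.af.mil for anything.moon.af.mil), falling back
# to servers/@, the root servers.
servers_file_for() {
    dir="$1"; name="$2"
    while [ -n "$name" ]; do
        if [ -f "$dir/$name" ]; then echo "$dir/$name"; return 0; fi
        case "$name" in
            *.*) name="${name#*.}" ;;
            *)   name="" ;;
        esac
    done
    echo "$dir/@"
}
```

A misconfigured servers/ file silently shrinks the set of usable servers or sends queries nowhere, so running `servers_file_check` over every file in servers/ at deploy time is cheap insurance; `servers_file_for` mirrors the forwarding rule in the paragraph above for spot checks.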
dnscache asks the operating system to reserve a 128K buffer for bursts of incoming UDP queries. If a new UDP query arrives when dnscache is already handling 400 simultaneous UDP queries, dnscache drops the oldest query. If a new TCP connection arrives when dnscache is already handling 40 simultaneous TCP connections, dnscache drops the oldest connection.
dnscache uses a fixed-size cache, as controlled by the $CACHESIZE environment variable. Roughly 5% of the cache is used for a hash table. The rest is used for cache entries (including 8-byte Y2038-compliant expiration times).
Sets larger than 8192 bytes are not cached.
dnscache does not exit when it runs out of space in its cache; it simply removes the oldest entries to make more space.
dnscache does not cache (or pass along) records outside the server's bailiwick; those records could be poisoned. Records for foo.dom, for example, are accepted only from the root servers, the dom servers, and the foo.dom servers.
dnscache does not bypass its cache to obtain glue from the additional section of a response. In particular, it will not use glue outside the server's bailiwick, or glue with TTL 0, or glue that violates other caching policies.
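The bailiwick rule in the two paragraphs above is the main defence against cache poisoning, so here is an added POSIX shell illustration of it (this example's own code, not dnscache's): a check whether a record owner lies inside the answering server's zone, and a filter that drops out-of-bailiwick records and TTL 0 glue from an additional section. The "owner ttl type rdata" line format and the sample records are constructed for the example.

```sh
#!/bin/sh
# Added example: bailiwick check in the spirit of dnscache's caching policy.
# Not dnscache's own code; the record line format here is constructed.

# in_bailiwick NAME ZONE: 0 if a record for NAME may be accepted from the
# servers for ZONE, i.e. NAME equals ZONE or lies below it. The root zone
# ("." or empty) covers everything. Case-insensitive, trailing dot ignored.
in_bailiwick() {
    name=$(printf '%s' "$1" | tr 'A-Z' 'a-z'); name="${name%.}"
    zone=$(printf '%s' "$2" | tr 'A-Z' 'a-z'); zone="${zone%.}"
    [ -n "$zone" ] || return 0
    case "$name" in
        "$zone"|*."$zone") return 0 ;;
    esac
    return 1
}

# filter_glue ZONE: read "owner ttl type rdata" lines (an additional section)
# on stdin and print only records that are inside ZONE's bailiwick and have
# a non-zero TTL; everything else is reported on stderr and not cached.
filter_glue() {
    while IFS= read -r rec || [ -n "$rec" ]; do
        owner="${rec%% *}"
        rest="${rec#* }"; ttl="${rest%% *}"
        case "$ttl" in
            ''|*[!0-9]*) printf 'dropped (bad TTL): %s\n' "$rec" >&2; continue ;;
        esac
        if ! in_bailiwick "$owner" "$1"; then
            printf 'dropped (out of bailiwick): %s\n' "$rec" >&2
        elif [ "$ttl" -eq 0 ]; then
            printf 'dropped (TTL 0 glue): %s\n' "$rec" >&2
        else
            printf '%s\n' "$rec"
        fi
    done
}
```

With the example records from the text, `in_bailiwick foo.dom dom` succeeds while `in_bailiwick foo.dom bar` fails: a record for foo.dom is taken from the root, dom, or foo.dom servers only. Note the `*."$zone"` pattern, which keeps foodom out of dom's bailiwick; a plain suffix comparison would get this wrong.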
dnscache caches records for at most a week. It interprets TTLs above 2147483647 as 0.
dnscache does not cache SOA records. However, it does use SOA TTLs to determine cache times (up to an hour) for zero-record responses and nonexistent domains.
dnscache tries to prevent local users from snooping on other local users. It discards non-recursive queries; it discards inverse queries; and it discards zone-transfer requests. If $HIDETTL is set, dnscache always uses a TTL of 0 in its responses.
According to RFC 1035, the AA bit "specifies that the responding name server is an authority for the domain name in question section."
dnscache is not an authority for any domain names.
dnscache never sets the AA bit (except in NXDOMAIN responses, as required by RFC 2308, to work around a common client bug). In contrast, BIND often sets AA for positive responses even when it is not an authority for the domain name.
dnscache handles dotted-decimal domain names internally, giving (e.g.) the domain name 192.48.96.2 an A record of 192.48.96.2.