dnscache
Purpose
dnscache is a non-authoritative DNS cache server, forwarder and recurser. It supports UDP and TCP queries over IPv4 and IPv6, both towards the requesting client and towards the name servers (NS) it consults. EDNS0 is supported for incoming (ingress) DNS messages. dnscache can encrypt DNS queries and decrypt DNS responses using DNSCurve, in both the 'streamlined' and the 'txt' format. It does not support DNSSEC, neither for querying nor for validation. dnscache can bind to IPv4 and IPv6 addresses simultaneously and supports 'reverse IPv6 anycasting'.
Programs
System Setup
It is preferable to install D.J. Bernstein's daemontools or Bruce Guenter's daemontools-encore. Further alternatives are Gerrit Pape's runit, though in principle systemd and any of its derivatives, or the s6 toolbox for managing Unix services, will do.
With either of the first two installed, dnscache-conf can be used to set up dnscache.
dnscache runs chrooted as a dedicated user, typically dnscache, with its service directory usually located at /etc/dnscache.
The run script for dnscache looks like:
Here, envdir is used to source dnscache's ./env directory and populate the required environment variables, while softlimit may be used to restrict the heap memory (relevant for TCP handling only). Before dnscache is called, a random seed needs to be made available on its standard input.
dnscache logs to STDOUT, which should be managed by multilog running under a dedicated system user, with log rotation.
A run script for multilog can be very generic:
It should be noted that dnscache writes condensed log lines without a timestamp, appending them to the current log file (multilog's t option prepends a TAI64N timestamp to each line). It is therefore advisable to restrict the log file size and the number of rotated files.
systemd Setup
systemd needs a little tweaking to make it work with dnscache. Here is a step-by-step approach:
- Install daemontools to have the required additional tools available (in particular envuidgid).
- Use the above run script to invoke dnscache (at first manually).
- This run script then needs to be called by systemd from a dedicated unit file, dnscache.service, describing dependencies and invocation.
Certainly, some changes are required here (e.g. SyslogFacility). The unit file has to be placed into your systemd configuration directory. Afterwards, dnscache can be started by means of systemctl start dnscache.
Note: It is strongly advised to disable systemd's own DNS cache service (systemd-resolved), since it would otherwise compete for port 53 and /etc/resolv.conf! Consider including dnscache's listening IP address into /etc/resolv.conf. Be aware, however, that entries there are potentially subject to being overwritten by DHCP clients!
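The run scripts, seed file and systemd unit referred to in the two sections above, assembled as an added example. This is not djbdnscurve6's own dnscache-conf output and does not reproduce the page's original scripts. It assumes the daemontools tools (envdir, envuidgid, softlimit, setuidgid, multilog) in the PATH, dnscache installed at /usr/local/bin/dnscache, the service directory /etc/dnscache, the users dnscache and dnslog, an env file DATALIMIT consumed by softlimit as in djbdns, and that dnscache reads its 128-byte seed from standard input; the pipe from the run script into multilog inside the unit file is likewise an assumption of this example.

```sh
#!/bin/sh
# Added example (not part of djbdnscurve6): bootstrap a daemontools-style
# service directory for dnscache plus a systemd unit that starts it.
# Paths, user names and the DATALIMIT env file are assumptions.
set -eu

# Layout created: $SVC/run, $SVC/seed, $SVC/env/, $SVC/log/run, $SVC/log/main
write_run_scripts() {
  svc=$1
  mkdir -p "$svc/env" "$svc/log/main"   # chown dnslog:dnslog log/main on a real system

  # dnscache reads its random seed from fd 0; softlimit -d caps the data
  # segment (heap), which only matters for TCP handling.
  cat > "$svc/run" <<'EOF'
#!/bin/sh
exec 2>&1
exec <seed
exec envdir ./env sh -c '
  exec envuidgid dnscache softlimit -o250 -d "$DATALIMIT" /usr/local/bin/dnscache
'
EOF

  # multilog: t = TAI64N timestamp, s = 1 MB per file, n = keep 10 files
  cat > "$svc/log/run" <<'EOF'
#!/bin/sh
exec setuidgid dnslog multilog t s1000000 n10 ./main
EOF
  chmod 755 "$svc/run" "$svc/log/run"
  echo 3000000 > "$svc/env/DATALIMIT"   # 3 MB heap limit (assumed env file name)
}

# 128 bytes from /dev/urandom: the amount dnscache consumes from stdin
make_seed() {
  dd if=/dev/urandom of="$1/seed" bs=128 count=1 2>/dev/null
  chmod 600 "$1/seed"
}

# systemd unit: run the daemontools run script and pipe its output into
# multilog, which (as under supervise) runs with the log directory as cwd.
write_unit() {
  cat > "$1/dnscache.service" <<'EOF'
[Unit]
Description=dnscache (djbdnscurve6) caching resolver
After=network.target
Wants=network.target

[Service]
WorkingDirectory=/etc/dnscache
ExecStart=/bin/sh -c 'exec ./run | (cd log && exec ./run)'
Restart=always
RestartSec=2
SyslogFacility=daemon

[Install]
WantedBy=multi-user.target
EOF
}

# Sanity check a service directory before handing it to svscan or systemd
check_svcdir() {
  svc=$1
  [ -x "$svc/run" ] || { echo "missing or non-executable $svc/run"; return 1; }
  [ -x "$svc/log/run" ] || { echo "missing or non-executable $svc/log/run"; return 1; }
  [ "$(wc -c < "$svc/seed" | tr -d ' ')" -eq 128 ] || { echo "seed must be 128 bytes"; return 1; }
  grep -q 'envdir ./env' "$svc/run" || { echo "run script does not source ./env"; return 1; }
  return 0
}

# Usage (as root, after installing daemontools or daemontools-encore):
#   write_run_scripts /etc/dnscache && make_seed /etc/dnscache && check_svcdir /etc/dnscache
#   write_unit /etc/systemd/system && systemctl daemon-reload && systemctl start dnscache
```

Before enabling the unit, run ./run by hand once from /etc/dnscache and confirm that dnscache answers on the address in ./env/IP; with Restart=always a misconfigured service would otherwise loop silently into multilog.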
Service Configuration
dnscache can run in two different operational modes:
- As forwarder: recursive DNS queries are simply forwarded (unaltered) to the given upstream DNS cache servers. Set $FORWARDONLY to enable this mode.
- As recurser: recursive queries are turned into iterative queries, contacting the authoritative DNS servers directly.
In both cases the DNS responses are cached. In recursion mode, encryption of the DNS messages is enabled automatically if the upstream name server supports DNSCurve, i.e. its NS name includes its public key.
The main dnscache configuration is provided in the directory ./env. Here one defines in particular the following files:
- IP: The IP addresses dnscache listens on.
- IPSEND: The IP address used as source for queries sent to upstream NS.
- CACHESIZE: The size of its cache (in bytes).
- ROOT: The path to the 'root' directory (could be on a RAM disk).
- UZ5FALLBACK: The value here should stay at 2.
- USETXTFORMAT: DNSCurve query packet mode (streamlined or txt format).
- FORWARDONLY: Sets dnscache to forward-only mode.
Client Qualification
Queries from clients are accepted by dnscache if the sending IPv4 or IPv6 address is listed in the directory ./root/ip as a file name, given by its most significant octets (so a file named 192.168 admits the whole 192.168.0.0/16 range). Exceptions are defined by prepending a hash sign # to a given IP address here.
Name Server Qualification
Name Server (NS) qualification is achieved in two steps:
- Root servers or other DNS cache servers are given by their IP addresses in the 'hint file' ./root/servers/@. Any other domain can be listed here as a file named after the domain, containing the IP addresses of its name servers. Reverse zones follow the same convention, with the reverse IP name as file name.
- If the content of the file ./env/FLAGEDSERVER equals one, particular NS can be 'blacklisted' by providing their IP address in ./root/ip/, touching a file named after the IP address prepended with a percent sign %.
Content Configuration
dnscache uses the ./root/servers directory to store information about the name servers to consult:
- The IP addresses of the Internet's 13 DNS root servers are given in the hint file named '@'. Occasionally root servers (named [a-m].root-servers.net) change their addresses; the new IP addresses then need to be added here and the old entries removed.
- Delegation to your own domains and name servers is possible by simply adding a file named after your domain (zone), say 'example.com', listing the IP addresses of its name servers.
- Reverse zones can also be defined using their inverse IP name, like 1.168.192.in-addr.arpa, again listing the IP addresses of the name servers. For convenience, the reverse zone file can simply be a link to the zone file itself.
Invoking dnscache-conf looks for the file /etc/dnsroots.global and copies its content to @; otherwise it complains and stops. An additional script is provided in djbdnscurve6's source ./scripts directory which queries the IPv4 and IPv6 addresses of the root name servers (using different DNS tools) and builds a tailored list from them.
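An added example (not part of djbdnscurve6) that builds the ./env and ./root tree described in the Service Configuration, Client Qualification, Name Server Qualification and Content Configuration sections above for a forward-only instance, and models the lookups against ./root/ip in shell so the layout can be checked before the daemon is started. All addresses are constructed (RFC 5737 documentation and RFC 1918 ranges). The precedence of '#' exceptions over allow entries, the exact-address match for '%' entries, the meaning of the USETXTFORMAT values and the IPv4-only octet stripping are assumptions of this model, not guaranteed behaviour of dnscache.

```sh
#!/bin/sh
# Added example (not djbdnscurve6 code): create ./env and ./root for a
# forward-only dnscache and model the client/NS qualification lookups.
# All IP addresses below are constructed sample values.
set -eu

# Write the ./env files. Values are examples; ROOT must be an absolute path.
mk_env() {
  e=$1/env
  mkdir -p "$e"
  echo 127.0.0.1 > "$e/IP"           # address dnscache listens on
  echo 0.0.0.0   > "$e/IPSEND"       # source address for upstream queries
  echo 4000000   > "$e/CACHESIZE"    # 4 MB cache, in bytes
  echo "$1/root" > "$e/ROOT"         # chroot directory (may be on a RAM disk)
  echo 2         > "$e/UZ5FALLBACK"  # leave at 2
  echo 0         > "$e/USETXTFORMAT" # assumed: 0 = streamlined, 1 = txt format
  echo 1         > "$e/FORWARDONLY"  # forward recursive queries to the @ servers
  echo 1         > "$e/FLAGEDSERVER" # honour %-prefixed NS blacklist entries
}

# ./root/ip: one file per allowed client prefix (most significant octets);
# a leading '#' denies that prefix, a leading '%' blacklists a name server.
# ./root/servers: hint file '@' plus one file per delegated zone.
mk_root() {
  r=$1/root
  mkdir -p "$r/ip" "$r/servers"
  touch "$r/ip/127.0.0.1" "$r/ip/192.168" "$r/ip/#192.168.1.50" "$r/ip/%192.0.2.99"
  # '@': upstream caches in forward-only mode (root servers otherwise)
  printf '%s\n' 192.0.2.53 198.51.100.53 > "$r/servers/@"
  # delegate example.com to its own name servers ...
  printf '%s\n' 192.0.2.10 192.0.2.11 > "$r/servers/example.com"
  # ... and its reverse zone, as a link to the same list
  ln -sf example.com "$r/servers/2.0.192.in-addr.arpa"
}

build_svcdir() { mk_env "$1"; mk_root "$1"; }

# Model of the client check: strip trailing octets until a file matches.
# Assumption: a '#' exception at any prefix length wins over an allow entry.
okclient() {  # $1 = root/ip directory, $2 = client IPv4 address; 0 = accept
  p=$2
  while :; do
    [ -e "$1/#$p" ] && return 1
    case $p in *.*) p=${p%.*} ;; *) break ;; esac
  done
  p=$2
  while :; do
    [ -e "$1/$p" ] && return 0
    case $p in *.*) p=${p%.*} ;; *) break ;; esac
  done
  return 1
}

# Model of the NS blacklist: exact-address '%' file, only with FLAGEDSERVER=1.
ns_blacklisted() {  # $1 = service directory, $2 = NS address; 0 = blacklisted
  [ "$(cat "$1/env/FLAGEDSERVER" 2>/dev/null)" = 1 ] && [ -e "$1/root/ip/%$2" ]
}

# Usage:
#   build_svcdir /etc/dnscache
#   okclient /etc/dnscache/root/ip 192.168.1.7 && echo accepted
#   ns_blacklisted /etc/dnscache 192.0.2.99 && echo "NS blacklisted"
```

Because the '#' and '%' entries live in the same directory as the allow list, review ./root/ip with ls -a after every change: a stray allow file such as 10 or 192 silently opens the resolver to a whole /8, which is exactly the open-resolver misconfiguration the client qualification is meant to prevent.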