dan
/
tor-android
1
0
Fork 0
Code Issues Pull Requests Releases Wiki Activity
tor-android/jni/pdnsd/doc/txt/manual.txt

2018 lines
108 KiB
Plaintext
Raw Blame History

pdnsd Documentation
This is the "official" pdnsd documentation and reference written by Thomas
Moestl with revisions by Paul A. Rombouts.
This manual is a part of the pdnsd package, and may be distributed in original
or modified form under terms of the GNU General Public License, as published by
the Free Software Foundation; either version 3, or (at your option) any later
version.
You can find a copy of the GNU GPL in the file COPYING in the source or
documentation directory.
This manual is up-to-date for version 1.2.9b. For older documentation, please
refer to the doc directory of the respective pdnsd package.
If you want a quicker introduction to pdnsd, you can try some of the HOWTOs
available on the web. For Apple Mac users, Brian Wells has published a good
HOWTO at http://web.mac.com/brianwells/main/pdnsd.html.
0. Installation
0.1 Installing binary RPM's
To install a binary RPM, just do
rpm -i pdnsd-<version>.rpm
This should install pretty much everything automatically. The only thing left
for you to do is adapt your configuration file (stored in /etc/pdnsd.conf)
according to your needs (see below). In the Red Hat and SuSE RPMs, a start
script is also installed; read the section 0.4, Start at Boot Time about that.
0.2 Building RPM's
It is possible to build a binary RPM from a source package using the command
rpmbuild --rebuild pdnsd-<version>.src.rpm
or alternatively from a tarball using the command
rpmbuild -tb pdnsd-<version>.tar.gz
You can do this as root, but it is safer to build a binary package first as a
normal user, and then, when all has gone well, install the resulting binary
package as root as in the previous section. How to build an RPM package without
being root is described at http://www.ibm.com/developerworks/linux/library/
l-rpm1/.
Several pdnsd-specific options are available when building RPM packages:
--with isdn Has the same effect as --enable-isdn (see below).
--without poll Has the same effect as --disable-poll (see below).
--without nptl Has the same effect as --with-thread-lib=linuxthreads (
see below).
--with ipv6 Has the same effect as --enable-ipv6 (see below).
--without tcpqueries Has the same effect as --disable-tcp-queries (see below
).
--without debug Has the same effect as --with-debug=0 (see below).
--define "distro < Has the same effect as --with-distribution=<distro> (
distro>" see below).
--define "run_as_user Has the same effect as --with-default-id=<user> (see
<user>" below).
For RPMs the default <user> is "pdnsd".
If the user defined by the previous option does not
--define "run_as_uid < exist when the RPM is installed, the pre-install script
uid>" will try to create a new user with numerical id <uid>.
The default is to let the system choose the numerical
id at install time.
--define "cachedir < Has the same effect as --with-cachedir=<dir> (see below
dir>" ).
You can also configure which compiler flags will be used by setting the
environment variable CFLAGS. Using a bash shell, you can do that on the command
line like this: CFLAGS="-O1 -Wall" rpmbuild ...
This is useful if you prefer a different level of optimization, for instance.
0.3 Installing from pure sources (tar archives or git repositories)
0.3.1 Setting up the source code tree
Source code is available in the form of snapshots (tarballs) or a git
repository with the very latest development code and a (nearly) complete
history of all the revisions. Cloning a git repository is useful if you need a
recent fix or feature that is not yet contained in a main release or you want
to participate in pdnsd development. Otherwise you will probably find the
tarballs more convenient because they are much more compact.
0.3.1.1 Unpacking a tar archive
The pdsnsd snapshot releases come in the form of a gzip'ed tar archive. To
decompress it (using a modern tar) do
tar -xzf pdnsd-<version>.tar.gz
If your tar doesn't do this, use:
gzip -dc pdnsd-<version>.tar.gz | tar -xf -
0.3.1.2 Cloning a git repository
To clone a git repository you need to install, if not already installed, the
git version control system, which is available as a package in most modern
Linux distributions. Then run the command:
git clone git://gitorious.org/pdnsd/pdnsd.git pdnsd
In rare cases, if you are behind some kind of firewall, the special git
protocol can't be used and you will need to fall back to the http protocol. See
the gitorious.org website or git documentation for more information.
0.3.2 Configuring the source
Change into the pdnsd source directory and run configure. It takes the
following command line options (if you do not specify an option, defaults will
be used):
Specify the prefix directory. The pdnsd files are
installed in subdirectories of the prefix, the
--prefix=dir pdnsd and pdnsd-ctl executables are for example
installed in the sbin subdirectory of the prefix.
The default for this is /usr/local; you might want
to set this to /usr (using --prefix=/usr).
Specify the config directory. pdnsd expects its
pdnsd.conf file to reside there if the -c option is
--sysconfdir=dir not given at startup. The default for this is the
etc subdirectory of your prefix, e.g. /usr/local/
etc if you did not specify a prefix. To set this
e.g. to /etc, use --sysconfdir=/etc.
--with-distribution= Specify target distribution (default=Generic;
distro others: RedHat, SuSE, Debian)
See below for the effect of these settings.
Change compilation target platform (default:
autodetect; others: Linux, BSD, Cygwin).
autodetect will attempt to detect whether you are
--with-target=platform using Linux, *BSD or Cygwin and should normally be
sufficient. If this does not work, try specifying
your system manually (for the Darwin platform
(Apple Mac OS X) specify BSD here).
Default directory for pdnsd cache (default=/var/
--with-cachedir=dir cache/pdnsd)
This setting can be changed via config file
settings when pdnsd has been built.
Number of hash buckets to use (default=1024). The
default should be sufficient for most purposes, but
if you want to store a large number of names in the
--with-hash-buckets=num cache, cache lookups may be faster if the number of
hash buckets is comparable to the number of names
stored in the cache. The number actually used is
the smallest power of two greater or equal to the
number specified here.
Enable ISDN support
This option will work only on Linux and may cause
--enable-isdn problems with 2.0.x or old 2.2.x kernels. You will
need it for a proper if uptest under Linux for ISDN
ppp devices.
--disable-ipv4 Disable IPv4 networking support (default=enabled)
Enable IPv6 networking support.
--enable-ipv6 If your OS does support IPv6 properly, you should
be able to serve also IPv4 queries using this.
Normally, this is disabled and you won't need it.
--disable-ipv4-startup Disable IPv4 on pdnsd startup by default (default=
enabled)
Enable IPV6 on pdnsd startup by default (default=
IPv4). These options are only defaults, you can
--enable-ipv6-startup specify on the command line or in the config files
which IP version will really be used. Normally, you
won't need to change these.
--disable-udp-queries Disable UDP as query method. You shouldn't need to
change this.
Disable TCP as query method. This only effects the
querying of name servers by pdnsd, not the ability
of pdnsd to answer TCP queries from clients. TCP
queries are slower than UDP queries, but can be
--disable-tcp-queries more secure against certain types of attacks and
are able to handle large answers. For normal use
this can be disabled. (Note that the default has
changed: TCP-query support is now compiled in by
default, but it still depends on the run-time
options whether it is actually used.)
Specify the query method (default=udponly, others:
tcponly, tcpudp, udptcp). If you have enabled both
UDP and TCP queries, this lets you control which
query method pdnsd will use by default. tcpudp will
try TCP first and fall back to UDP if TCP is not
--with-query-method=qm supported by the server; udptcp will try UDP first
and, if the answer was truncated, will repeat the
query using TCP. udponly and tcponly should be
clear. Note that this only effects the compiled-in
default; the query method can still be changed
using command-line options or options in the
configuration file.
Disable the TCP server. In this case pdnsd will not
--disable-tcp-server be able to respond to TCP queries from clients.
This may cause problems with very large answers.
Disable the UDP source address discovery.
You need this only if you have trouble with
--disable-src-addr-disc messages saying "could not discover udp source
address".
For the Cygwin target, this option is disabled by
default.
--disable-poll Disable poll(2) and use select(2) (default=enabled)
You will normally not need this.
Since version 1.2.9 this option is obsolete and
ignored. It is now possible to configure for each
--disable-new-rrs RR type separately whether it is cacheable by pdnsd
by editing the file src/rr_types.in. The comments
in this file explain how to do this.
Enforce strict RFC 2181 compliance.
This will cause pdnsd to reject DNS answers with
--enable-strict-rfc2181 incorrect timestamp settings (multiple RRs of the
same type and for the same domain with different
TTLs). Normally not needed.
This option is obsolete. Since version 1.2, pdnsd
--enable-underscores places no restrictions on the types of characters
in domain names (there are still a few restrictions
for locally defined names, though).
Specify random device; default: C Library random()
PRNG
pdnsd uses (pseudo-) random numbers as query IDs
for security reasons (this makes forging DNS
answers more difficult). This option controls where
pdnsd gets these from. The default is the C library
random() function, which is relatively weak. You
can specify a device like /dev/urandom here if you
--with-random-device= like; pdnsd will read random numbers from it
device 16-bit-wise. /dev/urandom is present under Linux
and most BSD derivates. You should not use /dev/
random - it is more secure, but may block and delay
pdnsd's answers for a long time.
You can specify arc4random to use the BSD
arc4random() library function (default for FreeBSD
target), which is considered safe.
You can also specify random as device to use the C
Library random() function (described above).
Specify default user for pdnsd (default=nobody).
This is the user that will be entered for the
--with-default-id=user run_as option in the config file (see below) that
will be installed during make install. You can
change this any time in your config file.
Specify debugging level. Normally you can safely
switch debugging off by setting the level to 0.
This will increase speed (although only marginally)
and save space in the executable (only about 12kB).
However, more significant may be the savings in
stack space, especially if pdnsd is put under heavy
load and there are many simultaneous running
threads.
Presently the only defined debug levels are in the
range 0 - 9. Setting the level to 9 enables hex
--with-debug=level dumps of the queries and replies pdnsd receives and
should normally not be needed. Debug output will
only be generated if you turn on special switches;
it might be useful for debugging your config files,
so I recommend using the default (1). However, if
you use pdnsd under heavy load, a better strategy
may be to compile one version of pdnsd without
debug support (configured with --with-debug=0) for
production use, and one version with with debug
support (e.g. --with-debug=9) for diagnostic
purposes.
--with-verbosity=level Specify default message verbosity. The default
should be ok.
Enable RCS IDs in executables (default=disabled).
--enable-rcsids For personal use, there is no need to do this. If
you build rpm's, it might have advantages.
Enable subsequent tcp queries. The DNS protocol
standard requires that servers must be capable of
answering multiple subsequent queries that are sent
over the same tcp connection, and that the server
may only close the connection by himself after a
certain timeout. This feature is rarely used, but
--enable-tcp-subseq may make denial-of-service attacks easier, as it
allows for an attacker to hold a connection open a
long time (although the attacker's IP is most
likely revealed then). For full standard
compliance, you should use this option. If you do
not use --enable-tcp-server, is option is not
honored.
Specify default tcp query timeout after which the
connection is closed if no full query has been
--with-tcp-qtimeout=secs received. The default is 30s. You can also change
this option at run time using the tcp_qtimeout
config file option. If you do not use
--enable-tcp-server, is option is not honored.
Specify the default number of queries that can be
executed in parallel. You can also change this
--with-par-queries=num option at run time using the par_queries config
file option. See the description of that option for
an explanation of what it really does.
The default for this option is 2.
New in version 1.2.9b: Specify the maximum number
of IP addresses that can be used per nameserver
obtained from NS records (when resolving names
recursively). Just one IP address per nameserver is
sufficient in the vast majority of cases (and this
--with-max-nameserver-ips was the strategy used by pdnsd in previous
=num versions), but in rare cases this will cause
unnecessary resolve failures if the address chosen
for each nameserver happens to be unreachable while
the other addresses would lead to successful
resolution.
The default for this option is 3.
Added by Paul Rombouts: Use this option if you
experience problems with signal handling under
Linux. The usual symptom is that pdnsd fails to
save the cache to disk, and /var/cache/pdnsd/
pdnsd.cache remains empty. If you experience this
kind of trouble, try reconfiguring with different
values for the --with-thread-lib option. The
allowable values are linuxthreads (or lt for
short), linuxthreads2 (or lt2 for short), and nptl.
By default the configure script tries to detect
--with-thread-lib=lib automatically whether linuxthreads or nptl is more
appropriate for your system, but the method used is
not foolproof. Look for the line: checking if this
is an NPTL-based system...
If the automatic test mistakenly indentifies the
thread library on your system as NPTL based, you
should reconfigure with --with-thread-lib=lt and
recompile. If the result of the automatic test is
"no" or if --with-thread-lib=lt does not have the
desired effect, try again using --with-thread-lib=
lt2 .
Normally, you will need only --prefix, --sysconfdir and --with-distribution. If
you specify your distribution using --with-distribution, this has the following
effects:
* An rc script is copied in the appropriate localtion, which enables pdnsd to
start at machine boot time (see 0.4)
* Distribution-specific portions might be included in the generated
pdnsd.spec file (only important if you want to build rpm archives
yourself).
If you choose Generic, no rc script is installed, and a generic spec file is
generated.
Further instructions are in the INSTALL document in the pdnsd source directory.
./configure --help will give you a list of all supported command line options.
Note added by Paul Rombouts: Some people may want change the compiler
optimization flag. I use the -O2 flag, but it might be safer to use a lower
level of optimization or no optimization at all. In that case prefix the
configure command with the desired compiler flags like this (assuming you're
using a bash shell):
CFLAGS="-O1 -Wall" ./configure ...
0.3.3 Building & installing
Type make in the source directory. Should work by now.
To install, type make install or do the installation by hand (see 0.3.4).
make install will do the following ($prefix is the prefix directory; see
above):
1. copies pdnsd to $(prefix)/sbin/
2. copies pdnsd-ctl to $(prefix)/sbin/
3. copies docs/pdnsd.conf.sample (a sample configuration) to the pdnsd config
directory.
4. creates your cache directory if it is not there. After installation, you
should check the file permissions and create or edit /etc/pdnsd.conf to fit
your needs (see below). If you use the run_as option, please make sure that
your cache directory is owned by the user you specified with this option!
You must be root for this installation!
Security notes: never make the pdnsd cache directory writeable for untrusted
users, or you will get several security holes: the users might modify the cache
contents, or plant dangerous links.
If you use a pidfile, you should be aware that you introduce security problems
if you place the pidfile in a directory in a NFS filesystem that is writeable
for untrusted users. Generally, the pidfile directory (typically /var/run)
should not be writeable for untrusted users.
0.3.4 Manual installation
For a manual installation, you need to do the following steps:
1. Copy pdnsd and pdnsd-ctl from your build directory to an appropriate
location (e.g. /usr/sbin).
2. Copy docs/pdnsd.conf into the directory you want it to reside (/etc by
default, and change it according to your needs (see below).
3. Create your caching directory; default is /var/cache/pdnsd (you may change
this in your pdnsd.conf); Permissions should be at max rwxr-xr-x (if you
want to protect your cache and status socket, make it rwx------).
Thats it!
0.4 Start at boot time
In the src/rc folder of the pdnsd distribution are start scripts for pdnsd
designed for different Linux distros. There are scripts for SuSE, Redhat,
Debian, Arch Linux and Slackware now.
The start scripts are automatically installed during RPM install, and also
during make install if you specified your distro.
For Slackware Linux there is a start-up script contributed by Nikola Kotur, but
presently it must be installed manually. See src/rc/README and src/rc/Slackware
/rc.pdnsd for details.
0.4.1 SuSE Linux startup
rc/SuSE/pdnsd is a start script for SuSE Linux. It was tested for 6.? but
should run on some versions below. You can do make install as root in the rc/
SuSE directory to install it, or you can install manually:
manual installation
For manual installation, copy rc/SuSE/pdnsd into /sbin/init.d/, go to /sbin/
init.d/rc2.d/ and create there the following two symlinks:
S11pdnsd to ../pdnsd (do ln -s ../pdnsd S11pdnsd in that dir)
K34pdnsd to ../pdnsd (do ln -s ../pdnsd K34pdnsd in that dir)
The numbers dictate the order different services are started and might need to
be modified. Then edit your /etc/rc.config file and add the line START_PDNSD=
yes to start pdnsd at boot time.
If you used the make install command, START_PDNSD=yes has been appended to your
/etc/rc.config file, causing pdnsd to be started at boot time. If you don't
want that, change the yes into no.
This start script was created from /sbin/init.d/skeleton by me, so the most is
copyrighted by SuSE. They put it under the GPL, however, so the license stated
in COPYING also applies to this script. There is NO WARRANTY OF ANY KIND on
these scripts. This is no official SuSE script, and SuSE naturally does NO
support for it.
0.4.2 Red Hat Linux startup
rc/Redhat/pdnsd is a start script for Red Hat Linux. It was contibuted by
Torben Janssen.
This was tested for 6.1 but should run on 5.0+. You can do make install as root
in the rc/Redhat directory to install it, or you can install manually:
manual installation
For manual installation, copy rc/Redhat/pdnsd into /etc/rc.d/init.d/
Then go to /etc/rc.d/rc3.d and create there the following symlink:
S78pdnsd -> ../init.d/pdnsd (do ln -f -s ../init.d/pdnsd S78pdnsd in that dir)
Then go to /etc/rc.d/rc0.d and create there the following symlink:
K78pdnsd -> ../init.d/pdnsd (do ln -f -s ../init.d/pdnsd K78pdnsd in that dir)
Then go to /etc/rc.d/rc6.d and create there the following symlink:
K78pdnsd -> ../init.d/pdnsd (do ln -f -s ../init.d/pdnsd K78pdnsd in that dir)
This script is also covered by license stated in COPYING. Again, there is NO
WARRANTY OF ANY KIND on these scripts. This is no offical Redhat script, and
Redhat naturally does NO support for it
0.5 Notes for FreeBSD users
The special handling of ISDN ppp devices is only supported on Linux. It is not
needed in FreeBSD, the normal device handling also works fine with isdn4bsd
devices.
When compiled for FreeBSD, pdnsd as a small RFC compatability issue: RFC2181
demands answers on dns querys to be sent with the same source address the query
packet went to. In seldom cases, this will not be the case, because the kernel
selects the source address depending on the interface that was used for sending
the answer.
Setting the source address currently does not work for IPv4. I have written a
kernel patch that will provide an easy way to program this. We'll see if or
when it gets commited.
1 Invocation
When invoking pdnsd, you can specify various options at the command line.
Command line options always override config file options. The various --noX
options are present to override config file options.
pdnsd --help (or -h) gives you an overview of the pdnsd command line options.
pdnsd --version (or -V for short) prints licence and version information.
To start pdnsd as background daemon, specifiy --daemon (or -d for short) on the
command line. Diagnostic and error messages after the actual daemon start will
be printed to the syslog instead of the console. --nodaemon will disable this.
When starting pdnsd as a daemon, the -p option may be helpful: It writes the
pid of the server process to the file of the name given as argument to this
option.
Example: pdnsd -d -p /var/run/pdnsd.pid
If you want to specify a configuration file other than /etc/pdnsd.conf, specify
-c or --config-file on the command line, followed by a filename.
If pdnsd was compiled with debugging support, you may specify -g or --debug on
the command line. This will cause extra diagnostic messages to be printed. When
pdnsd runs in daemon mode, the messages will be written to the pdnsd.debug file
in your cache directory. --nodebug disables debugging.
pdnsd -vn sets the verbosity level of pdnsd. n is normally a digit from 0 to 3,
where 0 means normal operation, while 3 will most verbose. Level 9 can be used
in combination with the --debug option for very extensive debug information.
Note: The current implementation mostly ignores the verbosity level, so you may
not notice much difference between the various levels.
The option -s or --status enables the status control socket. This is a named
socket in the cache directory called pdnsd.status. This socket allows run-time
configuration of pdnsd using the utility pdnsd-ctl. See below for more details
about pdnsd-ctl. --nostatus disables status control. See also the configuration
option status_ctl in the global section.
The option --notcp disables the seldom needed TCP server thread, which may save
you some resources. -t or --tcp will enable it. See also the tcp_server
configuration option.
Using the -m option, you can select the method pdnsd uses to query other name
servers. Following methods are supported (see also the query_method
configuration option):
-muo: pdnsd will use UDP only. This is the fastest method, and should be
supported by all name servers on the Internet.
-mto: pdnsd will use TCP only. TCP queries usually take longer time than UDP
queries, but are more secure against certain attacks, where an attacker tries
to guess your query id and to send forged answers. TCP queries are not
supported by some name servers.
-mtu: pdnsd will try to use TCP, and will fall back to UDP if its connection is
refused or times out.
-mut: New in version 1.2.5: pdnsd will try to use UDP, and will repeat the
query using TCP if the UDP reply was truncated (i.e. the tc bit is set). This
is the behaviour recommended by the DNS standards.
The -4 option switches to IPv4 mode, providing pdnsd was compiled with IPv4
support.
The -6 option switches to IPv6 mode, providing pdnsd was compiled with IPv6
support.
The -a option is only available when pdnsd was compiled with both IPv4 and IPv6
support. With this option, pdnsd will try to detect automatically if a system
supports IPv6, and fall back to IPv4 otherwise.
With -i prefix or --ipv4_6_prefix=prefix you can set the prefix pdnsd uses
(when running in IPv6 mode) to map IPv4 addresses in the configuration file to
IPv6 addresses. There is also a corresponding option for the config file, see
below. Must be a valid IPv6 address. The default is ::ffff:0.0.0.0
2 The configuration file
This section describes the layout of the configuration file and the available
configuration options. The default location of the file is /etc/pdnsd.conf.
This may be changed with the -c command line option. An example pdnsd.conf
comes with the pdnsd distribution in the docs directory and will be installed
to /etc/ by make install.
2.1 Layout
The configuration file is divided into sections. Each section is prefixed with
the section name and opening curlies ({) and closed with closing curlies (}).
In each section, configuration options can be given in the form
option_name=option_value;
Option value may be a string literal, a number, a time specification or a
constant. In previous versions of pdnsd strings had to be enclosed in quotes
("), but since version 1.1.10 this is no longer necessary, unless a string
contains a special character such as whitespace, a token that normally starts a
comment, or one of ",;{}\". Since version 1.2.9 a backslash (\) inside a string
is interpreted as an escape character, so it is possible to include special
characters in strings (both quoted or unquoted) by preceding them with a
backslash. Some escape sequences are in interpreted as in the C programming
language, e.g. \t becomes a tab, \n becomes a new-line control char.
A time specification consists a sequence of digits followed by a one-letter
suffix. The following suffixes are recognized: s (seconds), m (minutes), h
(hours), d (days) and w (weeks). If the suffix is missing, seconds are assumed.
If several time specifications are concatenated, their values are added
together; e.g. 2h30m is interpreted as 2*60*60 + 30*60 = 9000 seconds.
Some options take more than one value; in this case, the values are separated
with commas.
If you may supply one of a set of possible values to an option, this is noted
in the documentation as (option1|option2|option3|...)
The constants true|false and yes|no are accepted as synonyms for the constants
on|off.
Comments may be enclosed in /* and */, nested comments are possible. If the #
sign or two slashes (//) appear in the configuration file, everything from
these signs to the end of the current line is regarded as a comment and
ignored.
There are examples for nearly all options in the sample config file.
2.1.1 global Section
The global section specifies parameters that affect the overall behaviour of
the server. If you specify multiple global sections, the settings of those
later in the file will overwrite the earlier given values.
These are the possible options:
perm_cache=(number|off);
Switch the disk cache off or supply a maximum cache size in kB. If the disk
cache is switched off, 8 bytes will still be written to disk. The memory cache
is always 10kB larger than the file cache. This value is 2048 (2 MB) by
default.
cache_dir=string;
Set the directory you want to keep the cache in. The default is "/var/cache/
pdnsd" (unless pdnsd was compiled with a different default).
server_port=number;
Set the server port. This is especially useful when you want to start the
server and are not root. Note that you may also not specify uptest=ping in the
server section as non-root.
The default port is 53, the RFC-standard one. Note that you should only use
non-standard ports when you only need clients on your machine to communicate
with the server; others will probably fail if the try to contact the server on
the basis of an NS record, since the A record that supplies the address for
(among others) name servers does not have a port number specification.
server_ip=string;
or
interface=string;
Set the IP address pdnsd listens on for requests. This can be useful when the
host has several interfaces and you want pdnsd not to listen on all interfaces.
For example, it is possible to bind pdnsd to listen on 127.0.0.2 to allow pdnsd
to be a forwarder for BIND. The default setting for this option is server_ip=
any, which means that pdnsd will listen on all of your local interfaces.
Presently you can only specify one address here; if you want pdnsd to listen on
multiple interfaces but not all you will have to specify server_ip=any and use
firewall rules to restrict access.
The IP address used to need quotation marks around it, but since version 1.1.10
this is no longer necessary.
If pdnsd has been compiled with both IPv4 and IPv6 support, and you want to
specify an IPv6 address here, then unless pdnsd was compiled to start up in
IPv6 mode by default, you will need to use the -6 command-line option or set
run_ipv4=off first (see below) in order to ensure that the IPv6 address is
parsed correctly.
If pdnsd is running in IPv6 mode and you specify an IPv4 address here, it will
automatically be mapped to an IPv6 address.
New in version 1.2: You may also give the name of an interface such as "lo" or
"eth0" here, instead of an IP address (this has been tested on Linux, and may
or may not work on other platforms). pdnsd will not bind to the interface name,
but will look up the address of the interface at start-up and listen on that
address. If the address of the interface changes while pdnsd is running, pdnsd
will not notice that. You will need to restart pdnsd in that case.
outgoing_ip=string;
or
outside_interface=string;
New in version 1.2.9: Set the IP address of the interface used by pdnsd for
outgoing queries. This can be useful when the host has several interfaces and
you want pdnsd to send outgoing queries via only one of them. For example, if
pdnsd is running on a host with one interface with IP address 192.168.1.1
connected to the local network, and another with IP address 123.xxx.yyy.zzz
connected to the internet, you may specify server_ip=192.168.1.1 and
outgoing_ip=123.xxx.yyy.zzz to enforce that pdnsd only responds to queries
received from the local network, and only sends outgoing queries via the
interface connected to the internet.
The default setting for this option is any, which means that the kernel is free
to decide which interface to use. Like with the server_ip option, you may also
give the name of an interface here, instead of an IP address.
linkdown_kluge=(on|off);
This option enables a kluge that some people might need: when all servers are
marked down, with this option set the cache is not even used when a query is
received, and a DNS error is returned in any case. The only exception from this
is that local records (as specified in rr and source sections are still served
normally. In general, you probably want to get cached entries even when the
network is down, so this defaults to off.
max_ttl=timespec;
This option sets the maximum time a record is held in cache. All dns resource
records have a time to live field that says for what period of time the record
may be cached before it needs to be requeried. If this is more than the value
given with max_ttl, this time to live value is set to max_ttl. This is done to
prevent records from being cached an inappropriate long period of time, because
that is almost never a good thing to do. Default is 604800s (one week).
min_ttl=timespec;
This option sets the minimum time a record is held in cache. All dns resource
records have a time to live field that says for what period of time the record
may be cached before it needs to be requeried. If this is less than the value
given with min_ttl, this time to live value is set to min_ttl. Default is 120
seconds.
neg_ttl=timespec;
This option sets the time that negatively cached records will remain valid in
the cache if no time to live can be determined. This is always the case when
whole domains are being cached negatively, and additionally when record types
are cached negatively for a domain for which no SOA record is known to pdnsd.
If a SOA is present, the ttl of the SOA is taken.
neg_rrs_pol=(on|off|auth|default);
This sets the RR set policy for negative caching; this tells pdnsd under which
circumstances it should cache a record type negatively for a certain domain.
off will turn the negative caching of record types off, on will always add a
negative cache entry when a name server did not return a record type we asked
it for, and auth will only add such entries if the answer came from an
authoritative name server for that domain.
New in version 1.2.8: The default setting will add a negatively cached record
if either the answer was authoritive or the answer indicated the name server
had "recursion available" while the query explicitly requested such recursion.
The preset is "default" (used to be auth).
neg_domain_pol=(on|off|auth);
This is analogue to neg_rrs_pol for whole domain negative caching. It should be
safe to set this on, because I have not seen a caching server that will falsely
claim that a domain does not exist.
The default is auth.
run_as=string;
This option allows you to let pdnsd change its user and group id after
operations that needed privileges have been done. This helps minimize security
risks and is therefore recommended. The supplied string gives a user name whose
user id and primary group id are taken.
A little more details: after reading the config file, becoming a daemon (if
specified) and starting the server status thread, the main thread changes its
gid and uid, as do all newly created threads thereafter. By taking another uid
and gid, those threads run with the privileges of the specified user. Under
Linux and FreeBSD, the server status thread runs with the original privileges
only when the strict_setuid option is set to off (see below, on by default),
because these may be needed for exec uptests. The manager thread also retains
its original privileges in this case. You should take care that the user you
specify has write permissions on your cache file and status pipe (if you need a
status pipe). You should look out for error messages like "permission denied"
and "operation not permitted" to discover permission problems.
strict_setuid=(on|off);
When used together with the run_as option, this option lets you specify that
all threads of the program will run with the privileges of the run_as user.
This provides higher security than the normal run_as option, but is not always
possible. See the run_as option for further discussion.
This option is on by default.
Note that this option has no effect on Non-Linux systems.
paranoid=(on|off);
Normally, pdnsd queries all servers in recursive mode (i.e. instructs servers
to query other servers themselves if possible, and to give back answers for
domains that may not be in its authority), and accepts additional records with
information for servers that are not in the authority of the queried server.
This opens the possibility of so-called cache poisoning: a malicious attacker
might set up a dns server that, when queried, returns forged additional
records. This way, he might replace trusted servers with his own ones by making
your dns server return bad IP addresses. This option protects you from cache
poisoning by rejecting additional records that do not describe domains in the
queried servers authority space and not doing recursive queries any more. An
exception to this rule are the servers you specify in your config file, which
are trusted.
The penalty is a possible performance decrease, in particular, more queries
might be necessary for the same operation.
You should also notice that there may be other similar security problems, which
are essentially problems of the DNS, i.e. any "traditional" server has them
(the DNS security extensions solve these problems, but are not widely
supported). One of this vulnerabilities is that an attacker may bombard you
with forged answers in hopes that one may match a query you have done. If you
have done such a query, one in 65536 forged packets will be succesful (i.e. an
average packet count of 32768 is needed for that attack). pdnsd can use TCP for
queries, which has a slightly higher overhead, but is much less vulnerable to
such attacks on sane operating systems. Also, pdnsd chooses random query ids,
so that an attacker cannot take a shortcut. If the attacker is able to listen
to your network traffic, this attack is relatively easy, though.
This vulnerability is not pdnsd's fault, and is possible using any conventional
name server (pdnsd is perhaps a little more secured against this type of
attacks if you make it use TCP).
The paranoid option is off by default.
ignore_cd=(on|off);
New in version 1.2.8: This option lets you specify that the CD bit of a DNS
query will be ignored. Otherwise pdnsd will reply FORMERR to clients that set
this bit in a query. It is safe to enable this option, as the CD bit refers to
'Checking Disabled' which means that the client will accept non-authenticated
data.
This option is on by default. Turn it off if you want the old behaviour (before
version 1.2.8).
scheme_file=string;
In addition to normal uptests, you may specify that some servers shall only be
queried when a certain pcmcia-cs scheme is active (only under linux). For that,
pdnsd needs to know where the file resides that holds the pcmcia scheme
information. Normally, this is either /var/lib/pcmcia/scheme or /var/state/
pcmcia/scheme.
status_ctl=(on|off);
This has the same effect as the -s command line option: the status control is
enabled when on is specified.
Added by Paul Rombouts: Note that pdnsd-ctl allows run-time configuration of
pdnsd, even the IP addesses of the name servers can be changed. If you're not
using pdnsd-ctl and you want maximum security, you should not enable this
option. It is disabled by default.
daemon=(on|off);
This has the same effect as the -d command line option: the daemon mode is
enabled when on is specified.
Default is off.
tcp_server=(on|off);
tcp_server=on has the same effect as the -t or --tcp command-line option: it
enables TCP serving. Similarly, tcp_server=off is like the --notcp command-line
option.
Default is on.
pid_file=string;
This has the same effect as the -p command line option: you can specify a file
that pdnsd will write its pid into when it starts in daemon mode.
verbosity=number;
This has the same effect as the -v command line option: you can set the
verbosity of pdnsd's messages with it. The argument is a number between 0 (few
messages) to 3 (most messages).
query_method=(tcp_only|udp_only|tcp_udp|udp_tcp);
This has the same effect as the -m command line option. Read the documentation
for the command line option on this. tcp_only corresponds to the to, udp_only
to the uo, tcp_udp to the tu and udp_tcp to the ut argument of the command line
option.
If you use query_method=tcp_udp, it is recommended that you also set the global
timeout option to at least twice the longest server timeout.
run_ipv4=(on|off);
This has the same effect as the -4 or -6 command line option: if on is
specified, IPv4 support is enabled, and IPv6 support is disabled (if
available). If off is specified, IPv4 will be disabled and IPv6 will be
enabled. For this option to be meaningful, pdnsd needs to be compiled with
support for the protocol you choose. If pdnsd was compiled with both IPv4 and
IPv6 support, and you want to include IPv6 addresses in the configuration file,
you will probably need to specify run_ipv4=off first to ensure that the IPv6
addresses are parsed correctly.
debug=(on|off);
This has the same effect as the -g command line option: the debugging messages
are enabled when on is specified.
ctl_perms=number;
This option allows you to set the file permissions that the pdnsd status
control socket will have. These are the same as file permissions. The owner of
the file will be the run_as user, or, if none is specified, the user who
started pdnsd. If you want to specify the permissions in octal (as usual),
don't forget the leading zero (0600 instead of 600!). To use the status
control, write access is needed. The default is 0600 (only the owner may read
or write).
Please note that the socket is kept in the cache directory, and that the cache
directory permissions might also need to be adjusted. Please ensure that the
cache directory is not writeable for untrusted users.
proc_limit=number;
With this option, you can set a limit on the pdnsd threads that will be active
simultaneously. If this number is exceeded, queries are queued and may be
delayed some time. See also the procq_limit option.
The default for this option is 40.
procq_limit=number;
When the query thread limit proc_limit is exceeded, connection attempts to
pdnsd will be queued. With this option, you can set the maximum queue length.
If this length is also exceeded, the incoming queries will be dropped. That
means that tcp connections will be closed and udp queries will just be dropped,
which will probably cause the querying resolver to wait for an answer until it
times out.
See also the proc_limit option. A maximum of proc_limit+procq_limit query
threads will exist at any one time (plus 3 to 6 threads that will always be
present depending on your configuration).
The default for this option is 60.
tcp_qtimeout=timespec;
This option sets a timeout for tcp queries. If no full query has been received
on a tcp connection after that time has passed, the connection will be closed.
The default is set using the --with-tcp-qtimeout option to configure.
par_queries=number;
This option used to set the maximum number of remote servers that would be
queried simultaneously, for every query that pdnsd receives.
Since version 1.1.11, the meaning of this option has changed slightly. It is
now the increment with which the number of parallel queries is increased when
the previous set of servers has timed out. For example, if we have a list
server1, server2, server3, etc. of available servers and par_queries=2, then
pdnsd will first send queries to server1 and server2, and listen for responses
from these servers.
If these servers do not send a reply within their timeout period, pdnsd will
send additional queries to server3 and server4, and listen for responses from
server1, server2, server3 and server4, and so on until a useful reply is
received or the list is exhausted.
In the worst case there will be pending queries to all the servers in the list
of available servers. We may be using more system resources this way (but only
if the first servers in the list are slow or unresponsive), but the advantage
is that we have a greater chance of catching a reply. After all, if we wait
longer anyway, why not for more servers.
See also the explanation of the global timeout option below.
1 or 2 are good values for this option. The default is set at compile time
using the --with-par-queries option to configure.
timeout=timespec;
This is the global timeout parameter for dns queries. This specifies the
minimum period of time pdnsd will wait after sending the first query to a
remote server before giving up without having received a reply. The timeout
options in the configuration file are now only minimum timeout intervals.
Setting the global timeout option makes it possible to specify quite short
timeout intervals in the server sections (see below). This will have the effect
that pdnsd will start querying additional servers fairly quickly if the first
servers are slow to respond (but will still continue to listen for responses
from the first ones). This may allow pdnsd to get an answer more quickly in
certain situations.
If you use query_method=tcp_udp it is recommended that you make the global
timeout at least twice as large as the largest server timeout, otherwise pdnsd
may not have time to try a UDP query if a TCP connection times out.
Default value is 0.
randomize_recs=(on|off);
If this option is turned on, pdnsd will randomly reorder the cached records of
one type when creating an answer. This supports round-robin DNS schemes and
increases fail safety for hosts with multiple IP addresses, so this is usually
a good idea.
On by default.
query_port_start=(number|none);
If a number is given, this defines the start of the port range used for queries
of pdnsd. The value given must be >= 1024. The purpose of this option is to aid
certain firewall configurations that are based on the source port. Please keep
in mind that another application may bind a port in that range, so a stateful
firewall using target port and/or process uid may be more effective. In case a
query start port is given pdnsd uses this port as the first port of a specified
port range (see query_port_end) used for queries. pdnsd will try to randomly
select a free port from this range as local port for the query.
To ensure that there are enough ports for pdnsd to use, the range between
query_port_start and query_port_end should be adjusted to at least (par_queries
* proc_limit). A larger range is highly recommended for security reasons, and
also because other applications may allocate ports in that range. If possible,
this range should be kept out of the space that other applications usually use.
The default for this option is 1024. Together with the default value of
query_port_end, this makes it the hardest for an attacker to guess the source
port used by the pdnsd resolver. If you specify none here, pdnsd will let the
kernel choose the source port, but this may leave pdnsd more vulnerable to an
attack.
query_port_end=number;
Used if query_port_start is not none. Defines the last port of the range
started by query_port_start used for querys by pdnsd. The default is 65535,
which is also the maximum legal value for this option. For details see the
description of query_port_start.
delegation_only=string;
Added by Paul Rombouts: This option specifies a "delegation-only" zone. This
means that if pdnsd receives a query for a name that is in a subdomain of a
"delegation-only" zone but the remote name server returns an answer with an
authority section lacking any NS RRs for subdomains of that zone, pdnsd will
answer NXDOMAIN (unknown domain). This feature can be used for undoing the
undesired effects of DNS "wildcards". Several "delegation-only" zones may be
specified together. If you specify root servers in a server section it is
important that you set root_server=on in such a section.
Example:
delegation_only="com","net";
This feature is off by default. It is recommended that you only use this
feature if you actually need it, because there is a risk that some legitimate
names will be blocked, especially if the remote name servers queried by pdnsd
return answers with empty authority sections.
ipv4_6_prefix=string;
This option has the same effect as the -i command-line option. When pdnsd runs
in IPv6 mode, this option specifies the prefix pdnsd uses to convert IPv4
addresses in the configuration file (or addresses specified with pdnsd-ctl) to
IPv6-mapped addresses. The string must be a valid IPv6 address. Only the first
96 bits are used. Note that this only effects the parsing of IPv4 addresses
listed after this option.
The default is "::ffff.0.0.0.0".
use_nss=(on|off);
If this option is turned on, pdnsd will call initgroups() to set up the group
access list, whenever pdnsd changes its user and group id (see run_as option).
There is a possible snag, though, if initgroups() uses NSS (Name Service
Switch) and NSS in turn uses DNS. In such a case you may experience lengthy
timeouts and stalls. By setting use_nss=off, you can disable the initgroups()
call (only possible in versions 1.2.5 and later).
This option was contributed by Jan-Marek Glogowski.
On by default.
udpbufsize=number;
New in version 1.2.9: This option sets the upper limit on the size of UDP DNS
messages. The default is 1024.
See also the edns_query server option below.
2.1.2 server Section
Each server section specifies a set of name servers that pdnsd should try to
get resource records or authoritative name server information from. The servers
are queried in the order of their appearance (or parallel to a limited extend).
If one fails, the next one is taken and so on.
You probably want to specify the dns server in your LAN, the caching dns
servers of your internet provider or even a list of root servers in one or more
server sections.
The supported options in this section are:
label=string;
Specify a label for the server section. This can be used to refer to this
section when using pdnsd-ctl, the pdnsd control utility.
You can give several server sections the same label, but if you want to change
the addresses of a server section (see ip option below) during run-time with
"pdnsd-ctl server label up dns1,dns2,...", the label must be unique.
ip=string;
Give the IP (the address, not the host name) of the server.
Multiple IP addresses can be given per server section. This can be done by
entering multiple lines of the form ip=string; or a single line like this:
ip=string,string,string;
IP addresses do not have to be specified in the configuration file. A server
section without IP addresses will remain inactive until it is assigned one or
more addresses with pdnsd-ctl, the pdnsd control utility.
If pdnsd has been compiled with both IPv4 and IPv6 support, any IPv6 addresses
you specify here will be skipped with a warning message, unless pdnsd is
running in IPv6 mode. Thus, unless pdnsd was compiled to startup in IPv6 mode
by default, you need to use the command-line option -6 or set run_ipv4=off
first (see global section) in order to ensure that IPv6 addresses are parsed
correctly.
If pdnsd is running in IPv6 mode and you specify an IPv4 address here, it will
automatically be mapped to an IPv6 address.
file=string;
New in version 1.2: This option allows you to give the name of a
resolv.conf-style file. Of the lines beginning with the nameserver keyword, the
second field will be parsed as an IP address, as if it were specified with the
ip= option. The remaining lines will be ignored. If the contents of the file
changes while pdnsd is running, you can make pdnsd aware of the changes through
the use of pdnsd-ctl, the pdnsd control utility. This is usually most
conveniently done by placing the command "pdnsd-ctl config" in a script that is
automatically run whenever the DNS configuration changes.
For example, suppose you have a ppp client that writes the DNS configuration
for your ISP to the file /etc/ppp/resolv.conf and runs the script /etc/ppp/
ip-up when a new connection is established. One way of ensuring that pdnsd is
automatically reconfigured is to add a server section in the config file with
file=/etc/ppp/resolv.conf and to add the command "pdnsd-ctl config" to /etc/ppp
/ip-up.
port=number;
Give the port the remote name server listens on. Default is 53 (the official
dns port)
uptest=(ping|none|if|dev|diald|exec|query);
Determine the method to check whether the server is available. Currently
defined methods are:
* ping: Send an ICMP_ECHO request to the server. If it doesn't respond within
the timeout, it is regarded to be unavailable until the next probe.
* none: The availability status is not changed, only the time stamp is
updated.
* if: Check whether the interface (specified in the interface= option) is
existent, up and running. This currently works for all "ordinary" network
interfaces, interfaces that disappear when down (e.g. ppp?), and
additionally for Linux isdn interfaces (as of kernel 2.2). Note that you
need a /dev/isdninfo device file (major#45, minor#255), or the isdn uptest
will always fail.
* dev and diald: Perform an if uptest, and, if that was succesful,
additionally check whether a program is running that has locked a given
(modem-) device. The needed parameters are an interface (specified as for
the if uptest, e.g. "ppp0") and a device relative to /dev (e.g. "modem" for
/dev/modem specified using the device= option. pdnsd will then look for a
pid file for the given interface in /var/lock (e.g. /var/run/ppp0.pid) and
for a lockfile for the given device (e.g. /var/lock/LCK..modem), and then
test whether the locking process is the process that created the pid file
and this process is still alive. If this is the case, the normal if uptest
is executed for the given interface.
The dev option is for pppd dial-on-demand, diald is the same for diald
users.
* exec: Executes a given command in the /bin/sh shell (as /bin/sh -c
<command>) and evaluates the result (the return code of the last command)
in the shell's way of handling return codes, i.e. 0 indicates success, all
other indicate failure. The shell's process name will be uptest_sh. The
command is given with the uptest_cmd option (see below). For secuity
issues, also see that entry.
* query: New in version 1.2: This works like the ping test, except it sends
an (empty) DNS query to the remote server. If the server sends a
well-formed response back within the timeout period (except SERVFAIL), it
will be regarded as available. This test is useful if a remote server does
not respond to ICMP_ECHO requests at all, which unfortunately is quite
common these days. It can also happen that a remote server is online but
ignores empty DNS queries. Then you will need the set the query_test_name
option (see below). In many cases this test will be a more reliable
indicator of availability than the ones mentioned before.
The default value is none.
NOTE: If you use on-demand dialing, use none, if, dev, diald or exec, since
ping or query will send packets in the specified interval and the interface
will thus frequently dial!
ping_timeout=number;
Sets the timeout for the ping test in tenths of seconds (this unit is used for
legacy reasons; actually the current implementation is only accurate to a
second).
The default is 600 (one minute).
ping_ip=string;
The IP address for the ping test. The default is the IP of the name server.
query_test_name=string;
New in version 1.2.9: Sets the name to be queried when using uptest=query
availability test. If the string is the unquoted constant none, an empty query
is used (this the default), otherwise a query of type A will be sent for the
domain name specified here. It is not necessary for the domain name to exist or
have a record of type A in order for the uptest to succeed.
If the the remote server ignores empty queries, you will probably want to set
query_test_name="." (the root domain).
uptest_cmd=string,string;
or
uptest_cmd=string;
Sets the command for the uptest=exec function to the first string. If the
second string is given, it specifies a user with whose user id and primary
group id the command is executed.
This is especially useful if you are executing the server as root, but do not
want the uptest to be performed with root privileges. In fact, you should never
execute the uptest as root if you can help it.
If the server is running setuid or setgid, the privileges thus gained are
attempted to be dropped even before changing identity to the specified user to
prevent setuid/gid security holes (otherwise, any user might execute commands
as root if you setuid the executable).
Note that this is not always possible, and that pdnsd should never be installed
as setuid or setgid. The command is executed using /bin/sh, so you should be
able to use shell builtin commands.
interval=(timespec|onquery|ontimeout);
Sets the interval for the server up-test. The default is 900 seconds; however,
a test is forced when a query times out and the timestamp is reset then.
If you specify onquery instead of a timeout, the interface will be tested
before every query. This is to prevent automatically dialing interfaces (diald/
pppd or ippp) to dial on dns queries. It is intended to be used in connection
with an interface-testing uptest ;-)
Note that using uptest=exec, you might run into performance problems on slow
machines when you use that option. DON'T use onquery with uptest=ping or uptest
=query, as it may cause delays if the server does not answer (btw, it doesn't
make sense anyway). Note also that using onquery is no guarantee that the
interface will not be used. When another (reachable) dns server tells pdnsd to
query a third dns server for data, pdnsd will do that and has no means of
checking whether this will dial up the interface or not. This however should be
a rare situation.
New in version 1.2.3: A third possibility is to specify interval=ontimeout. In
this case the server is not tested at startup/reconfiguration, nor at regular
intervals, but only after a DNS query to a server times out. Certain types of
network problems such as a refused connection will also cause the server to be
considered unavailable. However, once a server is declared dead it is never
considered again unless it is revived using a pdnsd-ctl config or server
command. The idea behind this option is to minimize uptests by assuming all
servers are available until there is reason to believe otherwise.
interface=string;
The network interface (or network device, e.g. "eth0") for the uptest=if
option. Must be specified if uptest=if is given.
device=string;
The (modem-) device that is used for the dev uptest. If you use this for a
dial-on-demand ppp uptest (together with uptest=dev), you need to enter the
device you are using for your pppd here, e.g. modem for /dev/modem.
Must be specified if uptest=dev is given.
timeout=timespec;
Set the timeout for the dns query. The default is 120 seconds. You probably
want to set this lower.
Timeouts specified in the configuration file are only treated as the minimum
period of time to wait for a reply. A queries to a remote server are not
canceled until a useful reply has been received, or all the other queries have
timed out or failed.
If you have also set the global timeout option, you may consider setting a
fairly small value here. See the explanation of the timeout option in the
global section for what that means.
purge_cache=(on|off);
In every fetched dns record, there is a cache timeout given, which specifies
how long the fetched data may be cached until it needs to be reloaded. If
purge_cache is set to off, the stale records are not purged (unless the cache
size would be exceeded, in this case the oldest records are purged). Instead,
they are still served if they cannot succesfully be updated (e.g. because all
servers are down).
Default is off.
caching=(on|off);
Specifies if caching shall be performed for this server at all. Default is on.
lean_query=(on|off);
Specifies whether to use the "lean" query mode. In this mode, only the
information actually queried from pdnsd is resolved and cached. This has the
advantage that usually less cache space is used and the query is usually
faster. In 90% of the cases, only address (A) records are needed anyway. If
switched off, pdnsd will always cache all data about a host it can find and
will specifically ask for all available records (well, at least it is a good
approximation for what it really does ;-) This will of course increase the
answer packet sizes.
Some buggy name servers may not deliver CNAME records when not asked for all
records. I do not know if such servers are around, but if you have trouble
resolving certain host names, try turning this option off.
A last note: If you use multiple pdnsd's that access each other, turning this
option on is probably a big win.
This on by default.
edns_query=(on|off);
New in version 1.2.9: Specifies whether to use EDNS (Extension mechanisms for
DNS) for outgoing queries. Currently this is only useful for allowing UDP
message sizes larger than 512 bytes. Note that setting this option on can give
problems in combination with some legacy systems or software, including,
embarrassingly enough, previous versions of pdnsd.
The default is off, but if your network can handle UDP payloads significantly
larger than 512 bytes, the recommended value is on.
Note that this option only effects outgoing queries. If pdnsd receives a query
using EDNS, it will reply using EDNS regardless of the value of this option.
See also the udpbufsize option above.
scheme=string;
You can specify a pcmcia-cs scheme that is used in addition to the uptests. If
you specify a scheme here, the server this section is for will only be queries
if the given scheme is active. Shell wildcards (* and ?) are allowed in the
string under their special meanings. You need to use the scheme_file option on
the global section to make this option work.
preset=(on|off);
This allows you to specify the initial state of a server before any uptest is
performed. on specifies that the server is regarded available. The default is
on. This is especially useful when you set uptest=none; and want to change the
status of a server only via pdnsd-ctl.
proxy_only=(on|off);
When this option is set to on, answers given by the servers are always
accepted, and no other servers (as, for example, specified in the NS records of
the query domain) are queried. If you do not turn this option on, pdnsd will do
such queries in some cases (in particular when processing ANY queries).
This option is useful when you do not want pdnsd to make connections to outside
servers for some reasons (e.g. when a firewall is blocking such queries).
I recommend that you turn on lean_query when using this option.
Default is off.
root_server=(on|off|discover);
Set this option to on if the servers specified in a section are root servers. A
root server will typically only give the name servers for the top-level domain
in its reply. Setting root_server=on will cause pdnsd to try to use cached
information about top-level domains to reduce to number of queries to root
servers, making the resolving of new names more efficient. You can get a list
of available root servers by running the command "dig . ns".
This option is also necessary if you use the delegation_only option.
New in version 1.2.8: This option may also be set to "discover". This will
cause pdnsd to query the servers provided with the ip= option to obtain the
full list of root servers. The root-server addresses will replace the addresses
specified with the ip= option. This will only be done once on startup, or after
a "pdnsd-ctl config" command. In this case the name servers specified with the
ip= option don't have to be root servers, they just have to know the names and
addresses of the root servers. After root-server discovery pdnsd will behave
just as if root_server=on had been specified.
Default is off.
randomize_servers=(on|off);
New in version 1.2.6: Set this option to on to give each name server in this
section an equal chance of being queried. If this option is off, the name
servers are always queried starting with the first one specified. Even with
this option on, the query order is not truly random. Only the first server is
selected randomly; the following ones are queried in consecutive order,
wrapping around to the beginning of the list when the end is reached. Note that
this option only effects the order within a section. The servers in the first
(active) section are always queried before those in the second one, etc.
The default is off, but if you are resolving from root servers setting this
option on is highly recommended. If root_server=on this option also effects the
query order of the name servers for the top-level domains.
reject=string;
New in version 1.2.6: This option can be used to make pdnsd reject replies that
contain certain IP addresses. You can specify a single IP address, which will
be matched exactly, or a range of addresses using an address/mask pair. The
mask can be specified as a simple integer, indicating the number of initial 1
bits in the mask, or in the usual IP address notation. IP addresses may be
either IPv4 or IPv6 (provided there is sufficient support in the C libraries
and support for AAAA records was not disabled). When addresses in the reject
list are compared with those in a reply, only the bits corresponding to those
set in the netmask are significant, the rest are ignored.
Multiple addresses or address/mask pairs may be specified; this can be done by
entering multiple lines of the form reject=string; or a single line like this:
reject=string,string,string;
How pdnsd reacts when an address in the reply matches one in the reject list,
depends on the reject_policy option, see below.
reject_policy=(fail|negate);
New in version 1.2.6: This option determines what pdnsd does when an address in
the reply from a name server matches the reject list (see above). If this
option is set to fail, pdnsd will try another server, or, if there no more
servers to try, return the answer SERVFAIL. If this option is set to negate,
pdnsd will immediately return the answer NXDOMAIN (unknown domain) without
querying additional servers. The fail setting is useful if you don't always
trust the servers in this section, but do trust the servers in the following
section. The negate setting can be used to completely censor certain IP
addresses. In this case you should put the same reject list in every server
section, and also set the reject_recursively option (see below) to true.
The default is fail.
reject_recursively=(on|off);
New in version 1.2.6: Normally pdnsd checks for addresses in the reject list
(see above) only when the reply comes directly from a name server listed in the
configuration file. With this option set to on, pdnsd will also do this check
for name servers that where obtained from NS records in the authority section
of a previous reply (which was incomplete and non-authoritative).
Default is off.
policy=(included|excluded|simple_only|fqdn_only);
pdnsd supports inclusion/exclusion lists for server sections: with include= and
exclude= (see below) you can specify domain names for which this server will be
used or will not be used. The first match counts (i.e., the first include or
exclude rule in a server section that matches a domain name is applied, and the
search for other rules is terminated). If no rule matched a given domain name,
the policy= option determines whether this server is used for the lookup for
that domain name; when included is given, the server will be asked, and when
excluded is given, it will not. If simple_only is given the server will be used
if the name to lookup is a simple (single-label) domain name, on the other hand
if fqdn_only is given the server will be used only for names consisting of two
or more labels (i.e. the name has at least one dot in-between).
If no server is available for a queried domain, pdnsd will return an error
message to the client that usually will stop the client's attempts to resolve a
specific domain from this server (the libc resolver will e.g. return an error
to the application that tried to resolve the domain if no other servers are
available in the resolv.conf). This may be of use sometimes.
Note: the simple_only and fqdn_only constants were added by Paul Rombouts. They
are useful for controlling which name servers (if any) will be used by pdnsd
for resolving simple (single-label) host names. fqdn_only used to stand for
"fully qualified domain name only", but this is actually a misnomer. The names
in queries received by pdnsd are always considered to be fully qualified. If
you do not exactly understand what the options simple_only and fqdn_only are
good for, you are probably better off not using them.
The default for this option is included.
include=string;
This option adds an entry to the exclusion/inclusion list. If a domain matches
the name given as string, the server is queried if this was the first matching
rule (see also the entry for policy).
If the given name starts with a dot, the whole subdomain of the given name
including the one of that name is matched, e.g. ".foo.bar." will match the
domain names a.foo.bar., a.b.c.foo.bar. and foo.bar.
If it does not start in a dot, only exactly the given name (ignoring the case,
of course) will be matched (hint: if you want to include all subdomains, but
not the domain of the given name itself, place an exact-match exclude rule
before the include rule, e.g: exclude="foo.bar."; include=".foo.bar.";
Previous versions of pdnsd required that names given with this and the next
option ended in a dot, but since version 1.1.8b1-par8, pdnsd automatically adds
a dot at the end if it is missing.
pdnsd now also accepts a more compact notation for adding several "include"
entries in one line, e.g.:
include=".foo",".bar",".my.dom";
exclude=string;
This option adds an entry to the exclusion/inclusion list. If a domain matches
the name given as string, the server is not queried if this was the first
matching rule (see also the entry for policy).
If the given name starts with a dot, the whole subdomain of the given name
including the one of that name is matched, e.g. ".foo.bar." will match the
domain names a.foo.bar., a.b.c.foo.bar. and foo.bar.
If it does not start in a dot, only exactly the given name (ignoring the case,
of course) will be matched (hint: if you want to exclude all subdomains, but
not the domain of the given name itself, place an exact-match include rule
before the exclude rule, e.g: include="foo.bar."; exclude=".foo.bar.";
pdnsd now also accepts a more compact notation for adding several "exclude"
entries in one line, e.g.:
exclude=".foo",".bar",".my.dom";
2.1.3 rr Section
Every rr section specifies a dns resource record that is stored locally. It
allows you to specify own dns records that are served by pdnsd in a limited
way. Only A, PTR, CNAME, MX, NS and SOA records are implemented.
This option is intended to allow you to define RRs for 1.0.0.127.in-addr.arpa.
and localhost. (and perhaps even one or two hosts) without having to start an
extra named if your cached name servers do not serve those records. It is NOT
intended and not capable to work as a full-featured name server.
name=string;
Specifies the name of the resource records, i.e. the domain name of the
resource the record describes. This option must be specified before any a, ptr,
cname, mx, ns or soa records. Names are interpreted as absolute domain names
(i.e. pdnsd assumes they end in the root domain). For this and all following
arguments that take domain names, you need to specify domain names in dotted
notation (example venera.isi.edu.).
Previous versions of pdnsd required that domain names given in the
configuration file ended in a dot, but since version 1.1.8b1-par8, pdnsd
automatically assumes a dot at the end if it is missing.
New in version 1.2: It is also possible to specify a name starting with the
label *. Such a name is called a wildcard. The * in a wildcard can match one or
more labels in a queried name, but only whole labels. Any other * characters in
a wildcard, apart from the leading one, will only match a literal *.
For example, *.mydomain will match a.mydomain or www.a.mydomain, but not
mydomain. *.a*.mydomain will match www.a*.mydomain, but not www.ab.mydomain.
*a.mydomain will only match itself.
Before you can specify an rr section with name=*.mydomain you must define some
records for mydomain, typically NS and/or SOA records. Example:
rr {
name = mydomain;
ns = localhost;
soa = localhost, root.localhost, 42, 86400, 900, 86400, 86400;
}
rr {
name = *.mydomain;
a = 192.168.1.10;
}
In this example, www.mydomain and ftp.mydomain will resolve to the numeric
address 192.168.1.10 (unless you add rr sections explicitly specifying
different addresses for www.mydomain or ftp.mydomain). If you want mydomain
also to resolve to a numeric address, add an A record to the first rr section.
ttl=timespec;
Specifies the ttl (time to live) for all resource records in this section after
this entry. This may be redefined. The default is 86400 seconds (=1 day).
authrec=(on|off);
If this is turned on, pdnsd will create authoritative local records for this rr
section. This means that pdnsd flags the domain record so that records of this
domain that are not present in the cache are treated as non-existent, i.e. no
other servers are queried for that record type, and an response containing none
of those records is returned. This is most time what people want: if you add an
A record for a host, and it has no AAAA record (thus no IPv6 address), you
normally don't want other name servers to be queried for it.
This is on by default.
Please note that this only has an effect if it precedes the name option!
reverse=(on|off);
New in version 1.2: If you want a locally defined name to resolve to a numeric
address and vice versa, you can achieve this by setting reverse=on before
defining the A record (see below). The alternative is to define a separate PTR
record, but you will probably find this option much more convenient.
The default is off.
a=string;
Defines an A (host address) record. The argument is an IPv4 address in dotted
notation. pdnsd will serve this address for the host name given in the name
option.
Provided there is sufficient support in the C libraries and support for AAAA
records was not disabled, the argument string may also be an IPv6 address, in
which case an AAAA record will be defined.
This option be may used multiple times within an rr section, causing multiple
addresses to be defined for the name. However, if you put the different
addresses in different rr sections for the same name, the definition in the
last rr section will cancel the definitions in the previous ones.
ptr=string;
Defines a PTR (domain name pointer) record. The argument is a host name in
dotted notation (see name). The ptr record is for resolving adresses into
names. For example, if you want the adress 127.0.0.1 to resolve into localhost,
and localhost into 127.0.0.1, you need something like the following sections:
rr {
name = localhost;
a = 127.0.0.1;
owner = localhost;
soa = localhost, root.localhost, 42, 86400, 900, 86400, 86400;
}
rr {
name = 1.0.0.127.in-addr.arpa;
ptr = localhost;
owner = localhost;
soa = localhost, root.localhost, 42, 86400, 900, 86400, 86400;
}
The second section is for reverse resolving and uses the ptr option. Note that
you can get the same effect by specifying only the first rr section with
reverse=on.
There is something special about the name in the second section: when a
resolver wants to get a host name from an internet address, it composes an
address that is built of the IP address in reverse byte order (1.0.0.127
instead of 127.0.0.1) where each byte of the adress written as number
constitutes a sub-domain under the domain in-addr.arpa.
So, if you want to compose an adress for reverse resolving, take your ip in
dotted notation (e.g. 1.2.3.4), reverse the byte order (4.3.2.1) and append
in-addr.arpa. (4.3.2.1.in-addr.arpa.) Then, define an rr section giving this
address as name and the domain name corresponding to that ip in the ptr option.
cname=string;
Defines a CNAME (canonical name) record. The argument should be a
fully-qualified host name in dotted notation (see name). A CNAME is the DNS
equivalent of an alias or symbolic link.
A useful application for CNAMEs is giving short, easy to remember nicknames to
hosts with complicated names. For example, you might want the name "news" to
refer to your ISP's news server "nntp2.myisp.com". Instead of adding an A
record for "news" with the same address as "nntp2.myisp.com", you could put in
a CNAME pointing to "nntp2.myisp.com", so that if the IP address of the news
server changes, there is no need to update the record for "news".
To implement this with pdnsd, you could add the following section to your
configuration file:
rr {
name = news;
cname = nntp2.myisp.com;
owner = localhost;
}
mx=string,number;
Defines an MX (mail exchange) record. The string is the host name of the mail
server in dotted notation (see name). The number specifies the preference
level.
When you send mail to someone, your mail typically goes from your E-mail client
to an SMTP server. The SMTP server then checks for the MX record of the domain
in the E-mail address. For example, with joe@example.com, it would look for the
MX record for example.com and find that the name of mail server for that domain
is, say, mail.example.com. The SMTP server then gets the A record for
mail.example.com, and connects to the mail server.
If there are multiple MX records, the SMTP server will pick one based on the
preference level (starting with the lowest preference number, working its way
up).
Don't define MX records with pdnsd unless you know what you're doing.
owner=string;
or
ns=string;
Defines an NS (name server) record. Specifies the name of the host which should
be authoritative for the records you defined in the rr section. This is
typically the host pdnsd runs on.
Note: In previous versions of pdnsd this option had to be specified before any
a, ptr, cname, mx or soa entries. In version 1.2, the restrictions on this
option are same as the options just mentioned, and it must listed after the
name= option. This can be a pain if you want to use an old config file which
specifies owner= before name= (sorry about that). Apart from greater
consistency, the advantage is that you can now specify as many NS records as
you like (including zero).
soa=string,string,number,timespec,timespec,timespec,timespec;
This defines a soa (start of authority) record. The first string is the domain
name of the server and should be equal to the name you specified as owner.
The second string specifies the email address of the maintainer of the name
server. It is also specified as a domain name, so you will have to replace the
@ sign in the name with a dot (.) to get the name you have to specify here. The
next parameter (the first number) is the serial number of the record. You
should increment this number if you change the record.
The 4th parameter is the refresh timeout. It specifies after what amount of
time a caching server should attempt to refresh the cached record.
The 5th parameter specifies a time after which a caching server should attempt
to refresh the record after a refresh failure.
The 6th parameter defines the timeout after which a cached record expires if it
has not been refreshed.
The 7th parameter is the ttl that is specified in every rr and should be the
same as given with the ttl option (if you do not specify a ttl, use the default
86400).
txt=string,...,string;
New in version 1.2.9: Defines an TXT record. You can specify one or more
strings here.
2.1.4 neg Section
Every neg section specifies a dns resource record or a dns domain that should
be cached negatively locally. Queries for negatively cached records are always
answered immediatley with an error or an empty answer without querying other
hosts as long as the record is valid. The records defined with neg sections
remain valid until they are explicitely invalidated or deleted by the user
using pdnsd-ctl.
This is useful if a certain application asks periodically for nonexisting hosts
or RR types and you do not want a query to go out every time the cached record
has timed out. Example: Netscape Communicator will ask for the servers news and
mail on startup if unconfigured. If you do not have a dns search list for your
network, you can inhibit outgoing queries for these by specifying
neg {
name = news;
types = domain;
}
neg {
name = mail;
types = domain;
}
in your config file. If you have a search list, you have to repeat that for any
entry in your search list in addition to the entries given above!
In versions 1.1.11 and later, if you negate whole domains this way, all
subdomains will be negated as well. Thus if you specify
neg {name=example.com; types=domain;} in the config file, this will also negate
www.example.com, xxx.adserver.example.com, etc.
name=string;
Specifies the name of the domain for which negative cache entries are created.
This option must be specified before the types option. Names are interpreted as
absolute domain names (i.e. pdnsd assumes they end in the root domain). You
need to specify domain names in dotted notation (example venera.isi.edu.).
Previous versions of pdnsd required that domain names given in the
configuration file ended in a dot, but since version 1.1.8b1-par8, pdnsd
automatically assumes a dot at the end if it is missing.
ttl=timespec;
Specifies the ttl (time to live) for all resource records in this section after
this entry. This may be redefined. The default is 86400 seconds (=1 day).
types=(domain|rr_type[,rr_type[,rr_type[,...]]]);
Specifies what is to be cached negatively: domain will cache the whole domain
negatively; alternatively, you can specify a comma-separated list of RR types
which are to be cached negatively. You may specify multiple types options, but
domain and the RR types are mutually exclusive.
The RR types are specified using their official names from the RFC's in
capitals, e.g. A, CNAME, NS, PTR, MX, AAAA, ...
The command pdnsd-ctl list-rrtypes will give you a complete list of those
types. pdnsd-ctl is built along with pdnsd and will be installed in the same
directory as the pdnsd binary during make install.
2.1.5 source Section
Every source section allows you to let pdnsd read the records from a file in an
/etc/hosts-like format. pdnsd will generate records to resolve the entries
address from its host name and vice versa for every entry in the file. This is
normally easier than defining an rr for every of your addresses, since
localhost and your other FQDNs are normally given in /etc/hosts.
The accepted format is as follows: The #-sign initiates a comment, the rest of
the line from the first occurence of this character on is ignored. Empty lines
are tolerated.
The first entry on a line (predeceded by an arbitrary number of tabs and
spaces) is the IP in dotted notation, the second entry on one line (separated
by the first by an arbitrary number of tabs and spaces) is the FQDN (fully
qualified domain name) for that ip. The rest of the line is ignored by default
(in the original /etc/hosts, it may contain information not needed by pdnsd).
owner=string;
Specifies the name of the host pdnsd runs on and that are specified in dns
answers (specifically, nameserver records). Must be specified before any file
entries.
Names are interpreted as absolute domain names (i.e. pdnsd assumes they end in
the root domain). You need to specify domain names in dotted notation (example
venera.isi.edu.).
Previous versions of pdnsd required that domain names given in the
configuration file ended in a dot, but since version 1.1.8b1-par8, pdnsd
automatically assumes a dot at the end if it is missing.
ttl=timespec;
Specifies the ttl (time to live) for all resource records in this section after
this entry. This may be redefined. The default is 86400 seconds (=1 day).
file=string;
The string specifies a file name. For every file entry in a source section,
pdnsd will try to load the given file as described above. Failure is indicated
only when the file cannot be opened, malformed entries will be ignored.
serve_aliases=(on|off);
If this is turned on pdnsd will serve the aliases given in a hosts-style file.
These are the third entry in a line of a hosts-style file, which usually give a
"short name" for the host. This may be used to support broken clients without a
proper domain-search option. If no aliases are given in a line of the file,
pdnsd behaves as without this option for this line.
This feature was suggested by Bert Frederiks.
It is off by default.
authrec=(on|off);
If this is turned on, pdnsd will create authoritative local records with the
data from the hosts file. Please see the description of the option of the same
name in the rr section for a closer description of what this means. Please note
that this only has an effect for files sourced with file options subsequent to
this option.
This is on by default.
2.1.6 include Section
A configuration file may include other configuration files. However, only the
top-level configuration file may contain global and server sections, thus
include files are effectively limited to sections that add local definitions to
the cache.
Include sections currently only have one type of option, which may be given
multiple times within a single section.
file=string;
The string specifies a file name. For every file option in an include section,
pdnsd will parse the given file as described above. The file may contain
include sections itself, but as a precaution pdnsd checks that a certain
maximum depth is not exceeded to guard against the possibility of infinite
recursion.
3 pdnsd-ctl
pdnsd-ctl allows you to configure pdnsd at run time. To make this work, you
have to start pdnsd with the -s option (or use the status_ctl option in the
config file). You also should make sure that you have appropriate permissions
on the control socket (use the ctl_perms option to make this sure) and of your
pdnsd cache directory (pdnsd keeps its socket there). Please make sure the
pdnsd cache directory is not writeable for untrusted users!
pdnsd-ctl accepts two command-line options starting with a dash.
-c may be used to specify the cache directory (and takes this as argument). The
default for this setting is the pdnsd default cache directory (specified at
compile time). The cache directory for pdnsd-ctl must be the same pdnsd uses!
-q can be used to make the output of pdnsd-ctl less verbose.
The following table lists the commands that pdnsd-ctl supports. The command
must always be the first command-line option (not starting with a dash), the
arguments to the command must follow in the given order.
In the following table, keywords are in a normal font, while placeholders are
in italics.
Alternatives are specified like (alt1|alt2|alt3). Optional arguments are placed
between square brackets [].
Command Arguments Description
help Print a command summary.
version Print version and license info.
status Print a description of pdnsd's cache status, thread status
and configuration. Also shows which remote name servers
are assumed to be available.
server (index|label) (up| Set the status of the server with the given index or label
down|retest) [dns1[, (where the given label matches the one given with the
dns2[,...]]] label option in the respective server section in the
config file) to up or down, or force a retest. The index
is assigned in the order of definition in pdnsd.conf
starting with 0. Use the status command to view the
indices and labels. You can specify all instead of an
index or label to perform the action for all servers
registered with pdnsd. Example:
pdnsd-ctl server 0 retest
An optional third argument consisting of a list of IP
addresses (separated by commas or white-space characters)
can be given. This list will replace the previous list of
addresses of name servers used by pdnsd in the specified
section of the config file. For example in the /etc/ppp/
ip-up script called by pppd you could place the following
line:
pdnsd-ctl server isplabel up $DNS1,$DNS2
If white space is used to separate addresses the list will
have to be quoted. Spurious commas and white-space
characters are ignored. The last argument may also be an
empty string, in which case the existing IP addresses are
removed and the corresponding server section becomes
inactive.
record name (delete| Delete or invalidate the records of the given domain name
invalidate) if it is in the cache. Invalidation means that the records
are marked as timed out, and will be reloaded if possible
(if purge_cache is set to on, they will be deleted in any
case).
For local records (i.e., records that were given in the
config file using a rr section, records read from a
hosts-style file and records added using pdnsd-ctl),
invalidation has no effect. Deletion will work, though.
Example:
pdnsd-ctl record localhost. delete
source fn owner [ttl] [(on Load a hosts-style file. Works like using the pdnsd source
|off)] [noauth] configuration section. owner and ttl are used as in the
source section. ttl has a default of 900 (it does not need
to be specified). The next to last argument corresponds to
the serve_aliases option, and is off by default (i.e. if
it is not specified). noauth is used to make the domains
non-authoritative - please see the description of the
authrec config file options for a description of what that
means. fn is the filename. The file must be readable by
pdnsd! Example:
pdnsd-ctl source /etc/hosts localhost. 900 off
add a addr name [ttl]
[noauth]
Add a record of the given type to the pdnsd cache,
replacing existing records for the same name and type. The
add aaaa addr name [ttl 2nd argument corresponds to the value of the option in the
] [noauth] rr section that is named like the first argument: a is a
record for hostname-to-address mapping, aaaa is the same
thing for IPv6 addresses, and ptr is for
add ptr host name [ttl] address-to-hostname mapping. See the documentation for the
[noauth] rr section for more details. In case of A and AAAA
records, the addr argument may be a list of IP addresses,
separated by commas or white space, causing multiple
add cname host name [ addresses to be defined for the same name. The ttl is
ttl] [noauth] optional, the default is 900 seconds. noauth is used to
make the domains non-authoritative - please see the
description of the authrec config file options for a
add mx host name pref description of what that means. If you want no other
[ttl] [noauth] record than the newly added in the cache, do
pdnsd-ctl record name delete before adding records. This
is also better when overwriting local records. Example:
add ns host name [ttl] pdnsd-ctl add a 127.0.0.1 localhost. 900
[noauth]
neg name [type] [ttl] Add a negatively cached record to pdnsd's cache, replacing
existing records for the same name and type. If no type is
given, the whole domain is cached negatively. For
negatively cached records, errors are immediately returned
on a query, without querying other servers first. The ttl
is optional, the default is 900 seconds.
You can get a list of all types you can pass to this
command using pdnsd-ctl list-rrtypes. The type is treated
case-sensitive! Example:
pdnsd-ctl neg foo.bar A 900
pdnsd-ctl neg foo.baz 900
config [filename] Reload pdnsd's configuration file.
The config file must be owned by the uid that pdnsd had
when it was started, and be readable by pdnsd's run_as
uid. If no file name is specified, the config file used at
start-up is reloaded.
Note that some configuration changes, like the port or IP
address pdnsd listens on, cannot be made this way and you
will receive an error message. In these cases, you will
have to restart pdnsd instead.
include filename Parse the given file as an include file, see the
documentation on include sections for a description what
this file may contain.
This command is useful for adding definitions to the cache
without reconfiguring pdnsd.
eval string Parse the given string as if it were part of pdnsd's
configuration file. The string should hold one or more
complete configuration sections. However, global and
server sections are not allowed, just as in include files.
If multiple strings are given, they will be joined using
newline chars and parsed together.
This command is useful for adding records interactively to
the cache that cannot be defined using the "pdnsd-ctl add"
command, (e.g. soa records).
empty-cache [[+|-]name ...] If no arguments are provided, the cache will be completely
emptied, freeing all existing entries. Note that this also
removes local records, as defined by the config file. To
restore local records, run "pdnsd-ctl config" or
"pdnsd-ctl include filename" immediately afterwards.
The "pdnsd-ctl empty-cache" command now accepts additional
arguments; these are interpreted as include/exclude names.
If an argument starts with a '+' the name will be
included. If an argument starts with a '-' it will be
excluded. If an argument does not begin with '+' or '-', a
'+' is assumed. If the domain name of a cache entry ends
in one of the names in the list, the first match will
determine what happens. If the matching name is to be
included, the cache entry is deleted, otherwise not. If
there are no matches, the default action is not to delete.
Note that if you want to delete exactly one name and no
others, you should use "pdnsd-ctl record name delete",
this is also much more efficient.
Examples:
pdnsd-ctl empty-cache
This command will remove all cache entries.
pdnsd-ctl empty-cache microsoft.com msft.net
This will remove all entries ending in microsoft.com or
msft.net.
pdnsd-ctl empty-cache -localdomain -168.192.in-addr.arpa .
This will remove all entries except those ending in
localdomain or 168.192.in-addr.arpa. Note that '.' is the
root domain which matches any domain name.
dump [name] Print information stored in the cache about name. If name
begins with a dot and is not the root domain, information
about the names in the cache ending in name (including
name without the leading dot) will be printed. If name is
not specified, information about all the names in the
cache will be printed.
For each RR record the time and date that this record has
been added to the cache will be printed in the form mm/dd
HH:MM:SS (locally defined records are printed without a
time stamp). After that the type of record is printed with
the data. For the more common types of RR records the data
will be printed in human readable form, the remaining ones
in a hexadecimal representation.
This command is mainly useful for diagnostic purposes.
Note that if you pipe the output of this command through
an application that reads only part of the output and then
blocks (such as more or less), pdnsd will not be able to
add new entries to the cache until the pipe is closed. It
is preferable to capture the output in a file in such a
case.
list-rrtypes List available rr types for the neg command. Note that
those are only used for the neg command, not for add!
4 contrib/
The contrib directory in the pdnsd distribution contains useful
user-contributed scripts.
So far, there are scripts contributed by Marko Stolle and Paul Rombouts that
make pdnsd usable in a DHCP setup. Please take a look into the README file in
the contrib directory for further information.
5 Problems...
If you have problems with configuring or running pdnsd, be sure to read the FAQ
. If this does not help you, pdnsd crashes or you find bugs, please mail one of
the authors.
Note added by Paul A. Rombouts: Thomas Moestl no longer maintains the code. I
have revised the code and added new features. See README.par and the ChangeLog
in the source directory (or /usr/share/doc/pdnsd-<version> if you have
installed a binary package) for more details. If you have questions about my
modifications, you can find my email address at the end of README.par.
6 Hacking
Here comes some information you might find useful for hacking pdnsd.
6.1 Source files
Makefile.am, autoconf/automake/autoheader scripts. Makefile.am's are in
configure.in, most subdirectories.
acconfig.h
pdnsd.spec.in A template from which configure generates a spec file for
building rpm's for various distributions.
version Contains only the program version string. Needed for
several templates.
src/rc/* rc (start-up) scripts for various linux distributions.
The pdnsd cache subsystem(s) as defined in src/cache.h.
src/cache.c This is the "traditional" pdnsd system which keeps the
cache in memory and uses hash tables for accesses. Sourav
K. Mandal is working on a system using gdbm.
src/pdnsd-ctl/* Contains the code for pdnsd-ctl, a program that allows you
to control pdnsd at run time.
The lex/flex source file for the config file lexer. This is
src/conf-lex.l.in a template because there might be inserted "%option
yylineno" for proper flex support. (obsolete, superseded by
src/conf-parser.c)
This is automatically generated by configure from
src/conf-lex.l conf-lex.l.in. It may be overwritten in any make, so never
modify this, but conf-lex.l.in instead! (obsolete,
superseded by src/conf-parser.c)
src/conf-parse.y The yacc/bison source of the config file parser. (obsolete,
superseded by src/conf-parser.c)
src/conf-parser.c, The config file parser written purely in C (versions
src/conf-parser.h, 1.1.10-par and later).
src/conf-keywords.h
src/conff.c, src/ The configuration handler functions and their prototypes.
conff.h The parser is called from here.
src/consts.h Some constants used by the parser, config file handler
functions and in the server status thread, among others.
Define dns message structures, constants, and some common
src/dns.c, src/dns.h dns data handlers. dns.h contains gcc-specific code (in
praticular, "__attribute__((packed))").
src/dns_answer.c, Define functions that answer incoming dns queries.
src/dns_answer.h
src/dns_query.c, src Define functions to manage outgoing dns queries.
/dns_query.h
src/error.c, src/ Functions for error output to stderr or the syslog, and
error.h debug output to stderr or pdnsd.debug.
src/hash.c, src/ Contains the code for storing and looking up cache entries
hash.h in the hash table.
src/helpers.c, src/ Define miscellaneous helper functions.
helpers.h
src/icmp.c, src/ Define a function for performing a ping test. This contains
icmp.h OS-specific code.
src/main.c Contains main(), which holds the command line parser,
performs initialisations and signal handling.
Contains the code for the executable make_hashconvtable,
src/ which is only run once, during build time, to generate the
make_hashconvtable.c file hashconvtable.h, used by src/hash.c (versions
1.1.10-par and later). (obsolete since version 1.2)
A perl script for generating src/rr_types.h, a C header
src/ file containing macro definitions and tables needed for
make_rr_types_h.pl handling the RR types known to pdnsd, from the text file
src/rr_types.in.
src/rr_types.c, src/ These define tables and macros needed for handling the RR
rr_types.h, src/ types known to pdnsd. Since version 1.2.9, rr_types.h is an
rr_types.in automatically generated file, see make_rr_types_h.pl.
src/netdev.c, src/ Define functions for network device handling. OS-specific.
netdev.h
src/servers.c, src/ Define functions for the server status thread that performs
servers.h the periodical uptests.
src/status.c, src/ Define functions for the status control thread. This is
status.h pdnsd's interface to pdnsd-ctl.
-------------------------------------------------------------------------------
Copyright (C) 2000, 2001 Thomas Moestl
Copyright (C) 2003, 2004, 2005, 2006, 2007, 2008, 2012 Paul A. Rombouts
Last revised: 19 April 2012 by Paul A. Rombouts
Reference in New Issue View Git Blame Copy Permalink