413 lines
		
	
	
		
			16 KiB
		
	
	
	
		
			HTML
		
	
	
	
			
		
		
	
	
			413 lines
		
	
	
		
			16 KiB
		
	
	
	
		
			HTML
		
	
	
	
| <!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
 | |
| <html>
 | |
|   <head>
 | |
|     <title>The pdnsd FAQ</title>
 | |
|     <meta http-equiv="Content-type" content="text/html; charset=ISO-8859-1">
 | |
|     <style type="text/css">
 | |
|       <!--
 | |
|       .small { font-family:helvetica; font-size:small; text-align:center; }
 | |
|       // -->
 | |
|     </style>
 | |
|   </head>
 | |
| 
 | |
|   <body bgcolor="#EEEEEE">
 | |
|     <!--notext(-->
 | |
|     <table width="100%">
 | |
|       <tr>
 | |
| 	<td> <span class="small">
 | |
| 	    <a href="index.html">pdnsd Homepage</a>
 | |
| 	  </span></td>
 | |
| 	<td> <span class="small">
 | |
| 	    <a href="faq.html">pdnsd FAQ</a>
 | |
| 	  </span></td>
 | |
| 	<td> <span class="small">
 | |
| 	    <a href="doc.html">Documentation</a>
 | |
| 	  </span></td>
 | |
| 	<td> <span class="small">
 | |
| 	    <a href="../../COPYING">GNU GPL (pdnsd's License)</a>
 | |
| 	  </span> </td>
 | |
| 	<td><span class="small">
 | |
| 	    <a href="dl.html">Download Section</a>
 | |
| 	  </span></td>
 | |
|       </tr>
 | |
|     </table>
 | |
|     <!--)notext-->
 | |
|     <h1>The pdnsd FAQ</h1>
 | |
|     <a name="q001"></a>
 | |
|     <table width="100%" cellspacing=1 cellpadding=7>
 | |
|       <tr>
 | |
| 	<td bgcolor="#FFCCFF"><b>Q:</b></td>
 | |
| 	<td bgcolor="#CCFFFF">
 | |
| 	  There are complete and well-tested name servers around, such as the BIND.
 | |
| 	  These do also perform caching. Why should I use pdnsd?
 | |
| 	</td>
 | |
|       </tr>
 | |
|       <tr>
 | |
| 	<td bgcolor="#FFCCFF"><b>A:</b></td>
 | |
| 	<td bgcolor="#DDFFEE">
 | |
| 	  pdnsd does not aim to be a complete name server implementation, such as the
 | |
| 	  BIND. It is optimized for caching, and you can only specify a small subset of all
 | |
| 	  dns record types pdnsd knows in your local "zone" definitions.
 | |
| 	  This of course reduces the code size drastically, and such the memory footprint.
 | |
| 	  There are some features especially interesting for dialin networks, ordinary
 | |
| 	  (non-server) internet hosts and computers that are often not connected to
 | |
| 	  to their network, e.g. notebooks (I originally wrote this program for use
 | |
| 	  with my notebook).
 | |
| 	  These features are:
 | |
| 	  <ul>
 | |
| 	    <li> permanent disk cache (useful for frequent power-offs/reboots)
 | |
| 	    <li> usually smaller memory footprint (depends on cache size) (see next question)
 | |
| 	    <li> offline-detection prevents hangs (e.g. the typical hang on startup of some
 | |
| 	      Netscape Navigator versions if not dialled in)
 | |
| 	    <li> better control about timeouts (also to prevent hangs)
 | |
| 	    <li> better control over the cache
 | |
| 	    <li> better run-time control
 | |
| 	  </ul>
 | |
| 	</td>
 | |
|       </tr>
 | |
|     </table>
 | |
|     <hr>
 | |
|     <a name="q002"></a>
 | |
|     <table width="100%" cellspacing=1 cellpadding=7>
 | |
|       <tr>
 | |
| 	<td bgcolor="#FFCCFF"><b>Q:</b></td>
 | |
| 	<td bgcolor="#CCFFFF">
 | |
| 	  When I look at the process size with ps, top, gtop, or a similar tool, I see
 | |
| 	  some processes with a total size well above 3.5 MB. This is much more than
 | |
| 	  e.g. BIND named (about 1.4 MB). Why?
 | |
| 	</td>
 | |
|       </tr>
 | |
|       <tr>
 | |
| 	<td bgcolor="#FFCCFF"><b>A:</b></td>
 | |
| 	<td bgcolor="#DDFFEE">
 | |
| 	  Really, it is not.
 | |
| 	  pdnsd uses multithreading, not multiprocessing. That means that the processes
 | |
| 	  share most of their process space. In the LinuxThreads library
 | |
| 	  or NPTL (Native Posix Thread Libary),
 | |
| 	  which are used by pdnsd on Linux, in fact the total process address space is shared
 | |
| 	  (although the processes have different stacks, these are in one process
 | |
| 	  address space). You may check this by looking at the at the process sizes of
 | |
| 	  the  pdnsd threads: all should be the same. The effective size that pdnsd
 | |
| 	  occupies is thus the size of any of the processes, not the sum of those.
 | |
| 	  So, pdnsd with empty cache occupies about 800 kB, and the maximum size
 | |
| 	  should be about the cache size plus this size (in fact, ca 5-10% more).
 | |
| 	</td>
 | |
|       </tr>
 | |
|     </table>
 | |
|     <hr>
 | |
|     <a name="q003"></a>
 | |
|     <table width="100%" cellspacing=1 cellpadding=7>
 | |
|       <tr>
 | |
| 	<td bgcolor="#FFCCFF"><b>Q:</b></td>
 | |
| 	<td bgcolor="#CCFFFF">
 | |
| 	  What do I need the status control (option -s) for?
 | |
| 	</td>
 | |
|       </tr>
 | |
|       <tr>
 | |
| 	<td bgcolor="#FFCCFF"><b>A:</b></td>
 | |
| 	<td bgcolor="#DDFFEE">
 | |
| 	  It enables you to do some things you might or might not need. With it, you can:
 | |
| 	  <ul>
 | |
| 	    <li> query pdnsd's settings at runtime to debug configuration files and
 | |
| 	      see which servers are regarded to be available
 | |
| 	    <li> mark servers as available or unavailable, or force a status retest - very
 | |
| 	      handy if you want to control which servers pdnsd queries, e.g for muliple
 | |
| 	      dial-up accounts
 | |
| 	    <li> delete, invalidate or add DNS records - useful e.g. when you want to build
 | |
| 	      records for dynamically assigned IP addresses or domain names
 | |
| 	    <li> reload pdnsd's configuration file without restarting pdnsd
 | |
| 	    <li> print information about the contents of pdnsd's cache.
 | |
| 	  </ul>
 | |
| 	</td>
 | |
|       </tr>
 | |
|     </table>
 | |
|     <hr>
 | |
|     <a name="q004"></a>
 | |
|     <table width="100%" cellspacing=1 cellpadding=7>
 | |
|       <tr>
 | |
| 	<td bgcolor="#FFCCFF"><b>Q:</b></td>
 | |
| 	<td bgcolor="#CCFFFF">
 | |
| 	  What do I need local records (rr- and source-sections in the config file) for?
 | |
| 	</td>
 | |
|       </tr>
 | |
|       <tr>
 | |
| 	<td bgcolor="#FFCCFF"><b>A:</b></td>
 | |
| 	<td bgcolor="#DDFFEE">
 | |
| 	  Some resolver programs, e.g. nslookup, want to look up the name of the
 | |
| 	  server they are using before doing anything else. This option is for defining
 | |
| 	  a PTR record for your IP such that those programs get an answer even if the
 | |
| 	  name server you are caching is not available or does not offer these records.
 | |
| 	  By extension, you may also define A and SOA records. This allows you to build
 | |
| 	  very small zones without having to use a "big" name server. It is NOT
 | |
| 	  intended to replace such a complete server in anything but VERY small
 | |
| 	  networks. Alternatively, you may start a named on another host or on the
 | |
| 	  same host on another port and cache it with pdnsd in addition to other (more
 | |
| 	  distant) name servers.
 | |
| 	  <br>
 | |
| 	  The <code>source</code> section allows you to let pdnsd read in your
 | |
| 	  <code>/etc/hosts</code> file on startup and serve its contents. This file is used by your local
 | |
| 	  resolver before it even  tries the name servers and usually contains
 | |
| 	  fully-qualified domain names (FQDNs) for all of the internet addresses your host has.
 | |
| 	  If you source this file, you usually won't need any additional <code>rr</code> sections. Sourcing it also allows
 | |
| 	  other hosts (eg. in your local network) to access the names defined in your
 | |
| 	  hosts file. You can of course just add other hosts in your local network to the
 | |
| 	  servers <code>hosts</code> file, thus making them known to your server's resolver
 | |
| 	  and pdnsd (if you sourced that file).
 | |
| 	  <br>
 | |
| 	  If you don't know what this answer was all about, you should just take the
 | |
| 	  source section in the sample config file that comes with pdnsd, copy it
 | |
| 	  into your config file and forget about it.
 | |
| 	</td>
 | |
|       </tr>
 | |
|     </table>
 | |
|     <hr>
 | |
|     <a name="q005"></a>
 | |
|     <table width="100%" cellspacing=1 cellpadding=7>
 | |
|       <tr>
 | |
| 	<td bgcolor="#FFCCFF"><b>Q:</b></td>
 | |
| 	<td bgcolor="#CCFFFF">
 | |
| 	  When compiling, I get an error message like <br><i>Please define __BYTE_ORDER to
 | |
| 	  be __LITTLE_ENDIAN or __BIG_ENDIAN</i><br> What's up?
 | |
| 	</td>
 | |
|       </tr>
 | |
|       <tr>
 | |
| 	<td bgcolor="#FFCCFF"><b>A:</b></td>
 | |
| 	<td bgcolor="#DDFFEE">
 | |
| 	  Normally, this macros should be defined in your C library's header files.
 | |
| 	  There are two different methods, most C libraries support both (and pdnsd
 | |
| 	  honors both): either <code>__BYTE_ORDER</code> is set to <code>__LITTLE_ENDIAN</code>
 | |
| 	  or <code>__BIG_ENDIAN</code>, or <code>__LITTLE_ENDIAN</code> or <code>__BIG_ENDIAN</code>
 | |
| 	  are directly defined as macros.
 | |
| 	  <br>
 | |
| 	  Linux glibc, for example, does set those macros correctly. Never mind. You just have to know
 | |
| 	  whether your machine is little-endian or big-endian, this means wheter your
 | |
| 	  machine saves the least significant byte of a word or double-word first in memory (little-endian) or
 | |
| 	  the most significant first (big-endian).
 | |
| 	  All intel x86 and Alpha machines are little-endian, for example, while SPARC
 | |
| 	  and PowerPC architectures are big-endian.
 | |
| 	  If your machine is little-endian, add the following line to your config.h:
 | |
| 	  <br><code>
 | |
| 	    #define __BYTE_ORDER __LITTLE_ENDIAN
 | |
| 	  </code><br>
 | |
| 	  Likewise, if your machines byte order is big-endian:
 | |
| 	  <br><code>
 | |
| 	    #define __BYTE_ORDER __BIG_ENDIAN
 | |
| 	  </code><br>
 | |
| 	  Pathological byte orders like pdp-endian are not yet supported really;
 | |
| 	  However, for the place the endianess is needed, <code>__LITTLE_ENDIAN</code> should do
 | |
| 	  (it deals only with 16 bits; for all other occurances, ntoh[sl]/hton[sl] is used).
 | |
| 	</td>
 | |
|       </tr>
 | |
|     </table>
 | |
|     <hr>
 | |
|     <a name="q007"></a>
 | |
|     <table width="100%" cellspacing=1 cellpadding=7>
 | |
|       <tr>
 | |
| 	<td bgcolor="#FFCCFF"><b>Q:</b></td>
 | |
| 	<td bgcolor="#CCFFFF">
 | |
| 	  At startup, I get a warning saying:<br>
 | |
| 	  <i>
 | |
| 	    Uptest command [...] will implicitly be executed as root
 | |
| 	  </i> <br>
 | |
| 	  What does that mean?
 | |
| 	</td>
 | |
|       </tr>
 | |
|       <tr>
 | |
| 	<td bgcolor="#FFCCFF"><b>A:</b></td>
 | |
| 	<td bgcolor="#DDFFEE">
 | |
| 	  This warning only occurs if you use the <code>uptest=exec</code> option in your
 | |
| 	  configuration. It means that the uptest command is run as root
 | |
| 	  because pdnsd is running as root, and this was not explicitely specified.
 | |
| 	  The idea is that it may introduce security holes (in the programs being run)
 | |
| 	  when they run as root, and so they shouldn't do that if possible.
 | |
| 	  You can specify the user that shall run the command by appending its name
 | |
| 	  comma-separated as string to the <code>uptest_cmd</code> line: <br>
 | |
| 	  <code>
 | |
| 	    uptest_cmd="<your command>","<user>";
 | |
| 	  </code> <br>
 | |
| 	  If it is correctly running as root, just append the user string <code>"root"</code> to
 | |
| 	  the command and the warning will not occur again.
 | |
| 	</td>
 | |
|       </tr>
 | |
|     </table>
 | |
|     <hr>
 | |
|     <a name="q008"></a>
 | |
|     <table width="100%" cellspacing=1 cellpadding=7>
 | |
|       <tr>
 | |
| 	<td bgcolor="#FFCCFF"><b>Q:</b></td>
 | |
| 	<td bgcolor="#CCFFFF">
 | |
| 	  I cannot run my <code>uptest_cmd</code> command as root (it says <i>permission denied</i>),
 | |
| 	  although the pdnsd executable is setuid root. Why?
 | |
| 	</td>
 | |
|       </tr>
 | |
|       <tr>
 | |
| 	<td bgcolor="#FFCCFF"><b>A:</b></td>
 | |
| 	<td bgcolor="#DDFFEE">
 | |
| 	  pdnsd will drop privileges gained through setuid/setgid before executing the
 | |
| 	  uptest commands (you shouldn't set the pdnsd executable setuid/setgid anyway).
 | |
| 	  The reason is clear: if you install the pdnsd
 | |
| 	  executable as setuid root and this wouln't be done, any user could execute
 | |
| 	  shellcode with root privileges using that option!
 | |
| 	</td>
 | |
|       </tr>
 | |
|     </table>
 | |
|     <hr>
 | |
|     <a name="q009"></a>
 | |
|     <table width="100%" cellspacing=1 cellpadding=7>
 | |
|       <tr>
 | |
| 	<td bgcolor="#FFCCFF"><b>Q:</b></td>
 | |
| 	<td bgcolor="#CCFFFF">
 | |
| 	  At startup, I get an error saying:<br>
 | |
| 	  <i>
 | |
| 	    Bad config file permissions: the file must be only writeable by the user
 | |
| 	  </i><br>
 | |
| 	  Why is that?
 | |
| 	</td>
 | |
|       </tr>
 | |
|       <tr>
 | |
| 	<td bgcolor="#FFCCFF"><b>A:</b></td>
 | |
| 	<td bgcolor="#DDFFEE">
 | |
| 	  pdnsd has an option (<code>uptest=exec</code>) that allows the execution of arbitrary
 | |
| 	  shell code (for testing whether an interface is up). This must be
 | |
| 	  of course secured against unauthorized use. One of these
 | |
| 	  protection is the one that produces the error message: if you routinely run
 | |
| 	  pdnsd, e.g. at system startup, and your config file is editable for others,
 | |
| 	  someone could change it and insert shell code that is executed in the next
 | |
| 	  pdnsd run -- with your user privileges! To prevent this, pdnsd will exit if the config file is writeable
 | |
| 	  by others than the owner.
 | |
| 	  To get rid of this message, just do <br>
 | |
| 	  <code>
 | |
| 	    chmod go-w <filename>
 | |
| 	  </code><br>
 | |
| 	  on your config
 | |
| 	  file (for the default file: <code>chmod go-w /etc/pdnsd.conf</code>).
 | |
| 	  You should also check that the ownership is set correct.
 | |
| 	</td>
 | |
|       </tr>
 | |
|     </table>
 | |
|     <hr>
 | |
|     <a name="q010"></a>
 | |
|     <table width="100%" cellspacing=1 cellpadding=7>
 | |
|       <tr>
 | |
| 	<td bgcolor="#FFCCFF"><b>Q:</b></td>
 | |
| 	<td bgcolor="#CCFFFF">
 | |
| 	  <code>serve_aliases</code> does not seem to work.
 | |
| 	</td>
 | |
|       </tr>
 | |
|       <tr>
 | |
| 	<td bgcolor="#FFCCFF"><b>A:</b></td>
 | |
| 	<td bgcolor="#DDFFEE">
 | |
| 	  Some resolvers (e.g. of the glibc 2.1) seem sometimes not to look up unmodified names, but the names with
 | |
| 	  an entry of the search path already appended. Since pdnsd will serve short names with this
 | |
| 	  option anyway, you can delete the search an domain options from your /etc/resolv.conf. This is reported to
 | |
| 	  work in some cases.
 | |
| 	</td>
 | |
|       </tr>
 | |
|     </table>
 | |
|     <hr>
 | |
|     <a name="q011"></a>
 | |
|     <table width="100%" cellspacing=1 cellpadding=7>
 | |
|      <tr>
 | |
|         <td bgcolor="#FFCCFF"><b>Q:</b></td>
 | |
| 	<td bgcolor="#CCFFFF">
 | |
| 	  Some queries for domains that have many records (e.g. www.gmx.de) fail mysteriously.
 | |
| 	</td>
 | |
|       </tr>
 | |
|       <tr>
 | |
| 	<td bgcolor="#FFCCFF"><b>A:</b></td>
 | |
| 	<td bgcolor="#DDFFEE">
 | |
| 	  pdnsd versions prior to 1.1.0 had the tcp server thread disabled by default. Most resolvers
 | |
| 	  repeat their query using tcp when they receive a truncated answer (the answer is truncated
 | |
| 	  when it exceeds a length of 512 bytes). You need to recompile pdnsd with the option
 | |
| 	  <code>--enable-tcp-server</code> to fix this.
 | |
| 	</td>
 | |
|       </tr>
 | |
|     </table>
 | |
|     <hr>
 | |
|     <a name="q012"></a>
 | |
|     <table width="100%" cellspacing=1 cellpadding=7>
 | |
|      <tr>
 | |
|         <td bgcolor="#FFCCFF"><b>Q:</b></td>
 | |
| 	<td bgcolor="#CCFFFF">
 | |
| 	  I am behind some kind of firewall. In the configuration file
 | |
| 	  I have only listed addresses of name servers on the local (ISP's) network,
 | |
| 	  but pdnsd is slow and DNS queries frequently time out.
 | |
| 	</td>
 | |
|       </tr>
 | |
|       <tr>
 | |
| 	<td bgcolor="#FFCCFF"><b>A:</b></td>
 | |
| 	<td bgcolor="#DDFFEE">
 | |
| 	  In some cases pdnsd will not consider the answer of the local name server
 | |
| 	  authoritative enough, and will try to get answers from the name servers listed in the
 | |
| 	  authority section of the reply message. If pdnsd is behind a firewall that blocks the
 | |
| 	  UDP reply packets from remote name servers, pdnsd will wait in vain for a reply.
 | |
| 	  One solution is to set <a href="doc.html#proxyonly"><code>proxy_only=on</code></a>
 | |
| 	  in the servers sections of the configuration file.
 | |
| 	  This will prevent pdnsd from querying name servers that are not listed in the configuration
 | |
| 	  file.
 | |
| 	  Another solution that can be tried is specifying
 | |
| 	  <a href="doc.html#querymethod"><code>query_method=tcp_only</code></a>
 | |
| 	  in the global section of the configuration file, because a firewall that blocks
 | |
| 	  UDP packets from outside might still allow outgoing TCP connections to port 53.
 | |
| 	</td>
 | |
|       </tr>
 | |
|     </table>
 | |
|     <hr>
 | |
|     <a name="q013"></a>
 | |
|     <table width="100%" cellspacing=1 cellpadding=7>
 | |
|      <tr>
 | |
|         <td bgcolor="#FFCCFF"><b>Q:</b></td>
 | |
| 	<td bgcolor="#CCFFFF">
 | |
| 	  Is pdnsd vulnerable to DNS cache poisoning as described in
 | |
| 	  <a href="http://www.kb.cert.org/vuls/id/800113">CERT vulnerability note VU#800113</a>?
 | |
| 	</td>
 | |
|       </tr>
 | |
|       <tr>
 | |
| 	<td bgcolor="#FFCCFF"><b>A:</b></td>
 | |
| 	<td bgcolor="#DDFFEE">
 | |
| 	  Short answer: Yes.<br>
 | |
| 	  Somewhat longer answer: The problem is not so much that pdnsd's implementation is flawed
 | |
| 	  but rather that the DNS protocol currently being used is fundamentally flawed from
 | |
| 	  a security viewpoint. As long as a more secure protocol is not in place,
 | |
| 	  all that the developers of pdnsd can do is to try to tweak the current implementation
 | |
| 	  to make it as difficult as possible for an attacker to succeed.<br>
 | |
| 	  From version 1.2.7 onwards, the default for the <code>query_port_start</code> option
 | |
| 	  is 1024, which means that the pdnsd resolver will randomly select source ports
 | |
| 	  in the range 1024-65535. (In previous versions the default was to let the kernel select
 | |
| 	  the source ports, which will often result in a more or less predictable sequence of ports.)
 | |
| 	  It also helps to use a good quality source of random numbers. On platforms where this is
 | |
| 	  supported, it is preferable to configure with <code>--with-random-device=/dev/urandom</code>.
 | |
| 	  There is still more that can be done to make pdnsd less vulnerable, but this remains
 | |
| 	  (as of this writing) a work in progress.
 | |
| 	  <br>
 | |
| 	  Please note that pdnsd was designed for small (private) networks, and that it is generally
 | |
| 	  not recommended to let untrusted users access pdnsd.
 | |
| 	</td>
 | |
|       </tr>
 | |
|     </table>
 | |
| <!--<hr>
 | |
|     <a name="q014"></a>
 | |
|     <table width="100%" cellspacing=1 cellpadding=7>
 | |
|      <tr>
 | |
|         <td bgcolor="#FFCCFF"><b>Q:</b></td>
 | |
| 	<td bgcolor="#CCFFFF">
 | |
| 	</td>
 | |
|       </tr>
 | |
|       <tr>
 | |
| 	<td bgcolor="#FFCCFF"><b>A:</b></td>
 | |
| 	<td bgcolor="#DDFFEE">
 | |
| 	</td>
 | |
|       </tr>
 | |
|     </table>-->
 | |
|     <hr>
 | |
|     <address><a href="mailto:tmoestl@gmx.net">Thomas Moestl</a>
 | |
|       and <a href="mailto:p.a.rombouts@home.nl">Paul Rombouts</a>
 | |
|     </address>
 | |
|     <br>
 | |
|     <p>
 | |
|       <i>Last revised: 18 August 2008 by Paul Rombouts</i>
 | |
|     </p>
 | |
|   </body>
 | |
| </html>
 | |
| 
 |