dnscache — a caching proxy DNS server




dnscache is a proxy DNS server that speaks the DNS/UDP and DNS/TCP protocols. It accepts DNS queries from local programs (clients such as web browsers and mail transfer agents with DNS client libraries in them), sends queries of its own to hosts around the Internet, takes the responses that it receives and combines them into answers that it then sends back to the local clients. It caches the responses that it receieves, to save time later when it is asked the same or related questions again.

When it starts dnscache changes its root to the directory specified by the ROOT environment variable, and drops privileges to run as the user ID and group ID specified by the UID and GID environment variables. The latter can be set up with envuidgid(1).

Client-facing front end

Listening addresses

Normally dnscache is run via server programs such as udp-socket-listen and tcp-socket-listen to listen for DNS/UDP and DNS/TCP queries on an appropriate IP address. It understands the LISTEN_PID and LISTEN_FDS environment variable convention for having already-listening sockets passed to it by such programs, and uses the last open file descriptors in the list that refer to a UDP/IPv4 socket and a TCP/IPv4 socket. If no such open file descriptors are provided it falls back to opening its own UDP/IPv4 and TCP/IPv4 sockets, bound to port 53 of the IP address given by the value of the IP environment variable. If just one is provided, it falls back for the other.

Typically the IP address is a non-routable machine-local or link-local one such as It can also be a public IP address, providing this service to other machines. To control what other machines that is, there is an access control mechanism. dnscache discards UDP packets or TCP connections from IP address unless it sees a file named ip/ or ip/1.2.3 or ip/1.2 or ip/1. A proper firewall is a more efficient mechanism for preventing client access, especially for DNS/TCP, however.

Responses to clients

dnscache's responses are generally much smaller than BIND's responses. They do not include authority records (NS records of the source name servers and SOA records for negative answers) or additional records (A records relevant to NS or MX records). When the answer section is truncated by UDP length limits, it is eliminated entirely.

dnscache tries to prevent local users from snooping on other local users. It discards non-recursive queries; it discards inverse queries; and it discards zone-transfer requests. If the HIDETTL environment variable is set, dnscache always uses a TTL of 0 in its responses. Normally, it preserves the (current remaining) TTL, so that other proxies can use it as an upstream server.

According to RFC 1035, the AA bit "specifies that the responding name server is an authority for the domain name in question section". dnscache is not an authority for any domain names. dnscache never sets the AA bit (except in NXDOMAIN responses, as required by RFC 2308, to work around a common client bug).

Resources, query resoution, and caching

Resource use limits

dnscache uses a fixed-size table, under 256K, to keep track of as many as 200 simultaneous UDP queries and 20 simultaneous TCP connections. It also dynamically allocates memory, usually just a few bytes but occasionally much more, for each active query. If it runs out of memory handling a query, it discards that query.

dnscache asks the operating system to reserve a 128K buffer for bursts of incoming UDP queries. If a new UDP query arrives when dnscache is already handling 200 simultaneous UDP queries, dnscache drops the oldest query. If a new TCP connection arrives when dnscache is already handling 20 simultaneous TCP connections, dnscache drops the oldest connection.

dnscache uses a fixed-size cache, as controlled by the value of the CACHESIZE environment variable. Roughly 5% of the cache is used for a hash table. The rest is used for cache entries (including 8-byte Y2038-compliant expiration times):

A sets.

22 bytes plus 4 bytes per address plus the length of the owner name.

AAAA sets.

22 bytes plus 16 bytes per address plus the length of the owner name.

NS sets or PTR sets or CNAME sets.

22 bytes plus the length of the owner name and all the data names.

MX sets.

22 bytes plus 2 bytes per MX plus the length of all the names.

SOA sets.

22 bytes plus 20 bytes per SOA plus the length of all the names.

Other record sets.

22 bytes plus 2 bytes per record plus the length of all the data strings plus the length of the owner name.

Nonexistent domain or server failure.

22 bytes plus the length of the owner name.

Sets larger than 8192 bytes are not cached.

dnscache does not exit when it runs out of space in its cache; it simply removes the oldest entries to make more space.

Resolution and caching policies

dnscache relies on a configured list of root name servers. In contrast, some other servers start from a "hint file" listing (not necessarily root) name servers, and perform an intermediate extra step of asking those name servers where the root name servers are.

dnscache does not cache (or pass along) records outside the server's bailiwick; those records could be poisoned. Records for foo.dom, for example, are accepted only from the root servers, the dom servers, and the foo.dom servers.

dnscache does not bypass its cache to obtain glue from the additional section of a response. In particular, it will not use glue outside the server's bailiwick, or glue with TTL 0, or glue that violates other caching policies.

dnscache caches records for at most a week. It interprets TTLs above 2147483647 as 0, on the grounds that such excessive values are the results of unsigned arithmetic underflow.

dnscache does not cache SOA records. However, it does use SOA TTLs to determine cache times (up to an hour) for zero-record responses and nonexistent domains.

A server that returns a delegation response that (directly or indirectly) delegates back to itself is considered "lame". Responses from "lame" servers are logged, and what useful information they may contain, aside from the delegation, is cached (subject to the caching policies).

Special names

dnscache handles localhost internally, giving it an A record of and an AAAA record of ::1. dnscache handles internally, giving it a PTR record of localhost. dnscache handles internally, giving it a PTR record of localhost.

dnscache handles dotted-decimal domain names internally, giving (e.g.) the domain name an A record of

Back end

IP addresses and ports

dnscache sends outgoing requests from high ports of the IP address given by the value of the IPSEND environment variable. Typically IPSEND is, meaning the machine's primary IP address. The ports are picked at random, as are the message IDs in the requests. The random number generator is seeded from a seed value, up to 128 bytes, that dnscache reads from its standard input at startup. The seed does not need to be preserved across successive incarnations of dnscache, and merely needs to be unknown and unpredictable outwith the dnscache process. It can just be a 128-byte snapshot of the system's random number generator read with the dd(1) program.

At startup, dnscache reads a list of dotted-decimal root server IP addresses, one address per line, from servers/@. It also scans the servers/ directory for server IP addresses for other domains. If there are addresses listed in servers/, for example, then dnscache will send queries for to those addresses, and will not cache records for from outside servers such as the root servers. The list is capped at 16 IP addresses; the 17th and subsequent IP addresses being read, but discarded.

Forward only mode

If the FORWARDONLY environment variable is set, dnscache treats servers/@ as a list of IP addresses for other caching proxies, not for content servers. It forwards queries to those caches the same way that a client does, rather than contacting a chain of servers according to NS records. In this mode, it ignores referral responses, which it should never receive from a caching proxy in the first place and which the world at large has an unfortunate habit of making refer to IP addresses such as, which would cause a proxy loop if they were to be followed. It logs such occurrences.

For similar reasons, for correct operation the list in a servers/* file should not include:

  • the IP address on which dnscache is itself listening;

  • the IP address on which another proxy DNS server is listening; or

  • any IP addresses equivalent to those.

Repeated IP addresses

If a server sends dnscache a repeated IP address, dnscache passes the repeated IP address along to the client. The server's behavior violates RFC 2181, section 5.5, but there are reasonable uses of repeated IP addresses for load balancing, so dnscache does not go out of its way to remove repetitions when they occur. A previously widespread server bug used to unintentionally produce repeated IP addresses. Here is an example (since fixed):

% dnsq a

117 bytes, 1+1+2+2 records, response, authoritative, noerror
query: 1
answer: 3600 A
authority: 3600 NS
authority: 3600 NS
additional: 3600 A
additional: 130768 A

This bug is the most common reason for users to see repeated IP addresses from dnscache.


dnscache was originally part of Daniel J. Bernstein's djbdns toolset in 2000.


Original code and documentation by Daniel J. Bernstein. Documentation modernizations by Jonathan de Boyne Pollard.