dnscache — a caching proxy DNS server
dnscache is a proxy DNS server that speaks the DNS/UDP and DNS/TCP protocols. It accepts DNS queries from local programs (clients such as web browsers and mail transfer agents with DNS client libraries in them), sends queries of its own to hosts around the Internet, takes the responses that it receives and combines them into answers that it then sends back to the local clients. It caches the responses that it receieves, to save time later when it is asked the same or related questions again.
When it starts dnscache changes its root to the directory specified by the
ROOT environment variable, and drops privileges to run as the user ID and group ID specified by the
GID environment variables.
The latter can be set up with envuidgid(1).
Normally dnscache is run via server programs such as udp-socket-listen and tcp-socket-listen to listen for DNS/UDP and DNS/TCP queries on an appropriate IP address.
It understands the
LISTEN_FDS environment variable convention for having already-listening sockets passed to it by such programs, and uses the last open file descriptors in the list that refer to a UDP/IPv4 socket and a TCP/IPv4 socket.
If no such open file descriptors are provided it falls back to opening its own UDP/IPv4 and TCP/IPv4 sockets, bound to port 53 of the IP address given by the value of the
IP environment variable.
If just one is provided, it falls back for the other.
Typically the IP address is a non-routable machine-local or link-local one such as 127.0.0.1.
It can also be a public IP address, providing this service to other machines.
To control what other machines that is, there is an access control mechanism.
dnscache discards UDP packets or TCP connections from IP address 220.127.116.11 unless it sees a file named
A proper firewall is a more efficient mechanism for preventing client access, especially for DNS/TCP, however.
dnscache's responses are generally much smaller than BIND's responses. They do not include authority records (NS records of the source name servers and SOA records for negative answers) or additional records (A records relevant to NS or MX records). When the answer section is truncated by UDP length limits, it is eliminated entirely.
dnscache tries to prevent local users from snooping on other local users.
It discards non-recursive queries; it discards inverse queries; and it discards zone-transfer requests.
HIDETTL environment variable is set, dnscache always uses a TTL of 0 in its responses.
Normally, it preserves the (current remaining) TTL, so that other proxies can use it as an upstream server.
According to RFC 1035, the AA bit "specifies that the responding name server is an authority for the domain name in question section". dnscache is not an authority for any domain names. dnscache never sets the AA bit (except in NXDOMAIN responses, as required by RFC 2308, to work around a common client bug).
dnscache uses a fixed-size table, under 256K, to keep track of as many as 200 simultaneous UDP queries and 20 simultaneous TCP connections. It also dynamically allocates memory, usually just a few bytes but occasionally much more, for each active query. If it runs out of memory handling a query, it discards that query.
dnscache asks the operating system to reserve a 128K buffer for bursts of incoming UDP queries. If a new UDP query arrives when dnscache is already handling 200 simultaneous UDP queries, dnscache drops the oldest query. If a new TCP connection arrives when dnscache is already handling 20 simultaneous TCP connections, dnscache drops the oldest connection.
dnscache uses a fixed-size cache, as controlled by the value of the
CACHESIZE environment variable.
Roughly 5% of the cache is used for a hash table.
The rest is used for cache entries (including 8-byte Y2038-compliant expiration times):
22 bytes plus 4 bytes per address plus the length of the owner name.
22 bytes plus 16 bytes per address plus the length of the owner name.
22 bytes plus the length of the owner name and all the data names.
22 bytes plus 2 bytes per MX plus the length of all the names.
22 bytes plus 20 bytes per SOA plus the length of all the names.
22 bytes plus 2 bytes per record plus the length of all the data strings plus the length of the owner name.
22 bytes plus the length of the owner name.
Sets larger than 8192 bytes are not cached.
dnscache does not exit when it runs out of space in its cache; it simply removes the oldest entries to make more space.
dnscache relies on a configured list of root name servers. In contrast, some other servers start from a "hint file" listing (not necessarily root) name servers, and perform an intermediate extra step of asking those name servers where the root name servers are.
dnscache does not cache (or pass along) records outside the server's bailiwick; those records could be poisoned.
foo.dom, for example, are accepted only from the root servers, the
dom servers, and the
dnscache does not bypass its cache to obtain glue from the additional section of a response. In particular, it will not use glue outside the server's bailiwick, or glue with TTL 0, or glue that violates other caching policies.
dnscache caches records for at most a week. It interprets TTLs above 2147483647 as 0, on the grounds that such excessive values are the results of unsigned arithmetic underflow.
dnscache does not cache SOA records. However, it does use SOA TTLs to determine cache times (up to an hour) for zero-record responses and nonexistent domains.
A server that returns a delegation response that (directly or indirectly) delegates back to itself is considered "lame". Responses from "lame" servers are logged, and what useful information they may contain, aside from the delegation, is cached (subject to the caching policies).
localhost internally, giving it an A record of 127.0.0.1 and an AAAA record of ::1.
18.104.22.168.in-addr.arpa internally, giving it a PTR record of
22.214.171.124.0.0.0.0.0.0.0.0.0.0.0.0.ip6.arpa internally, giving it a PTR record of
dnscache handles dotted-decimal domain names internally, giving (e.g.) the domain name
126.96.36.199 an A record of 188.8.131.52.
dnscache sends outgoing requests from high ports of the IP address given by the value of the
IPSEND environment variable.
IPSEND is 0.0.0.0, meaning the machine's primary IP address.
The ports are picked at random, as are the message IDs in the requests.
The random number generator is seeded from a seed value, up to 128 bytes, that dnscache reads from its standard input at startup.
The seed does not need to be preserved across successive incarnations of dnscache, and merely needs to be unknown and unpredictable outwith the dnscache process.
It can just be a 128-byte snapshot of the system's random number generator read with the dd(1) program.
At startup, dnscache reads a list of dotted-decimal root server IP addresses, one address per line, from
It also scans the
servers/ directory for server IP addresses for other domains.
If there are addresses listed in
servers/moon.af.mil, for example, then dnscache will send queries for
to those addresses, and will not cache records for
from outside servers such as the root servers.
The list is capped at 16 IP addresses; the 17th and subsequent IP addresses being read, but discarded.
FORWARDONLY environment variable is set, dnscache treats
servers/@ as a list of IP addresses for other caching proxies, not for content servers.
It forwards queries to those caches the same way that a client does, rather than contacting a chain of servers according to NS records.
In this mode, it ignores referral responses, which it should never receive from a caching proxy in the first place and which the world at large has an unfortunate habit of making refer to IP addresses such as 127.0.0.1, which would cause a proxy loop if they were to be followed.
It logs such occurrences.
For similar reasons, for correct operation the list in a
servers/ file should not include:
the IP address on which dnscache is itself listening;
the IP address on which another proxy DNS server is listening; or
any IP addresses equivalent to those.
FORWARDFIRST environment variable is set, dnscache permits back-end services that it contacts to be either caching proxies or content servers.
It behaves exactly as in normal mode, except that back-end queries have the "recursion desired" bit set to on instead of to off.
This causes caching proxies to respond with fully resolved responses, whilst still performing query resolution locally if they do not.
Forward first mode is overridden by forward only mode.
If a server sends dnscache a repeated IP address, dnscache passes the repeated IP address along to the client. The server's behavior violates RFC 2181, section 5.5, but there are reasonable uses of repeated IP addresses for load balancing, so dnscache does not go out of its way to remove repetitions when they occur. A previously widespread server bug used to unintentionally produce repeated IP addresses. Here is an example (since fixed):
% dnsq a ns-ext.vix.com ns-ext.vix.com
117 bytes, 1+1+2+2 records, response, authoritative, noerror
query: 1 ns-ext.vix.com
answer: ns-ext.vix.com 3600 A 184.108.40.206
authority: vix.com 3600 NS ns-ext.vix.com
authority: vix.com 3600 NS ns1.gnac.com
additional: ns-ext.vix.com 3600 A 220.127.116.11
additional: ns1.gnac.com 130768 A 18.104.22.168
This bug is the most common reason for users to see repeated IP addresses from dnscache.