1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
|
.TH dqcache 8
.SH NAME
dqcache \- DNS cache with DNSCurve support
.SH DESCRIPTION
.B dqcache
is recursive DNS server derived from
.B dnscache
(https://cr.yp.to/djbdns/dnscache.html)
.SH CONFIGURATION
.B dqcache
runs chrooted in the directory specified by the $ROOT environment variable, under the uid and gid specified by the $UID and $GID environment variables.
.sp
.B dqcache
listens for incoming UDP packets and TCP connections addressed to port 53 of $IP. Typically $IP is 127.0.0.1, but it can also be an externally accessible IP address.
.sp
.B dqcache
accepts connections from localhost (127.0.0.0/8 or ::1/128).
For external connections
.B dqcache
has file-style accesslist.
.RS 4
.nf
e.g. for IPv4 address 1.2.3.4 dqcache allows connection when sees a file named:
ip4/1.2.3.4 or
ip4/1.2.3 or
ip4/1.2 or
ip4/1
e.g. for IPv6 address 2a02:598:7000:101:12dd:b1ff:fede:3476 dqcache allows connection when sees a file named:
ip6/2a02:598:7000:101:12dd:b1ff:fede:3476 or
ip6/2a02:598:7000:101:12dd:b1ff:fede or
ip6/2a02:598:7000:101:12dd:b1ff or
ip6/2a02:598:7000:101:12dd or
ip6/2a02:598:7000:101 or
ip6/2a02:598:7000 or
ip6/2a02:598 or
ip6/2a02
.fi
.RE
when environment variable $OKCLIENT is set,
.B dqcache
accepts all connections.
.sp
.B
Warning
,
.B dqcache
encrypts DNS packets and should run on client's machine. If You run
.B dqcache
on external IP (not on localhost), You're probably doing it wrong.
.sp
.B dqcache
sends outgoing IPv4 packets from high ports of $IPSEND4. Typically $IPSEND4 is 0.0.0.0, meaning the machine's primary IPv4 address.
.sp
.B dqcache
sends outgoing IPv6 packets from high ports of $IPSEND6. Typically $IPSEND6 is ::, meaning the machine's primary IPv6 address.
.sp
If $HIDETTL is set,
.B dqcache
always uses a TTL of 0 in its responses
.sp
.B dqcache
reads a list of root servers as an anchor, one record per line, from servers/@.
The record has format {IP} or {IP}|{DNSCURVEPUBLICKEY} e.g.:
.RS 4
.nf
servers/@:
198.41.0.4
2001:503:ba3e::2:30
192.228.79.201
2001:500:84::b
etc.
.fi
.RE
.sp
.B dqcache
also scans the servers directory for anchors for other domains, one record per line.
The record has format {IP} or {IP}|{DNSCURVEPUBLICKEY} e.g.:
.RS 4
.nf
servers/dnscurve.cz:
185.66.36.55|uz5mj60yr9tnudkkpcglw1y0w6dlh78j1l4gk4z7t8bsf1u4d48wlq
37.157.196.86|uz5mj60yr9tnudkkpcglw1y0w6dlh78j1l4gk4z7t8bsf1u4d48wlq
2a02:2b88:2:1::127d:1|uz5mj60yr9tnudkkpcglw1y0w6dlh78j1l4gk4z7t8bsf1u4d48wlq
2a03:1e20:0:5::2|uz5mj60yr9tnudkkpcglw1y0w6dlh78j1l4gk4z7t8bsf1u4d48wlq
.fi
.RE
.sp
.B dqcache
supports forward-only mode. If $FORWARDONLY is set, dqcache treats servers/@ as a list of IP addresses for other caches, not root servers. It forwards queries to those caches the same way that a client does, rather than contacting a chain of servers according to NS records.
.sp
.B dqcache
uses a fixed-size cache, as controlled by the $CACHESIZE environment variable. Typically $CACHESIZE is 10000000 (10MB).
.sp
.B dqcache
typically generates new secret key at start of program. If environment variable $SECRETKEY is set, then
.B dqcache
loads this secret key. $SECRETKEY must be safely generated using
.BR dqcache-makekey (1).
.sp
Note that
.B dqcache
uses internally two secret keys, one used as the discrete logarithm of the public key (256bit DNSCurve key) and one to encrypt the nonce (128bit TEA symmetric key). Both of these keys are actually derived from $SECRETKEY using crypto_stream_salsa20().
.sp
.B dqcache
also supports nonce-separation via environment variable $NONCESTART. This means that several caches share a key but use separate nonces:
.RS 2
.nf
e.g.:
NONCESTART=100 ... the first of four caches is configured to use top bits 100
NONCESTART=101 ... the second is configured to use top bits 101
NONCESTART=110 ... the third is configured to use top bits 110
NONCESTART=111 ... and the fourth is configured to use top bits 111.
etc.
.fi
.RE
.sp
.B dqcache
typically supports DNSCurve in 'combined mode' (meaning: if Streamlined query fails,
.B dqcache
tries also TXT query).
Environment variable $DNSCURVETYPE selects specific DNSCurve type.
.RS 2
.nf
DNSCURVETYPE=1 ... Streamlined only DNSCurve
DNSCURVETYPE=2 ... TXT only DNSCurve
.fi
.RE
.sp
.B dqcache
caches records for at least $MINTTL seconds, when MINTTL is set. It's limited <0-300> seconds. Use only if you really know what you're doing.
.RE
.sp
.B dqcache
sends only IPv4 queries, when DISABLEIPV6 is set. Use only if you really know what you're doing.
.SH SEE ALSO
.BR dqcache-makekey (1),
.BR dq (1),
.BR dnscache (8)
.sp
.nf
https://mojzis.com/software/dq
https://dnscurve.org/
https://cr.yp.to/djbdns/dnscache.html
.fi
|
