http:// / djbdns / mkservers.shtml

Single-File dnscache root overrides

I have written another page describing how to configure dnscache to use a "poison server" to block certain domain names. This involves creating a file in the /service/dnscache/root/servers directory for each domain, which overrides dnscache's normal "start from the root servers" behaviour.

A user recently posted on the djbdns mailing list saying that he was going to do the same thing, but with thousands of domain names. He asked if it were possible to use a cdb file to make administering the process easier. While it is possible to use a cdb file to hold the list of "root servers" for each domain, it could slow down the process of resolving names.

I have written a perl script which allows the user to maintain a single text file. The script writes out the actual files in the root/servers directory based on the contents of root/servers.txt. An additional (optional) "Makefile" allows the user to run the script and restart dnscache with a single "make" command (instead of typing two commands.)

It may be possible to write a patch which would make dnscache read this text file (or a cdb file) directly, but I haven't had the time to look into it, and I"m not convinced it would really be much of a speed boost to start with, since on a busy nameserver the operating system would have the contents of the root/servers directory held in cache.


The dnscache program allows you to specify "replacement root servers" for certain domain names, bypassing the standard behavior of resolving every query from the root nameservers.

You would normally do this if you also run the authoritiative nameserver for the domain name in question, and want to bypass the whole "start from the root servers" routine for performance reasons. You may also have domains which are only visible "inside" your network, and need to have one dnscache server which is capable of resolving these "private" names along with "real" names from the Intenret.

You may also want to do this to "block" certain domain names from working, for example domains whose only function is to provide "banner ads" for web pages, or domains which send SPAM. (See this page for information on how to set up "blocking" for individual domain names.)

This "root override" behaviour is controlled by files in the root/servers directory under your /service/dnscache directory.


File: mkservers
Size: 3,381 bytes
Date: 2003-07-23 00:16:48 +0000
MD5: 4958468c6f7116bc50937d49f050ca26
SHA-1: d9e7f0d471839b33d858ada39566502ca88068a0
RIPEMD-160: 1675d4b1d97b39725d978f40136966a15eb1d596
PGP Signature: mkservers.asc
File: mkservers-Makefile (optional)
Size: 74 bytes
Date: 2008-02-11 16:46:16 +0000
MD5: 3c4e95f44921dc6ada4061e8f17c6598
SHA-1: 3d580e1213aa13ead0227c0c7a153c5cdf3539d0
RIPEMD-160: 830710e942d438c5e05817720376f33444056e26
PGP Signature: mkservers-Makefile.asc


Text File Format

The file must be root/servers.txt within your dnscache service directory. The permissions aren't currently important since the script needs to run as root in order to restart the server, but when I write the patch for dnscache to read the file directly, it will need to be readable but not writable to the userid which dnscache runs as.

The format is very simple. Each line corresponds to one file in the stock root/servers/* directory. Each line begins with the domain name, a colon, and then a list of one or more IP addresses, separated by colons, which should be considered "root servers" for that domain. The real "root servers" should be listed on a line, either with no domain name, or with "@" as the domain name.

The sample file below shows what the file should look like.

File: servers.txt (sample)
Size: 1,830 bytes
MD5: 15e9f3942a6b95854cd74462d81b601a
SHA-1: 08604528529faa3cf12977a06cac5d261ba5414b
RIPEMD-160: 7d300c6c173b0d6c8b9176e1e5407f2647bb2e75
PGP Signature: servers.txt.asc