FreeBSD Manual Pages
dqcache(8)                  System Manager's Manual                 dqcache(8)

NAME
       dqcache - DNS cache with DNSCurve support

DESCRIPTION
       dqcache is a recursive DNS server derived from dnscache
       (https://cr.yp.to/djbdns/dnscache.html).

CONFIGURATION
       dqcache runs chrooted in the directory specified by the $ROOT
       environment variable, under the uid and gid specified by the $UID and
       $GID environment variables.

       dqcache listens for incoming UDP packets and TCP connections addressed
       to port 53 of $IP.  Typically $IP is 127.0.0.1, but it can also be an
       externally accessible IP address.

       dqcache always accepts connections from localhost (127.0.0.0/8 or
       ::1/128).  For external connections dqcache has a file-style access
       list, looked up inside the chroot directory: it allows a connection
       when it sees a file named after the client address or one of its
       prefixes, e.g. for the IPv4 address 1.2.3.4 any of

              ip4/1.2.3.4 or ip4/1.2.3 or ip4/1.2 or ip4/1

       and for the IPv6 address 2a02:598:7000:101:12dd:b1ff:fede:3476 any of

              ip6/2a02:598:7000:101:12dd:b1ff:fede:3476 or
              ip6/2a02:598:7000:101:12dd:b1ff:fede or
              ip6/2a02:598:7000:101:12dd:b1ff or
              ip6/2a02:598:7000:101:12dd or
              ip6/2a02:598:7000:101 or
              ip6/2a02:598:7000 or
              ip6/2a02:598 or
              ip6/2a02

       When the environment variable $OKCLIENT is set, dqcache accepts all
       connections.

       Warning: dqcache encrypts DNS packets between itself and DNSCurve
       servers; traffic between clients and dqcache is ordinary plaintext
       DNS, so dqcache should run on the client's machine.  If you run
       dqcache on an external IP (not on localhost), you're probably doing
       it wrong.

       dqcache sends outgoing IPv4 packets from high ports of $IPSEND4.
       Typically $IPSEND4 is 0.0.0.0, meaning the machine's primary IPv4
       address.

       dqcache sends outgoing IPv6 packets from high ports of $IPSEND6.
       Typically $IPSEND6 is ::, meaning the machine's primary IPv6 address.

       If $HIDETTL is set, dqcache always uses a TTL of 0 in its responses.

       dqcache reads a list of root servers as an anchor, one record per
       line, from servers/@.  Each record has the format {IP} or
       {IP}|{DNSCURVEPUBLICKEY}, e.g.:

       servers/@:
              198.41.0.4
              2001:503:ba3e::2:30
              192.228.79.201
              2001:500:84::b
              etc.
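       The access-list lookup and the servers/@ record format described
       above, as an added example written for this page; it is not part of
       the dq manual or the dq source.  It assumes that dq writes IPv6
       groups exactly as the manual's example shows (uncompressed, without
       leading zeros), it treats a blank record line as ignorable and a
       malformed address or key as an error (the example's own policy, not
       documented behaviour), and it checks keys against the DNSCurve
       public-key syntax of "uz5" followed by 51 base-32 digits.  The $ROOT
       layout and servers file built in demo() are constructed sample data.

```python
"""Added example (not dq's own code): reproduces two dqcache(8) rules from
the text above so they can be checked offline, namely the file-style client
access list (ip4/... and ip6/... files under $ROOT) and the servers/<name>
record format {IP} or {IP}|{DNSCURVEPUBLICKEY}."""
import ipaddress
import os
import tempfile

# A DNSCurve public key is "uz5" followed by 51 base-32 digits from this
# alphabet (the 255-bit Curve25519 public key written in 5-bit digits).
DNSCURVE_B32 = "0123456789bcdfghjklmnpqrstuvwxyz"


def access_candidates(client_ip):
    """File names dqcache consults for a client, most specific first:
    ip4/a.b.c.d, ip4/a.b.c, ip4/a.b, ip4/a for IPv4, and the eight
    colon-separated prefixes ip6/g1:...:g8 down to ip6/g1 for IPv6.
    IPv6 groups are written uncompressed and without leading zeros, as in
    the manual's example (assumption: dq formats them the same way)."""
    addr = ipaddress.ip_address(client_ip)
    if addr.version == 4:
        prefix, sep, groups = "ip4/", ".", str(addr).split(".")
    else:
        prefix, sep = "ip6/", ":"
        groups = [g.lstrip("0") or "0" for g in addr.exploded.split(":")]
    return [prefix + sep.join(groups[:n]) for n in range(len(groups), 0, -1)]


def client_allowed(root, client_ip, okclient=False):
    """Would dqcache accept a query from client_ip?  root is the chroot
    directory ($ROOT).  Localhost (127.0.0.0/8, ::1) is always accepted,
    $OKCLIENT accepts everyone, otherwise any existing candidate file
    grants access."""
    addr = ipaddress.ip_address(client_ip)
    if okclient or addr.is_loopback:
        return True
    return any(os.path.exists(os.path.join(root, name))
               for name in access_candidates(client_ip))


def is_dnscurve_pubkey(key):
    """True for a syntactically valid DNSCurve public key (54 characters)."""
    return (len(key) == 54 and key.startswith("uz5")
            and all(c in DNSCURVE_B32 for c in key[3:]))


def parse_servers_file(text):
    """Parse the contents of servers/@ or servers/<domain>: one record per
    line, {IP} or {IP}|{DNSCURVEPUBLICKEY}.  Returns [(ip, key_or_None)].
    Blank lines are skipped; a bad address or key raises ValueError so a
    typo cannot silently leave an anchor unauthenticated (this strictness
    is the example's choice, not documented dq behaviour)."""
    records = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line:
            continue
        ip, _, key = line.partition("|")
        ipaddress.ip_address(ip)  # ValueError on a malformed address
        if key and not is_dnscurve_pubkey(key):
            raise ValueError(f"line {lineno}: bad DNSCurve public key {key!r}")
        records.append((ip, key or None))
    return records


def demo():
    """Build a throw-away $ROOT with a constructed access list and a
    constructed servers file, then exercise both rules.  Returns a dict."""
    root = tempfile.mkdtemp()
    for name in ("ip4/10.0", "ip6/2a02:598"):  # admit 10.0.0.0/16, 2a02:598::/32
        path = os.path.join(root, name)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        open(path, "w").close()
    servers = (  # constructed: one DNSCurve-keyed anchor, one plain anchor
        "185.66.36.55|uz5mj60yr9tnudkkpcglw1y0w6dlh78j1l4gk4z7t8bsf1u4d48wlq\n"
        "2001:503:ba3e::2:30\n")
    return {
        "lan": client_allowed(root, "10.0.7.9"),
        "other_net": client_allowed(root, "10.1.7.9"),
        "v6": client_allowed(root, "2a02:598:7000:101:12dd:b1ff:fede:3476"),
        "loopback": client_allowed(root, "::1"),
        "anchors": parse_servers_file(servers),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(name, value)
```

       Running the block creates a temporary directory standing in for
       $ROOT in which a single file ip4/10.0 admits all of 10.0.0.0/16 and
       ip6/2a02:598 admits all of 2a02:598::/32.  A short file name is a
       very coarse grant, which is one more reason to heed the warning above
       and keep dqcache on localhost.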
       dqcache also scans the servers directory for anchors for other
       domains, one record per line.  Each record has the format {IP} or
       {IP}|{DNSCURVEPUBLICKEY}, e.g.:

       servers/dnscurve.cz:
              185.66.36.55|uz5mj60yr9tnudkkpcglw1y0w6dlh78j1l4gk4z7t8bsf1u4d48wlq
              37.157.196.86|uz5mj60yr9tnudkkpcglw1y0w6dlh78j1l4gk4z7t8bsf1u4d48wlq
              2a02:2b88:2:1::127d:1|uz5mj60yr9tnudkkpcglw1y0w6dlh78j1l4gk4z7t8bsf1u4d48wlq
              2a03:1e20:0:5::2|uz5mj60yr9tnudkkpcglw1y0w6dlh78j1l4gk4z7t8bsf1u4d48wlq

       dqcache supports a forward-only mode.  If $FORWARDONLY is set, dqcache
       treats servers/@ as a list of IP addresses of other caches, not root
       servers.  It forwards queries to those caches the same way that a
       client does, rather than contacting a chain of servers according to
       NS records.

       dqcache uses a fixed-size cache, as controlled by the $CACHESIZE
       environment variable.  Typically $CACHESIZE is 10000000 (10MB).

       dqcache normally generates a new secret key at program start.  If the
       environment variable $SECRETKEY is set, dqcache loads that secret key
       instead.  $SECRETKEY must be safely generated using dqcache-makekey(8).

       Note that dqcache internally uses two secret keys: one used as the
       discrete logarithm of the public key (the 256-bit DNSCurve key) and
       one to encrypt the nonce (a 128-bit TEA symmetric key).  Both of these
       keys are derived from $SECRETKEY using crypto_stream_salsa20().

       dqcache also supports nonce separation via the environment variable
       $NONCESTART.  This lets several caches share one key while using
       disjoint nonce ranges, so no two of them can emit the same nonce
       under that key, e.g.:

              NONCESTART=100 ... the first of four caches is configured to
                                 use top bits 100
              NONCESTART=101 ... the second is configured to use top bits 101
              NONCESTART=110 ... the third is configured to use top bits 110
              NONCESTART=111 ... and the fourth is configured to use top
                                 bits 111
              etc.

       dqcache normally supports DNSCurve in 'combined mode' (meaning: if
       the Streamlined query fails, dqcache also tries the TXT query).  The
       environment variable $DNSCURVETYPE selects a specific DNSCurve type:
              DNSCURVETYPE=1 ... Streamlined-only DNSCurve
              DNSCURVETYPE=2 ... TXT-only DNSCurve

       dqcache caches records for at least $MINTTL seconds when $MINTTL is
       set.  The value is limited to the range 0-300 seconds.  Use only if
       you really know what you're doing.

       dqcache sends only IPv4 queries when $DISABLEIPV6 is set.  Use only if
       you really know what you're doing.

SEE ALSO
       dqcache-makekey(8), dq(1), dnscache(8)

       https://mojzis.com/software/dq
       https://dnscurve.org/
       https://cr.yp.to/djbdns/dnscache.html

                                                                    dqcache(8)
Want to link to this manual page? Use this URL:
<https://man.freebsd.org/cgi/man.cgi?query=dqcache&sektion=8&manpath=FreeBSD+Ports+14.3.quarterly>