Skip site navigation (1)Skip section navigation (2)

FreeBSD Manual Pages

  
 
  

home | help 
dqcache(8)		    System Manager's Manual		    dqcache(8)

NAME
       dqcache - DNS cache with	DNSCurve support

DESCRIPTION
       dqcache	  is	recursive    DNS    server   derived   from   dnscache
       (https://cr.yp.to/djbdns/dnscache.html)

CONFIGURATION
       dqcache runs chrooted in	the directory specified	by the $ROOT  environ-
       ment variable, under the	uid and	gid specified by the $UID and $GID en-
       vironment variables.

       dqcache	listens	for incoming UDP packets and TCP connections addressed
       to port 53 of $IP. Typically $IP	is 127.0.0.1, but it can  also	be  an
       externally accessible IP	address.

       dqcache	accepts	 connections  from localhost (127.0.0.0/8 or ::1/128).
       For external connections	dqcache	has file-style accesslist.
	   e.g.	for IPv4 address 1.2.3.4 dqcache allows	connection when	sees a file named:
	   ip4/1.2.3.4 or
	   ip4/1.2.3 or
	   ip4/1.2 or
	   ip4/1
	   e.g.	for IPv6 address 2a02:598:7000:101:12dd:b1ff:fede:3476 dqcache allows connection when sees a file named:
	   ip6/2a02:598:7000:101:12dd:b1ff:fede:3476 or
	   ip6/2a02:598:7000:101:12dd:b1ff:fede	or
	   ip6/2a02:598:7000:101:12dd:b1ff or
	   ip6/2a02:598:7000:101:12dd or
	   ip6/2a02:598:7000:101 or
	   ip6/2a02:598:7000 or
	   ip6/2a02:598	or
	   ip6/2a02
       when environment	variable $OKCLIENT is set, dqcache accepts all connec-
       tions.

       Warning , dqcache encrypts DNS packets and should run on	 client's  ma-
       chine.  If  You	run  dqcache on	external IP (not on localhost),	You're
       probably	doing it wrong.

       dqcache sends outgoing IPv4 packets from	high ports of $IPSEND4.	 Typi-
       cally $IPSEND4 is 0.0.0.0, meaning the machine's	primary	IPv4 address.

       dqcache	sends outgoing IPv6 packets from high ports of $IPSEND6. Typi-
       cally $IPSEND6 is ::, meaning the machine's primary IPv6	address.

       If $HIDETTL is set, dqcache always uses a TTL of	0 in its responses

       dqcache reads a list of root servers as an anchor, one record per line,
       from servers/@.	The record has format {IP} or {IP}|{DNSCURVEPUBLICKEY}
       e.g.:
	   servers/@:
	   198.41.0.4
	   2001:503:ba3e::2:30
	   192.228.79.201
	   2001:500:84::b
	   etc.

       dqcache also scans the servers directory	for anchors for	other domains,
       one record per line.  The record	has format {IP}	or  {IP}|{DNSCURVEPUB-
       LICKEY} e.g.:
	    servers/dnscurve.cz:
	    185.66.36.55|uz5mj60yr9tnudkkpcglw1y0w6dlh78j1l4gk4z7t8bsf1u4d48wlq
	    37.157.196.86|uz5mj60yr9tnudkkpcglw1y0w6dlh78j1l4gk4z7t8bsf1u4d48wlq
	    2a02:2b88:2:1::127d:1|uz5mj60yr9tnudkkpcglw1y0w6dlh78j1l4gk4z7t8bsf1u4d48wlq
	    2a03:1e20:0:5::2|uz5mj60yr9tnudkkpcglw1y0w6dlh78j1l4gk4z7t8bsf1u4d48wlq

       dqcache	supports  forward-only	mode.  If $FORWARDONLY is set, dqcache
       treats servers/@	as a list of IP	addresses for other caches,  not  root
       servers.	It forwards queries to those caches the	same way that a	client
       does,  rather  than  contacting	a  chain  of  servers  according to NS
       records.

       dqcache uses a fixed-size cache,	as controlled by the $CACHESIZE	 envi-
       ronment variable. Typically $CACHESIZE is 10000000 (10MB).

       dqcache	typically generates new	secret key at start of program.	If en-
       vironment variable $SECRETKEY is	set, then dqcache  loads  this	secret
       key. $SECRETKEY must be safely generated	using dqcache-makekey(8).

       Note that dqcache uses internally two secret keys, one used as the dis-
       crete  logarithm	of the public key (256bit DNSCurve key)	and one	to en-
       crypt the nonce (128bit TEA symmetric key). Both	of these keys are  ac-
       tually derived from $SECRETKEY using crypto_stream_salsa20().

       dqcache	also  supports nonce-separation	via environment	variable $NON-
       CESTART.	This means that	several	caches share a key  but	 use  separate
       nonces:
	 e.g.:
	 NONCESTART=100	... the	first of four caches is	configured to use top bits 100
	 NONCESTART=101	... the	second is configured to	use top	bits 101
	 NONCESTART=110	... the	third is configured to use top bits 110
	 NONCESTART=111	... and	the fourth is configured to use	top bits 111.
	 etc.

       dqcache	typically  supports  DNSCurve  in 'combined mode' (meaning: if
       Streamlined query fails,	dqcache	tries also  TXT	 query).   Environment
       variable	$DNSCURVETYPE selects specific DNSCurve	type.
	 DNSCURVETYPE=1	... Streamlined	only DNSCurve
	 DNSCURVETYPE=2	... TXT	only DNSCurve

       dqcache	caches	records	 for  at least $MINTTL seconds,	when MINTTL is
       set. It's limited <0-300> seconds. Use only if  you  really  know  what
       you're doing.

       dqcache	sends only IPv4	queries, when DISABLEIPV6 is set.  Use only if
       you really know what you're doing.

SEE ALSO
       dqcache-makekey(8), dq(1), dnscache(8)

       https://mojzis.com/software/dq
       https://dnscurve.org/
       https://cr.yp.to/djbdns/dnscache.html

								    dqcache(8)

Want to link to this manual page? Use this URL:
<https://man.freebsd.org/cgi/man.cgi?query=dqcache&sektion=8&manpath=FreeBSD+Ports+14.3.quarterly>

home | help