D. J. Bernstein
Internet publication
djbdns

How to run an external cache in place of an existing BIND cache, strategy 1

These instructions assume that your network already has a computer using BIND to find addresses of Internet hosts (BIND as a ``DNS cache'') and to publish addresses of your own hosts (BIND as a ``DNS server''). Here is how to use dnscache instead of BIND to find addresses of Internet hosts.

These instructions assume that you can easily change /etc/resolv.conf on all your client machines. If you can't, use strategy 2 or strategy 3 instead.

For concreteness, let's say you have four servers, and any number of client computers:

Name IP address Currently running The plan

wobbly 1.8.7.33 BIND cache+server BIND server

shaky 1.8.7.55 BIND cache+server BIND server

lion 1.8.7.91 nothing dnscache

tiger 1.8.7.92 nothing dnscache

All your computers have nameserver 1.8.7.33 and nameserver 1.8.7.55 in /etc/resolv.conf.

Name	IP address	Currently running	The plan
wobbly	1.8.7.33	BIND cache+server	BIND server
shaky	1.8.7.55	BIND cache+server	BIND server
lion	1.8.7.91	nothing	dnscache
tiger	1.8.7.92	nothing	dnscache

These instructions assume that you have already installed daemontools and djbdns, and that svscan is already running, on both lion and tiger.

1. On lion, as root, create UNIX accounts named Gdnscache and Gdnslog. Repeat on tiger.

2. On lion, as root, create an /etc/dnscache service directory for IP address 1.8.7.91, and tell svscan about the new service:

     dnscache-conf Gdnscache Gdnslog /etc/dnscache 1.8.7.91
     ln -s /etc/dnscache /service/dnscache

Repeat on tiger with the IP address 1.8.7.92.

3. On lion, as root, create entries in /etc/dnscache/root/ip showing which client IP addresses are authorized to use this cache. For example,

     touch /etc/dnscache/root/ip/1.8.7

authorizes all clients with IP address 1.8.7.* to use this cache. You can add or remove addresses later. Repeat on tiger.

4. On one of your client computers, as root, put

     nameserver 1.8.7.91
     nameserver 1.8.7.92

into /etc/resolv.conf, replacing the previous nameserver lines.

5. Check whether that computer can look up addresses of some Internet hosts:

     dnsip www.cnn.com
     dnsip www.fsf.org

Then try surfing the web. If you want to see what dnscache is doing behind the scenes, read /service/dnscache/log/main/current on lion and tiger.

6. Repeat steps 4 and 5 on your other client computers.

7. Optionally, disable BIND's caching features: On wobbly and shaky, as root, put

     options {
       recursion no;
       fetch-glue no;
     };

into named.conf, and restart BIND. You can skip this step if you're going to eliminate BIND anyway, switching to tinydns to publish information about your own hosts.

8. Set up a public web page saying that your DNS cache is powered by djbdns, so that a Google search for powered djbdns will find your page in a few months. These public statements will encourage other people to deploy djbdns, provide djbdns support services, and develop djbdns-related tools. Please also consider making a donation to the Bernstein Writing Fund.