D. J. Bernstein
Internet publication
djbdns

How to run an external cache in place of an existing BIND cache, strategy 1

These instructions assume that your network already has a computer using BIND to find addresses of Internet hosts (BIND as a ``DNS cache'') and to publish addresses of your own hosts (BIND as a ``DNS server''). Here is how to use dnscache instead of BIND to find addresses of Internet hosts.

These instructions assume that you can easily change /etc/resolv.conf on all your client machines. If you can't, use strategy 2 or strategy 3 instead.

For concreteness, let's say you have four servers, and any number of client computers:

     Name    IP address  Currently running  The plan
     wobbly  1.8.7.33    BIND cache+server  BIND server
     shaky   1.8.7.55    BIND cache+server  BIND server
     lion    1.8.7.91    nothing            dnscache
     tiger   1.8.7.92    nothing            dnscache

All your computers have nameserver 1.8.7.33 and nameserver 1.8.7.55 in /etc/resolv.conf.

These instructions assume that you have already installed daemontools and djbdns, and that svscan is already running, on both lion and tiger.

1. On lion, as root, create UNIX accounts named Gdnscache and Gdnslog. Repeat on tiger.

2. On lion, as root, create an /etc/dnscache service directory for IP address 1.8.7.91, and tell svscan about the new service:

     dnscache-conf Gdnscache Gdnslog /etc/dnscache 1.8.7.91
     ln -s /etc/dnscache /service/dnscache

Repeat on tiger with the IP address 1.8.7.92.

3. On lion, as root, create entries in /etc/dnscache/root/ip showing which client IP addresses are authorized to use this cache. For example,

     touch /etc/dnscache/root/ip/1.8.7

authorizes all clients with IP address 1.8.7.* to use this cache. You can add or remove addresses later. Repeat on tiger.

4. On one of your client computers, as root, put

     nameserver 1.8.7.91
     nameserver 1.8.7.92

into /etc/resolv.conf, replacing the previous nameserver lines.

5. Check whether that computer can look up addresses of some Internet hosts:

     dnsip www.cnn.com
     dnsip www.fsf.org

Then try surfing the web. If you want to see what dnscache is doing behind the scenes, read /service/dnscache/log/main/current on lion and tiger.

6. Repeat steps 4 and 5 on your other client computers.

7. Optionally, disable BIND's caching features: On wobbly and shaky, as root, put

     options {
       recursion no;
       fetch-glue no;
     };

into named.conf, and restart BIND. You can skip this step if you're going to eliminate BIND anyway, switching to tinydns to publish information about your own hosts.

8. Set up a public web page saying that your DNS cache is powered by djbdns, so that a Google search for powered djbdns will find your page in a few months. These public statements will encourage other people to deploy djbdns, provide djbdns support services, and develop djbdns-related tools. Please also consider making a donation to the Bernstein Writing Fund.
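
The authorization set up in step 3 decides who can use the cache, so it is worth auditing after the switch. The script below is an added example, not part of the original page or of djbdns: it mirrors the way dnscache looks up a client in root/ip (the full address first, then each shorter dotted prefix) and lists entries that open the cache to more than a /24 or that can never match. The IPDIR variable, the function names and the /24 review threshold are assumptions of this example.

```shell
#!/bin/sh
# Added example, not part of djbdns. IPDIR defaults to the directory from step 3.
IPDIR=${IPDIR:-/etc/dnscache/root/ip}

# entry_scope NAME: address range that one file name in root/ip authorizes.
# Malformed names are never looked up; octets above 255 are not checked here.
entry_scope() {
  case $1 in
    ''|*[!0-9.]*|.*|*.|*..*|*.*.*.*.*) echo never-matches ;;
    *.*.*.*) echo host ;;
    *.*.*)   echo /24 ;;
    *.*)     echo /16 ;;
    *)       echo /8 ;;
  esac
}

# client_allowed IP: same order as dnscache's check: the full address, then
# each shorter dotted prefix (1.8.7.33, 1.8.7, 1.8, 1). Any existing name wins.
client_allowed() {
  if [ "$(entry_scope "$1")" != host ]; then return 2; fi  # not an IPv4 address
  key=$1
  while :; do
    if [ -e "$IPDIR/$key" ]; then return 0; fi
    case $key in
      *.*) key=${key%.*} ;;
      *)   return 1 ;;
    esac
  done
}

# audit_entries: print each entry; mark those wider than /24 or never matching.
audit_entries() {
  for f in "$IPDIR"/*; do
    [ -e "$f" ] || continue
    name=${f##*/}
    scope=$(entry_scope "$name")
    case $scope in
      /16|/8|never-matches) echo "REVIEW $name $scope" ;;
      *)                    echo "ok     $name $scope" ;;
    esac
  done
}

# As a script: "audit" lists entries; any other argument is tested as a client.
case ${1:-} in
  '')    ;;
  audit) audit_entries ;;
  *)     if client_allowed "$1"; then echo "$1 allowed"; else echo "$1 refused"; fi ;;
esac
```

Run it with the argument audit on lion and tiger after step 3, or with a client address to see whether that client would be served.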