How do I get tinydns or dnscache to listen on more than one IP address?
Dec 12th, 2003 20:29
Paul Theodoropoulos, Rob Mayoff, Brian Coogan
First, figure out whether you really need to listen on multiple IP
addresses. Just having multiple IP addresses on a host is not a good
reason. Good reasons include needing to spread the dnscache workload,
needing to control which physical networks are used for DNS traffic,
and having registered multiple IP addresses as authoritative
nameservers.
Do NOT put 0.0.0.0 in env/IP. This will not work reliably on machines
with multiple IP addresses, because the server may send its response
from a source address other than the address to which the query was
sent. For example, if the host has addresses 10.0.0.1 and 10.0.0.2,
and a query comes in to 10.0.0.2, tinydns/dnscache might send the
response with a source address of 10.0.0.1, and the client will (if it
is secure) ignore the response from that address. Andy Dustman
relates his experience trying this:
<http://marc.theaimsgroup.com/?l=djbdns&m=101484873228883&w=2>
The correct approach, using unmodified versions of tinydns and
dnscache, is simply to run one instance of the server on each
address.
For dnscache, pick one of the addresses and set up a dnscache with a
large CACHESIZE and a large DATALIMIT on that address. Then set up a
dnscache with a small CACHESIZE and a small DATALIMIT on each of the
other addresses. For each small dnscache, put a '1' in
env/FORWARDONLY ("echo 1 > env/FORWARDONLY") and put the address of
the large dnscache in root/servers/@ (removing all of the other
addresses in that file). You should end up with as many dnscaches as
IP addresses, but with only one taking a significant amount of RAM.
You can read about Matt Simerson's experience with this approach on a
high-traffic site:
<http://marc.theaimsgroup.com/?l=djbdns&m=99498145100484&w=2>
Note that you can actually set up all of the small dnscaches to use the
same $ROOT, either by replacing all but one of their "root" directories
with symbolic links, or by putting the same path in each one's
env/ROOT.
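The dnscache layout described above, as an added shell example that is not part of this FAQ entry or of djbdns: one large cache plus a forward-only small cache per address, each small cache pointing only at the large one. It assumes the service directories were already created with dnscache-conf and writes only the files the text tells you to change, so it can also be run against a scratch directory; it gives each small cache its own root directory rather than the shared-$ROOT shortcut, and it additionally lists each host address in the large cache's root/ip, which dnscache requires before it will answer the small caches' queries (the cache sizes are constructed sample values).

```shell
#!/bin/sh
# Added example: configure one large dnscache and N forward-only small
# dnscaches under BASE. Assumes dnscache-conf already created each
# directory (with root/servers/@ holding the root hints and root/ip).
# Sizes below are constructed sample values, not recommendations.

# setup_dnscaches BASE BIG_IP SMALL_IP...
setup_dnscaches() {
  base=$1; big=$2; shift 2
  bigdir="$base/dnscache-$big"
  mkdir -p "$bigdir/env" "$bigdir/root/ip" "$bigdir/root/servers"
  echo "$big"     > "$bigdir/env/IP"
  echo 100000000  > "$bigdir/env/CACHESIZE"   # the one cache that holds real RAM
  echo 104000000  > "$bigdir/env/DATALIMIT"   # CACHESIZE plus working room
  # root/servers/@ is left as dnscache-conf wrote it (root hints): only
  # the large cache resolves recursively.
  touch "$bigdir/root/ip/$big"                # accept queries arriving from our own address
  for small in "$@"; do
    dir="$base/dnscache-$small"
    mkdir -p "$dir/env" "$dir/root/ip" "$dir/root/servers"
    echo "$small"  > "$dir/env/IP"            # one instance per address, never 0.0.0.0
    echo 1000000   > "$dir/env/CACHESIZE"     # small: dnscache-conf's defaults
    echo 3000000   > "$dir/env/DATALIMIT"
    echo 1         > "$dir/env/FORWARDONLY"   # the FAQ's "echo 1 > env/FORWARDONLY"
    echo "$big"    > "$dir/root/servers/@"    # sole upstream: the large cache
    touch "$bigdir/root/ip/$small"            # whichever local address the kernel picks as source
  done
}

# check_forwarder DIR UPSTREAM: succeeds only if DIR is a forward-only
# dnscache whose sole upstream is UPSTREAM and which does not bind 0.0.0.0.
check_forwarder() {
  dir=$1; upstream=$2
  [ "$(cat "$dir/env/FORWARDONLY" 2>/dev/null)" = 1 ] || return 1
  [ "$(cat "$dir/root/servers/@" 2>/dev/null)" = "$upstream" ] || return 1
  [ "$(cat "$dir/env/IP" 2>/dev/null)" != 0.0.0.0 ] || return 1
  return 0
}
```

Source the file and run, for example, `setup_dnscaches /service 10.0.0.1 10.0.0.2 10.0.0.3`, then restart the services with svc.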
For tinydns, set up one tinydns on each IP address. Set them all up to
use the same $ROOT, either by replacing all but one of their "root"
directories with symbolic links, or by putting the same path in each
one's env/ROOT. You can read about several people successfully doing
this:
<http://marc.theaimsgroup.com/?l=djbdns&m=96831113912458&w=2>
There are patches for both tinydns and dnscache to allow a single
server instance to use multiple IP addresses; you can find links at
<http://www.djbdns.org/>. However, using those patches will complicate
the process of upgrading or moving your DNS servers, and those patches
do not carry Prof. Bernstein's $500 security guarantee.