Pdnsd
From ArchWiki
pdnsd is a DNS server designed for local caching of DNS information. Correctly configured, it can significantly increase browsing speed on a broadband connection.
Installation
pdnsd is available in the community repository.
pacman -S pdnsd
Configuration
Initial preparation
The sample configuration file that comes with pdnsd needs a few changes before the daemon can start. First, copy the file to where pdnsd expects it to be.
cp /etc/pdnsd.conf.sample /etc/pdnsd.conf
Format
The pdnsd.conf file uses a fairly simple format, but it has some differences from most other configuration files you've likely encountered. It has a collection of sections of various types. A section is started with the name of the type of section and an opening curly bracket ({) and is ended by a closing curly bracket (}). Sections cannot be nested.
Inside each block is a series of options of the following format:
option_name=option_value;
Notice the semicolon at the end; unlike some formats, it is not optional.
Comments are started with either # or /*. The former goes to the end of the line, the latter continues until it reaches */.
DNS servers
pdnsd needs to know the address of at least one DNS server to collect DNS information from. This part of the setup differs depending on whether you have a broadband connection or dial-up. Broadband users should use the first server section as a starting point, dial-up users the second, leaving the other server sections commented out.
- label: The label option is used to uniquely identify a server section. It's completely arbitrary, but one good choice is the name of your ISP.
- ip: This option, used in the default broadband configuration, tells pdnsd the addresses of DNS servers to use. Multiple addresses should be separated by a single comma, with optional whitespace before or after the comma. You can just copy the addresses from /etc/resolv.conf.
- file: The file option can be used instead of ip to specify a set of DNS server IPs. Its value is the path to a file with servers listed in resolv.conf format. The default dial-up configuration uses it because the PPP client writes /etc/ppp/resolv.conf with the addresses it gets from the PPP server. You shouldn't need to change it unless you want to use a different DNS server than your ISP gives you by default.
The rest of the server section will work without any more changes. For details on all the available options, see the pdnsd manual.
Security
The default configuration has a security flaw. The daemon runs as nobody, a standard account often used when you want to give a user as few permissions as possible. This is a bad idea with pdnsd, as the daemon needs read/write access to the DNS cache. If a malicious user finds a vulnerability in another process running as nobody, they may have the ability to inject false DNS data into the cache, leading to all sorts of possible problems.
To avoid this risk, you should run pdnsd as a separate user. First you need to create it.
groupadd pdnsd
useradd -d /var/cache/pdnsd -g pdnsd -s /bin/false pdnsd
/var/cache/pdnsd was chosen for the home directory because that's where pdnsd stores its data.
Next, go back to pdnsd.conf. This time we'll be editing the global section at the top of the file. Change run_as from nobody to pdnsd. You should also add the strict_setuid option for extra security. Set it to on.
Now we've limited the server a little too much. It needs to write to a directory under /var/cache, but it can't, since it no longer has root privileges. Let's help it out a little.
mkdir /var/cache/pdnsd
chown pdnsd:pdnsd /var/cache/pdnsd
chmod 700 /var/cache/pdnsd
If you got hasty and tried starting the daemon before you got to this section, you already have a pdnsd.cache file, and it isn't owned by the pdnsd user. If that's the case, just delete it. It will be automatically regenerated.
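The following is an added example, not code from this article or from the pdnsd project: a small Python parser for the section/option format described under Format, followed by an audit of the global section for the run_as and strict_setuid settings discussed in this section. The configuration text inside it is constructed for the example (it uses documentation addresses and is not the shipped pdnsd.conf.sample), and the parser is deliberately simplified: it does not handle # or /* appearing inside quoted values.

```python
"""Parse the pdnsd.conf section/option format and audit the global section
for run_as and strict_setuid.  Added example, not pdnsd's own code."""
import re

# Constructed sample in pdnsd.conf syntax, NOT the shipped /etc/pdnsd.conf.sample.
# It keeps run_as=nobody on purpose so the audit has something to report.
SAMPLE_CONF = """
global {
    perm_cache=1024;
    cache_dir="/var/cache/pdnsd";
    run_as="nobody";          # shared low-privilege account: the flaw described above
    server_ip = 127.0.0.1;
}

/* broadband-style server section with static upstream addresses */
server {
    label = "myisp";
    ip = 192.0.2.1, 192.0.2.2;   # constructed documentation addresses
    proxy_only = on;
}

neg {
    name = doubleclick.net;
    types = domain;
}
"""

SECTION_RE = re.compile(r"(\w+)\s*\{([^{}]*)\}")     # sections cannot nest
OPTION_RE = re.compile(r"\s*(\w+)\s*=\s*([^;]*);")  # option_name=option_value;


def strip_comments(text):
    """Remove /* ... */ blocks and # comments that run to end of line."""
    text = re.sub(r"/\*.*?\*/", "", text, flags=re.S)
    return re.sub(r"#[^\n]*", "", text)


def parse(text):
    """Return a list of (section_type, {option: value}) in file order.
    Raises ValueError on text outside a section or an option lacking ';'."""
    text = strip_comments(text)
    sections, pos = [], 0
    for sec in SECTION_RE.finditer(text):
        if text[pos:sec.start()].strip():
            raise ValueError("text outside any section: %r" % text[pos:sec.start()].strip())
        name, body, options, bpos = sec.group(1), sec.group(2), {}, 0
        while body[bpos:].strip():
            opt = OPTION_RE.match(body, bpos)
            if opt is None:
                raise ValueError("option without ';' in %s: %r" % (name, body[bpos:].strip()))
            value = opt.group(2).strip()
            # A ';' missing in the middle of a section would swallow the next
            # option into this value; an '=' inside the value betrays that.
            if "=" in value:
                raise ValueError("missing ';' before %r in %s" % (value, name))
            options[opt.group(1)] = value.strip('"')
            bpos = opt.end()
        sections.append((name, options))
        pos = sec.end()
    if text[pos:].strip():
        raise ValueError("trailing text outside any section: %r" % text[pos:].strip())
    return sections


def is_valid(text):
    """True if the text parses as well-formed pdnsd.conf."""
    try:
        parse(text)
        return True
    except ValueError:
        return False


def audit(sections):
    """Findings against the advice in the Security section; empty means it passes."""
    findings = []
    globals_ = [opts for kind, opts in sections if kind == "global"]
    if not globals_:
        return ["no global section found"]
    g = globals_[0]
    if "run_as" not in g:
        findings.append('run_as is not set; add run_as="pdnsd" so the daemon drops privileges')
    elif g["run_as"] == "nobody":
        findings.append("run_as=nobody: a shared account; use a dedicated pdnsd user")
    if g.get("strict_setuid") != "on":
        findings.append("strict_setuid is not set to on")
    return findings


def blocked_names(sections):
    """Names listed in neg sections (the name-blocking feature)."""
    return [opts["name"] for kind, opts in sections if kind == "neg" and "name" in opts]


if __name__ == "__main__":
    for finding in audit(parse(SAMPLE_CONF)):
        print("finding:", finding)
```

Run it against the constructed sample and it reports both the nobody account and the missing strict_setuid; change the global section to run_as="pdnsd"; with strict_setuid=on; and the audit returns nothing. The same parse() can be pointed at /etc/pdnsd.conf after you have edited it to confirm that every option really ends in the semicolon the format requires.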
Testing
You should now have a working pdnsd daemon. Fire it up and find out.
/etc/rc.d/pdnsd start
You can test it with the nslookup utility (from the dnsutils package).
nslookup www.google.com 127.0.0.1
If everything works, you should see a list of IP addresses associated with www.google.com.
System setup
Now it's time to point your system toward your brand-new DNS server.
If you use DHCP to configure your network settings, you need to take a brief detour into the /etc/conf.d/dhcpcd config file. Add -R to the string of options. This prevents it from overwriting /etc/resolv.conf. It should look something like this:
DHCPCD_ARGS="-t 10 -h $HOSTNAME -R"
Now just edit /etc/resolv.conf and replace the contents with this.
nameserver 127.0.0.1
All that's left is adding pdnsd to your daemons array in /etc/rc.conf. It should be immediately after network, as it depends on the network to run, and some daemons that use the network rely on working DNS.
Congratulations! You're done!
Extras
Shared server for your LAN
If you have several computers on your network, you may want to make pdnsd the DNS server for them all. This allows your entire network to share a single DNS cache, making repeated lookups much faster. To allow this, simply set server_ip in the global section to the name of your network interface (usually eth0). If you've set up a firewall, tell it to allow connections to port 53 from any address on your network.
Now you can configure the other computers on your network to use the computer running pdnsd as their primary DNS server.
Name blocking
pdnsd allows you to specify hosts or domains that it should never return results for. This allows you to use it as a primitive ad or content blocker, among other things. Create a new neg section in pdnsd.conf. neg sections have two main options: name is the name of the host or domain you want to block, and types can be set to domain to block all hosts in the given domain. The default pdnsd.conf gives an example that blocks all ads from doubleclick.net.
FAQs
- Q) It doesn't seem much faster to me. Why?
- A) The extra speed gained from running a local DNS cache is all in how long it takes to connect to a server. Throughput, what people normally think of as speed, will not be affected. The difference is most noticeable when browsing the web, as that typically involves small downloads from several servers. With slower connections, especially dial-up, throughput is the primary bottleneck, so there won't be as large a difference percentage-wise.
- Q) Why is it so much slower now than before?
- A) You almost certainly have the proxy_only option turned off in one of the server sections of pdnsd.conf. By default, pdnsd frequently asks several DNS servers about a domain to get the most accurate response possible. The proxy_only option disables this feature. It should be turned on if you use the DNS server provided by your ISP.