Difference between revisions of "Pdnsd"

From ArchWiki
Revision as of 17:03, 23 August 2010

pdnsd is a DNS server designed for local caching of DNS information. Correctly configured, it can noticeably cut the time each new connection spends waiting on name lookups on a broadband connection. Unlike bind or dnsmasq, it keeps its cache across reboots; the "p" stands for persistent. Because that cache lives on disk, whoever can write the cache file can feed the resolver forged or stale answers, which is why the ownership and permission steps further down matter.


pdnsd is available in the repositories:

# pacman -S pdnsd


Initial preparation

The sample configuration file that comes with pdnsd needs a few changes before the daemon can start. First, copy the file to where pdnsd expects it to be:

# cp /etc/pdnsd.conf.sample /etc/pdnsd.conf


The /etc/pdnsd.conf file uses a fairly simple format, but it differs from most configuration files you have likely encountered. It is a collection of sections of various types. A section starts with the name of its type followed by an opening curly bracket ({) and ends with a closing curly bracket (}). Sections cannot be nested.

Inside each section is a series of options, each written as the option name, an equals sign, the value and a terminating semicolon, one option per line.

Notice the semicolon at the end; unlike in some formats, it is not optional.

Comments are started with either # or /*. The former goes to the end of the line, the latter continues until it reaches */.

DNS servers

pdnsd needs to know the address of at least one DNS server to collect DNS information from. This part of the setup differs depending on whether you have a broadband connection or dial-up. Broadband users should use the first server section as a starting point, dial-up users the second, leaving the other server sections commented out.

Each server section carries a label that uniquely identifies it. Its value is completely arbitrary, but one good choice is the name of your ISP.
The option listing the upstream addresses, used in the default broadband configuration, tells pdnsd which DNS servers to forward queries to. Multiple addresses are separated by a single comma, with optional whitespace before or after the comma. You can simply copy the addresses from your existing resolv.conf.
Instead of listing addresses, a server section can name a file in resolv.conf format and take its servers from there. The default dial-up configuration does this because the PPP client writes the addresses it receives from the PPP server to such a file. You should not need to change it unless you want to use a DNS server other than the one your ISP hands out by default.

The rest of the server section will work without any more changes. For details on all the available options, see the pdnsd manual.


Using OpenDNS

The sample configuration also ships with a server section for OpenDNS. You can simply remove (or comment out) the dial-up and broadband server sections above it (taking care not to remove the global setup at the very top of the file) and then uncomment it to resolve through OpenDNS.

OpenDNS, however, intercepts queries for Google: instead of Google's own address it returns one of its own proxy hosts, which then sits in the path of every Google request (for many people this raises a Google request from, say, 15 ms to 75 ms or more). To avoid that, reject answers from OpenDNS that contain one of those proxy addresses. The exact addresses change, but you can run nslookup against one of the OpenDNS servers to find the current ones; you will know a query is being proxied because the name resolves to an OpenDNS host rather than a Google one. For me, there were two such addresses at the time.

Once you know the addresses, replace the rejected addresses already listed in the OpenDNS server section of /etc/pdnsd.conf with them. Make sure you keep the /prefix on each entry.


Running pdnsd as a dedicated user

The default configuration has a security flaw. The daemon runs as nobody, a standard account commonly used when a process should have as few permissions as possible. That is a bad fit for pdnsd, because the daemon needs read/write access to its persistent DNS cache. Any other process running as nobody has the same access, so if an attacker finds a vulnerability in one of them, they can write false DNS data into the cache and pdnsd will hand it out as genuine answers, with all the consequences that implies.

To avoid this risk, you should run pdnsd as a separate user. First you need to create it:

# groupadd pdnsd
# useradd -r -d /var/cache/pdnsd -g pdnsd -s /bin/false pdnsd

/var/cache/pdnsd was chosen as the home directory because that is where pdnsd stores its data.

Next, go back to /etc/pdnsd.conf. This time you will be editing the global section at the top of the file. Change the option that sets the account the daemon runs as from nobody to pdnsd. You should also enable the strict setuid option in the same section for extra security.

Now the daemon is too limited: it needs to write to its directory under /var/cache, but it can no longer do so because it has given up root privileges. Hand the cache over to the new user and make sure no other account can read or write it:

# chown -R pdnsd:pdnsd /var/cache/pdnsd
# chmod 700 /var/cache/pdnsd
# chmod 600 /var/cache/pdnsd/pdnsd.cache
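The configuration format described above is small enough to parse by hand, and doing so lets you lint a file for the two mistakes this page warns about: the shared nobody account, and reject entries that lost their prefix. The following is an added example, not pdnsd's own code. The grammar is the one the page describes (sections of the form type { name = value; ... }, no nesting, # and /* */ comments, a mandatory semicolon). The option names it looks for (run_as, strict_setuid, ip, file, reject, label) are pdnsd's as recalled from its manual and should be confirmed against pdnsd.conf(5); the sample configuration is constructed here and uses documentation addresses, not real resolvers.

```python
"""Parser and security lint for the pdnsd.conf format described above.

Added example, not pdnsd's own code. The grammar follows the page: sections
of the form 'type { name = value; ... }', no nesting, '#' and '/* ... */'
comments, a mandatory ';' after every option. The option names the lint
looks for (run_as, strict_setuid, ip, file, reject, label) are pdnsd's as
recalled from its manual and are assumptions to confirm against pdnsd.conf(5).
"""
import re

# Constructed sample mirroring the weak sample-file defaults the article warns
# about: a shared 'nobody' account and a reject entry without its /prefix.
# Addresses are RFC 5737 documentation ranges, not real resolvers.
WEAK_CONF = """
global {
    perm_cache = 2048;
    cache_dir = "/var/cache/pdnsd";
    run_as = "nobody";           # shared low-privilege account
    server_ip = 127.0.0.1;
}
server {
    label = "isp";
    ip = 192.0.2.53, 192.0.2.54;        /* upstream resolvers */
    reject = 203.0.113.1/32, 203.0.113.2;   # second entry lost its prefix
}
"""

# The hardened variant: dedicated user, strict privilege drop, prefixes kept.
HARDENED_CONF = WEAK_CONF.replace(
    'run_as = "nobody";', 'run_as = "pdnsd";\n    strict_setuid = on;'
).replace("203.0.113.2;", "203.0.113.2/32;")


def strip_comments(text):
    """Drop '/* ... */' blocks, then '#' line comments (not quote-aware)."""
    text = re.sub(r"/\*.*?\*/", "", text, flags=re.S)
    return re.sub(r"#[^\n]*", "", text)


def parse_pdnsd_conf(text):
    """Return [(section_type, [(option, value), ...]), ...] in file order.

    Raises ValueError on the mistakes the format invites: a missing ';',
    a missing '=', a section that is never closed, or nested sections.
    """
    src = strip_comments(text)
    section_re = re.compile(r"\s*([A-Za-z_]+)\s*\{")
    sections, pos = [], 0
    while True:
        m = section_re.match(src, pos)
        if not m:
            if src[pos:].strip():
                raise ValueError("text outside any section: %r" % src[pos:pos + 20])
            return sections
        close = src.find("}", m.end())
        if close == -1:
            raise ValueError("section %r is never closed" % m.group(1))
        body = src[m.end():close]
        if "{" in body:
            raise ValueError("sections cannot be nested (inside %r)" % m.group(1))
        parts = body.split(";")
        if parts[-1].strip():  # text after the last ';' means one is missing
            raise ValueError("option %r lacks its terminating ';'" % parts[-1].strip())
        options = []
        for stmt in parts[:-1]:
            if not stmt.strip():
                continue
            if "=" not in stmt:
                raise ValueError("expected 'name = value;' but got %r" % stmt.strip())
            name, value = stmt.split("=", 1)
            options.append((name.strip(), value.strip().strip('"')))
        sections.append((m.group(1), options))
        pos = close + 1


def rejected_addresses(options):
    """Flatten every comma-separated reject= value of a server section."""
    out = []
    for name, value in options:
        if name == "reject":
            out.extend(a.strip() for a in value.split(",") if a.strip())
    return out


def lint(sections):
    """Findings for the problems the article describes; [] means clean."""
    findings = []
    if "global" not in [k for k, _ in sections]:
        findings.append("no global section")
    for kind, options in sections:
        d = dict(options)  # last value wins, fine for single-valued options
        if kind == "global":
            if d.get("run_as") in (None, "nobody", "root"):
                findings.append("global: run_as missing or a shared account; use a dedicated pdnsd user")
            if d.get("strict_setuid", "off").lower() != "on":
                findings.append("global: strict_setuid is not on; pdnsd would keep running if it cannot drop privileges")
        elif kind == "server":
            label = d.get("label", "?")
            if "ip" not in d and "file" not in d:
                findings.append("server %s: no upstream given (needs ip= or file=)" % label)
            for addr in rejected_addresses(options):
                if "/" not in addr:
                    findings.append("server %s: reject entry %s has no /prefix" % (label, addr))
    return findings


if __name__ == "__main__":
    for title, conf in (("sample defaults", WEAK_CONF), ("hardened", HARDENED_CONF)):
        print(title + ":", lint(parse_pdnsd_conf(conf)) or "clean")
```

Run it against your own file with parse_pdnsd_conf(open("/etc/pdnsd.conf").read()); a file that omits a semicolon fails to parse, which is the quickest way to find the line pdnsd will choke on.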


Testing

You should now have a working pdnsd daemon. Start it and find out:

# /etc/rc.d/pdnsd start

You can test it with the nslookup utility (from the dnsutils package).

$ nslookup www.google.com

If everything works, you should see a list of IP addresses associated with www.google.com.

Or you can measure the query time with dig (also in dnsutils, installed with pacman -S dnsutils):

$ dig archlinux.org | grep "Query time"

The second time you look up the same name the answer comes from the cache, and the query time should be around 1 ms.
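To see exactly what nslookup and dig are measuring, the following added example (not part of the original page, and not dnsutils or pdnsd code) builds the DNS query by hand, sends it twice to the resolver and times each round trip. It assumes pdnsd is listening on 127.0.0.1 port 53 as set up above; the hostname is only an illustration, and the sample response used for offline checking is constructed here, not captured.

```python
"""Hand-built DNS query to check the new resolver the way nslookup and dig do.

Added example, not pdnsd's or dnsutils' code. Assumes pdnsd is listening on
127.0.0.1:53 (the article's localhost setup); the hostname queried is only
an illustration. The sample response is constructed here, not captured.
"""
import random
import socket
import struct
import time


def encode_name(name):
    """Wire form of a hostname: length-prefixed labels ending in a zero byte."""
    out = b""
    for label in name.rstrip(".").split("."):
        out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"


def build_query(name, txid, qtype=1):
    """Standard query with the RD (recursion desired) bit set, one question."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    return header + encode_name(name) + struct.pack("!HH", qtype, 1)


def skip_name(data, pos):
    """Offset just past a name at pos, whether labels or a compression pointer."""
    while True:
        length = data[pos]
        if length == 0:
            return pos + 1
        if length & 0xC0 == 0xC0:  # pointer: two bytes, and the name ends here
            return pos + 2
        pos += 1 + length


def parse_response(data):
    """Return id, rcode and the A records (address, ttl) from the answer section."""
    txid, flags, qd, an, _ns, _ar = struct.unpack("!HHHHHH", data[:12])
    pos = 12
    for _ in range(qd):
        pos = skip_name(data, pos) + 4  # QTYPE and QCLASS
    answers = []
    for _ in range(an):
        pos = skip_name(data, pos)
        rtype, _rclass, ttl, rdlen = struct.unpack("!HHIH", data[pos:pos + 10])
        pos += 10
        rdata = data[pos:pos + rdlen]
        pos += rdlen
        if rtype == 1 and rdlen == 4:
            answers.append((socket.inet_ntoa(rdata), ttl))
    return {"id": txid, "rcode": flags & 0x0F, "answers": answers}


def timed_lookup(name, server="127.0.0.1", port=53, timeout=2.0):
    """One UDP query; returns (parsed response, elapsed milliseconds).

    The transaction id is random and checked on the reply, the least a
    client can do against a late or spoofed answer arriving on the socket.
    """
    txid = random.getrandbits(16)
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    sock.settimeout(timeout)
    try:
        start = time.monotonic()
        sock.sendto(build_query(name, txid), (server, port))
        data, _ = sock.recvfrom(4096)
        elapsed_ms = (time.monotonic() - start) * 1000
    finally:
        sock.close()
    resp = parse_response(data)
    if resp["id"] != txid:
        raise ValueError("reply id %#x does not match query id %#x" % (resp["id"], txid))
    return resp, elapsed_ms


def sample_response():
    """Constructed reply to build_query('www.example.com', 0x1234): one A
    record 192.0.2.1 (documentation range) with TTL 300, name compressed."""
    header = struct.pack("!HHHHHH", 0x1234, 0x8180, 1, 1, 0, 0)
    question = encode_name("www.example.com") + struct.pack("!HH", 1, 1)
    answer = b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, 300, 4) + socket.inet_aton("192.0.2.1")
    return header + question + answer


if __name__ == "__main__":
    for attempt in ("first", "second"):
        resp, ms = timed_lookup("archlinux.org")
        print("%s lookup: rcode %d, %s in %.1f ms" % (attempt, resp["rcode"], resp["answers"], ms))
```

With pdnsd running, the second lookup should come back in about a millisecond and, because a cache serves the remaining lifetime of a record, with a TTL that has already counted down from the one the first answer carried; a second answer that is no faster means the queries are not reaching pdnsd at all.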

System setup

Now it is time to point your system toward your brand-new DNS server.

If you use DHCP to configure your network settings, edit the head file that your DHCP client prepends to the resolv.conf it generates (otherwise, edit /etc/resolv.conf itself); add a nameserver entry for localhost ahead of all the other nameservers, marked with a comment such as:

# pdnsd cache @ localhost

All that is left is adding pdnsd to the daemons array in rc.conf. It belongs immediately after network, as it depends on the network to run, and some daemons that use the network rely on working DNS. Keep in mind that the libc resolver tries nameservers in the order listed: if pdnsd is down, every lookup waits through a timeout before the next server is tried, and if your DHCP client ever rewrites resolv.conf without the localhost entry, lookups silently bypass the cache. Check the file after a lease renewal.

Restart the network (pdnsd itself should already be running from the step above):

# /etc/rc.d/network restart
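The two things this page has you change by hand, the cache directory's ownership and mode and the order of nameserver lines in resolv.conf, are also the two that silently regress (a package upgrade resetting permissions, a DHCP client rewriting resolv.conf). The following added example, not pdnsd's own code, checks both. It assumes pdnsd listens on 127.0.0.1 and keeps its cache in /var/cache/pdnsd/pdnsd.cache as set up above; the resolv.conf samples are constructed, and the demo builds a throwaway directory owned by the current user so it can run without root.

```python
"""Post-setup checks for the cache directory and resolv.conf ordering.

Added example, not pdnsd's own code. It assumes pdnsd listens on 127.0.0.1
and stores its cache in /var/cache/pdnsd/pdnsd.cache, as the article sets up.
"""
import os
import pwd
import stat
import tempfile

CACHE_DIR = "/var/cache/pdnsd"
LOCAL_RESOLVERS = ("127.0.0.1", "::1")

# Constructed resolv.conf samples: pdnsd first (correct), and pdnsd missing
# (what a DHCP client that rewrote the file without the head file leaves).
RESOLV_GOOD = """# pdnsd cache @ localhost
nameserver 127.0.0.1
nameserver 192.0.2.53
"""
RESOLV_BAD = """search example.net
nameserver 192.0.2.53
nameserver 192.0.2.54
"""


def cache_dir_findings(path, owner_uid):
    """Check that only owner_uid can read or write the on-disk cache.

    Anything else lets a process under another account alter the persistent
    cache, which pdnsd then serves as genuine answers after a restart.
    """
    findings = []
    try:
        st = os.stat(path)
    except FileNotFoundError:
        return ["%s does not exist" % path]
    if not stat.S_ISDIR(st.st_mode):
        return ["%s is not a directory" % path]
    if st.st_uid != owner_uid:
        findings.append("%s is owned by uid %d, not %d" % (path, st.st_uid, owner_uid))
    if stat.S_IMODE(st.st_mode) & 0o077:
        findings.append("%s is group/world accessible (mode %o)" % (path, stat.S_IMODE(st.st_mode)))
    cache_file = os.path.join(path, "pdnsd.cache")
    if os.path.exists(cache_file):
        fst = os.stat(cache_file)
        if fst.st_uid != owner_uid:
            findings.append("pdnsd.cache is owned by uid %d, not %d" % (fst.st_uid, owner_uid))
        if stat.S_IMODE(fst.st_mode) & 0o077:
            findings.append("pdnsd.cache is group/world accessible (mode %o)" % stat.S_IMODE(fst.st_mode))
    return findings


def resolver_order(resolv_text):
    """Nameserver addresses in the order the libc resolver will try them."""
    order = []
    for line in resolv_text.splitlines():
        fields = line.split()
        if len(fields) >= 2 and fields[0] == "nameserver":
            order.append(fields[1])
    return order


def resolvconf_findings(resolv_text):
    """pdnsd must be first: libc tries nameservers in order and only moves
    on after a timeout, so a later entry is barely used."""
    order = resolver_order(resolv_text)
    if not order:
        return ["no nameserver lines at all"]
    if order[0] not in LOCAL_RESOLVERS:
        return ["first nameserver is %s, so lookups bypass the pdnsd cache" % order[0]]
    return []


def demo_cache_dir(hardened):
    """Build a throwaway cache directory with correct or sloppy permissions
    (owned by the current user, so this runs without root) and check it."""
    base = tempfile.mkdtemp()
    path = os.path.join(base, "pdnsd")
    os.mkdir(path)
    cache_file = os.path.join(path, "pdnsd.cache")
    with open(cache_file, "wb") as f:
        f.write(b"")
    os.chmod(path, 0o700 if hardened else 0o755)        # the article's chmod 700
    os.chmod(cache_file, 0o600 if hardened else 0o644)  # and chmod 600
    return cache_dir_findings(path, os.getuid())


if __name__ == "__main__":
    uid = pwd.getpwnam("pdnsd").pw_uid  # the user created above
    for finding in cache_dir_findings(CACHE_DIR, uid):
        print("cache:", finding)
    with open("/etc/resolv.conf") as fh:
        for finding in resolvconf_findings(fh.read()):
            print("resolv.conf:", finding)
```

The mode test masks with 0o077 rather than comparing against 0700 exactly, so a directory that is 0750 or a cache file that is 0640 is reported too: group access is enough for any other process in the pdnsd group to rewrite the cache.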

Special Settings for Home Broadband Users

Many users have broadband connections where the ISP's DNS server is slow or unreliable, and would like to use pdnsd as a caching server to minimise the number of DNS queries that need to leave the machine. After doing the setup detailed above, the following settings in /etc/pdnsd.conf improve its performance in this role:

Under global settings: turn on caching of negative answers even when they are not authoritative, set the parallel-query increment to 1, and turn off purging of expired cache entries.

Under server settings: turn on proxy-only mode.

The negative-caching policy means that when a negative response comes back for a query, pdnsd still caches the result even if the response is not "authoritative". This matters because watching DNS queries reveals many requests for AAAA records (IPv6 addresses) that will never return results, since many domains do not use IPv6, as well as requests for MX records, since not every domain has one. Without negative caching, those requests keep being sent even after the domain name itself has been cached, and in this role you do not want the extra queries. Use this setting together with the proxy-only option to minimise the number of queries leaving the system.

The parallel-query option is useful if you list more than one DNS server in your server section. It sets how many of those servers are queried at once. For example, if four servers are listed and the increment is 2, the first two are queried simultaneously; if both fail, pdnsd moves on to the next two and queries those simultaneously. The setting of 1 recommended above means that one server at a time is queried, so you can list two or more servers and the second is only asked if the first fails. This minimises traffic, but if the first server fails you have to wait through its timeout before the second is queried. Tweak this to your preference; if you only list one server, the option is irrelevant.

The proxy-only setting, mentioned again in the FAQ below, is important for home broadband users because you are forwarding to only one or two DNS servers instead of doing the full hierarchical name resolution a full DNS server would. It stops pdnsd from chasing the "authoritative" name servers itself and makes it accept the answers from the servers listed in the server section. Once again, this reduces the number of DNS queries you make, improving performance.

Turning off cache purging tells pdnsd not to remove cache entries that have outlived the DNS record's time-to-live. This is very useful when your ISP's DNS server goes down and you still want lookups for the domains you use frequently to work. Records are still bumped out of the cache by age once the cache becomes full (see the permanent cache size option for how to set the cache size). The trade-off is that you are then served answers their owner considers expired: if a host has moved, or its old address has been reassigned, you connect to wherever the stale address now points.


Shared server for your LAN

If you have several computers on your network, you may want to make pdnsd the DNS server for all of them, so that the whole network shares a single cache and repeated lookups are answered locally. To allow this, set the address pdnsd listens on (the server address option in the global section, which also accepts an interface name) to your LAN interface, usually the wired one. If you have set up a firewall, allow connections to port 53 (UDP and TCP) from addresses on your network, and from nowhere else: a resolver reachable from the Internet on that port is an open resolver that anyone can use for reflection attacks.

Now configure the other computers on your network to use the computer running pdnsd as their primary DNS server.

Name blocking

pdnsd allows you to specify hosts or domains that it should never return results for, which makes it usable as a primitive ad or content blocker, among other things. Create a new blocking section in /etc/pdnsd.conf. Such a section has two main options: the name of the host or domain you want to block, and a type option that, when set to match whole domains, blocks every host in the given domain rather than just that one name. The default /etc/pdnsd.conf.sample gives an example that blocks all ads from doubleclick.net. Note that this only affects clients that actually resolve through pdnsd; a machine with another nameserver configured, or an application that does its own DNS lookups, is unaffected.


FAQ

Q) It does not seem much faster to me. Why?
A) The speed gained from a local DNS cache is all in how long it takes to start a connection to a server. Throughput, what people normally think of as speed, is not affected. The difference is most noticeable when browsing the web, since that typically involves small downloads from several servers. On slower connections, especially dial-up, throughput is the primary bottleneck, so the difference is smaller in percentage terms.
Q) Why is it so much slower now than before?
A) You almost certainly have the proxy-only option turned off in one of the server sections of /etc/pdnsd.conf. By default, pdnsd asks several DNS servers about a domain to get the most accurate answer possible. The proxy-only option disables this. It should be turned on if you use the DNS server provided by your ISP.