Pdnsd

From ArchWiki
Revision as of 15:39, 12 September 2007 by Skymt (Talk | contribs) (Created page)


pdnsd is a caching DNS proxy: it forwards queries to the name servers you configure and keeps the answers in a cache that is written to disk, so it survives restarts. Correctly configured, it can noticeably reduce the time it takes to connect to servers on a broadband connection.

Installation

pdnsd can be installed with Pacman if you enable the community repository.

pacman -S pdnsd

Configuration

Initial preparation

The sample configuration file that comes with pdnsd needs a few changes before the daemon can start. First, copy the file to where pdnsd expects it to be.

cp /etc/pdnsd.conf.sample /etc/pdnsd.conf

Format

The pdnsd.conf file uses a fairly simple format, but it has some differences from most other configuration files you've likely encountered. It has a collection of sections of various types. A section is started with the name of the type of section and an opening curly bracket ({) and is ended by a closing curly bracket (}). Sections cannot be nested.

Inside each block is a series of options of the following format:

option_name=option_value;

Notice the semicolon at the end; unlike in some formats, it is not optional, and pdnsd refuses to start on a line that lacks one.

Comments are started with either # or /*. The former goes to the end of the line, the latter continues until it reaches */.

DNS servers

pdnsd needs to know the address of at least one DNS server to collect DNS information from. This part of the setup differs depending on whether you have a broadband connection or dial-up. Broadband users should use the first server section as a starting point, dial-up users the second, leaving the other server sections commented out.

label 
The label option is used to uniquely identify a server section. It's completely arbitrary, but one good choice is the name of your ISP.
ip 
This option, used in the default broadband configuration, tells pdnsd the addresses of DNS servers to use. Multiple addresses should be separated by a single comma, no space. You can just copy the addresses from /etc/resolv.conf.
file 
The file option can be used instead of ip to specify a set of DNS server IPs. Its value is the path to a file with servers listed in resolv.conf format. The default dial-up configuration uses it because the PPP client writes /etc/ppp/resolv.conf with the addresses it gets from the PPP server. You shouldn't need to change it unless you want to use a different DNS server than your ISP gives you by default.

The rest of the server section will work without any more changes. For details on all the available options, see the pdnsd manual.

Security

The default configuration has a security weakness. The daemon runs as nobody, a shared account that many services drop privileges to when they need as few permissions as possible. That is a poor fit for pdnsd, because the daemon needs read/write access to its on-disk cache, and every other process running as nobody has exactly the same access. If an attacker finds a vulnerability in any other service running as nobody, they can rewrite pdnsd.cache and have forged DNS records served to every program on the machine, which is the local equivalent of cache poisoning.

To avoid this risk, run pdnsd under a user of its own that nothing else uses. First create the group and the user (the original command omitted the user name as the final argument):

groupadd pdnsd
useradd -d /var/cache/pdnsd -g pdnsd -s /bin/false pdnsd

/var/cache/pdnsd was chosen for the home folder because that's where pdnsd stores its data.

Next, go back to pdnsd.conf. This time we'll be editing the global section at the top of the file. Change run_as from "nobody" to "pdnsd" (the value is quoted, so the line reads run_as="pdnsd";). Also add strict_setuid=on; to the same section for extra security, so that pdnsd insists on the privilege drop succeeding.

Now we've limited the server a little too much. Once it has dropped privileges it has to write its cache under /var/cache, but the directory does not exist yet and, even if it did, would not belong to the new user. Create it and hand it over, closing it to everyone else so no other local account can touch the cache:

mkdir /var/cache/pdnsd
chown pdnsd:pdnsd /var/cache/pdnsd
chmod 700 /var/cache/pdnsd

If you got hasty and started the daemon before reaching this section, you already have a /var/cache/pdnsd/pdnsd.cache file, and it is owned by nobody rather than by the pdnsd user. If that's the case, just delete it; it will be regenerated automatically on the next start.

Testing

You should now have a working pdnsd daemon. Fire it up and find out.

/etc/rc.d/pdnsd start

You can test it with the nslookup utility (from the dnsutils package).

nslookup www.google.com 127.0.0.1

If everything works, you should see a list of IP addresses associated with www.google.com.

System setup

Now it's time to point your system toward your brand-new DNS server.

If you use DHCP to configure your network settings, you need to take a brief detour into the /etc/conf.d/dhcpcd config file. Add -R to the string of options. This prevents it from overwriting /etc/resolv.conf. It should look something like this:

DHCPCD_ARGS="-t 10 -h $HOSTNAME -R"

Now just edit /etc/resolv.conf and replace the contents with this.

nameserver 127.0.0.1

All that's left is adding pdnsd to your daemons array in /etc/rc.conf. It should be immediately after network, as it depends on the network to run, and some daemons that use the network rely on working DNS.

Congratulations! You're done!

FAQs

Q) It doesn't seem much faster to me. Why? 
A) The extra speed gained from running a local DNS cache is all in how long it takes to connect to a server. Throughput, what people normally think of as speed, will not be affected. The difference is most noticeable when browsing the web, as that typically involves small downloads from several servers. With slower connections, especially dial-up, throughput is the primary bottleneck, so there won't be as large a difference percentage-wise.
Q) Why is it so much slower now than before? 
A) You almost certainly have the proxy_only option turned off in one of the server sections of pdnsd.conf. With proxy_only off, pdnsd does not simply accept the answer from the server you listed: when it gets a referral it follows it and queries the authoritative servers itself, which costs extra round trips for every name that is not yet cached. Setting proxy_only=on; tells pdnsd to send each query only to the servers in that section and accept their answers. It should be turned on whenever the servers listed are ordinary recursive resolvers, such as the ones your ISP provides.