oracular (8) dqcache.8.gz

Provided by: dqcache_20240101-1_amd64 bug

NAME

       dqcache - DNS cache with DNSCurve support

DESCRIPTION

       dqcache       is       recursive      DNS      server      derived      from      dnscache
       (https://cr.yp.to/djbdns/dnscache.html)

CONFIGURATION

       dqcache runs chrooted in the directory specified by the $ROOT environment variable,  under
       the uid and gid specified by the $UID and $GID environment variables.

       dqcache  listens for incoming UDP packets and TCP connections addressed to port 53 of $IP.
       Typically $IP is 127.0.0.1, but it can also be an externally accessible IP address.

       dqcache accepts  connections  from  localhost  (127.0.0.0/8  or  ::1/128).   For  external
       connections dqcache has file-style accesslist.
           e.g. for IPv4 address 1.2.3.4 dqcache allows connection when sees a file named:
           ip4/1.2.3.4 or
           ip4/1.2.3 or
           ip4/1.2 or
           ip4/1
           e.g. for IPv6 address 2a02:598:7000:101:12dd:b1ff:fede:3476 dqcache allows connection when sees a file named:
           ip6/2a02:598:7000:101:12dd:b1ff:fede:3476 or
           ip6/2a02:598:7000:101:12dd:b1ff:fede or
           ip6/2a02:598:7000:101:12dd:b1ff or
           ip6/2a02:598:7000:101:12dd or
           ip6/2a02:598:7000:101 or
           ip6/2a02:598:7000 or
           ip6/2a02:598 or
           ip6/2a02
       when environment variable $OKCLIENT is set, dqcache accepts all connections.

       Warning  ,  dqcache  encrypts  DNS  packets and should run on client's machine. If You run
       dqcache on external IP (not on localhost), You're probably doing it wrong.

       dqcache sends outgoing IPv4 packets from high ports of  $IPSEND4.  Typically  $IPSEND4  is
       0.0.0.0, meaning the machine's primary IPv4 address.

       dqcache sends outgoing IPv6 packets from high ports of $IPSEND6. Typically $IPSEND6 is ::,
       meaning the machine's primary IPv6 address.

       If $HIDETTL is set, dqcache always uses a TTL of 0 in its responses

       dqcache reads a list of root servers as an anchor, one record per  line,  from  servers/@.
       The record has format {IP} or {IP}|{DNSCURVEPUBLICKEY} e.g.:
           servers/@:
           198.41.0.4
           2001:503:ba3e::2:30
           192.228.79.201
           2001:500:84::b
           etc.

       dqcache  also  scans  the  servers directory for anchors for other domains, one record per
       line.  The record has format {IP} or {IP}|{DNSCURVEPUBLICKEY} e.g.:
            servers/dnscurve.cz:
            185.66.36.55|uz5mj60yr9tnudkkpcglw1y0w6dlh78j1l4gk4z7t8bsf1u4d48wlq
            37.157.196.86|uz5mj60yr9tnudkkpcglw1y0w6dlh78j1l4gk4z7t8bsf1u4d48wlq
            2a02:2b88:2:1::127d:1|uz5mj60yr9tnudkkpcglw1y0w6dlh78j1l4gk4z7t8bsf1u4d48wlq
            2a03:1e20:0:5::2|uz5mj60yr9tnudkkpcglw1y0w6dlh78j1l4gk4z7t8bsf1u4d48wlq

       dqcache supports forward-only mode. If $FORWARDONLY is set, dqcache treats servers/@ as  a
       list  of  IP  addresses  for  other caches, not root servers. It forwards queries to those
       caches the same way that a  client  does,  rather  than  contacting  a  chain  of  servers
       according to NS records.

       dqcache  uses  a  fixed-size  cache, as controlled by the $CACHESIZE environment variable.
       Typically $CACHESIZE is 10000000 (10MB).

       dqcache typically generates new secret key at start of program.  If  environment  variable
       $SECRETKEY is set, then dqcache loads this secret key. $SECRETKEY must be safely generated
       using dqcache-makekey(8).

       Note that dqcache uses internally two secret keys, one used as the discrete  logarithm  of
       the  public  key  (256bit DNSCurve key) and one to encrypt the nonce (128bit TEA symmetric
       key).   Both   of   these   keys   are   actually   derived    from    $SECRETKEY    using
       crypto_stream_salsa20().

       dqcache  also  supports  nonce-separation via environment variable $NONCESTART. This means
       that several caches share a key but use separate nonces:
         e.g.:
         NONCESTART=100 ... the first of four caches is configured to use top bits 100
         NONCESTART=101 ... the second is configured to use top bits 101
         NONCESTART=110 ... the third is configured to use top bits 110
         NONCESTART=111 ... and the fourth is configured to use top bits 111.
         etc.

       dqcache typically supports DNSCurve in 'combined  mode'  (meaning:  if  Streamlined  query
       fails, dqcache tries also TXT query).  Environment variable $DNSCURVETYPE selects specific
       DNSCurve type.
         DNSCURVETYPE=1 ... Streamlined only DNSCurve
         DNSCURVETYPE=2 ... TXT only DNSCurve

       dqcache caches records for at least $MINTTL seconds, when  MINTTL  is  set.  It's  limited
       <0-300> seconds. Use only if you really know what you're doing.

       dqcache  sends  only  IPv4  queries, when DISABLEIPV6 is set.  Use only if you really know
       what you're doing.

SEE ALSO

       dqcache-makekey(8), dq(1), dnscache(8)

       https://mojzis.com/software/dq
       https://dnscurve.org/
       https://cr.yp.to/djbdns/dnscache.html

                                                                                       dqcache(8)