1DEADWOOD(1) Deadwood reference DEADWOOD(1)
2
6 Deadwood - A fully recursive caching DNS resolver
7
9 Deadwood is a fully recursive DNS cache. This is a DNS server with the
10 following features:
11 * Full support for both DNS recursion and DNS forwarding caching
13 * Small size and memory footprint suitable for embedded systems
15 * Simple and clean codebase
17 * Secure design
19 * Spoof protection: Strong cryptography used to determine the Query ID
21 and source port
22 * Ability to read and write the cache to a file
24 * Dynamic cache that deletes entries not recently used
26 * Ability to use expired entries in the cache when it is impossible to
28 contact upstream DNS servers.
29 * IPv6 support can be compiled in if desired
31 * Both DNS-over-UDP and DNS-over-TCP are handled by the same daemon
33 * Built-in dnswall functionality
35 * The ability to assign names to IPv4 IPs as specified in one's
37 dwood3rc file.
38
40 Deadwood has a single optional command line argument: The location of
41 the configuration file that Deadwood uses, specified with the "-f"
42 flag. If this is not defined, Deadwood uses the file "/etc/dwood3rc"
43 as the configuration file.
44 In other words, invoking Deadwood as Deadwood will cause Deadwood to
46 use /etc/dwood3rc as the configuration file; invoking Deadwood as
47 Deadwood -f foobar will cause Deadwood to use the file "foobar" in the
48 current working directory (the directory one is in when starting
49 Deadwood) as the configuration file.
50
52 The Deadwood configuration file is modeled after Python 2's syntax.
53 Any valid Deadwood configuration file should also correctly parse in
54 both Python 2.4.3 and Python 2.6.6. If any configuration file does
55 correctly parse in Deadwood but raises a syntax error in Python, this
56 is a bug that should be fixed.
57 This in mind, whitespace is significant; Deadwood parameters must be in
59 the leftmost column with no leading whitespace. This is a valid line
60 (as long as there are no spaces to its left):
61 recursive_acl = "127.0.0.1/16"
63 The following line, however, will raise a parse error:
65 recursive_acl = "127.0.0.1/16"
67 Observe the space to the left of the "recusive_acl" string in the
69 incorrectly formatted line.
70
72 Deadwood has three different parameter types:
73 * Numeric parameters. Numeric parameters must not be surrounded by
75 quotes, such as this example:
76 filter_rfc1918 = 0
78 If a numeric parameter is surrounded by quotes, the error message
80 "Unknown dwood3rc string parameter" will appear.
81 * String parameters. String parameters must be surrounded by quotes,
83 such as in this example:
84 bind_address = "127.0.0.1"
86 * Dictionary parameters. All dictionary parameters must be initialized
88 before use, and dictionary parameters must have both the dictionary
89 index and the value for said index surrounded by quotes, such as in
90 this example:
91 upstream_servers = {}
93 upstream_servers["."]="8.8.8.8, 8.8.4.4"
94 All dwood3rc parameters except the following are numeric parameters:
96 * bind_address (string)
98 * cache_file (string)
100 * chroot_dir (string)
102 * ip_blacklist (string)
104 * ipv4_bind_addresses (string)
106 * random_seed_file (string)
108 * recursive_acl (string)
110 * root_servers (dictionary)
112 * upstream_servers (dictionary)
114 * ip4 (dictionary)
116
118 The Deadwood configuration file supports the following parameters:
119 bind_address
121 This is the IP (or possibly IPv6) address we bind to.
123 cache_file
125 This is the filename of the file used for reading and writing the cache
127 to disk; this string can have lowercase letters, the '-' symbol, the
128 '_' symbol, and the '/' symbol (for putting the cache in a
129 subdirectory). All other symbols become a '_' symbol.
130 This file is read and written as the user Deadwood runs as.
132 chroot_dir
134 This is the directory the program will run from.
136 deliver_all
138 This affects behavior in Deadwood 2.3, but has no effect in Deadwood 3.
140 This variable is only here so Deadwood 2 rc files can run in Deadwood
141 3.
142 dns_port
144 This is the port Deadwood binds to and listens on for incoming
146 connections. The default value for this is the standard DNS port: port
147 53
148 filter_rfc1918
150 When this has a value of 1, a number of different IP ranges are not
152 allowed to be in DNS A replies:
153 * 192.168.x.x
155 * 172.[16-31].x.x
157 * 10.x.x.x
159 * 127.x.x.x
161 * 169.254.x.x
163 * 224.x.x.x
165 * 0.0.x.x
167 If one of the above IPs is detected in a DNS reply, and filter_rfc1918
169 has a value of 1, Deadwood will return a synthetic "this host does not
170 reply" response (a SOA record in the NS section) instead of the A
171 record.
172 The reason for this is to provide a "dnswall" that protects users for
174 some kinds of attacks, as described at http://crypto.stanford.edu/dns/
175 Please note that Deadwood only provides IPv4 "dnswall" functionality
177 and does not help protect against IPv6 answers. If protection against
178 certain IPv6 AAAA records is needed, either disable all AAAA answers by
179 setting reject_aaaa to have a value of 1, or use an external program to
180 filter undesired IPv4 answers (such as the dnswall program).
181 The default value for this is 1
183 handle_noreply
185 When this is set to 0, Deadwood sends no reply back to the client (when
187 the client is a TCP client, Deadwood closes the TCP connection) when a
188 UDP query is sent upstream and the upstream DNS never sends a reply.
189 When this is set to 1, Deadwood sends a SERVER FAIL back to the client
191 when a UDP query is sent upstream and the upstream DNS never sends a
192 reply.
193 The default value for this is 1
195 handle_overload
197 When this has a value of 0, Deadwood sends no reply when a UDP query is
199 sent and the server is overloaded (has too many pending connections);
200 when it has a value of 1, Deadwood sends a SERVER FAIL packet back to
201 the sender of the UDP query. The default value for this is 1.
202 hash_magic_number
204 This used to be used for Deadwood's internal hash generator to keep the
206 hash generator somewhat random and immune to certain types of attacks.
207 In Deadwood 3.0, entropy for the hash function is created by looking at
208 the contents of /dev/urandom (secret.txt on Windows machines) and the
209 current timestamp. This parameter is only here so older configuration
210 files do not break in Deadwood 3.0.
211 ip4
213 This is a dictionary variable which allows us to have given names
215 resolve to bogus IPv4 addresses. Here, we have the name "maradns.foo"
216 resolve to "10.10.10.10" and "kabah.foo" resolve to "10.11.11.11",
217 regardless of what real values these DNS records may have:
218 ip4 = {}
220 ip4["maradns.foo."] = "10.10.10.10"
221 ip4["kabah.foo."] = "10.11.11.11"
222 Note that a given name can only resolve to a single IP, and that the
224 records have a fixed TTL of 30 seconds.
225 ip6
227 Like ip4, ip6 uses a similar syntax to have bogus IPv6 addresses. We
229 don't use standard notation for IPv6 addresses. Instead, we we use
230 32-character hex addresses (case insensitive); to make it easier to
231 count long strings of "0"s, the "_" acts like a 0. Here is an example:
232 ip6 = {}
234 ip6["maradns.foo."] = "fd4d617261444e530000000000001234"
235 ip6["kabah.foo."] = "FD4D617261444E53__00__00__002345"
236 ip_blacklist
238 This is a list of IPs that we do not allow to be in the answer to a DNS
240 request. The reason for this is to counteract the practice some ISPs
241 have of converting a "this site does not exist" DNS answer in to a page
242 controlled by the ISP; this results in possible security issues.
243 This parameter only accepts individual IPs, and does not use netmasks.
245 maradns_uid
247 The user-id Deadwood runs as. This can be any number between 10 and
249 65535; the default value is 99 (nobody on RedHat-derived Linux
250 distributions). This value is not used on Windows systems.
251 maradns_gid
253 The group-id Deadwood runs as. This can be any number between 10 and
255 65535; the default value is 99. This value is not used on Windows
256 systems.
257 max_ar_chain
259 Whether resource record rotation is enabled. If this has a value of 1,
261 resource record rotation is enabled, otherwise resource record rotation
262 is disabled.
263 Resource record rotation is usually desirable, since it allows DNS to
265 act like a crude load balancer. However, on heavily loaded systems it
266 may be desirable to disable it to reduce CPU usage.
267 The reason for the unusual name for this variable is to retain
269 compatibility with MaraDNS mararc files.
270 The default value is 1: Resource record rotation enabled.
272 max_inflights
274 The maximum number of simultaneous clients we process at the same time
276 for the same query.
277 If, while processing a query for, say, "example.com.", another DNS
279 client sends to Deadwood another query for example.com, instead of
280 creating a new query to process example.com, Deadwood will attach the
281 new client to the same query that is already "in flight", and send a
282 reply to both clients once we have an answer for example.com.
283 This is the number of simultaneous clients a given query can have. If
285 this limit is exceeded, subsequents clients with the same query are
286 refused until an answer is found. If this has a value of 1, we do not
287 merge multiple requests for the same query, but give each request its
288 own connection.
289 The default value is 8.
291 max_ttl
293 The maximum amount of time we will keep an entry in the cache, in
295 seconds (also called "Maximum TTL").
296 This is the longest we will keep an entry cached. The default value for
298 this parameter is 86400 (one day); the minimum value is 300 (5 minutes)
299 and the maximum value this can have is 7776000 (90 days).
300 The reason why this parameter is here is to protect Deadwood from
302 attacks which exploit there being stale data in the cache, such as the
303 "Ghost Domain Names" attack.
304 maximum_cache_elements
306 The maximum number of elements our cache is allowed to have. This is a
308 number between 32 and 16,777,216; the default value for this is 1024.
309 Note that, if writing the cache to disk or reading the cache from disk,
310 higher values of this will slow down cache reading/writing.
311 The amount of memory each cache entry uses is variable depending on the
313 operating system used and the size of memory allocation pages assigned.
314 In Windows XP, for example, each entry uses approximately four
315 kilobytes of memory and Deadwood has an overhead of approximately 512
316 kilobytes. So, if there are 512 cache elements, Deadwood uses
317 approximately 2.5 megabytes of memory, and if there are 1024 cache
318 elements, Deadwood uses approximately 4.5 megabytes of memory. Again,
319 these numbers are for Windows XP and other operating systems will have
320 different memory allocation numbers.
321 Please note that each root_servers and upstream_servers entry takes up
323 space in Deadwood's cache and that maximum_cache_elements will need to
324 be increased to store a large number of these entries.
325 maxprocs
327 This is the maximum number of pending remote UDP connections Deadwood
329 can have. The default value for this is 1024.
330 max_tcp_procs
332 This is the number of allowed open TCP connections. Default value: 8
334 num_retries
336 The number of times we retry to send a query upstream before giving up.
338 If this is 0, we only try once; if this is 1, we try twice, and so on,
339 up to 32 retries. Note that each retry takes timeout_seconds seconds
340 before we retry again. Default value: 5
341 ns_glueless_type
343 The RR type we send to resolve glueless records. This should be 1 (A)
345 when mainly using IPv4 to resolve records. If glueless NS records have
346 AAAA but not A records, and IPv6 is enabled, it may make sense to give
347 this a value of 255 (ANY). If IPv4 ever stops being used on a large
348 scale, it may eventually become possible to make this have a value of
349 28 (AAAA).
350 The default value is 1: An A (IPv4 IP) record. This parameter has not
352 been tested; use at your own risk.
353 random_seed_file
355 This is a file that contains random numbers, and is used as a seed for
357 the cryptographically strong random number generator. Deadwood will
358 try to read 256 bytes from this file (the RNG Deadwood uses can accept
359 a stream of any arbitrary length).
360 Note that the hash compression function obtains some of its entropy
362 before parsing the mararc file, and is hard-coded to get entropy from
363 /dev/urandom (secret.txt on Windows systems). Most other entropy used
364 by Deadwood comes from the file pointed to by random_seed_file.
365 recurse_min_bind_port
367 The lowest numbered port Deadwood is allowed to bind to; this is a
369 random port number used for the source port of outgoing queries, and is
370 not 53 (see dns_port above). This is a number between 1025 and 32767,
371 and has a default value of 15000. This is used to make DNS spoofing
372 attacks more difficult.
373 recurse_number_ports
375 The number of ports Deadwood binds to for the source port for outgoing
377 connections; this is a power of 2 between 256 and 32768. This is used
378 to make DNS spoofing attacks more difficult. The default value is 4096.
379 recursive_acl
381 This is a list of who is allowed to use Deadwood to perform DNS
383 recursion, in "ip/mask" format. Mask must be a number between 0 and 32
384 (for IPv6, between 0 and 128). For example, "127.0.0.1/8" allows local
385 connections.
386 reject_aaaa
388 If this has a value of 1, a bogus SOA "not there" reply is sent
390 whenever an AAAA query is sent to Deadwood. In other words, every time
391 a program asks Deadwood for an IPv6 IP address, instead of trying to
392 process the request, when this is set to 1, Deadwood pretends the host
393 name in question does not have an IPv6 address.
394 This is useful for people who aren't using IPv6 but use applications
396 (usually *NIX command like applications like "telnet") which slow
397 things down trying to find an IPv6 address.
398 This has a default value of 0. In other words, AAAA queries are
400 processed normally unless this is set.
401 reject_mx
403 When this has the default value of 1, MX queries are silently dropped
405 with their IP logged. A MX query is a query that is only done by a
406 machine if it wishes to be its own mail server sending mail to machines
407 on the internet. This is a query an average desktop machine (including
408 one that uses Outlook or another mail user agent to read and send
409 email) will never make.
410 Most likely, if a machine is trying to make a MX query, the machine is
412 being controlled by a remote source to send out undesired "spam" email.
413 This in mind, Deadwood will not allow MX queries to be made unless
414 reject_mx is explicitly set with a value of 0.
415 Before disabling this, please keep in mind that Deadwood is optimized
417 to be used for web surfing, not as a DNS server for a mail hub. In
418 particular, the IPs for MX records are removed from Deadwood's replies
419 and Deadwood needs to perform additional DNS queries to get the IPs
420 corresponding to MX records, and Deadwood's testing is more geared for
421 web surfing (almost 100% A record lookup) and not for mail delivery
422 (extensive MX record lookup).
423 reject_ptr
425 If this has a value of 1, a bogus SOA "not there" reply is sent
427 whenever a PTR query is sent to Deadwood. In other words, every time a
428 program asks Deadwood for "reverse DNS lookup" -- the hostname for a
429 given IP address -- instead of trying to process the request, when this
430 is set to 1, Deadwood pretends the IP address in question does not have
431 a hostname.
432 This is useful for people who are getting slow DNS timeouts when trying
434 to perform a reverse DNS lookups on IPs.
435 This has a default value of 0. In other words, PTR queries are
437 processed normally unless this is set.
438 resurrections
440 If this is set to 1, Deadwood will try to send an expired record to the
442 user before giving up. If it is 0, we don't. Default value: 1
443 root_servers
445 This is a list of root servers; its syntax is identical to
447 upstream_servers (see below). This is the type of DNS service ICANN,
448 for example, runs. These are servers used that do not give us complete
449 answers to DNS questions, but merely tell us which DNS servers to
450 connect to to get an answer closer to our desired answer.
451 Please note that each root_servers entry takes up space in Deadwood's
453 cache and that maximum_cache_elements will need to be increased to
454 store a large number of these entries.
455 tcp_listen
457 In order to enable DNS-over-TCP, this variable must be set and have a
459 value of 1. Default value: 0
460 timeout_seconds
462 This is how long Deadwood will wait before giving up and discarding a
464 pending UDP DNS reply. The default value for this is 1, as in 1
465 second, unless Deadwood was compiled with FALLBACK_TIME enabled.
466 timeout_seconds_tcp
468 How long to wait on an idle TCP connection before dropping it. The
470 default value for this is 4, as in 4 seconds.
471 ttl_age
473 Whether TTL aging is enabled; whether entries in the cache have their
475 TTLs set to be the amount of time the entries have left in the cache.
476 If this has a value of 1, TTL entries are aged. Otherwise, they are
478 not. The default value for this is 1.
479 upstream_port
481 This is the port Deadwood uses to connect or send packets to the
483 upstream servers. The default value for this is 53; the standard DNS
484 port.
485 upstream_servers
487 This is a list of DNS servers that the load balancer will try to
489 contact. This is a dictionary variable (array indexed by a string
490 instead of by a number) instead of a simple variable. Since
491 upstream_servers is a dictionary variable, it needs to be initialized
492 before being used.
493 Deadwood will look at the name of the host that it is trying to find
495 the upstream server for, and will match against the longest suffix it
496 can find.
497 For example, if someone sends a query for "www.foo.example.com" to
499 Deadwood, Deadwood will first see if there is an upstream_servers
500 variable for "www.foo.example.com.", then look for "foo.example.com.",
501 then look for "example.com.", then "com.", and finally ".".
502 Here is an example of upstream_servers:
504 upstream_servers = {} # Initialize dictionary variable
506 upstream_servers["foo.example.com."] = "192.168.42.1"
507 upstream_servers["example.com."] = "192.168.99.254"
508 upstream_servers["."] = "10.1.2.3, 10.1.2.4"
509 In this example, anything ending in "foo.example.com" is resolved by
511 the DNS server at 192.168.42.1; anything else ending in "example.com"
512 is resolved by 192.168.99.254; and anything not ending in "example.com"
513 is resolved by either 10.1.2.3 or 10.1.2.4.
514 Important: the domain name upstream_servers points to must end in a "."
516 character. This is OK:
517 upstream_servers["example.com."] = "192.168.42.1"
519 But this is not OK:
521 upstream_servers["example.com"] = "192.168.42.1"
523 The reason for this is because BIND engages in unexpected behavior when
525 a host name doesn't end in a dot, and by forcing a dot at the end of a
526 hostname, Deadwood doesn't have to guess whether the user wants BIND's
527 behavior or the "normal" behavior.
528 If neither root_servers nor upstream_servers are set, Deadwood sets
530 root_servers to use the default ICANN root servers, as follows:
531 198.41.0.4 a.root-servers.net (VeriSign)
533 199.9.14.201 b.root-servers.net (ISI)
534 192.33.4.12 c.root-servers.net (Cogent)
535 199.7.91.13 d.root-servers.net (UMaryland)
536 192.203.230.10 e.root-servers.net (NASA Ames)
537 192.5.5.241 f.root-servers.net (ISC)
538 192.112.36.4 g.root-servers.net (DOD NIC)
539 198.97.190.53 h.root-servers.net (ArmyRU)
540 192.36.148.17 i.root-servers.net (NORDUnet)
541 192.58.128.30 j.root-servers.net (VeriSign)
542 193.0.14.129 k.root-servers.net (Reseaux)
543 199.7.83.42 l.root-servers.net (IANA)
544 202.12.27.33 m.root-servers.net (WIDE)
545 This list is current as of November 9, 2017, and was last changed in
547 October of 2017.
548 Please note that each upstream_servers entry takes up space in
550 Deadwood's cache and that maximum_cache_elements will need to be
551 increased to store a large number of these entries.
552 verbose_level
554 This determines how many messages are logged on standard output; larger
556 values log more messages. The default value for this is 3.
557
559 Deadwood uses a standard ip/netmask formats to specify IPs. An ip is
560 in dotted-decimal format, e.g. "10.1.2.3" (or in IPv6 format when IPv6
561 support is compiled in).
562 The netmask is used to specify a range of IPs. The netmask is a single
564 number between 1 and 32 (128 when IPv6 support is compiled in), which
565 indicates the number of leading "1" bits in the netmask.
566 10.1.1.1/24 indicates that any ip from 10.1.1.0 to 10.1.1.255 will
568 match.
569 10.2.3.4/16 indicates that any ip from 10.2.0.0 to 10.2.255.255 will
571 match.
572 127.0.0.0/8 indicates that any ip with "127" as the first octet
574 (number) will match.
575 The netmask is optional, and, if not present, indicates that only a
577 single IP will match.
578
580 DNS-over-TCP needs to be explicitly enabled by setting tcp_listen to 1.
581 Deadwood extracts useful information from UDP DNS packets marked
583 truncated which almost always removes the need to have DNS-over-TCP.
584 However, Deadwood does not cache DNS packets larger than 512 bytes in
585 size that need to be sent using TCP. In addition, DNS-over-TCP packets
586 which are "incomplete" DNS replies (replies which a stub resolver can
587 not use, which can be either a NS referral or an incomplete CNAME
588 reply) are not handled correctly by Deadwood.
589 Deadwood has support for both DNS-over-UDP and DNS-over-TCP; the same
591 daemon listens on both the UDP and TCP DNS port.
592 Only UDP DNS queries are cached. Deadwood does not support caching over
594 TCP; it handles TCP to resolve the rare truncated reply without any
595 useful information or to work with very uncommon non-RFC-compliant TCP-
596 only DNS resolvers. In the real world, DNS-over-TCP is almost never
597 used.
598
600 It is possible to have Deadwood, while parsing the dwood3rc file, read
601 other files and parse them as if they were dwood3rc files.
602 This is done using execfile. To use execfile, place a line like this
604 in the dwood3rc file:
605 execfile("path/to/filename")
607 Where path/to/filename is the path to the file to be parsed like a
609 dwood3rc file.
610 All files must be in or under the directory /etc/deadwood/execfile.
612 Filenames can only have lower-case letters and the underscore character
613 ("_"). Absolute paths are not allowed as the argument to execfile; the
614 filename can not start with a slash ("/") character.
615 If there is a parse error in the file pointed to by execfile, Deadwood
617 will report the error as being on the line with the execfile command in
618 the main dwood3rc file. To find where a parse error is in the sub-file,
619 use something like "Deadwood -f /etc/deadwood/execfile/filename" to
620 find the parse error in the offending file, where "filename" is the
621 file to to parsed via execfile.
622
624 This server can also be optionally compiled to have IPv6 support. In
625 order to enable IPv6 support, add '-DIPV6' to the compile-time flags.
626 For example, to compile this to make a small binary, and to have IPv6
627 support:
628 export FLAGS='-Os -DIPV6'
630 make
631
634 Deadwood is a program written with security in mind.
635 In addition to use a buffer-overflow resistant string library and a
637 coding style and SQA process that checks for buffer overflows and
638 memory leaks, Deadwood uses a strong pseudo-random number generator
639 (The 32-bit version of RadioGatun) to generate both the query ID and
640 source port. For the random number generator to be secure, Deadwood
641 needs a good source of entropy; by default Deadwood will use
642 /dev/urandom to get this entropy. If you are on a system without
643 /dev/urandom support, it is important to make sure that Deadwood has a
644 good source of entropy so that the query ID and source port are hard to
645 guess (otherwise it is possible to forge DNS packets).
646 The Windows port of Deadwood includes a program called
648 "mkSecretTxt.exe" that creates a 64-byte (512 bit) random file called
649 "secret.txt" that can be used by Deadwood (via the "random_seed_file"
650 parameter); Deadwood also gets entropy from the timestamp when Deadwood
651 is started and Deadwood's process ID number, so it is same to use the
652 same static secret.txt file as the random_seed_file for multiple
653 invocations of Deadwood.
654 Note that Deadwood is not protected from someone on the same network
656 viewing packets sent by Deadwood and sending forged packets as a reply.
657 To protect Deadwood from certain possible denial-of-service attacks, it
659 is best if Deadwood's prime number used for hashing elements in the
660 cache is a random 31-bit prime number. The program RandomPrime.c
661 generates a random prime that is placed in the file DwRandPrime.h that
662 is regenerated whenever either the program is compiled or things are
663 cleaned up with make clean. This program uses /dev/urandom for its
664 entropy; the file DwRandPrime.h will not be regenerated on systems
665 without /dev/urandom.
666 On systems without direct /dev/urandom support, it is suggested to see
668 if there is a possible way to give the system a working /dev/urandom.
669 This way, when Deadwood is compiled, the hash magic number will be
670 suitably random.
671 If using a precompiled binary of Deadwood, please ensure that the
673 system has /dev/urandom support (on Windows system, please ensure that
674 the file with the name secret.txt is generated by the included
675 mkSecretTxt.exe program); Deadwood, at runtime, uses /dev/urandom
676 (secret.txt in Windows) as a hardcoded path to get entropy (along with
677 the timestamp) for the hash algorithm.
678
680 Deadwood does not have any built-in daemonization facilities; this is
681 handled by the external program Duende or any other daemonizer.
682
684 Here is an example dwood3rc configuration file:
685 # This is an example deadwood rc file
687 # Note that comments are started by the hash symbol
688 bind_address="127.0.0.1" # IP we bind to
690 # The following line is disabled by being commented out
692 #bind_address="::1" # We have optional IPv6 support
693 # Directory we run program from (not used in Win32)
695 chroot_dir = "/etc/deadwood"
696 # The following upstream DNS servers are Google's
698 # (as of December 2009) public DNS servers. For
699 # more information, see the page at
700 # http://code.google.com/speed/public-dns/
701 #
702 # If neither root_servers nor upstream_servers are set,
703 # Deadwood will use the default ICANN root servers.
704 #upstream_servers = {}
705 #upstream_servers["."]="8.8.8.8, 8.8.4.4"
706 # Who is allowed to use the cache. This line
708 # allows anyone with "127.0" as the first two
709 # digits of their IP to use Deadwood
710 recursive_acl = "127.0.0.1/16"
711 # Maximum number of pending requests
713 maxprocs = 2048
714 # Send SERVER FAIL when overloaded
716 handle_overload = 1
717 maradns_uid = 99 # UID Deadwood runs as
719 maradns_gid = 99 # GID Deadwood runs as
720 maximum_cache_elements = 60000
722 # If you want to read and write the cache from disk,
724 # make sure chroot_dir above is readable and writable
725 # by the maradns_uid/gid above, and uncomment the
726 # following line.
727 #cache_file = "dw_cache"
728 # If your upstream DNS server converts "not there" DNS replies
730 # in to IPs, this parameter allows Deadwood to convert any reply
731 # with a given IP back in to a "not there" IP. If any of the IPs
732 # listed below are in a DNS answer, Deadwood converts the answer
733 # in to a "not there"
734 #ip_blacklist = "10.222.33.44, 10.222.3.55"
735 # By default, for security reasons, Deadwood does not allow IPs in
737 # the 192.168.x.x, 172.[16-31].x.x, 10.x.x.x, 127.x.x.x,
738 # 169.254.x.x, 224.x.x.x, or 0.0.x.x range. If using Deadwood
739 # to resolve names on an internal network, uncomment the
740 # following line:
741 #filter_rfc1918 = 0
742
745 Deadwood does not follow RFC2181's advice to ignore DNS responses with
746 the TC (truncated) bit set, but instead extracts the first RR. If this
747 is not desired, set the undocumented parameter truncation_hack to 0
748 (but read the DNS over TCP section of this man page).
749 Deadwood can not process DNS resource record types with numbers between
751 65392 and 65407. These RR types are marked by the IANA for "private
752 use"; Deadwood reserves these record types for internal use. This is
753 only 16 record types out of the 65536 possible DNS record types (only
754 71 have actually been assigned by IANA, so this is a non-issue in the
755 real world).
756 It is not clear whether the DNS RFCs allow ASCII control characters in
758 DNS names. Even if they were, Deadwood does not allow ASCII control
759 characters (bytes with a value less then 32) in DNS names. Other
760 characters (UTF-8, etc.) are allowed.
761 Combining a CNAME record with other records is prohibited in RFC1034
763 section 3.6.2 and RFC1912 section 2.4; it makes an answer ambiguous.
764 Deadwood handles this ambiguity differently than some other DNS
765 servers.
766
768 THIS SOFTWARE IS PROVIDED BY THE AUTHORS ''AS IS'' AND ANY EXPRESS OR
769 IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED
770 WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE
771 DISCLAIMED. IN NO EVENT SHALL THE AUTHORS OR CONTRIBUTORS BE LIABLE FOR
772 ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
773 DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
774 OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
775 HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
776 STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING
777 IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
778 POSSIBILITY OF SUCH DAMAGE.
779
781 Sam Trenholme (http://www.samiam.org) is responsible for this program
782 and man page. He appreciates all of Jean-Jacques Sarton's help giving
783 this program IPv6 support.
784DEADWOOD August 2009 DEADWOOD(1)