pdns-2.9.22-9.mga1.i586.rpm

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<HTML
><HEAD
><TITLE
>PowerDNS resolver/recursing nameserver</TITLE
><META
NAME="GENERATOR"
CONTENT="Modular DocBook HTML Stylesheet Version 1.79"><LINK
REL="HOME"
TITLE="PowerDNS manual"
HREF="index.html"><LINK
REL="PREVIOUS"
TITLE="Recursion"
HREF="recursion.html"><LINK
REL="NEXT"
TITLE="Controlling and querying the recursor"
HREF="rec-control.html"></HEAD
><BODY
CLASS="CHAPTER"
BGCOLOR="#FFFFFF"
TEXT="#000000"
LINK="#0000FF"
VLINK="#840084"
ALINK="#0000FF"
><DIV
CLASS="NAVHEADER"
><TABLE
SUMMARY="Header navigation table"
WIDTH="100%"
BORDER="0"
CELLPADDING="0"
CELLSPACING="0"
><TR
><TH
COLSPAN="3"
ALIGN="center"
>PowerDNS manual</TH
></TR
><TR
><TD
WIDTH="10%"
ALIGN="left"
VALIGN="bottom"
><A
HREF="recursion.html"
ACCESSKEY="P"
>Prev</A
></TD
><TD
WIDTH="80%"
ALIGN="center"
VALIGN="bottom"
></TD
><TD
WIDTH="10%"
ALIGN="right"
VALIGN="bottom"
><A
HREF="rec-control.html"
ACCESSKEY="N"
>Next</A
></TD
></TR
></TABLE
><HR
ALIGN="LEFT"
WIDTH="100%"></DIV
><DIV
CLASS="CHAPTER"
><H1
><A
NAME="BUILT-IN-RECURSOR"
></A
>Chapter 12. PowerDNS resolver/recursing nameserver</H1
><P
>      The PowerDNS recursor is part of the source tarball of the main PowerDNS distribution, but it is released separately. Starting from
      the version 3.0 pre-releases, there are zero known bugs or issues with the recursor. It is known to power the resolving needs of over 2 million
      internet connections.
    </P
><P
>      The documentation below is only for the 3.0 series, users of older versions are urged to upgrade!
    </P
><P
>      Notable features:
      <P
></P
><UL
><LI
><P
>	    Uses MTasker (<A
HREF="http://ds9a.nl/mtasker"
TARGET="_top"
>homepage</A
>)
	  </P
></LI
><LI
><P
>	    Can handle thousands of concurrent questions. A dual 3GHz Xeon has been measured performing very well at 9000 replayed real-life
	    packets per second, with 40% CPU idle. More testing equipment is needed to max out the recursor.
	  </P
></LI
><LI
><P
>	    Powered by a highly modern DNS packet parser that should be resistant against many forms of buffer overflows.
	  </P
></LI
><LI
><P
>	    Best spoofing protection that we know about, involving both source port randomisation and spoofing detection.
	  </P
></LI
><LI
><P
>	    Uses 'connected' UDP sockets, which let the recursor react quickly to unreachable hosts, or to hosts that are up but whose
	    nameserver is down. This makes the recursor faster to respond in case of misconfigured domains, which are sadly very frequent.
	  </P
></LI
><LI
><P
>	    Special support for FreeBSD, Linux and Solaris stateful multiplexing (kqueue, epoll, completion ports).
	  </P
></LI
><LI
><P
>	    Very fast, and contains innovative query-throttling code to save time talking to obsolete or broken nameservers.
	  </P
></LI
><LI
><P
>	    Code is written linearly, sequentially, which means that there are no problems with 'query restart' or anything.
	  </P
></LI
><LI
><P
>	    Relies heavily on Standard C++ Library infrastructure, which makes for little code (406 core lines).
	  </P
></LI
><LI
><P
>	    Is very verbose in showing how recursion actually works, when enabled to do so with --verbose.
	  </P
></LI
><LI
><P
>	    The algorithm is simple and quite nifty.
	  </P
></LI
></UL
>
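<P
>      The feature list above credits spoofing resistance to two mechanisms: randomised source ports and near-miss detection (the
      spoof-nearmiss-max setting in the next section). The following is an added example, not code from the PowerDNS project, that
      models both in a few dozen lines: each outstanding query is keyed by a random (source port, transaction ID) pair, and an answer
      that matches no outstanding pair is counted as a near miss against the address it came from. Keying on that pair, counting per
      answering address, the ephemeral port pool and the sample addresses are all modelling assumptions, not the recursor's internals.
    </P
>
```python
"""Added example, not PowerDNS code: a simplified model of source port
randomisation plus near-miss counting (spoof-nearmiss-max). Keying outstanding
queries by (source port, transaction ID), counting near misses per answering
address and the port pool below are modelling assumptions."""
import secrets
from collections import Counter
from typing import Dict, Set, Tuple

EPHEMERAL_PORTS = range(1024, 65536)   # assumed pool for randomised source ports


class SpoofMonitor:
    def __init__(self, spoof_nearmiss_max: int = 20):
        # 0 disables the heuristic, mirroring the "if set to non-zero" wording.
        self.max = spoof_nearmiss_max
        self.outstanding: Dict[Tuple[int, int], str] = {}   # (port, txid) -> qname
        self.near_misses: Counter = Counter()                 # per answering address
        self.flagged: Set[str] = set()

    def send_query(self, qname: str) -> Tuple[int, int]:
        """Pick a fresh random source port and 16-bit ID; an off-path sender
        must guess both to have an answer accepted."""
        while True:
            key = (secrets.choice(EPHEMERAL_PORTS), secrets.randbelow(1 << 16))
            if key not in self.outstanding:
                self.outstanding[key] = qname
                return key

    def receive_answer(self, remote: str, dst_port: int, txid: int) -> str:
        """Classify an incoming answer as 'accepted', 'near-miss' or
        'spoofing-suspected' (threshold reached for this remote)."""
        key = (dst_port, txid)
        if key in self.outstanding:
            del self.outstanding[key]          # a second copy is a near miss
            return "accepted"
        self.near_misses[remote] += 1
        if self.max and self.near_misses[remote] >= self.max:
            self.flagged.add(remote)          # an operator would log/alert here
            return "spoofing-suspected"
        return "near-miss"


if __name__ == "__main__":
    mon = SpoofMonitor(20)
    port, txid = mon.send_query("example.com.")    # constructed query
    print(mon.receive_answer("198.51.100.9", port, (txid + 1) % 65536))   # near-miss
    print(mon.receive_answer("198.51.100.9", port, txid))                 # accepted
```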
    </P
><P
>      The PowerDNS recursor is controlled and queried using the <TT
CLASS="FILENAME"
>rec_control</TT
> tool. 
    </P
><DIV
CLASS="SECT1"
><H1
CLASS="SECT1"
><A
NAME="RECURSOR-SETTINGS"
>12.1. pdns_recursor settings</A
></H1
><P
>	At startup, the recursing nameserver reads the file <TT
CLASS="FILENAME"
>recursor.conf</TT
> from the configuration directory,
	often <TT
CLASS="FILENAME"
>/etc/powerdns</TT
> or <TT
CLASS="FILENAME"
>/usr/local/etc</TT
>. Each setting below can appear on the command line,
	prefixed by '--', or in the configuration file. The command line overrides the configuration file.
      </P
><P
>	A switch can be set to on simply by passing it, like '--daemon', and turned off explicitly by '--daemon=off' or '--daemon=no'.
      </P
><P
>	The following settings can be configured:
	<P
></P
><DIV
CLASS="VARIABLELIST"
><DL
><DT
>aaaa-additional-processing</DT
><DD
><P
>		If turned on, the recursor will attempt to add AAAA IPv6 records to questions for MX records and NS records.
		Can be quite slow, as the absence of these records in earlier answers does not guarantee their non-existence. Can double
		the number of queries needed. Off by default.
	      </P
></DD
><DT
>allow-from</DT
><DD
><P
>		Comma separated netmasks (both IPv4 and IPv6) that are allowed to use the server. The default allows access only from RFC 1918 
		private IP addresses, like 10.0.0.0/8. Due to the aggressive nature of the internet these days, it is highly recommended
		to not open up the recursor for the entire internet. Questions from IP addresses not listed here are ignored and do 
		not get an answer.
	      </P
></DD
><DT
>auth-can-lower-ttl</DT
><DD
><P
>		Authoritative zones can transmit a TTL value that is lower than that specified in the parent zone. This is called a
		'delegation inconsistency'. To follow RFC 2181 paragraphs 5.2 and 5.4 to the letter, enable this feature. 
		This will mean a slight deterioration of performance, and it will not solve any problems, but does make
		the recursor more standards compliant. Not recommended unless you have to tick an 'RFC 2181 compliant' box. Off by default.
	      </P
></DD
><DT
>auth-zones</DT
><DD
><P
>		Comma separated list of 'zonename=filename' pairs. Zones read from these files are served authoritatively. Example:
		<B
CLASS="COMMAND"
>auth-zones= ds9a.nl=/var/zones/ds9a.nl, powerdns.com=/var/zones/powerdns.com</B
>. Available since 3.1.
	      </P
></DD
><DT
>chroot</DT
><DD
><P
>		If set, chroot to this directory for more security. See <A
HREF="security.html"
>Chapter 7</A
>.
	      </P
></DD
><DT
>client-tcp-timeout</DT
><DD
><P
>	      Time to wait for data from TCP clients. Defaults to 2 seconds. 
	      </P
></DD
><DT
>config-dir</DT
><DD
><P
>		Directory where the configuration file can be found.
	      </P
></DD
><DT
>daemon</DT
><DD
><P
>		Operate in the background, which is the default.
	      </P
></DD
><DT
>delegation-only</DT
><DD
><P
>		A Verisign special.
	      </P
></DD
><DT
>dont-query</DT
><DD
><P
>		The DNS is a public database, but sometimes contains delegations to private IP addresses, like for example 127.0.0.1. This can have odd effects, 
		depending on your network, and may even be a security risk. Therefore, since version 3.1.5, the PowerDNS recursor by default does not query
		private IP address space. This setting can be used to expand or reduce the limitations.
	      </P
></DD
><DT
>export-etc-hosts</DT
><DD
><P
>		If set, this flag will export the host names and IP addresses mentioned in <TT
CLASS="FILENAME"
>/etc/hosts</TT
>. Available since 3.1.
	      </P
></DD
><DT
>fork</DT
><DD
><P
>		If running on an SMP system with enough memory, this feature forks PowerDNS so it benefits from two processors. Experimental. Renames
		controlsockets, so care is needed to connect to the right one using <B
CLASS="COMMAND"
>rec_control</B
>, using <B
CLASS="COMMAND"
>--socket-pid</B
>.
	      </P
></DD
><DT
>forward-zones</DT
><DD
><P
>		Comma separated list of 'zonename=IP' pairs. Queries for zones listed here will be forwarded to the IP address listed. Example:
		<B
CLASS="COMMAND"
>forward-zones= ds9a.nl=213.244.168.210, powerdns.com=127.0.0.1</B
>. Available since 3.1.
	      </P
></DD
><DT
>forward-zones-file</DT
><DD
><P
>		Same as <B
CLASS="COMMAND"
>forward-zones</B
>, parsed from a file. Only 1 zone is allowed per line, specified as follows:
		<B
CLASS="COMMAND"
>ds9a.nl=213.244.168.210</B
>. Available since 3.1.5.
	      </P
></DD
><DT
>hint-file</DT
><DD
><P
>		If set, the root-hints are read from this file. If unset, default root hints are used. Available since 2.9.19.
	      </P
></DD
><DT
>local-address</DT
><DD
><P
>		Local IPv4 or IPv6 addresses to bind to, comma separated. Defaults to only loopback. Addresses can also contain port numbers,
		for IPv4 specify like this: <B
CLASS="COMMAND"
>1.2.3.4:5300</B
>, for IPv6: <B
CLASS="COMMAND"
>[::1]:5300</B
>. Port specifications are available since
		3.1.2.
	      </P
></DD
><DT
>local-port</DT
><DD
><P
>		Local port (singular) to bind to. Defaults to 53.
	      </P
></DD
><DT
>log-common-errors</DT
><DD
><P
>		Some DNS errors occur rather frequently and are no cause for alarm. Logging these is on by default.
	      </P
></DD
><DT
>logging-facility</DT
><DD
><P
>		If set to a digit, logging is performed under this LOCAL facility. See <A
HREF="syslog.html"
>Section 6.3</A
>. Available from 3.1.3 and onwards. Do not pass names like 'local0'!
	      </P
></DD
><DT
>max-cache-entries</DT
><DD
><P
>		Maximum number of cache entries. 1 million will generally suffice for most installations.
	      </P
></DD
><DT
>max-negative-ttl</DT
><DD
><P
>		A query for which there is authoritatively no answer is cached to quickly deny a record's existence later on, without
		putting a heavy load on the remote server. In practice, caches can become saturated with hundreds of thousands of hosts
		which are tried only once. This setting, which defaults to 3600 seconds, puts a maximum on the amount of time negative
		entries are cached.
	      </P
></DD
><DT
>max-tcp-clients</DT
><DD
><P
>	      Maximum number of simultaneous incoming TCP connections allowed. Defaults to 128. Available since 2.9.18. 
	      </P
></DD
><DT
>max-tcp-per-client</DT
><DD
><P
>	      Maximum number of simultaneous incoming TCP connections allowed per client (remote IP address). Defaults to 0, which means unlimited.
	      </P
></DD
><DT
>query-local-address</DT
><DD
><P
>		Send out local queries from this address. Useful for anycast.
	      </P
></DD
><DT
>query-local-address6</DT
><DD
><P
>		Send out local IPv6 queries from this address. Disabled by default, which also disables
		outgoing IPv6 support. A useful setting is <B
CLASS="COMMAND"
>::0</B
>.
	      </P
></DD
><DT
>quiet</DT
><DD
><P
>		Don't log queries. On by default.
	      </P
></DD
><DT
>remotes-ringbuffer-entries</DT
><DD
><P
>		Number of entries in the remotes ringbuffer, which keeps statistics on who is querying your server. Can be read out using
		<B
CLASS="COMMAND"
>rec_control top-remotes</B
>. Defaults to 0.
	      </P
></DD
><DT
>serve-rfc1918</DT
><DD
><P
>		On by default, this makes the server authoritatively aware of: <TT
CLASS="FILENAME"
>10.in-addr.arpa</TT
>, 
		<TT
CLASS="FILENAME"
>168.192.in-addr.arpa</TT
>, <TT
CLASS="FILENAME"
>16-31.172.in-addr.arpa</TT
>, which saves
		load on the AS112 servers. Individual parts of these zones can still be loaded or forwarded.
	      </P
></DD
><DT
>server-id</DT
><DD
><P
>		The PowerDNS recursor replies to a query for 'id.server' with its hostname, which is useful in clusters. Use this setting to override
		the answer it gives.
	      </P
></DD
><DT
>setgid, setuid</DT
><DD
><P
>		PowerDNS can change its user and group id after binding to its socket. Can be used for better security.
	      </P
></DD
><DT
>socket-dir</DT
><DD
><P
>		Where to store the control socket. This option also works with the controller, <B
CLASS="COMMAND"
>rec_control</B
>.
	      </P
></DD
><DT
>spoof-nearmiss-max</DT
><DD
><P
>		If set to non-zero, PowerDNS will assume it is being spoofed after seeing this many answers with the wrong id. Defaults to 20.
	      </P
></DD
><DT
>trace</DT
><DD
><P
>		If turned on, output impressive heaps of logging. May destroy performance under load.
	      </P
></DD
><DT
>version</DT
><DD
><P
>		Print version of this binary. Useful for checking which version of the PowerDNS recursor is installed on a system. Available since 3.1.5.
	      </P
></DD
><DT
>version-string</DT
><DD
><P
>		By default, PowerDNS replies to the 'version.bind' query with its version number. Security conscious users may wish to override
		the reply PowerDNS issues.
	      </P
></DD
></DL
></DIV
>
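<P
>      The precedence rules at the start of this section (settings come from recursor.conf or from '--' command line options, the
      command line wins, a bare switch means on and '=off' or '=no' means off) and the allow-from setting above are easy to get wrong
      when reviewing a deployment. The following is an added example, not code from the PowerDNS project: a small loader that applies
      those rules to a constructed recursor.conf and then checks whether a given client address would be answered or silently ignored.
      The 'key=value' file format with '#' comments, the RFC 1918 fallback used when allow-from is absent, and the sample
      configuration and client addresses are assumptions made for this illustration.
    </P
>
```python
"""Added example, not code from the PowerDNS project: applies the documented
precedence rules (command line overrides recursor.conf; a bare switch is on,
'=off' or '=no' is off) and evaluates allow-from for a client address.
The file format, the RFC 1918 fallback and the sample config are assumptions."""
import ipaddress
from typing import Dict, List

# Constructed sample recursor.conf: binds one address, answers only private
# networks, drops privileges, chroots and hides the version string.
SAMPLE_CONF = """\
# recursor.conf (constructed sample, not a shipped default)
local-address=192.0.2.53
local-port=53
allow-from=10.0.0.0/8, 192.168.0.0/16, 2001:db8::/32
quiet
daemon=yes
setuid=pdns
setgid=pdns
chroot=/var/empty
max-negative-ttl=3600
spoof-nearmiss-max=20
version-string=not disclosed
"""

ON_VALUES = {"", "on", "yes", "true", "1"}    # a bare switch ("quiet") counts as on
OFF_VALUES = {"off", "no", "false", "0"}

# Assumed fallback when allow-from is absent: the RFC 1918 ranges the manual names.
RFC1918_DEFAULT = "10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16"


def parse_conf(text: str) -> Dict[str, str]:
    """Parse 'key=value' lines; a key without '=' is a switch turned on."""
    settings: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        key, sep, value = line.partition("=")
        settings[key.strip()] = value.strip() if sep else ""
    return settings


def parse_argv(argv: List[str]) -> Dict[str, str]:
    """Parse '--key' and '--key=value' arguments with the same switch rule."""
    settings: Dict[str, str] = {}
    for arg in argv:
        if not arg.startswith("--"):
            raise ValueError(f"unexpected argument: {arg!r}")
        key, sep, value = arg[2:].partition("=")
        settings[key.strip()] = value.strip() if sep else ""
    return settings


def effective_settings(conf_text: str, argv: List[str]) -> Dict[str, str]:
    """Merge file and command line; the command line wins on conflicts."""
    merged = parse_conf(conf_text)
    merged.update(parse_argv(argv))
    return merged


def switch_is_on(settings: Dict[str, str], name: str, default: bool) -> bool:
    """Evaluate a switch such as daemon or quiet, falling back to its default."""
    if name not in settings:
        return default
    value = settings[name].lower()
    if value in ON_VALUES:
        return True
    if value in OFF_VALUES:
        return False
    raise ValueError(f"{name}: unrecognised switch value {value!r}")


def allowed_networks(settings: Dict[str, str]) -> list:
    """allow-from: comma-separated IPv4/IPv6 netmasks permitted to query."""
    raw = settings.get("allow-from", RFC1918_DEFAULT)
    return [ipaddress.ip_network(part.strip(), strict=False)
            for part in raw.split(",") if part.strip()]


def client_allowed(settings: Dict[str, str], client_ip: str) -> bool:
    """True if the client gets an answer; everyone else is ignored, not refused."""
    addr = ipaddress.ip_address(client_ip)
    return any(addr in net for net in allowed_networks(settings))


if __name__ == "__main__":
    # An operator runs the recursor in the foreground on an alternate port for a test.
    cfg = effective_settings(SAMPLE_CONF, ["--daemon=off", "--local-port=5300"])
    print("daemon:", switch_is_on(cfg, "daemon", True))   # False: command line wins
    print("port:", cfg["local-port"])                      # 5300
    for ip in ("10.1.2.3", "203.0.113.7", "2001:db8::1"):
        print(ip, "allowed" if client_allowed(cfg, ip) else "ignored")
```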
      </P
><P
>    </P
></DIV
></DIV
><DIV
CLASS="NAVFOOTER"
><HR
ALIGN="LEFT"
WIDTH="100%"><TABLE
SUMMARY="Footer navigation table"
WIDTH="100%"
BORDER="0"
CELLPADDING="0"
CELLSPACING="0"
><TR
><TD
WIDTH="33%"
ALIGN="left"
VALIGN="top"
><A
HREF="recursion.html"
ACCESSKEY="P"
>Prev</A
></TD
><TD
WIDTH="34%"
ALIGN="center"
VALIGN="top"
><A
HREF="index.html"
ACCESSKEY="H"
>Home</A
></TD
><TD
WIDTH="33%"
ALIGN="right"
VALIGN="top"
><A
HREF="rec-control.html"
ACCESSKEY="N"
>Next</A
></TD
></TR
><TR
><TD
WIDTH="33%"
ALIGN="left"
VALIGN="top"
>Recursion</TD
><TD
WIDTH="34%"
ALIGN="center"
VALIGN="top"
>&nbsp;</TD
><TD
WIDTH="33%"
ALIGN="right"
VALIGN="top"
>Controlling and querying the recursor</TD
></TR
></TABLE
></DIV
></BODY
></HTML
>