Back to main page

FREQUENTLY ASKED QUESTIONS

INDEX

1. I'm using an older version of MaraDNS

2. How do I try out MaraDNS?

3. What license is MaraDNS released under?

4. How do I report bugs in MaraDNS?

5. Some of the postings to the mailing list do not talk about MaraDNS!

6. How do I get off the mailing list?

7. How do I set up reverse DNS on MaraDNS?

8. I am on a slow network, and MaraDNS can not process recursive queries

9. When I try to run MaraDNS, I get a cryptic error message.

10. After I start MaraDNS, I can not see the process when I run netstat -na

11. What string library does MaraDNS use?

12. Why does MaraDNS use a multi-threaded model?

13. I feel that XXX feature should be added to MaraDNS

14. I feel that MaraDNS should use another documentation format

15. Is there any process I need to follow to add a patch to MaraDNS?

16. Can MaraDNS act as a primary nameserver?

17. Can MaraDNS act as a secondary nameserver?

18. What is the difference between an authoritative and a recursive DNS server?

19. The getzone client isn't allowing me to add certain hostnames to my zone

20. Is MaraDNS portable?

21. Can I use MaraDNS in Windows?

22. MaraDNS freezes up after being used for a while

23. What kind of Python integration does MaraDNS have

24. Doesn't "kvar" mean "four" in Esperanto?

25. How scalable is MaraDNS?

26. I am having problems setting upstream_servers

27. Why doesn't the MaraDNS.org web page validate?

28. How do MX records work?

29. Does MaraDNS have support for SPF?

30. I'm having problems resolving CNAMES I have set up.

31. I have a NS delegation, and MaraDNS is doing strange things.

32. I am transferring a zone from another server, but the NS records are these strange "synth-ip" records.

33. Where is the root.hints file?

34. Are there any plans to use autoconf to build MaraDNS?

35. How do I change the compiler or compile-time flags with MaraDNS' build process?

36. Will you make a package for the particular Linux distribution I am using?

37. I am using the native Windows port of MaraDNS, and some features are not working.

38. MaraDNS isn't starting up

39. You make a lot of releases of MaraDNS; at our ISP/IT department, updating software is non-trivial.

40. I have star records in my zones, and am having problems with NXDOMAINs/IPV6 resolution

41. I have a zone with only SOA/NS records, and the zone is not working.

42. I am having problems registering my domain with AFNIC (the registrar for .fr domains)

43. I can't see the full answers for subdomains I have delegated

44. MaraDNS 1 has a problem resolving a domain

45. MaraDNS 1.2 has issues with NXDOMAINS and case sensitivity.

46. Can MaraDNS offer protection from phishing and malicious sites?

47. Does maradns support star (wildcard) records?

48. I'm having problems using MaraDNS with some *NIX command line applications like telnet

49. My virus scanner reports that MaraDNS or Deadwood has a virus

50. I can not subscribe to the MaraDNS mailing list

51. How does MaraDNS respond to EDNS (RFC2671) packets?

52. How to I get MaraDNS to always give the same IP to all DNS queries?

53. Why did you change MaraDNS' tagline?

54. How do you stop MaraDNS from taking part in a distributed denial-of-service attack?

55. What about DNS-over-TCP?

56. How do I use MaraDNS with systemd?

57. Why doesn't MaraDNS use IP_FREEBIND?

58. Is there a web interface for MaraDNS?

59. What does the message “don’t forget the trailing dot” mean?

60. Does MaraDNS support newer top level domains?

ANSWERS

1. I'm using an older version of MaraDNS

Upgrade to MaraDNS 2.0. Here is an upgrade guide.

MaraDNS 1.4 is only supported for critical security updates; this support is being phased out and MaraDNS 1 will no longer be supported on June 21, 2015.

2. How do I try out MaraDNS?

Read the quick start guide, which is the file named 0QuickStart in the MaraDNS distribution.

3. What license is MaraDNS released under?

MaraDNS is released with the following two-clause BSD-type license:
Copyright (c) 2002-2015 Sam Trenholme and others

TERMS

Redistribution and use in source and binary forms, with or without modification, are permitted provided that the following conditions are met:

1. Redistributions of source code must retain the above copyright notice, this list of conditions and the following disclaimer.

2. Redistributions in binary form must reproduce the above copyright notice, this list of conditions and the following disclaimer in the documentation and/or other materials provided with the distribution.

This software is provided 'as is' with no guarantees of correctness or fitness for purpose.

4. How do I report bugs in MaraDNS?

Post your bug report as a Github issue.

5. Some of the postings to the mailing list do not talk about MaraDNS!

As of September 2013, the mailing list has become moderated and only postings on the mailing list are relevant MaraDNS announcements.

6. How do I get off the mailing list?

Send an email to list-unsubscribe@maradns.org, or an email to list-request@maradns.org with "unsubscribe" as the subject line.

The mailing list will send you an email confirming the unsubscribe request; this email needs to be replied to in order to get off the list.

7. How do I set up reverse DNS on MaraDNS?

Reverse DNS (sometimes called "reverse mapping") is set up by using PTR (pointer) records. For example, the PTR record which performs the reverse DNS lookup for the ip 10.2.3.4 looks like this in a CSV2 zone file:
4.3.2.10.in-addr.arpa. PTR www.example.com.

It is also possible to use a special "FQDN4" which automatically sets up the reverse mapping of a given record:

www.example.com. FQDN4 10.2.3.4
If you wish to have a PTR (reverse DNS lookup; getting a DNS name from a numeric IP) record work on the internet at large, it is not a simple matter of just adding a record like this to a MaraDNS zonefile. One also needs control of the appropriate in-addr.arpa. domain.

While it could make logical sense to contact the IP 10.11.12.13 when trying to get the reverse DNS lookup (fully qualified domain name) for a given IP, DNS servers don't do this. DNS server, instead, contact the root DNS servers for a given in-addr.arpa name to get the reverse DNS lookup, just like they do with any other record type.

When an internet service provider is given a block of IPs, they are also given control of the DNS zones which allow them to control reverse DNS lookups for those IPs. While it is possible to obtain a domain and run a DNS server without the knowledge or intervention of an ISP, being able to control reverse DNS lookups for those IPs requires ISP intervention.

8. I am on a slow network, and Deadwood can not process recursive queries

Deadwood, by default, only waits two seconds for a reply from a remote DNS server. This default can be increased by adding a line like this in the mararc file: 
timeout_seconds = 5
Note that making this too high will slow MaraDNS down when DNS servers are down, which is, alas, all too common on today's internet.

9. When I try to run MaraDNS, I get a cryptic error message.

There is usually some context of where there is a syntax error in a data file before the cryptic error message. For example, when there is a syntax error in a csv2 zone file, MaraDNS will tell you exactly at what point it had to terminate parsing of the zone file.

If MaraDNS does return a cryptic error message without letting you know what is wrong, let us know in a Github issue so that we can fix the bug. MaraDNS is designed to be easy to use; cryptic error messages go against this spirit.

10. After I start MaraDNS, I can not see the process when I run netstat -na

Udp services do not have a prominent "LISTEN" when netstat is run.

When MaraDNS is up, the relevant line in the netstat output looks like this: udp 0 0 127.0.0.1:53 0.0.0.0:*

While on the topic of netstat, if you run netstat -nap as root on Linux and some other *nix operating systems, you can see the names of the processes which are providing internet services.

11. What string library does MaraDNS use?

MaraDNS uses its own string library, which is called the "js_string" library. Man pages for most of the functions in the js_string library are in the folder doc/man of the MaraDNS distribution

12. Why does MaraDNS use a multi-threaded model?

MaraDNS 2.0 no longer uses threads.

It took me three years to rewrite MaraDNS' recursive resolver as a separate non-threaded daemon. This has been done, and now all recursion is done with Deadwood which does not need threads.

13. I feel that XXX feature should be added to MaraDNS

There are no plans to add new features to MaraDNS or Deadwood at this time.

14. I feel that MaraDNS should use another documentation format

The reason that MaraDNS uses its own documentation format is to satisfy both the needs of translators to have a unified document format and my own need to use a documentation format that is simple enough to be readily understood and which I can add features on an as needed basis.

The documentation format is essentially simplified HTML with some special tags added to meet MaraDNS' special needs.

This gives me more flexibility to adapt the documentation format to changing needs. For example, when someone pointed out that it's not a good idea to have man pages with hi-bit characters, it was a simple matter to add a new HIBIT tag which allows man pages to be without hi-bit characters, and other document formats to retain hi-bit characters.

Having a given program have its own documentation format is not without precedent; Perl uses its own "pod" documentation format.

15. Is there any process I need to follow to add a patch to MaraDNS?

I no longer accept third party patches

16. Can MaraDNS act as a primary nameserver?

Yes.

The zoneserver program serves zones so that other DNS servers can be secondaries for zones which MaraDNS serves. This is a separate program from the maradns server, which processes authoritative UDP DNS queries, and Deadwood which processes recursive DNS queries.

See the DNS master document in the MaraDNS tutorial for details.

17. Can MaraDNS act as a secondary nameserver?

Yes.

Please read the DNS slave document, which is part of the MaraDNS tutorial.

18. What is the difference between an authoritative and a recursive DNS server?

A recursive DNS server is a DNS server that is able to contact other DNS servers in order to resolve a given domain name label. This is the kind of DNS server one points to in /etc/resolv.conf. MaraDNS uses the Deadwood daemon to process recursive DNS queries.

An authoritative DNS server is a DNS server that a recursive server contacts in order to find out the answer to a given DNS query. The maradns daemon processes authoritative DNS queries.

19. The fetchzone client isn't allowing me to add certain hostnames to my zone

For security reasons, MaraDNS' fetchzone client does not add records which are not part of the zone in question. For example, if someone has a zone for example.com, and this record in the zone:

1.1.1.10.in-addr.arpa. PTR dns.example.com.

MaraDNS will not add the record, since the record is out-of-bailiwick. In other words, it is a host name that does not end in .example.com.

There are two workarounds for this issue:

20. Is MaraDNS portable?

MaraDNS is developed in CentOS 6 and Windows 7. MaraDNS may or may not compile and run on other systems.

21. Can I use MaraDNS in Windows?

Yes. There is both a partial mingw32 (native win32 binary) port and a full Cygwin port of MaraDNS; both of these ports are part of the native build of MaraDNS. Deadwood has full Windows support, including the ability to run as a service.

22. MaraDNS freezes up after being used for a while

If using your ISP's name servers or some other name servers which are not, in fact, root name servers, please make sure that you are using the upstream_servers dictionary variable instead of the root_servers dictionary variable.

If you still see MaraDNS freeze up after making this correction, please send a bug report as a Github issue.

23. What kind of Python integration does MaraDNS have

The mararc file uses the same syntax that Python uses; in fact, Python can parse a properly formatted mararc file.

There is no other integration with Python.

24. Doesn't "kvar" mean "four" in Esperanto?

Indeed, it does. However the use of "kvar" in the MaraDNS source code only coincidentally is an Esperanto word. "kvar" is short for "Kiwi variable"; a lot of the parsing code comes from the code used in the Kiwi spam filter project.

25. How scalable is MaraDNS?

MaraDNS is optimized for serving a small number of domains as quickly as possible. That said, MaraDNS is remarkably efficnent for serving a large number of domains, as long as the server MaraDNS is on has the memory to fit all of the domains, and as long as the startup time for loading a large number of domains can be worked around.

The "big-O" or "theta" growth rates for various MaraDNS functions are as follows, where N is the number of authoritative host names being served: 

Startup time                            N
Memory usage                            N
Processing incoming DNS requests        1

As can be seen, MaraDNS will process 1 or 100000 domains in the same amount of time, once the domain names are loaded in to memory.

26. I am having problems setting upstream_servers

upstream_servers is only supported by Deadwood, and is no longer supported in MaraDNS 2.0. The upstream_servers dwood3rc variable is set thusly:
upstream_servers["."] = "10.3.28.79, 10.2.19.83"
Note the ["."].

Note that the upstream_servers variable needs to be initialized before being used via upstream_servers = {} (the reason for this is so that a dwood3rc file has 100% Python-compatible syntax). A complete dwood3rc file that uses upstream_servers may look like this: 

ipv4_bind_addresses = "127.0.0.1"
chroot_dir = "/etc/maradns"
recursive_acl = "127.0.0.1/8"
upstream_servers = {}
upstream_servers["."] = "10.1.2.3, 10.2.4.6"

27. Why doesn't the MaraDNS.org web page validate?

HTML pages on the MaraDNS.org web site should validate as HTML 4.0 Transitional. However, the CSS will not validate.

I have designed MaraDNS' web page to be usable and as attractive as possible in any major browser released in the last ten years. Cross-browser support is more important than strict W3 validation. The reason why the CSS does not validate is because I need a way to make sure there is always a scrollbar on the web page, even if the content is not big enough to merit one; this is to avoid the content jumping from page to page. There is no standard CSS tag that lets me do this. I'm using a non-standard tag to enable this in Gecko (Firefox's rendering engine); this is enabled by default in Trident (Internet Explorer's rendering engine). The standards are deficient and blind adherence to them would result in an inferior web site.

There are also two validation warnings generated by redefinitions which are needed as part of the CSS filters used to make the site attractive on older browsers with limited CSS support.

On a related note, the reason why I use tables instead of CSS for some of the layout is because Microsoft Internet Explorer 6 and other browsers do not have support for the max-width CSS property. Without this property, the web page will not scale down correctly without using tables. Additionally, tables allow a reasonably attractive header in browsers without CSS support.

28. How do MX records work?

How MX records work: As an aside, do not have MX records point to CNAMEs.

29. Does MaraDNS have support for SPF?

SPF, or sender policy framework, is method of using DNS that makes it more difficult to forge email. MaraDNS has full support for SPF, both via TXT records and RFC4408 SPF records.

SPF configuration is beyond the scope of MaraDNS' documentation. However, at the time this FAQ entry was last updated (July, 2013), information and documentation concerning SPF is available at http://openspf.org. The BIND examples will work in MaraDNS csv2 zone files as long as the double quotes (") are replaced by single quotes ('). For example, a SPF TXT record that looks like example.net. IN TXT "v=spf1 +mx a:colo.example.com/28 -all" in a BIND zone file will look like example.net. TXT 'v=spf1 +mx a:colo.example.com/28 -all' in a MaraDNS zone file. MaraDNS can also make the corresponding SPF record, which will have the syntax example.net. SPF 'v=spf1 +mx a:colo.example.com/28 -all'.

Use '\x7e' to put a tilde ("~" character) in a SPF record:

example.com. SPF 'v=spf1 +mx a:colo.example.com/28 '\x7e'all'

30. I'm having problems resolving CNAMES I have set up.

This is probably because you have set up what MaraDNS calls a dangling CNAME record.

Let us suppose we have a CNAME record without an A record in the local DNS server's database, such as: 

	google.example.com. CNAME www.google.com.

This record, which is a CNAME record for "google.example.com", points to "www.google.com". Some DNS servers will recursively look up www.google.com, and render the above record like this: 

	google.example.com. CNAME www.google.com.
	www.google.com. A 66.102.7.104

For security reasons, MaraDNS doesn't do this. Instead, MaraDNS will simply output: 

	google.example.com. CNAME www.google.com.
Some stub resolvers will be unable to resolve google.example.com as a consequence.

If you set up MaraDNS to resolve CNAMEs thusly, you will get a warning in your logs about having a dangling CNAME record.

If you want to remove these warnings, add the following to your mararc file: 

	no_cname_warnings = 1

Information about how to get MaraDNS to resolve dangling CNAME records is in the tutorial file dangling.html

31. I have a NS delegation, and MaraDNS is doing strange things.

This is only an issue in MaraDNS 1.4. MaraDNS 2.0 does not allow the same IP to both authoritatively and recursively resolve records.

32. I am transferring a zone from another server, but the NS records are these strange "synth-ip" records.

MaraDNS expects, in csv2 zone files, for all delegation NS records to be between the SOA record and the first non-NS record.

If a zone looks like this: 

example.net. +600 soa ns1.example.net. 
hostmaster@example.net 10 10800 3600 604800 1080
example.net. +600 mx 10 mail.example.net.
example.net. +600 a 10.2.3.5
example.net. +600 ns ns1.example.net.
example.net. +600 ns ns3.example.net.
mail.example.net. +600 a 10.2.3.7
www.example.net. +600 a 10.2.3.11
Then the NS records will be "synth-ip" records.

The zone should look like this: 

example.net. +600 soa ns1.example.net. 
hostmaster@example.net 10 10800 3600 604800 1080
example.net. +600 ns ns1.example.net.
example.net. +600 ns ns3.example.net.
example.net. +600 mx 10 mail.example.net.
example.net. +600 a 10.2.3.5
mail.example.net. +600 a 10.2.3.7
www.example.net. +600 a 10.2.3.11
This will remove the "synth-ip" records.

To automate this process, this awk script is useful: 

fetchzone whatever.zone.foo 10.1.2.3 | awk '
{if($3 ~ /ns/ || $3 ~ /soa/){print}
else{a = a "\n" $0}}
END{print a}' > zonefile.csv2
Replace "whatever.zone.foo" with the name of the zone you are fetchin 10.1.2.3 with the IP address of the DNS master, and zonefile.csv2 with the name of the zone file MaraDNS loads.

33. Where is the root.hints file?

MaraDNS (actually, Deadwood), unlike BIND, does not need a complicated root.hints file in order to have custom root servers. In order to change the root.hints file, add something like this to your dwood3rc file: 
root_servers["."] =  "131.161.247.232,"
root_servers["."] += "208.185.249.250,"
root_servers["."] += "66.227.42.140,"
root_servers["."] += "66.227.42.149,"
root_servers["."] += "65.243.92.254"
Note that there is no "+=" in the first line, and the last line does not have a comma at the end. Read the recursive tutorial document for more information.

34. Are there any plans to use autoconf to build MaraDNS?

No.

In more detail, MaraDNS does not use autoconf for the following reasons:

This leads us to the next question:

35. How do I change the compiler or compile-time flags with MaraDNS' build process?

To change the compiler used by MaraDNS: Changing compile-time flags is a similar process:

36. Will you make a package for the particular Linux distribution I am using?

No.

There is, however, a CentOS 5-compatible RPM spec file in the build directory.

37. I am using the native Windows port of MaraDNS, and some features are not working.

Since Windows 32 does not have some features that *NIX OSes have, the native Windows port does not have all of the features of the *NIX version of MaraDNS. In particular, the following features are disabled: If any of the above features are desired, try compiling MaraDNS using Cygwin. Note that the Cygwin port of MaraDNS does not have ipv6 support, and that while chroot_dir works in Cygwin, it does not have the security that the *NIX chroot() call has.

38. MaraDNS isn't starting up

This is usually caused by a syntax error in one's mararc file, or by another MaraDNS process already running. To see what is happening, look at your system log (/var/log/messages in Centos 3) to see what errors MaraDNS reports. If you do not know how to look at a system log, you can also invoke MaraDNS from the command line as root; any errors will be visible when starting MaraDNS.

39. You make a lot of releases of MaraDNS; at our ISP/IT department, updating software is non-trivial.

Regularly updating software is required to keep something as complicated as a DNS server secure; there is not a DNS server out there so secure that it never needs to be updated.

Since MaraDNS is finished, updates usually only happen about once a year.

The last security bug which required a MaraDNS update was made before January 30, 2015.

40. I have star records in my zones, and am having problems with NXDOMAINs/IPV6 resolution

This was a bug in MaraDNS 1.2 which has long since been fixed.

41. I have a zone with only SOA/NS records, and the zone is not working.

MaraDNS 1.2 had a bug where it did not correctly process zones without any "normal" records. Upgrade to MaraDNS 2.0.

42. I am having problems registering my domain with AFNIC (the registrar for .fr domains)

Because of an issue with AFNIC (who, annoyingly enough, check the RA bit when registering a domain), in order to register a domain with AFNIC using MaraDNS as your DNS server, the following steps need to be followed: If one wishes to both register domains with AFNIC and use MaraDNS 1.4 as a recursive DNS server, it is required to have the recursive server be a separate instance of MaraDNS on a separate IP. It is not possible to have the same DNS server both send DNS packets in a way that both makes AFNIC happy and allows recursive queries.

Note also: AFNIC gives warnings about reverse DNS lookups; more information about this issue can be found in the FAQ entry about reverse DNS mappings (question 7). In addition, AFNIC requires DNS-over-TCP to work; information on configuring MaraDNS to have this can be found in the DNS-over-TCP tutorial.

43. I can't see the full answers for subdomains I have delegated

To have the subdomains be visible to MaraDNS 1.4 recursive nameservers, add the following to your mararc file:

recurse_delegation = 1

44. MaraDNS 1 has a problem resolving a domain

This issue should be fixed in MaraDNS 2.0.

Here's what happening: I have rewritten the recursive resolver for MaraDNS. The old code was always designed to be a placeholder until I wrote a new recursive resolver.

The new recursive resolver is called "Deadwood"; right now it's fully functional and part of MaraDNS 2.0. More information is here:

http://maradns.blogspot.com/search/label/Deadwood

http://maradns.samiam.org/deadwood/

Since the old recursive code is a bit difficult to maintain, and since I in the process of rewriting the recursive code, my rule is that I will only resolve security issues with MaraDNS 1.0's recursive resolver.

45. MaraDNS 1.2 had issues with NXDOMAINS and case sensitivity.

There was a known bug in MaraDNS 1.2.12 where, should a client ask for a non-existent record in all caps, MaraDNS 1.2.12 will return a NXDOMAIN instead of a "not there" reply. Upgrade to 2.0.

46. Can MaraDNS offer protection from phishing and malicious sites?

Deadwood can block up to about 20,000 domains. More details are in the Deadwood FAQ.

47. Does maradns support star (wildcard) records?

Yes.

MaraDNS supports both having stars at the beginning of records and the end of records. For example, to have anything.example.com. have the IP 10.1.2.3, add this line to the zone file for example.com:

*.example.com. A 10.1.2.3

To have stars at the end of records, csv2_default_zonefile has to be set. The mararc parameter bind_star_handling affects how star records are handled. More information is in the mararc man page.

48. I'm having problems using MaraDNS with some *NIX command line applications like telnet.

Some *NIX command line networking applications, such as telnet and ssh, try to do either a reverse DNS lookup (IP-to-host name conversion) or an IPv6 lookup. This slows things down and sometimes causes the applications to not work at all.

For people who do not need IPv6 lookups, add the following line to one's mararc file to have MaraDNS respond to all IPv6 lookups with a bogus "not found" reply:

reject_aaaa = 1

If knowing the hostname a given IP has isn't important, these kinds of lookups can also be disabled:

reject_ptr = 1

49. My virus scanner reports that MaraDNS or Deadwood has a virus

This can be caused either by a poorly written anti-virus program reporting a false positive, or because a virus on your system has infected your copy of MaraDNS/Deadwood.

Please use GPG to verify that the file which your scanner reports having a virus in has not been altered. In addition, please scan the file with AVG (free for non-commercial use) to verify your virus scanner has not reported a false positive.

If you have verified the GPG signature of the program and AVG reports a virus, please let us know with a Github issue. Otherwise, please use a better virus scanner and make sure there are no viruses on your computer.

50. I can not subscribe to the MaraDNS mailing list

Please note that the mailing list is no longer used to handle MaraDNS support requests. Please file a Github issue at https://github.com/samboy/MaraDNS/issues to file a MaraDNS bug report.

The procedure for subscribing to the mailing list is as follows:

If you get an email from list-request@maradns.org with the subject "The results of your email commands", you did not correctly send an email to list-request@maradns.org with the subject "Subscribe".

If you do not get the email from list-request@maradns.org asking you for a confirmation, ensure that this email is not in your "spam" or "junk mail" folder. If you are unable to get these emails at your email address, please get a gmail email account, which can successfully subscribe to the MaraDNS mailing list. Note that subscription confirmation emails may be in Gmail's "promotions" tab.

51. How does MaraDNS respond to EDNS (RFC2671) packets?

MaraDNS 2 (both the authoritative maradns server and the recursive Deadwood server) responds to EDNS packets by ignoring the OPT record and acting as if it the packet did not have an OPT record.

MicroDNS (available in the tools/misc directory of any MaraDNS 2 release) responds to EDNS queries the same way Deadwood 2.9.03 did: By giving back "NOTIMPL" instead of answering the query with the default IP. NanoDNS, in the interest of minimizing code side, responds to EDNS requests by returning NOTIMPL in the header, giving the OPT query in the AN section of the response, and giving the default IP in the AR section of the DNS reply packet.

52. How to I get MaraDNS to always give the same IP to all DNS queries?

There are three ways to have MaraDNS always give the same IP in reply to any DNS query given to it: 
/*Placed in the public domain by Sam Trenholme*/
#include <arpa/inet.h>
#include <string.h>
#include <stdint.h>
#define Z struct sockaddr
#define Y sizeof(d)
int main(int a,char **b){uint32_t i;char q[512]
,p[17]="\xc0\f\0\x01\0\x01\0\0\0\0\0\x04";if(a>
1){struct sockaddr_in d;socklen_t f=511;bzero(&
d,Y);a=socket(AF_INET,SOCK_DGRAM,0);*((uint32_t
*)(p+12))=inet_addr(b[1]);d.sin_family=AF_INET;
d.sin_port=htons(53);bind(a,(Z*)&d,Y);for(;;){i
=recvfrom(a,q,255,0,(Z*)&d,&f);if(i>9&&q[2]>=0)
{q[2]|=128;q[11]?q[3]|=4:1;q[7]++;memcpy(q+i,p,
16);sendto(a,q,i+16,0,(Z*)&d,Y);}}}return 0;}
NanoDNS takes one argument: The IP we return. This program binds to all IP addresses a given machine has on the UDP DNS port (port 53). For example, to make a DNS server that binds to all IPs your system has and return the IP 10.11.12.13 to any UDP DNS queries sent to it, compile the above C program, call it NanoDNS, and invoke it with NanoDNS 10.11.12.13 Note that NanoDNS does not daemonize, nor log anything, nor have any other space-wasting features.

Why did you change MaraDNS' tagline?

I have changed MaraDNS' tagline from "MaraDNS: A security-aware DNS server" to "MaraDNS: A small open-source DNS server" because MaraDNS does not support DNSSEC. I have blogged about this:
http://samiam.org/blog/20120326.html

How do you stop MaraDNS from taking part in a distributed denial-of-service attack?

While I do not have time to implement rate limiting, CentOS 6 does support response rate limiting at the firewall level. The following iptables commands allow a given IP to only send MaraDNS/Deadwood 20 DNS queries every four seconds:

iptables -A INPUT -p udp --dport 53 -m state --state NEW -m recent --set --name DDOS --rsource

iptables -A INPUT -p udp --dport 53 -m state --state NEW -m recent --update --seconds 4 --hitcount 20 --name DDOS --rsource -j DROP

To verify they are applied:

iptables --list

To save these commands in CentOS so they are applied at system boot time:

iptables-save > /etc/sysconfig/iptables

Disclaimer

These incantations work in CentOS 6 but may or may not work in other versions of Linux. I do not support non-CentOS6 Linux installs of MaraDNS.

What about DNS-over-TCP?

For people who want DNS-over-TCP, instructions are in the DNS-over-TCP tutorial. Note that Windows users will have to use Cygwin to have DNS-over-TCP.

However, DNS-over-TCP is not necessary. DNS-over-TCP is optional as per section 6.1.3.2 of RFC1123; any program or web service that considers no DNS-over-TCP an error is not RFC-compliant.

Not having DNS-over-TCP is more secure, because it gives attackers a smaller surface to attack.

How do I use MaraDNS with systemd?

While I like systemd, it is not part of CentOS 6 nor, obviously, Windows 7. That in mind, I have no plans to support systemd until 2017, when I plan to update MaraDNS' supported operating systems.

However, Tomasz Torcz has kindly made some systemd files for MaraDNS, which people are free to use.

As an aside, I do not like the fact that Debian will probably not make systemd the default init; I do not think this kind of fragmentation is good for Linux.

Why doesn't MaraDNS use IP_FREEBIND?

IP_FREEBIND is a non-POSIX Linux-specific extension to POSIX's netinet/in.h, and, as such, has no place in MaraDNS' code. MaraDNS strives to use POSIX-compliant calls so that it can compile on as many systems as possible.

When I say that Windows 7 and CentOS 6 are the only supported operating systems for MaraDNS, this does not mean that MaraDNS will not compile and run on other systems; it merely means that I can not provide support for Github bug reports for people who want to run MaraDNS in Minix, one of the open-source BSD variants, or what not.

Is there a web interface for MaraDNS?

The Kloxo-MR control panel has MaraDNS support.

What does the message “don’t forget the trailing dot” mean?

It means to not forget the tailing dot.

Hostnames in zone files need to be properly terminated; if a hostname is in the form “foo.example.com”, this name will not parse and return an error with a note to not forget the trailing dot.

To fix this, put a trailing dot at the end of the hostname, so it looks like “foo.example.com.” (observe that dot at the end) instead of “foo.example.com”

Does MaraDNS support newer top level domains?

MaraDNS does not impose any limitations on the top level domain used in zone files and other places, as is fully compatible with newer top level domains like “today.”

Note that, if using an internationalized domain name, it needs to be translated in to Punycode first. For example, if using the domain name “ñ.com.”, it needs to be in the form “xn--ida.com.” in MaraDNS’ mararc and zone files.