Advantages of dnscache over other caching resolvers

Tony Baechler - BATS bats at
Sun May 3 09:00:47 UTC 2015

Hmm, that's weird.  Of course you're right.  I see that dbndns is in fact in
Trusty.  I must've been looking for djbdns on which dbndns was forked and
didn't find it.  The best way to learn about the advantages is to read DJB's

I especially like the dnscache-run package for the following reasons:

1. It just works.  All you have to do is install it and you can use as your nameserver immediately.  If you want it on 192.168.x.x,
that can be easily done just by touching a file.

2. It's more secure.  While the bind* packages have had many security issues
over the years, some of which are critical including cache poisoning, I am
not aware of djbdns having any such issues.  Someone please correct me if
I'm wrong on this.

3. It's not bloated.  It installs relatively few packages and doesn't use
the libresolv libraries at all.  All code is written from scratch by DJB.

4. It supports arbitrary record types, not just those officially defined, so
it's future-proof.  That mostly applies to tinydns, but applies to dnscache
and the shipped tools as well.

5. There are no complicated config files.  Just go to /etc/sv/dnscache/env
and touch files as necessary.  To change the listening IP address, just type:

echo >IP

To allow other hosts besides to access the resolver, just touch
files with the appropriate prefixes or addresses.  This is all documented on
the above link and in the man pages.  No restart is required.

I also prefer tinydns over other authoritative nameservers.  There is no
need for complex zone files.  Just put all of your records in a single data
file, one record per line.  Here is an example of a typical A record:

You can of course customize the TTL etc as described in the tinydns-data man
page.  Since it supports any record type, adding AAAA records is simple.
Also, the bind9 that ships with Trusty wouldn't accept my SPF txt records,
complaining that I must also have type "SPF" records, even though major
sites like Google don't in fact have type "SPF" records at all.  Obviously
tinydns has no such requirement, but even if it did, the data file suports
it.  Oh, it compiles the data for fast access.

Finally, I really like tinydns-get.  It directly reads data.cdb (the
compiled data) and tells you exactly what will be returned by lookup
requests.  You can have different information returned for different clients
and you can have it dynamically change the data after a certain time has passed.

On 5/1/2015 12:01 AM, Karl Auer wrote:
> On Thu, 2015-04-30 at 23:44 -0700, Tony Baechler - BATS wrote:
>> I would agree.  As far as I can tell, you don't need resolvconf at all
>> unless you're on a laptop or other mobile device.  Like the poster above, I
>> always "chattr +i /etc/resolv.conf" when I get it to a working state that I
>> like.
> It's a pretty ugly solution, but it works. You just need to remember
> you've done it.
>> By the way, there are much better caching nameservers than bind9.  I can't
>> recommend any in particular because everyone is different, but I like
>> dnscache from djbdns (AKA dbndns).  Too bad it seems to no longer be
>> available in Trusty and Jessie.  Others are unbound and I think pdnsd.
> Tell us more. Why are dnscache, unbound and pdnsd better than BIND?
> Specifics please :-)
> I'm pretty sure djbdns is still in Trusty though I have not actually
> installed it:
> kauer at karl:~$ apt-cache search djbdns
> dbndns - Debian fork of djbdns, a collection of Domain Name System tools
> djbdns - a collection of Domain Name System tools
> dnscache-run - djbdns dnscache service
> ...and sundry dependencies on it/them.
> Regards, K.


Tony Baechler, CEO
Baechler Access Technology Support Services
mailto:bats at  <>

More information about the ubuntu-users mailing list