D. J. Bernstein
Internet publication
djbdns

How to run an external cache in place of an existing BIND cache, strategy 2

These instructions assume that your network already has a computer using BIND to find addresses of Internet hosts (BIND as a ``DNS cache'') and to publish addresses of your own hosts (BIND as a ``DNS server''). Here is how to use dnscache instead of BIND to find addresses of Internet hosts.

If you have taken the recommended approach of having different computers (or at least different IP addresses) for your DNS caches (listed in /etc/resolv.conf) and your DNS servers (listed in NS records), use strategy 3 instead. Strategy 3 is simpler than strategy 2.

If you can easily change /etc/resolv.conf on all your client machines, use strategy 1 instead. Strategy 2 is more complicated but avoids changing /etc/resolv.conf. If you're an ISP and you've given your cache IP address to thousands of client computers, use strategy 2.

Separating DNS service from DNS caching

For concreteness, let's say you're running BIND on two computers, dns1.panic.mil and dns2.panic.mil, with IP addresses 1.8.7.33 and 1.8.7.55. These computers have two functions: they are DNS caches, listed in /etc/resolv.conf on your client machines, and they are DNS servers, listed in NS records for your zones. Before you upgrade from BIND, you will have to put these two different functions on different IP addresses, as explained here.

1. Allocate two new public IP addresses in your network, let's say 1.8.7.91 and 1.8.7.92.

2. On dns1.panic.mil, as root: Set up 1.8.7.91 as an IP alias. Restart BIND.

3. On dns2.panic.mil, as root: Set up 1.8.7.92 as an IP alias. Change 1.8.7.33 to 1.8.7.91 in the masters lines in named.conf. Restart BIND.

4. On dns1.panic.mil, as root: In your BIND zone files, change the IP address of dns1.panic.mil from 1.8.7.33 to 1.8.7.91, create a new dnscache1.panic.mil name with IP address 1.8.7.33, change the IP address of dns2.panic.mil from 1.8.7.55 to 1.8.7.92, and create a new dnscache2.panic.mil name with IP address 1.8.7.55. Tell BIND to read the new zone files.

5. Contact the .mil parent server to make the same changes in the IP addresses of dns1.panic.mil and dns2.panic.mil.

6. If you have other NS names pointing to BIND (for example, if dns1.panic.mil is also known as dns1.panic.edu), repeat steps 4 and 5 for those names.

7. Wait a few days for the modified DNS records to spread through the Internet.
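A check worth running on your zone files before step 5: confirm that every NS name has been moved off the addresses your clients use as caches in /etc/resolv.conf. This is an added example, not part of djbdns; it assumes a minimal one-record-per-line zone file with explicit owner names, and the zone contents below are constructed to match the before and after states of step 4.

```python
"""Check that NS names in a BIND zone no longer share an address with the DNS caches."""

# Constructed zone fragments (assumption: one record per line, explicit owners).
ZONE_BEFORE = """
$ORIGIN panic.mil.
$TTL 86400
@      IN  NS  dns1.panic.mil.
@      IN  NS  dns2
dns1   IN  A   1.8.7.33
dns2   IN  A   1.8.7.55
"""

ZONE_AFTER = """
$ORIGIN panic.mil.
$TTL 86400
@          IN  NS  dns1.panic.mil.
@          IN  NS  dns2
dns1       IN  A   1.8.7.91
dns2       IN  A   1.8.7.92
dnscache1  IN  A   1.8.7.33
dnscache2  IN  A   1.8.7.55
"""

# Addresses that client machines have in /etc/resolv.conf (the cache function).
CACHE_ADDRESSES = {"1.8.7.33", "1.8.7.55"}


def qualify(name, origin):
    """Turn a zone-file owner or NS target into a fully qualified name ending in '.'."""
    if name == "@":
        return origin
    return name if name.endswith(".") else f"{name}.{origin}"


def parse_zone(text):
    """Return (set of NS target names, {name: set of A addresses}) from a zone fragment."""
    origin, ns_names, a_records = ".", set(), {}
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].strip()        # drop comments and blank lines
        if not line:
            continue
        if line.startswith("$ORIGIN"):
            origin = line.split()[1]
            continue
        if line.startswith("$"):                    # $TTL and other directives
            continue
        fields = line.split()
        idx = next((i for i, f in enumerate(fields[1:], 1) if f in ("A", "NS")), None)
        if idx is None or idx + 1 >= len(fields):   # not an A/NS record, or malformed
            continue
        rtype, rdata = fields[idx], fields[idx + 1]
        if rtype == "NS":
            ns_names.add(qualify(rdata, origin))
        else:
            a_records.setdefault(qualify(fields[0], origin), set()).add(rdata)
    return ns_names, a_records


def cache_server_overlap(zone_text, cache_addresses):
    """Map each NS name that still shares an address with a cache to those addresses."""
    ns_names, a_records = parse_zone(zone_text)
    return {n: a_records.get(n, set()) & set(cache_addresses)
            for n in sorted(ns_names) if a_records.get(n, set()) & set(cache_addresses)}


if __name__ == "__main__":
    print("before:", cache_server_overlap(ZONE_BEFORE, CACHE_ADDRESSES))
    print("after: ", cache_server_overlap(ZONE_AFTER, CACHE_ADDRESSES))
```

An empty result means the server function has left the cache addresses and the parent can safely be told the new NS addresses; a non-empty result names the records step 4 has not yet changed.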

Upgrading the cache

Here's the current situation: dns1.panic.mil and dns2.panic.mil, the names in your NS records, now have the IP addresses 1.8.7.91 and 1.8.7.92, while your client machines still list 1.8.7.33 and 1.8.7.55 (now named dnscache1.panic.mil and dnscache2.panic.mil) in /etc/resolv.conf. BIND is still running on both computers, but the DNS-cache function and the DNS-server function are on different IP addresses. You can now follow the strategy 3 instructions. Those instructions will switch the DNS-cache software from BIND to dnscache, leaving BIND in place as the DNS-server software.