dnscache runs chrooted in the directory specified by the $ROOT environment variable, under the uid and gid specified by the $UID and $GID environment variables.
dnscache listens for incoming UDP packets and TCP connections addressed to port 53 of $IP. Typically $IP is 127.0.0.1, but it can also be an externally accessible IP address. dnscache accepts a packet or connection from IP address 1.2.3.4 if it sees a file named ip/1.2.3.4 or ip/1.2.3 or ip/1.2 or ip/1.
dnscache sends outgoing packets from high ports of $IPSEND. Typically $IPSEND is 0.0.0.0, meaning the machine's primary IP address.
dnscache reads a list of dotted-decimal root server IP addresses, one address per line, from servers/@. It also scans the servers directory for server IP addresses for other domains. If there are addresses listed in servers/corp.local, for example, then dnscache will send queries for anything.corp.local to those addresses, and will not cache records for anything.corp.local from outside servers such as the root servers.
dnscache reads a seed, up to 128 bytes, from standard input, and passes the seed to dns_random_init.
dnscache uses a fixed-size cache, as controlled by the $CACHESIZE environment variable. Roughly 5% of the cache is used for a hash table. The rest is used for cache entries (including 8-byte Y2038-compliant expiration times):
dnscache does not exit when it runs out of space in its cache; it simply removes the oldest entries to make more space.
dnscache does not cache (or pass along) records outside the server's bailiwick; those records could be poisoned. Records for foo.dom, for example, are accepted only from the root servers, the dom servers, and the foo.dom servers.
dnscache does not bypass its cache to obtain glue from the additional section of a response. In particular, it will not use glue outside the server's bailiwick, or glue with TTL 0, or glue that violates other caching policies.
dnscache caches records for at most a week. It interprets TTLs above 2147483647 as 0.
dnscache does not cache SOA records. However, it does use SOA TTLs to determine cache times (up to an hour) for zero-record responses and nonexistent domains.
dnscache tries to prevent local users from snooping on other local users. It handles all queries recursively; it discards inverse queries; it discards zone-transfer requests; and it always uses a TTL of 0 in its responses.
According to RFC 1035, the AA bit ``specifies that the responding name server is an authority for the domain name in question section.'' dnscache is not an authority for any domain names. dnscache never sets the AA bit (except in NXDOMAIN responses, as required by RFC 2308, to work around a common client bug). In contrast, BIND often sets AA for positive responses even when it is not an authority for the domain name.
dnscache handles 1.0.0.127.in-addr.arpa internally, giving it a PTR record of 127.0.0.1.
dnscache handles dotted-decimal domain names internally, giving (e.g.) the domain name 192.48.96.2 an A record of 192.48.96.2.