-rw-r--r-- man/resolved.conf.xml 20
1 files changed, 7 insertions, 13 deletions
diff --git a/man/resolved.conf.xml b/man/resolved.conf.xml
index 024ad6a9c1..7556c6ff31 100644
--- a/man/resolved.conf.xml
+++ b/man/resolved.conf.xml
@@ -204,19 +204,13 @@
<varlistentry>
<term><varname>Cache=</varname></term>
- <listitem><para>Takes a boolean argument. If "yes" (the default),
- resolving a domain name which already got queried earlier will re-use
- the previous result as long as that is still valid, and thus does not
- need to do an actual network request.</para>
-
- <para>However, local caching slightly increases the chance of a
- successful DNS poisoning attack, and might also be a privacy problem in
- some environments: By measuring the time it takes to resolve a
- particular network name, a user can determine whether any other user on
- the same machine recently visited that name. If either of these is a
- concern, you may disable the local caching. Be aware that this comes at
- a performance cost, which is <emphasis>very</emphasis> high with DNSSEC.
- </para></listitem>
+ <listitem><para>Takes a boolean argument. If "yes" (the default), resolving a domain name which already got
+ queried earlier will return the previous result as long as it is still valid, and thus does not result in a new
+ network request. Be aware that that turning off caching comes at a performance penalty, which is particularly
+ high when DNSSEC is used.</para>
+
+ <para>Note that caching is turned off implicitly if the configured DNS server is on a host-local IP address
+ (such as 127.0.0.1 or ::1), in order to avoid duplicate local caching.</para></listitem>
</varlistentry>
</variablelist>
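Review bot: The added first paragraph has a doubled word in "Be aware that that turning off caching"; drop one "that". The rewrite also deletes the whole paragraph on DNS poisoning and the timing-based privacy concern without a replacement, so a reader who disables Cache= for those reasons no longer finds the rationale in the man page; either keep a one-sentence version of the caveat or say in the commit message why it no longer applies. In the added second paragraph, "host-local IP address (such as 127.0.0.1 or ::1)" leaves open which other addresses count as host-local; stating exactly what is matched would make the implicit cache-off behaviour predictable for administrators running a local forwarder.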