Domain: maradns.org
Stories and comments across the archive that link to maradns.org.
Comments · 79
-
Re:Thoughts from MaraDNS' implementer
lack of EDNS support is a potential problem
"Potential" being the operative word. Truncated DNS packets still have enough information in them to answer DNS questions, and the only time I've really seen truncated packets is with some of the byzantine DNS packets Yahoo has.
DNSSEC support is critical
But not critical enough for someone to send me the money to make DNSSEC happen with MaraDNS: http://maradns.org/products.html It's really the same problem IPv6 has: All kinds of geeks talk about how great it would be if IPv6 were everywhere, but they don't put out the money for IPv6 to happen more quickly.
It's still possible to resolve domains and surf the web without DNSSEC. I know: MaraDNS 2.0 (Deadwood) is being used to resolve Slashdot.org (and all the other places I go) so I can make this posting. Yes, there are issues with someone with a packet sniffer forging DNS packets on the same network, and I do agree DNSSEC is needed on a larger network with infected machines, and is needed for a DNS server that calls itself secure, but it is working for me right now.
(For sites where forgery is a real problem, such as online banking, I use a special virtual machine and make sure the HTTPS certificate is kosher)
DNS resolvers should not be usable by the world.
Google, OpenDNS, and heck, Level3 disagree with you. That said, I mostly agree: That's why there are no examples in MaraDNS' documentation showing how to make a recursive nameserver globally resolvable, and why it has never been a default configuration in Mara.
Any DNS server that provides recursive DNS ought to not simultaneously provide authoritative DNS from the same service, or from the same IP.
That's the design MaraDNS 2.0 has: I removed the recursion from the "maradns" daemon and completely, from scratch, reimplemented recursion in a separate daemon, which has to run on a separate IP. Not one line of code is shared between the two.
I fully expect any government or corporate grants will go towards DNS server implementations that are more widely used
I understand your sentiment, but, software monoculture is a bad thing and software diversity is a good thing.
When DNS first showed up in the 1980s, there were a number of different implementations. By the time I started MaraDNS 12 years ago, there was only one usable open-source DNS server out there. When I finished MaraDNS, there were five or six (depending on whether Unbound/NSD counts as one or two) different actively maintained significant open-source DNS servers out there. That number has since gone down (none of the djbdns forks came out with a release that fixes CVE-2012-1191). I hope that number continues to be higher than one.
An attitude of "let's only support one DNS server" can return us to the world of a DNS monoculture. EDNS, DNSSEC, and all of these extensions to DNS do not help.
I don't like how CSS, Javascript, and HTML have become such a mess that it requires multi-million dollar grants to keep a browser current, and where Opera finally threw in the towel because they just couldn't keep up with the nonstop update treadmill browsers are on. Dillo doesn't even try to be current (I think they made a mistake trying to support CSS at all, but that's another discussion for another day).
While I disagree with DJB on a lot of things, I understand why he rejected DNSSEC and proposed DNSCURVE: He wanted to keep DNS simple, to keep DNS something that a single talented developer can implement in their spare time.
For better or for worse, DNSSEC won, and now DNS can no longer practically be implemented by a one-man show.
PowerDNS
I agree PowerDNS is a good choice, especially for people who want a database back end, but I'm disappointed it took them over a year to patch CVE-
-
Re:Thoughts from MaraDNS' implementer
I would love to implement DNSSEC for MaraDNS, but, again, it's a case of TANSTAAFL: http://maradns.org/products.html
-
Re:My opinion
I posted about this before and I will probably have to post this again: Where's this alternative to DNS everyone keeps talking about on Slashdot?
If you don't like what the ICANN is doing, (shameless plug) it's pretty easy to download and install an open-source (BSD licensed) recursive DNS server (even on Windows), then use the program to blacklist ICANN's new domains.
If you don't want to use my program, I am sure other DNS servers, such as Unbound and BIND (which usually comes with Linux) have similar capabilities.
-
Re:This story is ...
DNS is really boring today, but let me tell you, between 1999 and 2001, DNS was a much more interesting topic.
Back then, there were two DNS servers out there:
- BIND, which was horribly insecure and one of the more significant causes of remote root access security holes
- DJBDNS, which was and by and large is secure, but had a weird maybe-not-open license and lots of quirks
LWN has a good article from that era to give people an idea how limited choices were with open-source DNS servers. Since then, we got Unbound and NSD, PowerDNS, and (shameless plug warning) MaraDNS (there are also a lot of DNS server projects which never were finished or were abandoned years ago, such as OakDNS, Dents, Posadis, etc.)
The idea behind DNSSEC is that it is, within a margin of error (I'm already awaiting a somewhat pedantic correction from a neckbeard), the HTTPS of DNS: It makes it impossible (cue neckbeard pedantic correction) to spoof a DNS reply. DNS without DNSSEC is like HTTP without HTTPS: There are security issues where an attacker can make someone go to the wrong web site.
(Yes, I am aware of DNScurve. I'm also aware that, like Esperanto, the best idea doesn't always win--or even get implemented in a mainstream DNS server)
(Slashdot: 2001 called and wants its lack of Unicode support back. Why can't I use smart quotes or real em dashes in my replies?)
-
Quick thoughts from a DNS implementer
Really quickly:
- DNScurve, as pointed out above, doesn't do nearly as much as DNSSEC does. In particular, DNScurve still allows "NXDOMAIN redirection" but DNSSEC doesn't. In addition, Bind, NSD, Unbound, and PowerDNS (non-recursive) have DNSSEC support, but there is not a mainstream DNS server out there with DNScurve support.
- djbdns hasn't been updated since 2001 and even the unofficial forks do not have patches for all three CVE security holes in DjbDNS. Since DjbDNS' goal was security, I consider it abandoned until someone makes a fork fixing all of the known security problems.
- There are ways to make blind DNS spoofing almost impossible without needing to add complex cryptography. Crypto, however, is needed when the attacker can watch the DNS packets that the victim sends.
- I would love to implement DNSSEC for MaraDNS, but I would need $50k US to pull it off. I would like to make it a kickstarter project, but I think people would rather just use Unbound/NSD (which, unlike MaraDNS, was funded with a government grant) instead of throwing money my way.
-
Re:Orcale
Look here: MaraDNS. It is a fork of MySQL, incorporates all free available changes from MySQL and makes some improvements.
-
BIND alternatives
Since this is about BIND, let me start the inevitable thread about the BIND alternatives.
BIND is the swiss army knife of DNS servers. It has a lot of features and can do pretty much everything. It's also a big binary and sometimes difficult to configure. CVE
Unbound and NSD are a suite of DNS servers from the same people. One (NSD) puts your web page on the Internet; the other (Unbound) looks for web pages on the Internet. NSD CVE Unbound CVE
PowerDNS (which like Unbound/NSD, is two separate programs) has a lot of flexibility with connecting to databases or what not to resolve a DNS name. Used by Wikimedia, among others. CVE
MaraDNS. I think it's the best one, but my opinion is a little biased. It was once a single program, now two separate programs (like Unbound/BSD and PowerDNS) Easy-to-configure; tiny binary suitable for embedded systems. CVE
DjbDNS. Great tiny two-program DNS suite. Hasn't been updated since 2001 and yes, it has security problems (I'm already taking bets that a follow-up to this post will pretend DjbDNS is magically perfectly secure). Zinq is a currently maintained unofficial fork.
There are many many other DNS servers, both open source and non-open source. Rick Moen has a great list of the open-source ones
-
Re:MaraDNS' Deadwood is immune
I would hardly call calling a single program bundled with MaraDNS before running it the first time a "stupid convoluted hoop", especially when said program is run by the built-in install.bat script and requires no user-interaction to run.
But, hey, if you would rather have CryptGenRandom() in the MaraDNS and Deadwood binary itself, show me the money and we'll talk.
I no longer implement features just because some anonymous identity on the web wants it, but money talks. Please discuss rates with me in private email before paying me.
-
MaraDNS' Deadwood is immune
You know, I knew this issue would come out of the woodwork one day; I went to some bother to have a randomized hash compression function for MaraDNS 2.0's recursive resolver (Deadwood).
From the relevant man page (this part was last updated in September of 2010):
To protect Deadwood from certain possible denial-of-service attacks, it is best if Deadwood's prime number used for hashing elements in the cache is a random 31-bit prime number. The program RandomPrime.c generates a random prime that is placed in the file DwRandPrime.h that is regenerated whenever either the program is compiled or things are cleaned up with make clean. This program uses /dev/urandom for its entropy; the file DwRandPrime.h will not be regenerated on systems without /dev/urandom. [...]
If using a precompiled binary of Deadwood, please ensure that the system has /dev/urandom support (on Windows systems, please ensure that the file with the name secret.txt is generated by the included mkSecretTxt.exe program); Deadwood, at runtime, uses /dev/urandom (secret.txt in Windows) as a hardcoded path to get entropy (along with the timestamp) for the hash algorithm.
Personally, I think this is a pretty obvious attack to think of when designing a hash compression function.
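The man-page excerpt above describes the defence in outline: pick the hash multiplier at build time from /dev/urandom so an attacker cannot precompute names that collide in the cache. The following is an added illustration of that idea, not Deadwood's own code (its RandomPrime.c and DwRandPrime.h are not reproduced on this page). The hash shape, the bucket count of 4096, the function names and the fallback prime used when /dev/urandom is unavailable are all assumptions made for this example.

```c
/*
 * Added example (not MaraDNS/Deadwood source): a cache hash whose multiplier
 * is a random 31-bit prime, mirroring the RandomPrime.c idea from the man page.
 * Everything below the man-page idea (hash shape, bucket count, fallback prime)
 * is an assumption for this demo.
 */
#include <stdint.h>
#include <stdio.h>

/* Deterministic trial division; fast enough for 31-bit candidates. */
int is_prime(uint32_t n) {
    if (n < 2) return 0;
    if (n % 2 == 0) return n == 2;
    for (uint64_t d = 3; d * d <= n; d += 2) {
        if (n % d == 0) return 0;
    }
    return 1;
}

/* Map a 32-bit seed into [2^30, 2^31) and walk up to the next prime.
 * 2^31 - 1 is itself prime, so the walk always terminates inside the range. */
uint32_t next_prime_31(uint32_t seed) {
    uint32_t n = (seed & 0x3fffffffU) | 0x40000000U;
    while (!is_prime(n)) n++;
    return n;
}

/* Read 4 bytes from /dev/urandom. Returns 1 on success, 0 if unavailable
 * (the man page says the header is simply not regenerated in that case). */
int read_urandom(uint32_t *out) {
    FILE *f = fopen("/dev/urandom", "rb");
    if (f == NULL) return 0;
    unsigned char b[4];
    size_t got = fread(b, 1, sizeof b, f);
    fclose(f);
    if (got != sizeof b) return 0;
    *out = (uint32_t)b[0] | ((uint32_t)b[1] << 8) |
           ((uint32_t)b[2] << 16) | ((uint32_t)b[3] << 24);
    return 1;
}

/* Multiplicative string hash, h = h * prime + byte (mod 2^32), then a bucket.
 * salt stands in for the runtime entropy the man page mentions. */
uint32_t bucket(const char *key, uint32_t prime, uint32_t salt, uint32_t nbuckets) {
    uint32_t h = salt;
    for (const unsigned char *p = (const unsigned char *)key; *p; p++) {
        h = h * prime + *p;
    }
    return h % nbuckets;
}

int main(void) {
    uint32_t seed = 0;
    uint32_t prime;
    if (read_urandom(&seed)) {
        prime = next_prime_31(seed);
    } else {
        prime = 1073741827U; /* assumed fallback prime (2^30 + 3) for the demo */
    }
    /* With a fixed, public multiplier such as 31, names can be chosen offline
     * that share a bucket: "Aa" and "BB" both hash to 2112. With a multiplier
     * the attacker cannot know, that precomputation no longer applies. */
    printf("fixed multiplier 31: Aa -> %u, BB -> %u\n",
           bucket("Aa", 31, 0, 4096), bucket("BB", 31, 0, 4096));
    printf("random prime %u: Aa -> %u, BB -> %u\n", prime,
           bucket("Aa", prime, 0, 4096), bucket("BB", prime, 0, 4096));
    return 0;
}
```

The two printed lines make the point of the man page concrete: the collision built against the guessable multiplier is a property of that multiplier, and disappears once the multiplier is secret and chosen per build.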
-
lowendbox.com for the nerds
get a $2.99 a month VPS running whatever flavour of *nix you want. I have two of them. I use one for a proxy (for hulu.com access; I'm in Canada) and my personal websites. The other is for friends and family websites; both are from different providers, both run MaraDNS for redundancy (ns1 and ns2).
-
Re:10 years ago
Your information is out of date; I completely, from scratch, rewrote the recursive code of MaraDNS starting four years ago with far cleaner code.
That code was declared stable over a year ago and looking at its source code won't make you blind.
- Sam
-
Re:10 years ago
Let's not forget Unbound, which may be faster than MaraDNS's 2.0 recursive resolver. Then again, I just got some funding from a sponsor to work on speeding things up. Also, Unbound has DNSSEC -- something MaraDNS doesn't have.
And, of course, there is Power DNS, another excellent DNS server.
Then again, there's something to be said for being able to set things up using only a three-line configuration file and a 64k binary works nice for embedded places like OpenWRT where Unbound and PowerDNS won't fit.
- Sam
-
Re:A word of thanks and a request
Mod parent up!
:)
Seriously, people here love to talk about how the "new economy" makes it possible to remove "artificial scarcity" and make it so everything is free.
What these people ignore is that, even if it costs no money to copy something, it still costs money to create something. There is still, in this "new economy", the very real economics that the majority of content people use (Computer programs, movies, music, television programs, written articles, etc.) is content that would not exist if someone wasn't being paid to make it.
I enjoy reading all of the articles on the New York Times' front page every morning, and understand I soon may need to pay for the privilege of reading the quality journalism and writing the NYT offers.
Now, I'm sure someone will point to open source software and say "Mr. MaraDNS, you don't know about open source software and how this proves that we can have all the compelling content we want for free in the 'new economy'". I will point out to people who think like this that I am, in fact, a developer of open-source software.
People who think open-source software (OSS) makes it possible for all content to be free don't understand how OSS changes the relationship between the developer and the user. A lot of people think an OSS program is like a commercial program, but free, and that they can ask for features or get support for free, and it gets pretty tiring to have people email me asking for free support, even though I make it clear that I don't provide free email support for my program.
The thinking behind OSS is that I donate some of my coding time and effort to the greater community. In return, people are free to contribute bug fixes or improvements to the program, or supply support on the mailing list. For example, someone wanted better IPv6 support, supplied patches, and now MaraDNS has good IPv6 support. Another person wanted better Windows service support, and supplied patches to make MaraDNS' new recursive core be a full Windows service. Other people answer user's questions on the mailing list or translate documentation. Webconquest very generously provides me a free Linux shell account and hosting for the web site.
Likewise, I found an OSS Doom random generator I liked and provided bug fixes and improvements to it; when I lost interest in it, another person became the maintainer and improvements continue to be made even though I no longer work on that code. And, there is a Free Windows Civilization clone for Windows which I have provided a bug fix and extended the documentation with.
OSS doesn't mean we have the right to demand all content be free or are justified in pirating media and software. OSS means that we can, together, make free content which complements the for-pay content out there.
-
Putting closure on a software project is important
Putting closure on a software product is important.
Professional software usually has an EOL schedule. For example, RedHat Enterprise Linux and Windows XP both have EOLs for early 2014. This allows people using the software to plan upgrades and know when they need to be making a transition.
This is equally as important for open-source software. It looks really bad when this is not done. For example, Dan Bernstein's DjbDNS software package has three unpatched security holes. People using this software have to know about these holes and apply third-party patches.
In addition, when the maker of an open-source program says "OK, I'm done with this program.", it allows maintainers to step forward and take over the project. For example, when I announced I would no longer work on a Doom random map generator I had been hacking on for a while, someone expressed interest in maintaining the software, and subsequent updates have since been done.
I think the Apache foundation should either say "OK, we'll still fix security bugs on this program" or "We're no longer maintaining this release". This way, the users of these programs know whether to upgrade, form their own group applying security patches, or just know they're OK from a security perspective if they're current.
I have blogged about putting closure on open-source projects and have well defined EOL dates for older releases of my own MaraDNS.
A lot of open-source projects just languish when the developers lose interest; I feel this is irresponsible and feel EOL dates and putting closure is important.
-
This is a good idea
Over at The Chess Variants page, there used to be a rather prolific inventor named Ralph Betza. Not only was he a very strong Chess player (FIDE master), he also invented dozens of chess variants and was the first person to come up with a lot of innovative Chess Variant pieces.
We haven't heard from him in years. We don't know whether he is alive or dead. It would have been nice if there was some way for his family to inform us who only knew him through the internet about his (possible) death.
Also, as the primary maintainer of an open-source project, I have just given my family the email address of my webmaster so that they can let him know just in case I have an untimely death (no, I have no plans to die; I plan on soon getting married to my fiancée and staying married to her for many decades), in addition to a link to Facebook's deceased form.
This way, should the unspeakable happen and I die, people know about it right away and can figure out who will become the maintainer of my open-source project.
-
Why MaraDNS uses a special zone file format
This is why MaraDNS (my open-source DNS server) uses a special zone file format.
MaraDNS uses a zone file format that, for the most part, resembles BIND zone files. However, the zone file format has some minor differences so the common "Forgot to put a dot at the end of a hostname" and the "forgot to update the SOA serial number" problems do not happen; a domain name without a dot at the end is a syntax error in MaraDNS' zone file parser; if you want to end a hostname with the name of the zone in question, this has to be explicitly specified with a .% at the end of the hostname.
There is also a mechanism for automatically generating SOA records, or having a SOA record where the serial is automatically updated based on the "last write" timestamp for the zone file.
For people who want to use their BIND zonefiles, there is included a Python script that converts a BIND zonefile in to MaraDNS' similar zone file format.
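The rule above is small enough to show in code: a hostname either ends in "." and is taken as written, or ends in ".%" and has the zone name appended; anything else is rejected instead of being silently qualified with the origin the way a BIND-style parser would. What follows is an added illustration of that rule, not MaraDNS' own parser; the function names, return codes and the requirement that the zone itself be written with a trailing dot are assumptions made for this example, and only the two forms the post describes are handled.

```c
/*
 * Added example (not MaraDNS source): apply the "trailing dot or .%" rule
 * from the post to hostnames in a zone file. Names, codes and the constructed
 * sample records are assumptions for this demo.
 */
#include <stdio.h>
#include <string.h>

enum {
    QUALIFY_OK = 0,
    QUALIFY_ERR_NO_DOT = 1,   /* relative name: the mistake the rule is meant to catch */
    QUALIFY_ERR_BAD_ZONE = 2, /* zone name itself is not absolute */
    QUALIFY_ERR_TOO_LONG = 3  /* result would not fit in the caller's buffer */
};

/* Resolve a zone-file hostname against its zone. On success writes the
 * absolute name into out (outlen bytes) and returns QUALIFY_OK; on error
 * returns a code and leaves out untouched. */
int qualify_hostname(const char *name, const char *zone, char *out, size_t outlen) {
    size_t n = strlen(name);
    size_t z = strlen(zone);
    if (z == 0 || zone[z - 1] != '.') return QUALIFY_ERR_BAD_ZONE;
    if (n == 0) return QUALIFY_ERR_NO_DOT;

    /* Case 1: already absolute ("mail.example.com.") - copy through. */
    if (name[n - 1] == '.') {
        if (n + 1 > outlen) return QUALIFY_ERR_TOO_LONG;
        memcpy(out, name, n + 1);
        return QUALIFY_OK;
    }

    /* Case 2: explicit zone reference ("www.%") - drop '%' and append the zone. */
    if (n >= 2 && name[n - 2] == '.' && name[n - 1] == '%') {
        size_t stem = n - 1; /* keeps "www." */
        if (stem + z + 1 > outlen) return QUALIFY_ERR_TOO_LONG;
        memcpy(out, name, stem);
        memcpy(out + stem, zone, z + 1);
        return QUALIFY_OK;
    }

    /* Case 3: relative name. A BIND-style parser would append the origin here
     * and quietly produce e.g. "www.example.com.example.com."; this rule rejects it. */
    return QUALIFY_ERR_NO_DOT;
}

/* Helper: 1 if name qualifies to exactly expected, else 0. */
int qualify_matches(const char *name, const char *zone, const char *expected) {
    char buf[256];
    if (qualify_hostname(name, zone, buf, sizeof buf) != QUALIFY_OK) return 0;
    return strcmp(buf, expected) == 0;
}

/* Helper: just the status code for a name/zone pair. */
int qualify_status(const char *name, const char *zone) {
    char buf[256];
    return qualify_hostname(name, zone, buf, sizeof buf);
}

int main(void) {
    /* Constructed sample records for the zone "example.com." */
    const char *zone = "example.com.";
    const char *names[] = { "www.%", "mail.example.com.", "www.example.com", "ftp" };
    for (size_t i = 0; i < sizeof names / sizeof names[0]; i++) {
        char buf[256];
        int rc = qualify_hostname(names[i], zone, buf, sizeof buf);
        if (rc == QUALIFY_OK)
            printf("%-20s -> %s\n", names[i], buf);
        else
            printf("%-20s -> syntax error (code %d)\n", names[i], rc);
    }
    return 0;
}
```

Running it shows the two accepted spellings resolving to absolute names and the two relative spellings, including the classic missing-dot form "www.example.com", rejected at parse time rather than published as a wrong record.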
-
I can understand why he said these things
While I disagree with the idea that open-source DNS servers are insecure (having written one myself), I can see why he wants to say bad things about Open-source DNS servers.
The bottom line is this: There is no money to be made with DNS. While DNS is something that is essential for the Internet, it's something that is completely free. Bert Hubert tried making money with DNS a few years ago with PowerDNS, but sales were so bad he threw in the towel and GPLd the code around 2002. BIND 9 was, as it turns out, funded with a combination of contributions from UNIX corporations and military funding (for DNSSEC) who wanted to update DNS, but the funding has dried up and the code is BSD-licensed. NSD and Unbound's development were funded with government grants.
DjbDNS was done as an independent project by Bernstein; he stopped working on it in 2001 and the code is really out of date (three unpatched security holes, outdated root servers list, etc). My own MaraDNS is still being actively developed, but at a glacial pace; between my girlfriend, my job, and my other interests, I often have to put it on the back burner.
So, yes, DNS is essential, but it's free and it's really hard to make money with it. Heck, it's hard to get enough goodwill and net-reputation from making a DNS server for me to get a well-paying job in the US working with computers again in today's depression-level tech economy (if you want to hire someone with the expertise to write a DNS server, my resume is online).
So, yeah, I can see why this person resorts to FUD and BS to try and get people to pay more money for DNS. But, the truth is that there are a lot of really good free and open-source DNS servers out there and no need to buy a commercial DNS server.
-
I'm really glad to hear this!
As a long-time CentOS user, I'm really glad to hear this. I've been a bit worried about CentOS (indeed, I recently muttered darkly about maybe moving to Scientific Linux), but it looks like CentOS is working on decentralizing their leadership so we don't get issues like this and the delayed 5.3 release because a key member was getting married.
If people are having problems with yum update, this should fix the issue I saw the other day: yum clean metadata
I would like to use 64-bit CentOS 5 as the primary OS on my 1997 Dell 1420 laptop, but there are a couple of hardware compatibility issues:
- The Alps touchpad driver included with X doesn't support the particular touchpad the 1420 has. This is an issue fixed in newer versions of X, but I'm wondering if anyone has backported the newer Alps touchpad driver to work with CentOS's version of X
- I haven't found a driver for the Intel 3945ABG wireless card I'm happy with; one driver had an issue with crashing unless I pinged the router every second, and I haven't been able to get a newer driver to work
Not a big deal; right now I'm using 32-bit Windows XP Home edition as my primary OS and 32-bit CentOS 5 is in a virtual machine for Linux open-source software development (My DNS server).
-
Questions from a DNS implementor
OK, since Mr. Kaminsky is following this thread, I figured this would be a good place to open up some questions and a discussion between a DNS implementor and Mr. Kaminsky.
Let me introduce myself: My name is Sam Trenholme and I am the implementor of MaraDNS, a recursive and caching DNS server. Right now, I am in the slow process of re-writing the recursive DNS resolver. While MaraDNS has always been as secure as non-DNSSEC can be against Mr. Kaminsky's bug (DJB knew about the problem back in 1999 and I implemented his solution to randomize both the query ID and the source port back in 2001), I am wondering:
How hard is it to implement DNSSEC in my recursive cache? How many RFCs am I going to have to toil over to understand DNSSEC well enough to implement it? About how long will it take me to code MaraDNS to have full DNSSEC support?
I have a bad feeling that DNSSEC is a monster to implement and that we will not see many independent implementations of it; right now BIND and Unbound appear to be the only DNS servers to support it. DjbDNS doesn't support it, of course, and probably never will. My own MaraDNS and PowerDNS also don't support it.
What are your thoughts? Has a reasonable effort been made to make DNSSEC easy to implement?
-
Re:This is an easy one.
I suspect many people don't have a choice. Of the two broadband providers who serve me, all three do this. The local cable company (Charter) turned it on. When their tech support proved unable to even understand my complaint, let alone fix it, I bailed. Months later the new company (TDS Telecom) started doing it. At least their tech support understood me, but they were unable to turn it off. Sure, I can use OpenDNS, or pinch DNS service from elsewhere, but providing functional DNS is a reasonable baseline of service. Welcome to the race to bottom of quality, thanks to the "free" market.
I've been very happy running my own local, caching DNS server. It communicates directly with the root DNS servers, no middleman required. It's also noticeably faster for normal Web browsing because there is less latency when a lookup must be performed and effectively zero latency when a result has already been cached. I've been doing this for years and years, before anyone (to my knowledge anyway) decided that hijacking DNS queries was ever a desirable business practice (it isn't).
What follows is my opinion, though it's an informed one. The only thing I'd strongly recommend is to avoid using BIND. It has a terrible security history, comparable to that of Sendmail, which is fitting since both hail from an era before the Internet was considered a hostile network. The recent rewrite of BIND doesn't seem to have done much to change that. I used to use djbdns but I've switched to maradns and have been extremely satisfied with it. It's small, lean, secure, and generally it does everything I want it to do and nothing that I don't want it to do.
When ISPs overstep their bounds and start hijacking traffic when I have neither asked them to do so nor want them to do so, my answer is simple. Please pardon how I put this, but to them I say "fuck that" and run my own. I'd recommend this approach to anybody, and not just because I believe that relative independence is a virtue.
-
Sounds like a feature request for Deadwood
You know, that's a good feature request for Deadwood, code I'm working on now that will eventually become the next-generation recursive DNS resolver for MaraDNS. Have a feature so that, if we get a given IP over DNS, make the reply a "notthere" reply (It's a bad idea to make it a NXDOMAIN).
MaraDNS is an open-source (BSD licensed) DNS server I've been working on for over eight years; right now I'm re-writing the recursive code. Currently, the rewrite of the recursive code is a tiny (32k) DNS forwarding (non-recursive) cache for both Linux and as a native Windows binary.
My goal is to have full recursion supported by the end of 2009.
-
DNSsec
DNSsec, obviously, is the solution. The problem is the same problem with IPv6: The old way of doing things is so entrenched that it's very hard to make the transition. The other problem is that we're still trying to figure out how to do it correctly; the last time I looked over the specs, DNSsec allowed you to have it so the signing machine didn't have to be online, made it difficult to forge NXDOMAINs ("This host does not exist" DNS messages), but made it trivial to list all of the hosts in a given domain. As an implementer of a somewhat obscure Open-source DNS server, from where I stand I don't like DNSsec, mainly because it's a pain to implement (Don't even get me started on the mess that is the BIND zonefile format; there's a reason DJB was too lazy to implement BIND zonefiles at all). But, yes, considering the number of programs that actually trust a DNS packet (web browsers, cough cough), we need to make these packets secure. - Sam
-
My own DNS implementation was never vulnerable
You know, the ISC should have fixed this issue in 2001. This is an old known issue with DNS and DNS implementors who cared about security were never vulnerable to this particular hole.
I think one of the reasons MaraDNS (my own DNS server) is as good as it is is because I paid attention to DJB's writings. You know, a lot of people don't like DJB and his software is very polarizing. His confrontational behavior towards BIND and Sendmail was, at best, very unprofessional. I also don't like his dishonesty about the security issues both DjbDNS and Qmail have, pretending that these programs have no security problems. That is also fanboy behavior and not behavior a responsible software developer should have. The license was an issue for years, also; when the license was finally made reasonable late 2007 it has been too long to really develop a community of developers around either DjbDNS or Qmail (or Publicfile or...).
That said, he had some good ideas. The idea of randomizing both the query ID and the source port came from DJB and I implemented it in MaraDNS because I took the time to read what he had to say about DNS before implementing MaraDNS.
It is unfortunate that the bad blood between DJB and the BIND developers made it so BIND didn't implement source port randomization back in, say, 2001. It was known and a good idea then; it's essential today.
- Sam
-
Re:Ignore their servers
I'm hoping to take delivery of a WRT54GL for precisely this reason. I can stick maradns on it, which does its own recursion, keeps an in memory cache, and randomizes the source ports of its queries (avoiding the other big DNS security issue that's come up recently.) This will be nicely platform agnostic, so the Win XP box on my home network is saved from being fdisk'ed for another few months..
(Of course, because my ISP uses PPPoA and not PPPoE, I've also had to get a Speedtouch 536, which can relay via PPTP to the WRT54GL. Oh well..)
-
Re:maradns
This is one of the best: http://www.maradns.org/
I considered Mara for our authoritative name server, then decided it has two significant limitations:
- its support for IPv6 was nonexistent at the time, and is still very much limited;
- it uses a non-standard format for zone files, which means that you cannot test it conveniently before committing to switch.
The name server is the one place where you want to deploy IPv6 support as early as possible, since it will be needed as soon as you have a single IPv6 server. As to the zone file format, while RFC 1035 format is not the best format around, it's at least standard and mostly transportable between servers.
-
maradns
This is one of the best: http://www.maradns.org/
-
Re:DJBDNS
MaraDNS is another alternative to BIND, with a security focus;
http://www.maradns.org/ -
Re:So.. if BIND9 sucks.. what is an alternative?
I am using (and like) maradns -- http://www.maradns.org/. The format of the zone file is *much* simpler.
-
Re:OpenDNS is bummed
Yes, you can. (The following explanation is simplified but good enough for resolving purposes.) DNS is a hierarchy. The root servers know the IP addresses of the domain servers for the top level domains. The top level domain servers know the IP addresses of all second level domain servers in their TLD. Almost all of these servers don't do recursive lookups, which means they will only respond to queries for the information in their own domain. That's why you need a recursive resolver. When you ask a recursive resolver for www.slashdot.org, it asks one of the root servers for the address of the .org nameserver. Then it asks the .org nameserver for the address of the slashdot.org nameserver, then it asks the slashdot.org nameserver for the www.slashdot.org address. BTW, all of these responses get cached, so you rarely need to contact the root servers. These lookups each take some time, which is longer if there is a high latency link between the resolver and the nameserver, which is why people on dialup like to use better connected computers to do these lookups for them and return only the final result. But there's no technical reason why you can't request these lookups yourself and with today's networks it is not slow at all. Try it yourself: MaraDNS Windows binary. Run the resolver with run_maradns.bat and set your DNS to 127.0.0.1. That's all there is to it. -
MaraDNS
I've been using MaraDNS quite happily. Never a problem on FreeBSD, Slackware or OS X. The developer is very responsive, and the documentation is very very good, unlike that for some other alternative DNS daemons *cough*tinydns*cough*
The zone syntax and config file structure is worlds ahead of BIND and actually makes setting up DNS fun (no, I'm not kidding. Well-written software is always a pleasure to use). -
Re:Why any different than Linux or MacOS X?
First of all, you can request more than one record at a time - the specification explicitly allows for more than one Question in the message.
If you're a server, what do you set RCODE to if one of the requests returns NXDOMAIN and the other returns a record? What if, instead of NXDOMAIN, you get SERVFAIL?
Having QDCOUNT>1 is ambiguous, and is basically a bug in the RFC. The author of MaraDNS did some research a while ago, and determined that no DNS server really supports it. I quote from doc/en/misc/multiple.qdcount in the MaraDNS distribution:
Neither DjbDNS, BIND, nor MSDNS support queries where QDCOUNT > 1. DjbDNS ignores queries where QDCOUNT > 1. Microsoft DNS server replies with a "format error", and the qdcount is set to the number of questions sent to the server. BIND 8 replies with a "format error", and QDCOUNT is set to zero.
Realistically, DNS servers should probably reply with "not implemented" instead of "format error".
Some discussion of the fact that QDCOUNT > 1 queries are not handled by modern-day DNS servers:
http://www.ietf.org/proceedings/98aug/I-D/draft-ietf-dnsind-edns-03.txt
http://www.vpnc.org/ietf-ipsec/96.ipsec/msg00779.html
http://www.wcug.wwu.edu/lists/ipng/200005/msg00080.html
In summary, the nitty gritty implementation details of handling multiple question queries in a single packet make this difficult to correctly handle.
I'm making the handling of multiple QDCOUNT queries a low priority in MaraDNS.
Of course, it would be possible to update the standards---and every existing DNS implementation---to support QDCOUNT>1 in some specific way, for this purpose, but by the time it's deployed, we probably won't care much about IPv4 compatibility any longer.
-
Re:DJB is laughing this up I'm sure
-
DNS cache poison can be stopped
DNS cache poison can be effectively stopped by using the correct DNS caching program. Basically, it is important to use a strong pseudo-random number generator to determine the DNS query ID. Ideally, we have the same pseudo-random number generator determine the source port of the DNS query.
To the extent of my knowledge, only two recursive DNS servers have this level of DNS poison protection: DjbDNS' dnscache and MaraDNS.
It is also important to have bailiwick protection. Basically, the recursive DNS server needs to look at a DNS reply, and filter out any answers not in the bailiwick. Older DNS servers (and possibly poorly written embedded DNS caches and recursive servers) will get a reply like "www.paypal.com has the ip 10.1.2.3" to the question "what is the ip for www.phisherscum.com?", and incorrectly cache the data for www.paypal.com instead of saying "I didn't ask for paypal.com's ip, so I'll ignore this data as being out of bailiwick".
Additionally, it improves security to restrict which IP addresses are allowed to make remote DNS queries. This is best done at the firewall level (don't allow any UDP connections to port 53 from the internet at large unless you have some domains hosted by the machine in question). This stops malicious servers sending a large number of requests to your dns server for www.paypal.com, and a number of bogus answers "www.paypal.com has the IP of some phishing site in China; remember this until 2007", until one of the answers looks valid and fools your DNS server.
In summary, by using a security aware DNS resolver, you can minimize, if not eliminate, the chances of being vulnerable to bogus DNS data. -
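The three checks discussed on this page, randomizing both the query ID and the UDP source port from a CSPRNG and discarding out-of-bailiwick records (the comment above), plus answering QDCOUNT > 1 with "not implemented" rather than "format error" (the "Re:Why any different than Linux or MacOS X?" comment earlier), as one added Python example. This is not MaraDNS code and not any commenter's; it carries its own minimal RFC 1035 wire-format helpers, and the zone phisherscum.com., the addresses and the smuggled www.paypal.com record are constructed to match the comment's scenario.

```python
import secrets
import struct

# Added example, not MaraDNS or any other project's code. RFC 1035 wire format,
# class IN only; all names, addresses and the zone "phisherscum.com." are constructed.

RCODE_NOTIMP = 4
TYPE_A = 1


def encode_name(name):
    out = b""
    for label in name.rstrip(".").split("."):
        out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"


def decode_name(msg, off):
    """Decode a possibly compressed name; return (name, offset after it)."""
    labels, end, hops = [], None, 0
    while True:
        ln = msg[off]
        if (ln & 0xC0) == 0xC0:                      # compression pointer
            end = off + 2 if end is None else end
            off = struct.unpack("!H", msg[off:off + 2])[0] & 0x3FFF
            hops += 1
            if hops > 64:
                raise ValueError("compression pointer loop")
            continue
        off += 1
        if ln == 0:
            break
        labels.append(msg[off:off + ln].decode("ascii"))
        off += ln
    return ".".join(labels).lower() + ".", (end if end is not None else off)


def parse_message(msg):
    qid, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", msg[:12])
    off, questions, records = 12, [], []
    for _ in range(qd):
        name, off = decode_name(msg, off)
        qtype, qclass = struct.unpack("!HH", msg[off:off + 4])
        questions.append((name, qtype, qclass))
        off += 4
    for _ in range(an + ns + ar):                    # answer + authority + additional
        name, off = decode_name(msg, off)
        rtype, _, ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        records.append((name, rtype, ttl, msg[off + 10:off + 10 + rdlen]))
        off += 10 + rdlen
    return {"id": qid, "flags": flags, "qdcount": qd, "questions": questions, "records": records}


def build_query(qname, qtype=TYPE_A):
    """Resolver side: ID and UDP source port both from the OS CSPRNG, so a blind
    spoofer has to hit roughly 2^16 * 2^16 combinations instead of 2^16."""
    qid = secrets.randbelow(65536)
    sport = 1024 + secrets.randbelow(65536 - 1024)   # assumed ephemeral port range
    hdr = struct.pack("!HHHHHH", qid, 0x0100, 1, 0, 0, 0)   # RD set, QDCOUNT = 1
    return qid, sport, hdr + encode_name(qname) + struct.pack("!HH", qtype, 1)


def build_reply(qid, qname, qtype, records):
    """Answer with flags 0x8180 (QR, RD, RA); every record goes in the answer section."""
    hdr = struct.pack("!HHHHHH", qid, 0x8180, 1, len(records), 0, 0)
    body = encode_name(qname) + struct.pack("!HH", qtype, 1)
    for name, rtype, ttl, rdata in records:
        body += encode_name(name) + struct.pack("!HHIH", rtype, 1, ttl, len(rdata)) + rdata
    return hdr + body


def server_check_query(msg):
    """Server side: None if QDCOUNT == 1, otherwise a NOTIMP (not FORMERR) reply
    with all counts zeroed, as the QDCOUNT comment above suggests."""
    qid, flags, qd, _, _, _ = struct.unpack("!HHHHHH", msg[:12])
    if qd == 1:
        return None
    resp_flags = 0x8000 | (flags & 0x0100) | RCODE_NOTIMP     # QR = 1, copy RD
    return struct.pack("!HHHHHH", qid, resp_flags, 0, 0, 0, 0)


def in_bailiwick(name, zone):
    return name == zone or name.endswith("." + zone)


def accept_reply(reply, sent_id, sent_port, reply_dst_port, qname, qtype, zone):
    """Resolver side: reject a reply whose ID, destination port or question does not
    match what we sent; then drop out-of-bailiwick records. Returns (kept, dropped)."""
    resp = parse_message(reply)
    if resp["id"] != sent_id or reply_dst_port != sent_port:
        return None                                  # forged or stale reply
    if resp["questions"] != [(qname.lower().rstrip(".") + ".", qtype, 1)]:
        return None                                  # answers a different question
    kept = [r for r in resp["records"] if in_bailiwick(r[0], zone)]
    dropped = [r[0] for r in resp["records"] if not in_bailiwick(r[0], zone)]
    return kept, dropped


if __name__ == "__main__":
    qname, zone = "www.phisherscum.com.", "phisherscum.com."
    qid, sport, query = build_query(qname)
    # Constructed reply from phisherscum.com's server that smuggles in a
    # www.paypal.com record, as in the comment above; bailiwick filtering drops it.
    reply = build_reply(qid, qname, TYPE_A, [
        ("www.phisherscum.com.", TYPE_A, 300, bytes([203, 0, 113, 5])),
        ("www.paypal.com.", TYPE_A, 86400, bytes([10, 1, 2, 3]))])
    kept, dropped = accept_reply(reply, qid, sport, sport, qname, TYPE_A, zone)
    print("kept:", [r[0] for r in kept], "dropped:", dropped)
```

On a real socket the kernel only delivers datagrams addressed to the port the query left from, so `reply_dst_port` is implicit; it is an explicit parameter here so the check can be exercised offline. The ID/port entropy only raises the cost of blind, off-path spoofing; an attacker who can see the query on the wire (the packet-sniffer case mentioned at the top of this page) still needs nothing more than a faster reply, which is the gap DNSSEC is meant to close.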
Re:Tact?
-
True Alternative
Until a true open source alternative to BIND appears, we're stuck with it.
By "true alternative" do you mean it has to be GPLable?
Not necessarily. Being distributable wouldn't hurt, though. Being compatible with the DNS standard would also be a plus. Don't get me wrong, I am all for alternatives to BIND, but djbdns cannot even be distributed as a simple rpm or deb package not messing the whole bloody filesystem, for God's sake.
If you want a name server with such a strong emphasis on security, use MaraDNS--at least it's free software. Unfortunately, like djbdns, it is not RFC-compatible, but at least it can be made so, with no strings attached.
-
Article is an ad for Vixie and his companies...
First, the root servers have different dns server software and OSes, not because Vixie thought of it, but because it is policy codified in the BCP RFC for root servers best practices. In fact, I think he was unhappy about other root servers using non-BIND software in the beginning.
Second, he is being disingenuous about his comments about patents, his company owns at least one patent related to the Verisign "Site Finder" service methodology. Nominum Patent I didn't see any statements by him disparaging his company when they applied for that patent. So it isn't that he doesn't like patents, it is that he doesn't like that Akamai is making money doing third party DNS without paying him money or homage. Note: His commercial, for profit dns server software company has a white paper enumerating the scalability and other problems with BIND, and they use an architecture more similar to DJBDNS than to BIND 9 - separate auth and resolving dns server packages, most modern dns server software uses this architecture to reduce code complexity and improve security and performance.
Third, if he wanted to be the pillar of dns server software that he supposedly is, he could have sent a few goons from Nominum over to Akamai and set up some boxes with his commercial, for profit, "scalable" dns server software and Akamai would have been able to see if his software was able to stand up to the ddos attack better than what they have. If it did, he probably could have gotten a sweet, lucrative contract out of it and been a hero for helping thwart the attack, rather than a hypocritical, self serving competitor hiding behind Open Source to appear credible.
Fourth, Akamai is a single point of failure because that is what they do - offload dns and content load from the biggest companies on the net like MS, google and ebay. No, I don't work there, but I would venture a guess that they carry more traffic than (maybe) any other company. So I am sure it is easy to armchair quarterback and say they should do this and that, but when the attacks are probably at 10's or 100's of GiB/s I am not sure what I would do.
Nominum is also involved in RFID stuff, so I will be interested to see what happens with him and his companies as that ramps up. And who knows what deals have already been made - "the future of DNS is right."
Some DNS software links:
nsd - high performance, uses BIND style files and authoritative only
They have an interesting testing procedure where they run nsd and BIND, have them build responses to the same queries and then analyze any differences: diff analysis
maradns
Powerdns, mysql and a pretty website
djbdns he's grouchy and the no license license thing freaks people out and pisses them off, but people become attached to the quirky but rock solid software.
nstx, ip over dns, yeah... -
Re:You really see which DNS does heavy lifting.[ http://www.maradns.org/dns_software.html ]
Other DNS software
This is a list of some other DNS software out there:
Freely downloadable DNS servers
Caching DNS servers
- BIND 9 is a complete rewrite of BIND, and, as such, probably does not have the security issues that previous versions of BIND had. In fact, one of the BIND developers found a security problem in earlier versions of MaraDNS. Very full-featured, and is the reference standard for the newer DNS RFCs.
- Oak DNS is a DNS server written completely in python. It is compatible (I think) with both BIND zone files and cache files.
- pdnsd is a recursive caching DNS server. Paul Rombouts is the current maintainer of this program.
- Posadis is another DNS server project, similar to MaraDNS. This server is now both a resolving and an authoritative DNS server.
Non-recursive DNS servers
- PowerDNS is an authoritative-only DNS server with support for, among other things, SQL. I would like to applaud the PowerDNS developers for making a libre release of this software. Note: Recursive code is in the works; PowerDNS will soon enough be a fully functioning recursive DNS server.
- DnsJAVA is an authoritative-only DNS server written in Java.
- NSD is an authoritative-only DNS server which is compatible with BIND zone files.
- MyDNS is an authoritative-only DNS server which uses MySQL as a database back end.
- The Pliant language/package comes with a DNS server. This DNS server can not recursively process DNS queries given a list of root servers.
- Twisted includes a non-recursive DNS server.
- The Eddit project includes a DNS server
- SheerDNS is a simple non-caching DNS server that stores all records as their own files.
Abandoned DNS server projects
These are DNS server projects which have not released any files for six months or longer, and which never became functioning recursive (caching) DNS servers.
- MooDNS is another DNS server project. A CVS checkout on January 21, 2003 shows that no files have been updated since July 20, 2002, except for a single readme file updated on August 1, 2002. This project is abandoned. I have made a tarball available for people who do not want to bother with a CVS checkout.
- Dents is a DNS server that showed a lot of promise. Unfortunately, no files have been released since 1999.
- Yaku-NS is a DNS server geared towards embedded systems. According to the changelog, no one has made any changes to this software since February, 2001.
- CustomDNS has not released any files since the summer of 2000.
Other
-
Re:You really see which DNS does heavy lifting.[ http://cr.yp.to/djbdns/other.html ]
Other DNS software
Management tools
twa lets authorized browsers edit the tinydns data file.
ldap2dns converts an LDAP DNS database to a tinydns data file. tinyadmin is a graphical interface to the LDAP DNS database used by ldap2dns.
mkdns converts a MySQL DNS database to a tinydns data file. It lets authorized browsers edit the MySQL DNS database.
sql2tinydns is similar to mkdns.
dhcp_dns watches dhcpd for new DHCP address assignments, and publishes those addresses through tinydns.
tinydyndns publishes dynamic IP addresses authenticated through POP connections.
Servers
ldapdns publishes DNS information from an LDAP database.
MyDNS publishes DNS information from a MySQL database.
Posadis publishes DNS information from BIND-style zone files. Security history: Buffer overflow, allowing attackers around the Internet to take control of the server; fixed in m5pre2 (2002.03.30). Someone announced an exploitable buffer overflow in m5pre2 a few weeks later; the history here isn't clear from the Posadis web pages.
NSD publishes DNS information from BIND-style zone files. Security history: Unclear. The NSD documentation includes bugs like ``Very strange coredump in hash_destroy() that happens sometimes'' without any analysis of their security impact. Is that an exploitable buffer overflow?
PowerDNS publishes DNS information from MySQL databases, PostgreSQL databases, Oracle databases, IBM databases, LDAP databases, or BIND-style zone files. Security history: Unclear, like the NSD security history.
MaraDNS is a general-purpose DNS server.
lbnamed is a load-balancing DNS server.
lbdns is another load-balancing DNS server.
Oak DNS Server is a good example of why novices shouldn't try to write DNS software. The digitallumber.net domain, served by Oak DNS Server 1.0, is inaccessible to a huge number of clients that try AAAA lookups before A lookups: the server incorrectly returns NXDOMAIN for AAAA, effectively wiping out its own A record.
Caches
pdnsd is a DNS cache. Security history: Remotely exploitable buffer overflow; fixed in 1.1.7a (2002.01.18).
MaraDNS can act as a cache.
I don't know why anyone would want to use these caches in place of dnscache.
DNS clients
adns is a DNS client library.
ares is a DNS client library.
perldns is a DNS client library for Perl.
The Buggy Internet Name Daemon [how very professional... *sigh*]
BIND is a monolithic server/cache; it also includes a client library, libresolv. Security history: IQUERY buffer overflow in BIND before 8.1.2-T3B (1998); NXT buffer overflow in BIND before 8.2.2-P4 (1999); nslookupcompla
-
Re:Bug your ISP
Interesting that BIND only runs 80% of DNS servers, what is the other 20% made up of?
Well, there's TinyDNS, djbdns and MaraDNS, just for starters. And whatever those Windows folks use on their server OS.
Interesting to note that djbdns has already been patched to workaround the Verisign nonsense
.... -
Re:bind?
i've always liked maradns since it's not "braindamaged" like djbdns, but it does privilege separation to run in a jail.
-
Nameservers for Linux and *BSD
evilpenguin wrote:
BTW, what alternatives to BIND exist for Linux and *BSD? I actually don't know and would like to know.
There are now a number of alternative packages that may have advantages for many deployments. E.g.:
MaraDNS is a general-purpose, fast DNS server package (doing recursive, authoritative, and caching roles, plus fully supporting zone transfers):
http://www.maradns.org/
pdnsd is a small caching-only DNS server with a disk-based cache, suitable for small networks and workstations:
http://home.t-online.de/home/Moestl/
Dnsmasq is a small authoritative and caching DNS server for a group of NATted / IPmasqued machines (optionally pulling names from DHCP leases):
http://www.thekelleys.org.uk/dnsmasq/
DNRD is a small caching-only DNS server for NAT / IPmasq networks:
http://dnrd.nevalabs.org/
MyDNS is a MySQL-based authoritative and caching server (no recursive service) suitable for very large sites. In such roles, it's faster and more responsive than BIND9, even though the latter uses a RAM-based cache:
http://mydns.bboy.net/
ldapdns implements the same idea, except out of an LDAP database. Again, much faster than BIND9:
http://nimh.org/code/ldapdns/
GnuDIP is an authoritative server for Dynamic DNS:
http://gnudip2.sourceforge.net/gnudip-www/
NSD is a high-performance authoritative-only daemon:
http://www.nlnetlabs.nl/nsd/
PowerDNS (open source as of 2002-11-25) is an authoritative-only daemon with a modular structure supporting various back-end information stores such as SQL databases (MySQL, PostgreSQL, Oracle 8i, Oracle 9i, IBM DB2, and others via ODBC), BIND zonefiles and other file formats, and LDAP directories. Supports AXFR zone transfers.
http://www.powerdns.com/products/powerdns/
CustomDNS is an authoritative-only daemon for both static addresses and its variant form of dynamic DNS:
http://customdns.sourceforge.net/
lbnamed is a similar authoritative-only daemon for static and dynamic information, with a load-balancing multi-machine architecture:
http://www.stanford.edu/~riepel/lbnamed/
Posadis is another fast authoritative-only daemon:
http://posadis.sourceforge.net/
dents is another general-purpose DNS server, but is perennially unfinished, and is probably dead, at this point:
http://sourceforge.net/projects/dents/
Pliant DNS Server is another general-purpose DNS server, although it may not support zone transfers:
http://pliant.cx/pliant/protocol/dns/
Yaku-NS is another small, fast general-purpose DNS server:
http://www.kyuzz.org/antirez/ens.html
Twisted Names is an authoritative and caching DNS server, written in Python:
http://twistedmatrix.com/documents/howto/names
Oak DNS Server is an authoritative and caching DNS server, supporting dynamic DNS updates and AAAA records. It's written in Python, and doesn't need to run privileged:
http://www.digitallumber.com/oak
dnsjava is a minimal, authoritative-only server, a resolver library, and a set of DNS utilities, all written in Java:
http://www.xbill.org/dnsjava/
Related:
FireDNS is a client library for DNS requests, with emphasis on speed and asynchronous processing. Written in C, and has low-timeout blocking functions. Can be used to replace standard libc resolver library functions like gethostbyname with much faster equivalent code:
http://ares.penguinhosting.net/~ian/
GNU adns is a resolver library for C (and C++) programs, and a collection of useful DNS resolver utilities:
http://www.chiark.greenend.org.uk/~ian/adns/
Proprietary packages include:
UltraDNS (UltraDNS Corporation)
djbdns/tinydns
ATLAS (Verisign)
BINDPlus (Information Network Eng. Group, Inc.)
Global Name Service (Nominum, Inc.)
NeDNS (Neteka, Inc.)
I maintain this list at http://linuxmafia.com/~rick/linux-info/dns-servers
Rick Moen
rick@linuxmafia.com -
Some problems with DNSSEC
First of all, my qualifications: I am an implementer of a freely downloadable functioning recursive DNS server; one of the five that exist (the other ones: 1, 2, 3 [this one is in Python, which I consider a bit of a cheat], and, of course, 4).
That behind me, my thoughts on DNSSEC. The main problem with DNSSEC is that DNS itself has no concept of security; any attempt to add signatures has the issue of having to graft signatures onto a system not designed to have signatures. For example:
- A DNS packet can only be 512 bytes long; that really is not enough room to fit a signature.
- How do you sign the statement "this host name does not exist"? All of the solutions have a problem. We either have to put a private key on an internet connected computer, or we have to reveal all of the host names that exist in our network.
- Digital signatures add a good deal of workload to already overloaded recursive DNS servers.
- Sam