Domain: nlnetlabs.nl
Stories and comments across the archive that link to nlnetlabs.nl.
Comments · 29
-
Re:This story is ...
DNS is really boring today, but let me tell you, between 1999 and 2001, DNS was a much more interesting topic.
Back then, there were two DNS servers out there:
- BIND, which was horribly insecure and one of the more significant causes of remote root access security holes
- DJBDNS, which was and by and large is secure, but had a weird maybe-not-open license and lots of quirks
LWN has a good article from that era to give people an idea how limited choices were with open-source DNS servers. Since then, we got Unbound and NSD, PowerDNS, and (shameless plug warning) MaraDNS (there are also a lot of DNS server projects which never were finished or were abandoned years ago, such as OakDNS, Dents, Posadis, etc.)
The idea behind DNSSEC is that it is, within a margin of error (I'm already awaiting a somewhat pedantic correction from a neckbeard), the HTTPS of DNS: It makes it impossible (cue neckbeard pedantic correction) to spoof a DNS reply. DNS without DNSSEC is like HTTP without HTTPS: There are security issues where an attacker can make someone go to the wrong web site.
(Yes, I am aware of DNScurve. I'm also aware that, like Esperanto, the best idea doesn't always win--or even get implemented in a mainstream DNS server)
(Slashdot: 2001 called and wants its lack of Unicode support back. Why can't I use smart quotes or real em dashes in my replies?)
-
BIND alternatives
Since this is about BIND, let me start the inevitable thread about the BIND alternatives.
BIND is the swiss army knife of DNS servers. It has a lot of features and can do pretty much everything. It's also a big binary and sometimes difficult to configure. CVE
Unbound and NSD are a suite of DNS servers from the same people. One (NSD) puts your web page on the Internet; the other (Unbound) looks for web pages on the Internet. NSD CVE Unbound CVE
PowerDNS (which like Unbound/NSD, is two separate programs) has a lot of flexibility with connecting to databases or what not to resolve a DNS name. Used by Wikimedia, among others. CVE
MaraDNS. I think it's the best one, but my opinion is a little biased. It was once a single program, now two separate programs (like Unbound/NSD and PowerDNS). Easy to configure; tiny binary suitable for embedded systems. CVE
DjbDNS. Great tiny two-program DNS suite. Hasn't been updated since 2001 and yes, it has security problems (I'm already taking bets that a follow-up to this post will pretend DjbDNS is magically perfectly secure). Zinq is a currently maintained unofficial fork.
There are many many other DNS servers, both open source and non-open source. Rick Moen has a great list of the open-source ones.
-
Re:How do you check?
Try DNSSEC Drill: Extension for Firefox; it sounds like what you want, with the ldns libraries and programs. I've never used it but it sounds interesting.
-
NSD
If they were using NSD like the RIPE does for K root, the zone compiler wouldn't have compiled the faulty zone file and the parser would have made noise about it. NSD is very hard to break as the zone files must be compiled into a database before loading. The parser simply refuses to compile when there are zones with errors in them, so the database it creates will never be bogus (similar to the way a compiler won't create an executable if the source code violates its rules).
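A fail-closed zone check in the spirit of the NSD zone compiler described above. This is an added example, not NLnet Labs code: it parses a toy subset of BIND-style zone syntax (assumed record types, no quoted ';' in TXT), collects every error it finds, and returns no records at all if anything is wrong, so a bogus zone never reaches the server.

```python
"""Fail-closed zone check in the spirit of the NSD zone compiler described in the
post above. Added example, not NLnet Labs code: parse a toy subset of BIND-style
zone syntax, collect every error, and return no records at all if any is found."""
import re
from dataclasses import dataclass, field

# Toy subset (assumption for the demo); a real compiler knows the full type registry.
KNOWN_TYPES = {"SOA", "NS", "A", "AAAA", "MX", "CNAME", "TXT"}
IPV4 = re.compile(r"^(\d{1,3})\.(\d{1,3})\.(\d{1,3})\.(\d{1,3})$")

@dataclass
class ZoneCheck:
    records: list = field(default_factory=list)  # (owner, ttl, type, rdata)
    errors: list = field(default_factory=list)   # empty means loadable

def _fqdn(name, origin):
    """Expand '@' and relative names the way a zone parser does."""
    return origin if name == "@" else name if name.endswith(".") else f"{name}.{origin}"

def check_zone(text, origin, default_ttl=3600):
    """Parse `text` as the zone for `origin`; records survive only if no error."""
    origin = origin if origin.endswith(".") else origin + "."
    zc, owner = ZoneCheck(), origin
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split(";", 1)[0].rstrip()        # strip comments (toy: no quoted ';')
        if not line.strip():
            continue
        fields = line.split()
        if not raw[0].isspace():                    # indented lines inherit the owner
            owner = _fqdn(fields.pop(0), origin)
        ttl = default_ttl
        if fields and fields[0].isdigit():
            ttl = int(fields.pop(0))
        if fields and fields[0].upper() == "IN":    # class is optional
            fields.pop(0)
        rtype, rdata = (fields[0].upper(), " ".join(fields[1:])) if fields else ("", "")
        if rtype not in KNOWN_TYPES:
            zc.errors.append(f"line {lineno}: unknown or missing type '{rtype}'")
            continue
        if owner != origin and not owner.endswith("." + origin):
            zc.errors.append(f"line {lineno}: owner {owner} is outside {origin}")
        if rtype == "A":
            m = IPV4.match(rdata)
            if not m or any(int(o) > 255 for o in m.groups()):
                zc.errors.append(f"line {lineno}: bad IPv4 address '{rdata}'")
        zc.records.append((owner, ttl, rtype, rdata))
    # Whole-zone checks that need every record parsed first.
    apex = [r for r in zc.records if r[0] == origin]
    if sum(1 for r in apex if r[2] == "SOA") != 1:
        zc.errors.append("zone: exactly one SOA record is required at the apex")
    if not any(r[2] == "NS" for r in apex):
        zc.errors.append("zone: no NS record at the apex")
    cname_owners = {r[0] for r in zc.records if r[2] == "CNAME"}
    for rec_owner, _, rtype, _ in zc.records:
        if rec_owner in cname_owners and rtype != "CNAME":
            zc.errors.append(f"zone: {rec_owner} has CNAME and other data")
    if zc.errors:
        zc.records = []                             # fail closed: nothing to load
    return zc

# Constructed sample zones for the demo (example.com is a documentation domain).
GOOD_ZONE = """\
@       IN SOA ns1.example.com. hostmaster.example.com. 2024010101 7200 900 1209600 300
        IN NS  ns1.example.com.
ns1     IN A   192.0.2.53
www     IN A   192.0.2.80
"""
BAD_ZONE = """\
@       IN SOA ns1.example.com. hostmaster.example.com. 2024010101 7200 900 1209600 300
        IN NS  ns1.example.com.
www     IN A   192.0.2.300           ; octet out of range
ftp     IN CNAME www.example.com.
ftp     IN TXT "a CNAME owner may carry no other data"
"""
```

Running `check_zone(BAD_ZONE, "example.com")` reports both the bad address and the CNAME conflict and hands back an empty record set, which is the behaviour the post credits NSD with.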
-
Re:NLnet Labs software
Let's just compare the performance, reliability, scalability, and security between Nominum's products and NSD and Unbound. For the moment, have a look specifically at Wouter's presentation from RIPE a year and a half ago for a beta version of Unbound, which shows it handling double the number of queries per second of PowerDNS and Bind9 (start at page 11). We're now at version 1.3.3, and I've got an entry-level 1u Xeon server that will handle about 10kqps before slowing down with an Unbound config that took me all of an hour to learn, configure, and tune for optimum performance.
BTW, credit where credit is due, I've got to say thanks to Nominum for open-sourcing their DNS performance testing tools, which was what I used to test my Unbound setup. I think this marketing campaign is a result of the right hand not knowing what the left hand is doing, as PowerDNS et al. were not created in a vacuum and certainly rely on open-source libraries for various things.
This is a troll? The cluefulness ratio here has gone down so far...
-
-
Try alternatives
There are excellent alternatives to bind.
For example, I have been using nsd for years.
Super easy to configure. Lacks recursive resolver tho..
-
Use Unbound or NSD
I don't want to bash BIND but it has had a fair amount of sec issues (well a lot), try unbound or nsd instead http://unbound.nlnetlabs.nl/ http://www.nlnetlabs.nl/projects/nsd/
-
-
Run your own ...
... DNS servers, using the reliable, secure, high performing, authoritative-only, name server software called NSD. Generate your zone files from a script in your favorite language, and be done with the issues.
-
Re:This can deal with the Chicken-and-egg problem
yes, there is one:
-
Re:The Death of BIND
Microsoft's name services? Not sure..
Anyway, authoritative name server that works well is called NSD.
-
try nsd instead
If you need a small and simple authoritative DNS server, I suggest
# apt-get install nsd
Simple to install. Simple to configure.
According to the homepage, it can handle big loads too.
http://www.nlnetlabs.nl/nsd/
-
Re:It's not...
Not entirely unexpected, since NLnet Labs develops NSD, which is an authoritative DNS server only ;)
-
Re:It's not...
That might be due to the website of the distributor calling the product a DNS server.
Taken from http://www.nlnetlabs.nl/:
Recent Software Updates
Unbound 1.0.0
Tue May 20 2008
The public release of Unbound, a fast recursive validating caching DNS server.
-
Re:BIND "okay"?
not to address all your points - but lol how your "employer" trashes the performance of BIND 9 (which they, themselves wrote) and then on top of it go on to explain how their high performance commercial version is written as separate auth and caching servers like BIND 4 - 9? No, like the guy they have been trashing for doing so all these years.
Your company has no credibility - they'd gain some if they said - "We wrote BIND 9 under contract to ISC Corp and it was crap, so we wrote something a little better that you can pay through the nose for. But in the end it's not any better than djbdns or nsd http://www.nlnetlabs.nl/nsd/ " Your "employer's" software is bested by one grouchy guy's 5+ year old software and by a group of 5 Northern European Bongheads on a 500K EUR budget - it's a joke, how much did you guys get for writing BIND 9, how many millions ?
As for a few of the other things - how about the cult of the term "reference implementation" that Brad Knowles is on? Now that ISC has sucked up ntp, notice how he has started bad-mouthing OpenNTPd and using the term "reference implementation" with ntp software, too - the guy has a problem. http://66.102.7.104/search?q=cache:2CD_GXH_YAoJ:bradknowles.typepad.com/considered_harmful/2004/09/openntpd.html+reference+implementation+openntp "reference implementation" doesn't mean jack, esp. when it sucks. And yeah the BIND zone transfer is _so_ much better than rsync/scp. And please don't compare the number of patches in BIND's history to djbdns - yeah he doesn't incorporate the few that there are out there but boohoo, I have an automated build for djbdns and there are lots of pre-patched bundles available on the net.
-
Article is an ad for Vixie and his companies...
First, the root servers have different dns server software and OSes, not because Vixie thought of it, but because it is policy codified in the BCP RFC for root servers best practices. In fact, I think he was unhappy about other root servers using non-BIND software in the beginning.
Second, he is being disingenuous about his comments about patents, his company owns at least one patent related to the Verisign "Site Finder" service methodology. Nominum Patent I didn't see any statements by him disparaging his company when they applied for that patent. So it isn't that he doesn't like patents, it is that he doesn't like that Akamai is making money doing third party DNS without paying him money or homage. Note: His commercial, for profit dns server software company has a white paper enumerating the scalability and other problems with BIND, and they use an architecture more similar to DJBDNS than to BIND 9 - separate auth and resolving dns server packages, most modern dns server software uses this architecture to reduce code complexity and improve security and performance.
Third, if he wanted to be the pillar of dns server software that he supposedly is, he could have sent a few goons from Nominum over to Akamai and set up some boxes with his commercial, for profit, "scalable" dns server software and Akamai would have been able to see if his software was able to stand up to the ddos attack better than what they have. If it did, he probably could have gotten a sweet, lucrative contract out of it and been a hero for helping thwart the attack, rather than a hypocritical, self serving competitor hiding behind Open Source to appear credible.
Fourth, Akamai is a single point of failure because that is what they do - offload dns and content load from the biggest companies on the net like MS, google and ebay. No, I don't work there, but I would venture a guess that they carry more traffic than (maybe) any other company. So I am sure it is easy to armchair quarterback and say they should do this and that, but when the attacks are probably at 10's or 100's of GiB/s I am not sure what I would do.
Nominum is also involved in RFID stuff, so I will be interested to see what happens with him and his companies as that ramps up. And who knows what deals have already been made - "the future of DNS is right."
Some DNS software links:
nsd - high performance, uses BIND style files and authoritative only
They have an interesting testing procedure where they run nsd and BIND, have them build responses to the same queries and then analyze any differences: diff analysis
maradns
Powerdns, mysql and a pretty website
djbdns he's grouchy and the no license license thing freaks people out and pisses them off, but people become attached to the quirky but rock solid software.
nstx, ip over dns, yeah...
-
Re:You really see which DNS does heavy lifting.[ http://www.maradns.org/dns_software.html ]
Other DNS software
This is a list of some other DNS software out there:
Freely downloadable DNS servers
Caching DNS servers
- BIND 9 is a complete rewrite of BIND, and, as such, probably does not have the security issues that previous versions of BIND has. In fact, one of the BIND developers found a security problem in earlier versions of MaraDNS. Very full-featured, and is the reference standard for the newer DNS RFCs.
- Oak DNS is a DNS server written completely in python. It is compatible (I think) with both BIND zone files and cache files.
- pdnsd is a recursive caching DNS server. Paul Rombouts is the current maintainer of this program.
- Posadis is another DNS server project, similar to MaraDNS. This server is now both a resolving and an authoritative DNS server.
Non-recursive DNS servers
- PowerDNS is an authoritative-only DNS server with support for, among other things, SQL. I would like to applaud the PowerDNS developers for making a libre release of this software. Note: Recursive code is in the works; PowerDNS will soon enough be a fully functioning recursive DNS server.
- DnsJAVA is an authoritative-only DNS server written in Java.
- NSD is an authoritative-only DNS server which is compatible with BIND zone files.
- MyDNS is an authoritative-only DNS server which uses MySQL as a database back end.
- The Pliant language/package comes with a DNS server. This DNS server can not recursively process DNS queries given a list of root servers.
- Twisted includes a non-recursive DNS server.
- The Eddit project includes a DNS server
- SheerDNS is a simple non-caching DNS server that stores all records as their own files.
Abandoned DNS server projects
These are DNS server projects which have not released any files for six months or longer, and which never became functioning recursive (caching) DNS servers.
- MooDNS is another DNS server project. A CVS checkout on January 21, 2003 shows that no files have been updated since July 20, 2002, except for a single readme file updated on August 1, 2002. This project is abandoned.
I have made a tarball available for people who do not want to bother with a CVS checkout.
- Dents is a DNS server that showed a lot of promise. Unfortunately, no files have been released since 1999.
- Yaku-NS is a DNS server geared towards embedded systems. According to the changelog, no one has made any changes to this software since February, 2001.
- CustomDNS has not released any files since the summer of 2000.
Other
-
Re:You really see which DNS does heavy lifting.[ http://cr.yp.to/djbdns/other.html ]
Other DNS software
Management tools
twa lets authorized browsers edit the tinydns data file.
ldap2dns converts an LDAP DNS database to a tinydns data file. tinyadmin is a graphical interface to the LDAP DNS database used by ldap2dns.
mkdns converts a MySQL DNS database to a tinydns data file. It lets authorized browsers edit the MySQL DNS database.
sql2tinydns is similar to mkdns.
dhcp_dns watches dhcpd for new DHCP address assignments, and publishes those addresses through tinydns.
tinydyndns publishes dynamic IP addresses authenticated through POP connections.
Servers
ldapdns publishes DNS information from an LDAP database.
MyDNS publishes DNS information from a MySQL database.
Posadis publishes DNS information from BIND-style zone files. Security history: Buffer overflow, allowing attackers around the Internet to take control of the server; fixed in m5pre2 (2002.03.30). Someone announced an exploitable buffer overflow in m5pre2 a few weeks later; the history here isn't clear from the Posadis web pages.
NSD publishes DNS information from BIND-style zone files. Security history: Unclear. The NSD documentation includes bugs like ``Very strange coredump in hash_destroy() that happens sometimes'' without any analysis of their security impact. Is that an exploitable buffer overflow?
PowerDNS publishes DNS information from MySQL databases, PostgreSQL databases, Oracle databases, IBM databases, LDAP databases, or BIND-style zone files. Security history: Unclear, like the NSD security history.
MaraDNS is a general-purpose DNS server.
lbnamed is a load-balancing DNS server.
lbdns is another load-balancing DNS server.
Oak DNS Server is a good example of why novices shouldn't try to write DNS software. The digitallumber.net domain, served by Oak DNS Server 1.0, is inaccessible to a huge number of clients that try AAAA lookups before A lookups: the server incorrectly returns NXDOMAIN for AAAA, effectively wiping out its own A record.
Caches
pdnsd is a DNS cache. Security history: Remotely exploitable buffer overflow; fixed in 1.1.7a (2002.01.18).
MaraDNS can act as a cache.
I don't know why anyone would want to use these caches in place of dnscache .
DNS clients
adns is a DNS client library.
ares is a DNS client library.
perldns is a DNS client library for Perl.
The Buggy Internet Name Daemon [how very professional... *sigh*]
BIND is a monolithic server/cache; it also includes a client library, libresolv. Security history: IQUERY buffer overflow in BIND before 8.1.2-T3B (1998); NXT buffer overflow in BIND before 8.2.2-P4 (1999); nslookupcompla
-
The use and state of DNSSEC
DNSSEC is long overdue. We not only need to secure our domains, we also need a secure placeholder for cryptographic information that's hierarchical. DNSSEC is the answer for that.
If you think DNSSEC is vapourware, your information is outdated. As I presented in various talks this year at BlackHat, DefCon and CCC, DNSSEC is ready to be deployed, and IS deployed.
We are currently running over 150 domains in DNSSEC, using bind9 and some perl tools written by RIPE. We are using this to accomplish IPsec Opportunistic Encryption, which means massive deployment of IPsec tunnels by using secured DNS information for key material.
Please see:
- The Dutch SECREG
- Opportunistic Encryption
- My OpenOffice or PowerPoint presentation on deploying DNSSEC and OE.
DNSSEC is not vapourware. It will happen, and you want it to happen. Think about VOIP using the ENUM dnszone without DNSSEC. Do you WANT your phonecalls to be hijacked?
-
-
What fitting timing
What fitting timing. I just deployed a replacement for BIND called NSD for all my authoritative name servers. Now I need to choose a good resolving server. Maybe tinydns.
-
Nameservers for Linux and *BSD
evilpenguin wrote:
BTW, what alternatives to BIND exist for Linux and *BSD? I actually don't know and would like to know.
There are now a number of alternative packages that may have advantages for many deployments. E.g.:
MaraDNS is a general-purpose, fast DNS server package (doing recursive, authoritative, and caching roles, plus fully supporting zone transfers):
http://www.maradns.org/
pdnsd is a small caching-only DNS server with a disk-based cache, suitable for small networks and workstations:
http://home.t-online.de/home/Moestl/
Dnsmasq is a small authoritative and caching DNS server for a group of NATted / IPmasqued machines (optionally pulling names from DHCP leases):
http://www.thekelleys.org.uk/dnsmasq/
DNRD is a small caching-only DNS server for NAT / IPmasq networks:
http://dnrd.nevalabs.org/
MyDNS is a MySQL-based authoritative and caching server (no recursive service) suitable for very large sites. In such roles, it's faster and more responsive than BIND9, even though the latter uses a RAM-based cache:
http://mydns.bboy.net/
ldapdns implements the same idea, except out of an LDAP database. Again, much faster than BIND9:
http://nimh.org/code/ldapdns/
GnuDIP is an authoritative server for Dynamic DNS:
http://gnudip2.sourceforge.net/gnudip-www/
NSD is a high-performance authoritative-only daemon:
http://www.nlnetlabs.nl/nsd/
PowerDNS (open source as of 2002-11-25) is an authoritative-only daemon with a modular structure supporting various back-end information stores such as SQL databases (MySQL, PostgreSQL, Oracle 8i, Oracle 9i, IBM DB2, and others via ODBC), BIND zonefiles and other file formats, and LDAP directories. Supports AXFR zone transfers.
http://www.powerdns.com/products/powerdns/
CustomDNS is an authoritative-only daemon for both static addresses and its variant form of dynamic DNS:
http://customdns.sourceforge.net/
lbnamed is a similar authoritative-only daemon for static and dynamic information, with a load-balancing multi-machine architecture:
http://www.stanford.edu/~riepel/lbnamed/
Posadis is another fast authoritative-only daemon:
http://posadis.sourceforge.net/
dents is another general-purpose DNS server, but is perennially unfinished, and is probably dead, at this point:
http://sourceforge.net/projects/dents/
Pliant DNS Server is another general-purpose DNS server, although it may not support zone transfers:
http://pliant.cx/pliant/protocol/dns/
Yaku-NS is another small, fast general-purpose DNS server:
http://www.kyuzz.org/antirez/ens.html
Twisted Names is an authoritative and caching DNS server, written in Python:
http://twistedmatrix.com/documents/howto/names
Oak DNS Server is an authoritative and caching DNS server, supporting dynamic DNS updates and AAAA records. It's written in Python, and doesn't need to run privileged:
http://www.digitallumber.com/oak
dnsjava is a minimal, authoritative-only server, a resolver library, and a set of DNS utilities, all written in Java:
http://www.xbill.org/dnsjava/
Related:
FireDNS is a client library for DNS requests, with emphasis on speed and asynchronous processing. Written in C, and has low-timeout blocking functions. Can be used to replace standard libc resolver library functions like gethostbyname with much faster equivalent code:
http://ares.penguinhosting.net/~ian/
GNU adns is a resolver library for C (and C++) programs, and a collection of useful DNS resolver utilities:
http://www.chiark.greenend.org.uk/~ian/adns/
Proprietary packages include:
UltraDNS (UltraDNS Corporation)
djbdns/tinydns
ATLAS (Verisign)
BINDPlus (Information Network Eng. Group, Inc.)
Global Name Service (Nominum, Inc.)
NeDNS (Neteka, Inc.)
I maintain this list at http://linuxmafia.com/~rick/linux-info/dns-servers
Rick Moen
rick@linuxmafia.com
-
ICANN does something useful
Is it my imagination or is ICANN actually working on getting their job done rather than horribly complex politics (more complex than needed to solve the problem), or trademark/legal craziness? There's some background at the page of the ICANN DNS Root committee.
Now, I'm pretty skeptical that a closed source DNS server from Register.com is going to be a big part of the solution, but even that I don't really mind so much. Having a few alternatives is good if for no other reason than helping to keep BIND from stagnating.
The article didn't talk much about DNSsec (or this older page) which has got to be part of the solution (to try to give the 10 second summary, when a client makes a DNS query and gets a response, it is kind of tricky to ensure that the response is really from the correct server, and DNSsec uses crypto to solve this and other problems).