Domain: powerdns.com
Stories and comments across the archive that link to powerdns.com.
Comments · 28
-
Re:dnssec
Yes, you can do that.
For example with PowerDNS nameserver supports it:
https://doc.powerdns.com/md/au...
I believe, for example, Bind and https://www.knot-dns.cz/ also have a system for something similar:
https://www.knot-dns.cz/docs/2... -
Re:How about a home brew dynamic DNS system?
-
Re:This story is ...
DNS is really boring today, but let me tell you, between 1999 and 2001, DNS was a much more interesting topic.
Back then, there were two DNS servers out there:
- BIND, which was horribly insecure and one of the more significant causes of remote root access security holes
- DJBDNS, which was and by and large is secure, but had a weird maybe-not-open license and lots of quirks
LWN has a good article from that era to give people an idea how limited choices were with open-source DNS servers. Since then, we got Unbound and NSD, PowerDNS, and (shameless plug warning) MaraDNS (there are also a lot of DNS server projects which never were finished or were abandoned years ago, such as OakDNS, Dents, Posadis, etc.)
The idea behind DNSSEC is that it is, within a margin of error (I'm already awaiting a somewhat pedantic correction from a neckbeard), the HTTPS of DNS: It makes it impossible (cue neckbeard pedantic correction) to spoof a DNS reply. DNS without DNSSEC is like HTTP without HTTPS: There are security issues where an attacker can make someone go to the wrong web site.
(Yes, I am aware of DNScurve. I'm also aware that, like Esperanto, the best idea doesn't always win--or even get implemented in a mainstream DNS server)
(Slashdot: 2001 called and wants its lack of Unicode support back. Why can't I use smart quotes or real em dashes in my replies?)
-
Re:Dutch Innovate
Nobody is using them? 1/5 of the .nl domains are registered DNSSEC domains:
http://xs.powerdns.com/dnssec-nl-graph/ -
Re:Dutch Innovate
Why choose this instead of powerdnssec? I strongly suggest the dnssec training at http://www.dnsseccourse.nl/en/player.html (flash) to improve one's understanding of the dnssec protocol. And powerdns to implement it http://doc.powerdns.com/powerdnssec-auth.html
BTW dnssec adoption is amongst the highest for .nl in absolute numbers of domains, simply because there is a bounty for every domain signed. If you have a few hundred domains the costs to implement are lower than the discount given till mid 2014 == profit for implementing dnssec. And since powerdns does all the hard work automatically and dynamically in a transparent way (except importing the DS key in the tld) -
BIND alternatives
Since this is about BIND, let me start the inevitable thread about the BIND alternatives.
BIND is the swiss army knife of DNS servers. It has a lot of features and can do pretty much everything. It's also a big binary and sometimes difficult to configure. CVE
Unbound and NSD are a suite of DNS servers from the same people. One (NSD) puts your web page on the Internet; the other (Unbound) looks for web pages on the Internet. NSD CVE Unbound CVE
PowerDNS (which like Unbound/NSD, is two separate programs) has a lot of flexibility with connecting to databases or what not to resolve a DNS name. Used by Wikimedia, among others. CVE
MaraDNS. I think it's the best one, but my opinion is a little biased. It was once a single program, now two separate programs (like Unbound/BSD and PowerDNS) Easy-to-configure; tiny binary suitable for embedded systems. CVE
DjbDNS. Great tiny two-program DNS suite. Hasn't been updated since 2001 and yes, it has security problems (I'm already taking bets that a follow-up to this post will pretend DjbDNS is magically perfectly secure). Zinq is a currently maintained unofficial fork.
There are many many other DNS servers, both open source and non-open source. Rick Moen has a great list of the open-source ones
-
Re:10 years ago
Let's not forget Unbound, which may be faster than MaraDNS's 2.0 recursive resolver. Then again, I just got some funding from a sponsor to work on speeding things up. Also, Unbound has DNSSEC -- something MaraDNS doesn't have.
And, of course, there is Power DNS, another excellent DNS server.
Then again, there's something to be said for being able to set things up using only a three-line configuration file and a 64k binary works nice for embedded places like OpenWRT where Unbound and PowerDNS won't fit.
- Sam
-
PowerDNS
PowerDNS -> run it yourself with the convenience of doing mass updates in SQL statements instead of maintaining a few dozen zone files on disk. If you think 50 domains is hard, try running several thousand on a shared hosting cluster. You either need scripted automation, or some type of DB-managed solution like PowerDNS. It's by no means the only one like it, but in my experience has worked reasonably well.
-
Re:So.. if BIND9 sucks.. what is an alternative?
Don't forget DJB's legendary personality as well.
I've been using PowerDNS to manage several thousand domains for almost 3 years and it's been the best thing I ever did. Besides being GPL it has an SQL backend so doing things like changing the TTL for 300 domains takes a few seconds instead of the slog or scripting nightmare with BIND. I use mysql replication to keep my slaves up to date which is also flawless. Load average handling around 150 queries a second is less than 1%
There is a postgres backend for it as well although I have never tried it. -
Re:PowerDNS
even better, it's GPL.
A better place to point slashdot people to is http://doc.powerdns.com/
the shiny official site does not provide all the geeky information that we hunger for. -
PowerDNS
http://www.powerdns.com/
I used it when I was running an ISP a few years ago. Used a replicated MySQL backend behind three authoritative servers. Also used dnscache for recursors in front of all the customers.
All your zone data is stored in DB tables, so it's easy to hack together a frontend, or integrate with CRM or whatever. I wish Rails had existed back then for all the CRUD that I wrote by hand. :/ -
PowerDNS
Why don't you give PowerDNS a try?
It has an authoritative component and a recursive one, both work extremely well and are in use by some big companies, as well as the Wikipedia and the .TK TLD.
As for flexibility: PowerDNS uses backends to retrieve its zone data, so you can use one that's already available (MySQL, BIND zone files, SQLite, ODBC, etc.) or write one yourself.
Oh and it's opensource :) -
Re:If you have your own DNS...
For people (like me) that use the PowerDNS recursor: It too has a delegation-only setting.
-
Re:Its basically a DNS server with a big cache
PowerDNS is a nameserver that uses a backend structure, there are backends for most RDBMS and BIND zonefiles, but it would be perfectly possible to write a backend for it that does spellchecking.
On top of that it has a separate recursing nameserver component that's 64000 times harder to spoof than BIND. We've been using it for quite a while now (large ISP) and never looked back. -
PowerDNS
You can use PowerDNS and any number of administrative tools to manage the domains with a SQL database rather than flat text files.
-
Re:Obviously
Please point to a mail system that actually uses the file system to hard link 1000 emails like the grandparent proposed.
http://asg.web.cmu.edu/cyrus/download/imapd/overview.html#singleinstance
http://doc.powerdns.com/powermail/indepth.html#AEN824 -
Re:DJBDNS -- rocks
If you think that DJBDNS is as good as it gets, you really need to check out http://www.powerdns.com/. We switched to it at work (I pushed it, really), and I wrote a nice custom web-based frontend so our customers can manage their DNS domains independently - they can even create new ones as necessary. It's taken DNS out of the "necessary evil" realm, and brought it into a realm of being a "useful service". I recommend it heartily.
(No, I'm not a developer or otherwise affiliated with the project - just a very satisfied user.) -
Re:DJB is laughing this up I'm sure
-
Re:Nothing New
One of the few examples I've encountered is the PowerDNS converting from closed to open source. They simply found it easier to sell support for an OS product, rather than getting license fees for the closed one.
I too was hoping to hear more such stories. Anyone have some to share ? -
Article is an ad for Vixie and his companies...
First, the root servers have different dns server software and OSes, not because Vixie thought of it, but because it is policy codified in the BCP RFC for root servers best practices. In fact, I think he was unhappy about other root servers using non-BIND software in the beginning.
Second, he is being disingenuous about his comments about patents, his company owns at least one patent related to the Verisign "Site Finder" service methodology. Nominum Patent I didn't see any statements by him disparaging his company when they applied for that patent. So it isn't that he doesn't like patents, it is that he doesn't like that Akamai is making money doing third party DNS without paying him money or homage. Note: His commercial, for profit dns server software company has a white paper enumerating the scalability and other problems with BIND, and they use an architecture more similar to DJBDNS than to BIND 9 - separate auth and resolving dns server packages, most modern dns server software uses this architecture to reduce code complexity and improve security and performance.
Third, if he wanted to be the pillar of dns server software that he supposedly is, he could have sent a few goons from Nominum over to Akamai and set up some boxes with his commercial, for profit, "scalable" dns server software and Akamai would have been able to see if his software was able to stand up to the ddos attack better than what they have. If it did, he probably could have gotten a sweet, lucrative contract out of it and been a hero for helping thwart the attack, rather than a hypocritical, self serving competitor hiding behind Open Source to appear credible.
Fourth, Akamai is a single point of failure because that is what they do - offload dns and content load from the biggest companies on the net like MS, google and ebay. No, I don't work there, but I would venture a guess that they carry more traffic than (maybe) any other company. So I am sure it is easy to armchair quarterback and say they should do this and that, but when the attacks are probably at 10's or 100's of GiB/s I am not sure what I would do.
Nominum is also involved in RFID stuff, so I will be interested to see what happens with him and his companies as that ramps up. And who knows what deals have already been made - "the future of DNS is right."
Some DNS software links:
nsd - high performance, uses BIND style files and authoritative only
They have an interesting testing procedure where they run nsd and BIND, have them build responses to the same queries and then analyze any differences: diff analysis
maradns
Powerdns, mysql and a pretty website
djbdns he's grouchy and the no license license thing freaks people out and pisses them off, but people become attached to the quirky but rock solid software.
nstx, ip over dns, yeah... -
Re:You really see which DNS does heavy lifting.[ http://www.maradns.org/dns_software.html ]
Other DNS software
This is a list of some other DNS software out there:
Freely downloadable DNS servers
Caching DNS servers
- BIND 9 is a complete rewrite of BIND, and, as such, probably does not have the security issues that previous versions of BIND have. In fact, one of the BIND developers found a security problem in earlier versions of MaraDNS. Very full-featured, and is the reference standard for the newer DNS RFCs.
- Oak DNS is a DNS server written completely in python. It is compatible (I think) with both BIND zone files and cache files.
- pdnsd is a recursive caching DNS server. Paul Rombouts is the current maintainer of this program.
- Posadis is another DNS server project, similar to MaraDNS. This server is now both a resolving and an authoritative DNS server.
Non-recursive DNS servers
- PowerDNS is an authoritative-only DNS server with support for, among other things, SQL. I would like to applaud the PowerDNS developers for making a libre release of this software. Note: Recursive code is in the works; PowerDNS will soon enough be a fully functioning recursive DNS server.
- DnsJAVA is an authoritative-only DNS server written in Java.
- NSD is an authoritative-only DNS server which is compatible with BIND zone files.
- MyDNS is an authoritative-only DNS server which uses MySQL as a database back end.
- The Pliant language/package comes with a DNS server. This DNS server can not recursively process DNS queries given a list of root servers.
- Twisted includes a non-recursive DNS server.
- The Eddit project includes a DNS server
- SheerDNS is a simple non-caching DNS server that stores all records as their own files.
Abandoned DNS server projects
These are DNS server projects which have not released any files for six months or longer, and which never became functioning recursive (caching) DNS servers.
- MooDNS is another DNS server project. A CVS checkout on January 21, 2003 shows that no files have been updated since July 20, 2002, except for a single readme file updated on August 1, 2002. This project is abandoned.
I have made a tarball available for people who do not want to bother with a CVS checkout.
- Dents is a DNS server that showed a lot of promise. Unfortunately, no files have been released since 1999.
- Yaku-NS is a DNS server geared towards embedded systems. According to the changelog, no one has made any changes to this software since February, 2001.
- CustomDNS has not released any files since the summer of 2000.
Other
-
Re:You really see which DNS does heavy lifting.[ http://cr.yp.to/djbdns/other.html ]
Other DNS software
Management tools
twa lets authorized browsers edit the tinydns data file.
ldap2dns converts an LDAP DNS database to a tinydns data file. tinyadmin is a graphical interface to the LDAP DNS database used by ldap2dns.
mkdns converts a MySQL DNS database to a tinydns data file. It lets authorized browsers edit the MySQL DNS database.
sql2tinydns is similar to mkdns.
dhcp_dns watches dhcpd for new DHCP address assignments, and publishes those addresses through tinydns.
tinydyndns publishes dynamic IP addresses authenticated through POP connections.
Servers
ldapdns publishes DNS information from an LDAP database.
MyDNS publishes DNS information from a MySQL database.
Posadis publishes DNS information from BIND-style zone files. Security history: Buffer overflow, allowing attackers around the Internet to take control of the server; fixed in m5pre2 (2002.03.30). Someone announced an exploitable buffer overflow in m5pre2 a few weeks later; the history here isn't clear from the Posadis web pages.
NSD publishes DNS information from BIND-style zone files. Security history: Unclear. The NSD documentation includes bugs like ``Very strange coredump in hash_destroy() that happens sometimes'' without any analysis of their security impact. Is that an exploitable buffer overflow?
PowerDNS publishes DNS information from MySQL databases, PostgreSQL databases, Oracle databases, IBM databases, LDAP databases, or BIND-style zone files. Security history: Unclear, like the NSD security history.
MaraDNS is a general-purpose DNS server.
lbnamed is a load-balancing DNS server.
lbdns is another load-balancing DNS server.
Oak DNS Server is a good example of why novices shouldn't try to write DNS software. The digitallumber.net domain, served by Oak DNS Server 1.0, is inaccessible to a huge number of clients that try AAAA lookups before A lookups: the server incorrectly returns NXDOMAIN for AAAA, effectively wiping out its own A record.
Caches
pdnsd is a DNS cache. Security history: Remotely exploitable buffer overflow; fixed in 1.1.7a (2002.01.18).
MaraDNS can act as a cache.
I don't know why anyone would want to use these caches in place of dnscache .
DNS clients
adns is a DNS client library.
ares is a DNS client library.
perldns is a DNS client library for Perl.
The Buggy Internet Name Daemon [how very professional... *sigh*]
BIND is a monolithic server/cache; it also includes a client library, libresolv. Security history: IQUERY buffer overflow in BIND before 8.1.2-T3B (1998); NXT buffer overflow in BIND before 8.2.2-P4 (1999); nslookupcompla
-
Re:"There should be no end-user impact"
The zone data could even be generated dynamically, directly from a database, with the serial set to the last time the database was updated.
Check out Power DNS. Basically it's an authoritative only nameserver that gets its results directly from a database (mySQL, Postgres, Oracle). Wanna update info for a zone, it's as simple as issuing an SQL UPDATE statement and voila, your changes are live. -
How about fixing bind 9 ?
Let's see...
- rrset-order is still broken.
- GSS-TSIG support is still missing.
- Strange multi-threading bugs still exist
- Awful security history isn't behind it yet.
Does this sound like bullshit to you ? If so, see the following:
- Read the bottom parts of this and the links at the bottom of this
- Nominum/ISC relationship described here
:) PowerDNS is promising, but just got recursion.AAARRGGHH.
-
Re:Bug your ISP
-
Nameservers for Linux and *BSD
evilpenguin wrote:
BTW, what alternatives to BIND exist for Linux and *BSD? I actually don't know and would like to know.
There are now a number of alternative packages that may have advantages for many deployments. E.g.:
MaraDNS is a general-purpose, fast DNS server package (doing recursive, authoritative, and caching roles, plus fully supporting zone transfers):
http://www.maradns.org/
pdnsd is a small caching-only DNS server with a disk-based cache, suitable for small networks and workstations:
http://home.t-online.de/home/Moestl/
Dnsmasq is a small authoritative and caching DNS server for a group of NATted / IPmasqued machines (optionally pulling names from DHCP leases):
http://www.thekelleys.org.uk/dnsmasq/
DNRD is a small caching-only DNS server for NAT / IPmasq networks:
http://dnrd.nevalabs.org/
MyDNS is a MySQL-based authoritative and caching server (no recursive service) suitable for very large sites. In such roles, it's faster and more responsive than BIND9, even though the latter uses a RAM-based cache:
http://mydns.bboy.net/
ldapdns implements the same idea, except out of an LDAP database. Again, much faster than BIND9:
http://nimh.org/code/ldapdns/
GnuDIP is an authoritative server for Dynamic DNS:
http://gnudip2.sourceforge.net/gnudip-www/
NSD is a high-performance authoritative-only daemon:
http://www.nlnetlabs.nl/nsd/
PowerDNS (open source as of 2002-11-25) is an authoritative-only daemon with a modular structure supporting various back-end information stores such as SQL databases (MySQL, PostgreSQL, Oracle 8i, Oracle 9i, IBM DB2, and others via ODBC), BIND zonefiles and other file formats, and LDAP directories. Supports AXFR zone transfers:
http://www.powerdns.com/products/powerdns/
CustomDNS is an authoritative-only daemon for both static addresses and its variant form of dynamic DNS:
http://customdns.sourceforge.net/
lbnamed is a similar authoritative-only daemon for static and dynamic information, with a load-balancing multi-machine architecture:
http://www.stanford.edu/~riepel/lbnamed/
Posadis is another fast authoritative-only daemon:
http://posadis.sourceforge.net/
dents is another general-purpose DNS server, but is perennially unfinished, and is probably dead, at this point:
http://sourceforge.net/projects/dents/
Pliant DNS Server is another general-purpose DNS server, although it may not support zone transfers:
http://pliant.cx/pliant/protocol/dns/
Yaku-NS is another small, fast general-purpose DNS server:
http://www.kyuzz.org/antirez/ens.html
Twisted Names is an authoritative and caching DNS server, written in Python:
http://twistedmatrix.com/documents/howto/names
Oak DNS Server is an authoritative and caching DNS server, supporting dynamic DNS updates and AAAA records. It's written in Python, and doesn't need to run privileged:
http://www.digitallumber.com/oak
dnsjava is a minimal, authoritative-only server, a resolver library, and a set of DNS utilities, all written in Java:
http://www.xbill.org/dnsjava/
Related:
FireDNS is a client library for DNS requests, with emphasis on speed and asynchronous processing. Written in C, and has low-timeout blocking functions. Can be used to replace standard libc resolver library functions like getbyhostname with much faster equivalent code:
http://ares.penguinhosting.net/~ian/
GNU adns is a resolver library for C (and C++) programs, and a collection of useful DNS resolver utilities:
http://www.chiark.greenend.org.uk/~ian/adns/
Proprietary packages include:
UltraDNS (UltraDNS Corporation)
djbdns/tinydns
ATLAS (Verisign)
BINDPlus (Information Network Eng. Group, Inc.)
Global Name Service (Nominum, Inc.)
NeDNS (Neteka, Inc.)
I maintain this list at http://linuxmafia.com/~rick/linux-info/dns-servers
Rick Moen
rick@linuxmafia.com -
Re:Things Win2K has that neither UNIX or Linux have
DNS: Take a look at PowerDNS. It can scale pretty well, and grab the data from LDAP/SQL/whatever. Works like a charm, and it's GPL as well. Takes huge loads nicely too, not to mention most other record types.
Samba: Samba works pretty nicely using LDAP, even though there are some quirks :) I agree with you there, Win2K wins there.
Microsoft printing is nothing when you get to use CUPS. CUPS is literally extremely easy to use, and very reliable!
Myself, I don't care much about unified configuration interfaces (as long as it's in /etc or symlinked to /etc it's fine by me), but you may have a point there as well.
Anyway, there's a long way to go, but I believe Linux/*BSD are catching up at rapid speed. -
Powerdns