BIND Is Most Popular DNS Server
bleachboy writes "Last week I completed a new DNS server survey, since D. J. Bernstein's hasn't been updated for years. Not surprisingly, BIND wins. Why is it so hard for alternate DNS servers to gain favor, especially when BIND can be so frustrating sometimes? And yes, I'm shilling."
probably since most distros (BSD & Linux) include BIND as their default DNS server. People are lazy.
the old mighty conservative geeks wins again!
Because no matter what ridiculous flaws it has in it, it's the de facto standard by which all other (frequently superior) systems are measured. People figure "gee.... I wanna learn DNS servers", they think BIND. They think "gee.... I wanna learn SMTP servers". They think sendmail.
It's the same flawed system that supports Windows, but executed to a much greater extent. People are familiar with it, so despite the fact that BIND and sendmail are absolute abominations, they get used.
The geeks bitch about people using Windows even though "such far superior" systems exist as alternatives, but we keep using the horrendous abortion that is BIND even though there are superior alternatives that are free. I guess we can't stand the taste of our own medicine, hm?
Alito: A vote for Alito is a punch in the eye to put that bitch back in her place!
But what I really want is something like EasyDNS provides: Aliases. I want to be able to 'clone' whole domains, because they're all going to the same place anyways based on the hostname.
Maybe EasyDNS just wipes out all the duplicate hostnames, and writes new records for them between the web interface and the backend when a host is changed or added..
"I can't give you a brain, so I'll give you a diploma" - The Great Oz (blatantly stolen sig)
Well, I don't find BIND difficult to use or set up. Sure, it's better to understand the DNS protocol, but I find the configuration files & syntax to be very clear (at least in my configs ;)
"air is most popular substance to breathe". :)
That being said, PowerDNS is pretty awesome as a master, very nice for front end interface building.
-- The unsig...
Personally, I use one called djbdns. It's extremely small and basically bug free! The author actually will pay $50,000 to whoever finds the first exploit in it or something. If you don't need all the extra power that bind offers, this is a much better way to go. Less memory and space required, meaning cheaper systems may run it better. Even the config file can't be simpler!!

cat /etc/tinydns/root/data
.pnet:10.0.3.33:a:259200
.10.in-addr.arpa::ns.pnet:
#Define hosts & aliases
=pollux.pnet:10.0.3.1
=altair.pnet:10.0.3.2
They don't know any better and are afraid to change!
Unlike sendmail which can scare people away just with the configuration file, the BIND zone file layout and other stuff isn't hard to learn.
So people use what came with the box, what their book on "DNS & BIND" uses, and so on.
Also, everybody else uses it!
http://cr.yp.to/djbdns/run-server-bind.html I don't know...
:)
maybe i'm just too old for this now
With that aggravating beauty, Lulu Walls.
Let's not forget Dynamic DNS, i.e., DNS updates from DHCP. I <3 DJB's software, tinydns included, but you can't (readily) attach it to ISC DHCPD and have your DNS records change with your DHCP leases. This isn't a limitation of Dan's software, but rather vendor lock-in on the part of the ISC (and MS, who provides the other major DDNS implementation).
For some people, in some situations, this is a necessity. I just can't wait for someone to write a DJB-inspired DHCP server.
Please explain how you managed to fingerprint DNS servers. I don't think many DNS servers have version identification features. BIND does but it's not exactly a standard. ...or maybe even a good idea.
This survey ranks up there with "Most dentists recommend brand X" marketing for me. The accuracy of the sample set is extremely questionable.
Ratio of BIND domains serviced to installs: 24,335,752 / 340,345 = 71.5 domains/server.
Ratio of MS DNS domains to installs: 2,165,143 / 101,781 = 21.27 domains/server.
Ratio of TinyDNS domains to installs: 5,405,266 / 12,130 = 445.6 domains/server!
Despite only having 2% of the installs, TinyDNS serves 15% of all domains on the internet. Obviously it is very capable, and has few to no exploits available for it. Why don't more people use TinyDNS if it's so capable?
Because they haven't read how easy it is to setup!
--
Internet Explorer (n): Another bug -- that is, a feature that can't be turned off -- in Windows.
Thank you captain obvious.
How the heck do you get rid of BIND? It's everywhere unless you're an MS Windows shop that is ruled by DDNS... but most folks I know won't expose DDNS directly to the internet, cause you know why... BIND often acts as an intermediate.
I know there are better alternatives out there, but why aren't they more popular?
- When you insult a troll, he wins.
The fact that sendmail is also frustrating, is default install on Linux and BSD, and is the most popular for mail shows that this theory is pretty much true.
I also know I am amongst the lazy ranks.
Evolution or ID?
It's because it has been done forever. Instead of the exploit a year phenomenon you have with Bind, there haven't been any yet. When Bind can take 10,000 requests per second on a dual Xeon box (used for MAPS) and not melt into a smoky plastic dog treat, let me know. Don't get me wrong. Djb is slightly, well, he comes across as a bitter man with something to prove. And I can't stand qmail. But he hit the nail on the head with DjbDNS. I've got nearly 240 domains with a combined total of over 125,000 records hosted with no problem.
For every annoying gentoo user, are three even more annoying anti-gentoo crybabies. Take Yosh from #Gimp for example.
- Dan
"To rule them all.
And in the darkness BIND them."
Like, Duh... So obvious.
...since D. J. Bernstein's hasn't been updated for years...
Maybe because it hasn't needed updating.
http://cr.yp.to/djbdns/guarantee.html
You mean there are other DNS servers? Holy sh*t! I've actually used a couple of different ones on pre OS X Macs. DNS servers more than most other pieces of software are invisible until it breaks. You just never really think about it once you get the sucker running(unless you do something serious as opposed to what I do). Plus in the early days, the Internet was large public research project whose infrastructure was made by task forces rather than market forces, so a task force made a tool for the job and that was that. Combine that with the inertia that builds up behind a successful product and there's little incentive to change. We know it, we like it, it works, and it's free. Why bother with anything else unless you're running Mac OS 8 or something funky like that?
He explains exactly how he fingerprints DNS servers and also gives the percentage of servers that he was not able to fingerprint(mostly due to timeouts).
The question is whether the flexibility is worth the security cost imposed by the extra complexity required to get the flexibility. I say no, and run qmail. It's the only MTA that has never had a security lapse. (actually, Courier might not have had one either, but who runs Courier?)
-russ
Don't piss off The Angry Economist
djbdns simply is not as feature complete. Want zone transfers? Want CHAOS records? Want TSIG keys? Want a reasonable configuration syntax?
The fact is, djb staunchly refuses to incorporate features into his various software packages, resulting in a product that's simply less useful. I never thought I'd be defending any ISC products, but BIND surpasses djbdns.
If DJB were not such an ass, his software would be everywhere now. He is smart, you can feel that. But come on, he thinks that if he has thought about something, it's right and it cannot be disproved. You simply can't. He won't accept a thing.
Look at where daemontools installs itself, and of course the other thingies from him, like djbdns and qmail. The default directories cannot be changed (/service, /package etc.), and if you change them from the source, you violate his license!
He's still refusing to fix the extern int errno; problem, because he thinks that it is not a problem. (Everybody should follow his standards, not glibc or anything like that) He still does not apply the QMAILSCANNER patch into qmail. You need to go and get netqmail for that, or apply the patches it provides manually. You cannot distribute a patched qmail, therefore you cannot distribute a proper qmail package for your distribution without begging him!
djbdns assumes that you have a.ns.yourdomain.com b.ns.yourdomain.com etc. The add-ns program does not even get any argument about that. (Of course, you can edit the files manually).
And as far as I know, many distributions kicked his software out, including several *BSDs.
The alternatives have not-so-subtle incompatibilities with BIND and existing practice, are not proven in the field, or are unmaintained by the original developer. In fact, BIND is often deliberately incompatible with its previous versions, so it shouldn't be too hard to beat it in this area, but apparently it is.
tinydns, which was mentioned by the story submitter, is unmaintained, like most (if not all) software that Mr Bernstein has ever released. (This is especially problematic because Mr Bernstein refuses to license the software for a fork.) It does not even compile on modern systems, and it uses a non-standard zone file format. In the days of BIND 4 and BIND 8, all that pain was probably justified, but with BIND 9, things are rather different.
In my experience, in the area of caching full resolvers, BIND 9 simply lacks serious competition, feature-wise, and in terms of ease of administration and interoperability. For authoritative-only servers, RIPE's nsd is an alternative, but BIND 9 is typically not such a big trouble that running two different name servers is really needed.
BIND - like Sendmail - is popular because it works. They might be ugly, buggy (as in security problems), whatever, but they are old and people know them.
... djbdns. Nothing to do with the software and everything to do with the attitude of its author.
I have a small home network. I also have a VPN to my work network. I would like to forward all DNS queries matching a particular domain or IP address range to the DNS servers at work.
For all other DNS queries, I probably should forward them to my ISP's DNS servers, but I'm not too particular about that.
My current problem is that my VPN isn't always running, and if BIND starts when the VPN is not up, then BIND doesn't work right. I have to restart it when the VPN is up, and then it is fine.
So, any suggestions for a DNS server that can handle this situation?
I'm a leaf on the wind. Watch how I soar.
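Added example, not from the thread or from any poster: the split-forwarding setup the question above asks for, expressed as a BIND 9 named.conf. The domain corp.example, the reverse zone 8.10.in-addr.arpa, and all addresses are placeholders; substitute the work domain, the VPN-side resolvers, and the ISP resolvers.

```conf
// BIND 9 named.conf fragment (hypothetical names and addresses)
options {
    // Everything not matched by a forward zone below goes to the ISP's
    // resolvers; "forward first" means BIND falls back to resolving the
    // name itself if these forwarders do not answer.
    forwarders { 192.0.2.53; 192.0.2.54; };
    forward first;
};

// Queries for the work domain go only to the servers behind the VPN.
// "forward only" never falls back to the ISP, so corp names are not
// leaked; while the VPN is down these queries fail with SERVFAIL
// instead of being answered wrongly by the outside world.
zone "corp.example" {
    type forward;
    forward only;
    forwarders { 10.8.0.2; 10.8.0.3; };
};

// Same for the work address range, so reverse lookups follow the VPN too.
zone "8.10.in-addr.arpa" {
    type forward;
    forward only;
    forwarders { 10.8.0.2; 10.8.0.3; };
};
```

The forwarders are contacted per query, so nothing here depends on the VPN being up when named starts; if the forward zones still misbehave after a restart, check that named is not bound to an interface that only exists once the tunnel comes up. dnsmasq, mentioned later in the thread, does the same job with a one-line `server=/corp.example/10.8.0.2` per domain.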
DNS/Bind is standard and reliable full featured DNS and is supported as part of the base OS. And it has a better security record than many other proprietary systems.
Why would anyone use anything else?
are you still maintaining the qmail web site?
Don't bother telling me about non-open source software to solve this problem, I have open source software that works. The same goes for Qmail.
Though I think the way DJB licenses his gratis software is a shame, I'm not going to take part in the great flamefests about the man - to me, as a cryptographer, he stands as an indisputable contributor of genius to the field.
Xenu loves you!
Seriously. I use it, never had a problem with it. Not that hard to configure if you know how to read.
In fact it's really amazingly much better than the alternatives. bind seems to support more features than most of them.
ddns is important to me, works nicely used with dhcpd, I don't see how I would achieve that using other dns servers.
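Added example, not from the thread or from any poster, for the dhcpd-to-BIND dynamic update setup two posts in this thread refer to. Zone names, file paths, addresses and the key name are placeholders; the shared secret is generated once (with dnssec-keygen on BIND of this era) and pasted into both files.

```conf
// ---- named.conf (BIND 9), hypothetical zone names ----
// The TSIG key is the only thing that authorises updates: anyone who
// holds the secret can rewrite these zones, so keep it out of world-
// readable config and share it with the DHCP server alone.
key "dhcp-update" {
    algorithm hmac-md5;
    secret "REPLACE-WITH-BASE64-FROM-dnssec-keygen";
};

zone "home.example" {
    type master;
    file "dynamic/home.example.db";
    allow-update { key "dhcp-update"; };
};

zone "1.168.192.in-addr.arpa" {
    type master;
    file "dynamic/192.168.1.db";
    allow-update { key "dhcp-update"; };
};

// ---- dhcpd.conf (ISC DHCP 3), same secret ----
ddns-update-style interim;
ddns-domainname "home.example.";
ddns-rev-domainname "in-addr.arpa.";

key dhcp-update {
    algorithm hmac-md5;
    secret REPLACE-WITH-THE-SAME-BASE64;
};

// Tell dhcpd which primary to send signed updates to for each zone.
zone home.example. {
    primary 127.0.0.1;
    key dhcp-update;
}
zone 1.168.192.in-addr.arpa. {
    primary 127.0.0.1;
    key dhcp-update;
}

subnet 192.168.1.0 netmask 255.255.255.0 {
    range 192.168.1.100 192.168.1.199;
    option domain-name-servers 192.168.1.1;
}
```

Once a zone accepts dynamic updates, named keeps its changes in a journal next to the zone file; edit the file by hand only after `rndc freeze`, and `rndc thaw` afterwards, or the hand edits and the journal will fight. hmac-md5 is what this era's tools generate; current BIND and dhcpd both accept hmac-sha256, which is the better choice today.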
Did the survey start with a long list of domain names, then seek out the DNS servers hosting them, or was it an IP scan, to randomly sample DNS servers, Netcraft-style. The choice of methods here will make a big difference on how your results turn out, especially given any biases which will be inherent in a domain name list. Thanks to Don Moore for the work, the DNS-server version percentage breakdowns were particularly revealing. More than half of bind installs are release candidates? Also, the prevalence of Windows2000 over other Windows flavors in domain name server roles says a LOT about how the "trustworthy computing" initiative is playing out for Microsoft. No matter how you slice it (availability, confidentiality, integrity), the domain name system is one component of any networked security strategy.
http://tinyurl.com/4ny52
The reason bind, not djbdns is included with every distro is because djbdns can not be distributed in modified/binary form. I don't really agree with it, but hey, that's how Dan J. Bernstein wants it.
Anyway, compiling djbdns is mad easy (unlike qmail) check this out
I use djbdns anywhere I need DNS server.
Here at
Seriously, I have nothing against BIND. But you should always remember that there are liars, damn liars, and statisticians.
Always value the individual over the system. --Bruce Lee "I don't need a Sig - I have a custom 191" - me
BIND just wouldn't work. It worked at first, until I dumped a bunch of hosts into my zone (only a couple thousand, which isn't much in the grand scheme of things). After it stopped working I happened to get in touch with some of the developers. They just kept telling me to upgrade to the next release.
Some of the problems? Sometimes the CPU would peg at 100% like the program was in a loop, the server would quit resolving after about ten minutes, and the server wouldn't replicate.
My zone files were standard and by the book. The particular developer I was talking to the most (generally) tried to blame the A records I had added (without knowing which ones). I quadruple-checked the entries, all of which followed the RFC. I reinstalled the program, tried it on totally different servers, etc. The problem persisted.
After screwing around with BIND for two weeks I gave up. I switched over to MSDNS. Guess what? The EXACT same file that wouldn't work with BIND worked with MSDNS. This was BIND 9.2. We've been running MSDNS for a few years now with hardly any issues. We ran into some cache pollution once, but once I checked the stupid box to prevent it the problem went away.
It's a pain having to mess with the registry for simple tasks, but I guess it's worth it for a working product. We're building everything programmatically just like we were for BIND. Microsoft did good when it decided to use flat zone files. If only they would make everything so simple...
"Never tell me the odds"
I believe that most people use BIND because it is already used by most people. For the most part, people are afraid of being different. There are some things the people just use blindly even though there may be superior alternatives available; such as BIND, MS Windows, MS Office, Sendmail.
milter, that is.
DJB is lazy. The fact that you need environment variables to run the dns server.
WTF? Environment Variables? Is he smoking crack?
Ever heard of a conf file?
And what about the fact that I need to add a new folder to / to run any of his software? Ever heard of /usr/local? perhaps /usr? Maybe even /opt? But his own special partition? Are you nuts?
This doesn't count the fact of people finding *LEGIT* security flaws in his other software *ahem qmail*, and he refuses to admit it. Even M$ admits to most security flaws brought to their attention.
Seriously, MyDNS requires an SQL database. This is NOT a way of making things easier!
I've never understood what problem people have with BIND. It's as simple as it could possibly be. Everything makes clear sense. The config files are plaintext. It's backwards compatible almost to eternity. I use it because it's the best solution, not the only one.
"People who do stupid things with hazardous materials often die." -- Jim Davidson on alt.folklore.urban
I need miltering. Specifically spamass-milter. A few others, but primarily that.
Karma: Chameleon (mostly due to the fact that you come and go).
10k requests per second doesn't sound like that much.
Just for fun, I wrote a program that calls Python's socket.gethostbyname() 10,000 times, and ran it against a very old (AMD K6, 350MHz, single processor, 384 megs RAM) machine on the local network. The runtime was 13 seconds, and named got about 90% CPU usage during that time.
If your modern dual Xeon box isn't 13 times faster than this years-old box, I kinda feel like you must have gotten ripped off. Y'know, Moore's Law and all.
"Why is it so hard for alternate DNS servers to gain favor ?"
Can be rewritten as:
"Why people don't switch to djdns (which install in stupid places, is mostly unmaintained, is written by an offensive asshole, and that you cannot fork/modify) ?"
or
"Why people don't switch to MyDNS (that just reached version 0.11, indicating that it is really stable) ?"
Jezus. What are people thinking ? He versions his software as 0.11 and then complains publicly on /. that people don't want to use it for the most core function of the Internet.
the guy who wrote this is a cs prof at my university. He's a nut. They actually put him on probation after he failed most of his undergrad classes. The head of the CS dept attempted to take the final exam for a *freshman* class bernstein was teaching and determined he couldn't do it.
Bernstein seems to be a smart guy, but he sure is crazy.
One small reason your DNS server (MyDNS) isn't catching on is that it requires an external DB server process to be set up and running on the system.
I took a look at your system with the intent to try it out but I stopped as soon as I saw that requirement.
True, Its not that huge an extra requirement, but it is an extra step and an extra external dependency.
Adding an internal db (like dbm) to your system so that it's self contained would increase the likelihood of adoption for MyDNS.
Having to run a fairly costly, (In terms of system resources), 3rd party DBMS system in order to have an active DNS server seems a little upside down to me.
djbdns has not been accepted, because it's too non-standard. The main thing is the folders. He creates and uses folders called /service, /command and /doc, instead of following any UNIX filesystem standard. I guess he is suggesting that we abandon /usr, /bin, /lib, and just throw everything at the root level.
Not 10K times, 10K at the same time. 10K connections in 1 second. You do know what per second means don't you?
... and as the article author looks over the raw data, he notices one lone "BoredDNS" installation...
He said "on a related note" and then talked about neatness, which your post mentioned as well.
Don't be a pedantic asshat about on-topic posting.
Did your test script look up the same hostname 10,000 times? Did it look up different hostnames from 350 different domains? Or any different domains?
Vintage computer games and RPG books available. Email me if you're interested.
This is Joel (at IC)..
I personally feel that BIND/Sendmail both have actually weathered quite well and made it through a lot of checking over the years. All the bugs/sploits etc have kind of made both of those packages like the equivalent of a "software cactus" and people feel secure in knowing they have "weathered the storm".
DJB's software is great (i.e. qmail and me go way back, when is yours, IRIS, going to go opensource eh? IRIS could give sendmail a run for its money.) but he seems to, on purpose, want to make it hard to modify and use (i.e. use for distro's) so he is slowly being shut out. Not to mention the fact that he is not bothering to update it or work on it.
If a significant exploit in BIND came out, or a string of significant exploits came out you would see a shift I think. (i.e. Software Darwin'ism) but this has not happened in a while.
In addition, if something new were to be added to DNS, a new way to add things in DNS that for some reason BIND could not support and people wanted to use it, then it would also go the way of the dodo, but time will tell.
I would be interesting to see a timeline survey with important markings of significant exploits to watch the usage change.
Anyway.. cheers.
-joeldg
anime+manga together at last.. in real time.
At the last ripe meeting Peter Koch gave a presentation on what I think was a methodologically better survey than the one presented here. The survey is at: http://www.ripe.net/ripe/meetings/ripe-48/presentations/ripe48-dns-survey.pdf
Use Adsense for Charity
Yeah, this is a group I find rather interesting. Not that all of them are like this, but rather that most of them are.
I tend to see most IT majors, and even ones I am friendly with, as those who want to work in the areas of systems administration and networking. However, they also come across as the types who will be in the perpetual "wanting to learn" mindset, and rarely leaping above that to the "now I know the fundamentals, so let me expand my knowledge" phase.
At my old college, RPI (Troy, NY), I found myself in a situation where I knew a lot of Computer Science majors who were quite knowledgeable in the fields of networking and systems administration, whether or not they planned to pursue a career along those paths. I rarely saw any IT majors, save the rare exception, involved in the ACM or any of the tech groups I was in. (our IT program had a variety of "concentrations," with some closer to CompSci or CompEng than typical of IT, though very few students chose those concentrations)
Now I'm living around a different school, UCF (Orlando, FL), and see a radically different situation. The CompSci students have absolutely no interest or knowledge whatsoever in networking or sysadmin stuff (beyond the odd high-level vague course), and the IT students do, on paper. I am friends with more IT students than CS students, however. But what I do notice, is that while I was a CompSci major myself, I know a lot more about SysAdmin and Networking topics than any of the IT or CS majors around here. (Thankfully enough are interested that I have given presentations on subjects, though it makes it harder to find people to involve in technical projects.)
Except for its ugly, cryptic configuration. It's so ugly and cryptic that bindconf (GUI config tool) creates its own config files and overwrites BIND's files, instead of trying to locate and parse the main config and zone files. This is a big problem if you make changes to BIND's files using vi (or whatever you prefer). Next time you make a change with the GUI your earlier changes get blown away. Hey bindconf folks: bad idea!
TallGreen CMS hosting
My, we're a spunky little bag of pubescent testosterone today...
"...and then talked about neatness, which your post mentioned as well."
...who needs to work on his reading comprehension...
KFG
no mod points today.
Random question: am I the only one who loves MySQL to death, but thinks that it's also horribly overused for EVERYTHING?
:P
I mean....yes, it's incredibly fast. Scalable. Low overhead. But when everything from e-mail to DNS depends on MySQL....it gets a little sickening
You don't need a database server for everything, no matter how it is that you can say "I run my DNS servers off of a MySQL database." It's still way overused.
Like the subject says, I USED to use djbdns for my home DNS server. After a while, when I upgraded the OS on said home DNS server, I got rid of djbdns and moved to BIND. Why, you may ask?
1) I didn't like the fact that I had to use two separate IP addresses for caching and domain hosting. Maybe there was a workaround for it, but at the time I didn't know what it was and it frustrated me to high heaven that I needed two IP addresses on a box that I would have liked to have only used one.
2) The log files didn't print out timestamps in any kind of human-readable format. If I want to see what my system's doing, I don't have time to run the timestamps through some kind of translator.
3) Due to a directory existing where axfrdns didn't expect one in the log directory (and it was a name that it didn't even use), axfrdns did not work at all. I didn't find that out until a power issue brought the DNS server down and the secondary servers didn't have the correct DNS information. Once I removed the directory, axfrdns started working again.
4) Believe it or not, I find BIND zone files to be a bit more readable than tinydns's zone files. It also helps when I'm not forced to name my domain name servers a.something-or-other in the zone file. (Why add a CNAME or A for the one you want to use in the first place?)
5) daemontools.... ugh. Let's not even go there.
Go ahead and mark me as flamebait or what you will. If djbdns works for you, great. But for me, I found djbdns to be much more frustrating than BIND, and since I've migrated over to BIND I haven't had a bit of problem.
Just my $.02...
When you
I do not deploy Linux. Ever.
If this was on fark would we be using the [Obvious] tag?
Personally, when I first encounter massive performance problems on a dedicated production-critical service, I would have contacted the developers and asked them what platform they recommend for running a dedicated server, and switched the base OS to the platform they best support.
Based on the above philosophy, I've ended up actually running more MS-Windows servers in the data center, as many speciality software vendors preferentially support Windows 2000 over UNIX-like systems. And of course any time you run two different applications from two different vendors on the same Windows box, anytime a problem is encountered with Vendor A's application, as soon as the support engineer discovers that another package is running on the same box, Vendor B's application immediately becomes the root cause of the problem :)
I do not deploy Linux. Ever.
have you looked at a zone file lately, or dealt with scripting/automation related to them?
.domain.com::ns1.domain.com
@domain.com::mail.domain.com:10
=domain.com:1.2.3.4
=www.domain.com:1.2.3.4
. for soa, @ for mail, = for alias...how much more intuitive or simple can it get?
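Added example, not from the thread or from djbdns itself: a small parser for the tinydns data format that the two posted snippets (the /etc/tinydns/root/data listing earlier in the thread and the four lines just above) use, so the `.`, `@`, `=` shorthand can be seen expanded into the records tinydns-data would serve. It implements the common line types only (`.` `&` `=` `+` `@` `'` `^` `C`), requires the name-server and mail-exchanger fields to be present rather than reproducing tinydns-data's defaults for empty ones, and the sample data is constructed here from the thread's lines plus an MX, CNAME and TXT record.

```python
import re
from typing import List, Tuple

Record = Tuple[str, str, str]  # (owner, type, rdata)

_OCTAL = re.compile(r"\\([0-7]{3})")


def _unescape(s: str) -> str:
    """tinydns-data writes arbitrary bytes (colons included) as \\ooo octal escapes."""
    return _OCTAL.sub(lambda m: chr(int(m.group(1), 8)), s)


def _ptr_name(ip: str) -> str:
    return ".".join(reversed(ip.split("."))) + ".in-addr.arpa"


def _host(x: str, suffix: str) -> str:
    # tinydns rule: a bare label x means x.<suffix>; a name containing a dot is used as-is.
    return x if "." in x else f"{x}.{suffix}"


def parse_line(line: str) -> List[Record]:
    if not line or line[0] in "#-":      # comment, or a record disabled with '-'
        return []
    kind, fields = line[0], line[1:].split(":")
    fields += [""] * (8 - len(fields))   # pad so positional access never fails
    fqdn = fields[0]
    out: List[Record] = []
    if kind in ".&":                      # NS, plus A for the server, plus SOA for '.'
        ip, x = fields[1], fields[2]
        if not x:
            raise ValueError("empty name server field is not handled by this parser")
        ns = _host(x, f"ns.{fqdn}")
        out.append((fqdn, "NS", ns))
        if ip:
            out.append((ns, "A", ip))
        if kind == ".":
            out.append((fqdn, "SOA", f"{ns} hostmaster.{fqdn}"))
    elif kind in "=+":                    # A, and for '=' the matching PTR
        ip = fields[1]
        out.append((fqdn, "A", ip))
        if kind == "=":
            out.append((_ptr_name(ip), "PTR", fqdn))
    elif kind == "@":                     # MX, plus A for the exchanger if an IP is given
        ip, x, dist = fields[1], fields[2], fields[3] or "0"
        if not x:
            raise ValueError("empty mail exchanger field is not handled by this parser")
        mx = _host(x, f"mx.{fqdn}")
        out.append((fqdn, "MX", f"{dist} {mx}"))
        if ip:
            out.append((mx, "A", ip))
    elif kind == "'":
        out.append((fqdn, "TXT", _unescape(fields[1])))
    elif kind == "^":
        out.append((fqdn, "PTR", fields[1]))
    elif kind == "C":
        out.append((fqdn, "CNAME", fields[1]))
    else:
        raise ValueError(f"unsupported record type {kind!r}")
    return out


def parse(data: str) -> List[Record]:
    records: List[Record] = []
    for n, line in enumerate(data.splitlines(), 1):
        try:
            records.extend(parse_line(line))
        except ValueError as e:
            raise ValueError(f"line {n}: {e}") from None
    return records


# Constructed sample: the lines posted in the thread plus an MX, a CNAME and a TXT record.
SAMPLE = """\
.pnet:10.0.3.33:a:259200
.10.in-addr.arpa::ns.pnet:
#Define hosts & aliases
=pollux.pnet:10.0.3.1
=altair.pnet:10.0.3.2
@pnet::mail.pnet:10
Cwww.pnet:pollux.pnet
'pnet:v=spf1 a mx -all
"""

if __name__ == "__main__":
    for owner, rtype, rdata in parse(SAMPLE):
        print(f"{owner:28} {rtype:5} {rdata}")
```

Running it shows why the format is terse: one `=` line yields both the A record and its reverse PTR, and `.pnet:10.0.3.33:a:259200` yields the NS record, the glue A for a.ns.pnet and the zone's SOA. The flip side, which the complaints in this thread about being forced into a.ns.yourdomain names come from, is the bare-label rule in `_host`: only a name containing a dot escapes the `x.ns.fqdn` convention.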
With regards to two threads that seem to running here: how easy is BIND to use and how easy is sendmail to use. Like most self respecting geeks I learned how to set and manage these services, but ultimately decided I had more important things to do with my time. For BIND I started using Mice and Men's QuickDNS, which (I believe) is built on top of BIND. Very Easy to use and their support rocks. I finally bailed on that and just started using the free DNS service my domain host provides. I just didn't need more than 8 different addresses to resolve (thank you NAT), so why bother? One less machine to run and service to worry about... Similar story with Sendmail... used it forever, but finally switched to CommuniGate Pro, which is way easier to deal with and runs like a champ. I've probably saved myself the cost of the license just in saved time alone, not to mention that now I can delegate some of this work to junior IT members.
There are other reasons not to want to use your DB for everything. What if it goes down / gets corrupted? What if some wacked query for some other application makes your DNS server unresponsive?
The best way to use a DB in maintaining zone files is to store the master copy there, but then dump a BIND zone file out for production. Many huge ISP's do this.
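Added example, not from the thread: the "master copy in a database, dump a zone file for production" pattern above, reduced to the part that actually bites people, the SOA serial. The record list stands in for whatever the database returns; the names and addresses are placeholders. The serial is bumped only when the record set really changed, and in YYYYMMDDnn form it must never move backwards, since that is the only thing secondaries look at to decide whether to transfer the zone.

```python
import datetime as dt
from typing import Iterable, List, Optional, Tuple

Record = Tuple[str, str, str]   # (owner relative to the origin, type, rdata)


def next_serial(current: int, today: str) -> int:
    """YYYYMMDDnn serial: first change of a day is nn=00, later changes increment.
    Never goes backwards; a serial that decreases is ignored by secondaries."""
    base = int(today) * 100
    if current < base:
        return base
    if current % 100 == 99:
        raise ValueError("100 changes in one day; switch to a plain counter")
    return current + 1


def render_zone(origin: str, serial: int, primary: str, hostmaster: str,
                records: Iterable[Record], ttl: int = 3600) -> str:
    lines: List[str] = [
        f"$ORIGIN {origin}.",
        f"$TTL {ttl}",
        f"@ IN SOA {primary}. {hostmaster}. ( {serial} 7200 900 1209600 300 )",
    ]
    for owner, rtype, rdata in records:
        if any(c.isspace() for c in owner):
            raise ValueError(f"bad owner name {owner!r}")
        if rtype == "TXT" and not rdata.startswith('"'):   # quote free-text rdata
            rdata = '"' + rdata.replace('"', '\\"') + '"'
        lines.append(f"{owner or '@'} IN {rtype} {rdata}")
    return "\n".join(lines) + "\n"


def current_serial(zone_text: str) -> int:
    for line in zone_text.splitlines():
        if " IN SOA " in line:
            return int(line.split("(")[1].split()[0])
    raise ValueError("no SOA line found")


def _without_soa(zone_text: str) -> List[str]:
    return [l for l in zone_text.splitlines() if " IN SOA " not in l]


def regenerate(previous: Optional[str], origin: str, primary: str, hostmaster: str,
               records: Iterable[Record], today: Optional[str] = None) -> Tuple[str, bool]:
    """Return (zone_text, changed). The serial is bumped only when the record set
    differs from `previous`, so secondaries are not made to transfer for nothing."""
    today = today or dt.date.today().strftime("%Y%m%d")
    records = list(records)
    old = current_serial(previous) if previous else 0
    if previous and _without_soa(render_zone(origin, old, primary, hostmaster, records)) \
            == _without_soa(previous):
        return previous, False
    return render_zone(origin, next_serial(old, today), primary, hostmaster, records), True


if __name__ == "__main__":
    # Constructed records, as a database query might return them (placeholder names).
    rows = [("", "NS", "ns1.example.net."), ("", "MX", "10 mail"),
            ("www", "A", "192.0.2.10"), ("", "TXT", "v=spf1 mx -all")]
    text, changed = regenerate(None, "example.com", "ns1.example.net",
                               "hostmaster.example.com", rows, "20060120")
    print(text, "changed:", changed)
```

In production the dump would be followed by `named-checkzone` on the new file and `rndc reload` only if the check passes, so a bad row in the database cannot take the zone down; the "wait hours for the reparse" complaint later in this thread is about sites that skip the reload step and wait for a cron job.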
Damn, that is OLD!
Version 0.9
Released March 1st, 1999
And people are STILL running it. heh.
Did you RTFA?
Because there it says:
70.105% 24,335,752 BIND
15.571% 5,405,266 TinyDNS
That must account at least for some exposure...
I haven't seen any comments on dnsmasq - it seems to be a small, easy-to-configure caching nameserver suitable for use on a home network (or maybe a small business). It also has some hooks for handling DHCP-assigned IP addresses.
Has anyone had any bad experiences using it?
Bind: 72
TinyDNS: 446
Mickysoft: 21
I guess if you want to serve more than 21 domains, you have to buy an extra Windoze server to handle the load :-)
It follows the RFCs.
Who needs those. Remembering a boat load of IP addresses is so much more useful.
Remember, 50% of people are below average...
BIND does not work properly with ADS if you have multiple domain controllers on separate subnets.
Microsoft DNS will return the domain controller on your subnet as the topmost entry in your AD domain. Bind returns them in round robin order. Needless to say that this causes big problems in larger networks as users end up logging on to inappropriate servers.
When I was investigating this problem the BIND answer was that sorting results is a problem for the client resolver and not the dns server.
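Added example, not from the thread or from ISC: BIND 9 does have a server-side knob for the ordering problem described above, the `sortlist` option, which reorders the records in a response according to the address the query came from. The subnets are placeholders for the sites in the poster's network.

```conf
// BIND 9 named.conf fragment (hypothetical subnets, one per site)
options {
    sortlist {
        // Clients in 10.1.0.0/16 see 10.1.0.0/16 answers first, then 10.2.0.0/16,
        // then everything else in the order BIND would otherwise use.
        { 10.1.0.0/16; { 10.1.0.0/16; 10.2.0.0/16; }; };
        // And the mirror image for the second site.
        { 10.2.0.0/16; { 10.2.0.0/16; 10.1.0.0/16; }; };
    };
};
```

Each entry pairs a client address match with a preference list for the answer addresses; it applies to A record sets with several addresses, which is the case here. The other half of what Microsoft DNS does is not ordering at all: domain controllers register site-scoped SRV names (`_ldap._tcp.<site>._sites.dc._msdcs.<domain>`) by dynamic update, and clients that know their site query those names first, so a BIND server that accepts the controllers' updates gets the same behaviour without any sorting.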
13 times faster than 350 mhz would be 4.55 Ghz, so no it probably isn't 13 times faster
Snowden and Manning are heroes.
This is a major weakness of Open Source because since software is under constant development and bug fixing and security hole patching is priority, few programs ever become feature complete.
Hm..I consider most software to be an evolutionary process. You start out with a need, you write the software, and then someone else sees a little bit further out and says, "gee, I like what you've done, but it would be so much more useful if it [insert most wanted feature here]". I can't think of a single piece of software I've used that had everything I wanted. I don't think there will ever be one, either. It's like the bear and the mountain - each new version is another mountain, and once we get to the other side, we're apt to see more things we'd like the software to do for us.
bind was the first unix dns implementation and its user base has a lot of inertia. ISC supports it, both for free and for fee. it follows RFC's. there's DLZ for folks who need sql-driven zone or config data (and we're working with DLZ's author to integrate it into an upcoming BIND9 release). BIND4 and BIND8 were subject to exploit-of-the-year syndrome but BIND9 (released in Y2K) has been exploit free.
but the number one reason folks do use, or should use, BIND is that ISC wants to help you use it, including answering questions, accepting contributed code, adding requested features whenever possible, using a BSD-style license, and otherwise working to ensure BIND's relevance.
if you prefer something else, that's cool. but according to ISC's own survey, most servers on the internet today run BIND, and we at ISC could not possibly be any more pleased about that than we are. making DNS work, and keeping the specifications in the hands of what you now call "the open source community" has been our goal from day 1.
paul vixie
I see people bash bind and praise djbdns, but I personally have never had a problem with bind. It was relatively easy to setup and it's relatively easy to maintain and has a decent amount of power to it. Granted, I'm just doing simple tasks of dns for sites and nothing very complicated.
I'm not opposed to switching but given that my time is already crunched, I will probably keep using bind so I don't have to spend the time learning how to setup djbdns.
Now if some huge security hole was discovered that affected me directly and there was an actual need to switch, I would spend the time and do it.
Until then I'll probably keep using bind since my distro gives me the choice to choose my dns server.
BTW, this same post could be used for sendmail.
The man who trades freedom for security does not deserve nor will he ever receive either. - Benjamin Franklin
While the poster's test has some other problems (which isn't exactly unexpected for a quickie test; if all you folks are so smart, why don't you post your own tests and results?), this isn't one of them. DNS isn't connection oriented (most of the time); for your standard gethostbyname-type operation, it basically services a bunch of UDP packets. A DNS server will have one 'socket' open to the DNS port, and then dispatch accordingly as it receives datagrams. Having more than one socket bound to the port would be impossible, and having more than one file descriptor map to the same socket is usually less-than-useful because of synchronization overhead (although it can be done, especially with UDP datagrams, since they act like atomic requests).
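Added example, not from the thread or from any poster, for the measurement argument running through the last few posts: a serial loop of gethostbyname() measures the client's round trips, not the server's capacity. This code builds DNS queries on the wire directly, pushes many of them through one UDP socket with replies in flight at the same time (the single-socket datagram model the post above describes), and counts what comes back. It also parses the answers, including name compression pointers, with a hop limit so a hostile reply cannot loop it. The sample response is constructed here; the server address and names on the command line are whatever you want to load.

```python
import socket
import struct
import time
from typing import Dict, List, Tuple


def encode_name(name: str) -> bytes:
    out = b""
    for label in name.rstrip(".").split("."):
        raw = label.encode("ascii")
        if not 0 < len(raw) < 64:
            raise ValueError(f"bad label {label!r}")
        out += bytes([len(raw)]) + raw
    return out + b"\x00"


def build_query(qid: int, name: str, qtype: int = 1) -> bytes:
    # header: id, flags (only RD set), qdcount=1, ancount, nscount, arcount
    header = struct.pack("!HHHHHH", qid, 0x0100, 1, 0, 0, 0)
    return header + encode_name(name) + struct.pack("!HH", qtype, 1)


def decode_name(msg: bytes, off: int) -> Tuple[str, int]:
    """Read a possibly compressed name; return (name, offset just past it)."""
    labels, end, jumped, hops = [], off, False, 0
    while True:
        ln = msg[off]
        if ln & 0xC0 == 0xC0:                      # compression pointer
            if not jumped:
                end = off + 2
            off = struct.unpack("!H", msg[off:off + 2])[0] & 0x3FFF
            jumped, hops = True, hops + 1
            if hops > 64:                          # hostile reply: pointer loop
                raise ValueError("compression loop")
            continue
        off += 1
        if ln == 0:
            return ".".join(labels), (end if jumped else off)
        labels.append(msg[off:off + ln].decode("ascii"))
        off += ln


def parse_response(msg: bytes) -> Dict:
    qid, flags, qd, an, _, _ = struct.unpack("!HHHHHH", msg[:12])
    off = 12
    for _ in range(qd):                            # skip the echoed question
        _, off = decode_name(msg, off)
        off += 4
    answers: List[Tuple[str, int, str]] = []
    for _ in range(an):
        name, off = decode_name(msg, off)
        rtype, _, ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        rdata, off = msg[off:off + rdlen], off + rdlen
        if rtype == 1 and rdlen == 4:              # A record
            answers.append((name, ttl, socket.inet_ntoa(rdata)))
    return {"id": qid, "rcode": flags & 0xF, "answers": answers}


def run_load(server: str, names: List[str], timeout: float = 2.0, burst: int = 64) -> Dict:
    """One query per name through ONE UDP socket, draining replies between
    bursts so the kernel receive buffer does not silently drop them."""
    if len(names) > 0xFFFF:
        raise ValueError("query ids are 16 bits; at most 65535 names per run")
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    sock.setblocking(False)
    pending = dict(enumerate(names))
    answered = 0

    def drain() -> None:
        nonlocal answered
        while True:
            try:
                msg, _ = sock.recvfrom(4096)
            except BlockingIOError:
                return
            try:
                qid = parse_response(msg)["id"]
            except (ValueError, struct.error, IndexError):
                continue                           # junk or truncated reply
            if pending.pop(qid, None) is not None:
                answered += 1

    t0 = time.monotonic()
    for qid, name in list(pending.items()):
        sock.sendto(build_query(qid, name), (server, 53))
        if qid % burst == 0:
            drain()
    deadline = time.monotonic() + timeout
    while pending and time.monotonic() < deadline:
        drain()
        time.sleep(0.005)
    elapsed = time.monotonic() - t0
    sock.close()
    return {"answered": answered, "total": len(names), "qps": round(answered / elapsed, 1)}


# Constructed reply to build_query(0x1234, "www.example.com"): rcode 0 and one A record
# whose owner is a pointer (0xC00C) back to the question name; 192.0.2.1 is a documentation address.
SAMPLE_RESPONSE = (
    b"\x12\x34\x81\x80\x00\x01\x00\x01\x00\x00\x00\x00"
    b"\x03www\x07example\x03com\x00\x00\x01\x00\x01"
    b"\xc0\x0c\x00\x01\x00\x01\x00\x00\x01\x2c\x00\x04\xc0\x00\x02\x01"
)

if __name__ == "__main__":
    import sys
    if len(sys.argv) > 2:       # e.g. python dnsload.py 10.0.3.33 pollux.pnet altair.pnet ...
        print(run_load(sys.argv[1], sys.argv[2:]))
    else:
        print(parse_response(SAMPLE_RESPONSE))
```

Two things this makes visible that the gethostbyname loop hides: the same name asked 10,000 times is answered from cache after the first reply, so use distinct names (the point raised a few posts up), and the answered/total gap at a given burst size is the server's drop rate, which is the number a "requests per second" claim should come with. Run it only against servers you operate.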
Yeah, and then they have to wait hours before that BIND zone has been reparsed and reloaded if updated.
And powerdns does grok bind zonefiles, btw.
I've been running Posadis on a Windows 2000 server for about three months now, and it's been nothing but awesome. Rock solid stable, and easy to config. Took me a while to find the rare gem, though. It's hard to find an open-source/free DNS server for Windows.
What would you like to do?
[ ] Install and configure a non-default DNS server?
[ ] Surf the web for Pr0n now!
[Back][Next][Finish][Cancel]
Yeah, and then they have to wait hours before that BIND zone has been reparsed and reloaded if updated
That's an implementation design issue, not a technical limitation of the concept.
that's why you have companies like www.infoblox.com making it easier for people to use bind.
Not lazy (or not just lazy): more to the point, most people don't care! Most people want the service, but don't care about the fiddly details of how it works. If it comes with the system and works, why should they mess around looking for alternatives? If there are hundreds of books on it, why switch to something else, especially if you don't care?
Me, I use /etc/hosts files, at least at home, where I am in charge, and there's barely a half-dozen machines to worry about. :)
At most places I've worked, DNS is a tiny part of what's going on in the organization. A critical part, but a tiny part. Often, there's no particular person assigned to maintain the DNS. Instead, it's simply a (small) part of the duties of the admin or ops team. And since it's a team responsibility, and the team members may change over time, it's better and easier to stick with something widely known (e.g. bind). Especially since nobody really cares, as long as it works.
Lots of places I've worked at have had several dedicated email administrators, and email is their primary (only) responsibility, so they care! So alternate email systems like qmail and postfix and whatnot are not uncommon. But DNS is just something that most people don't care about as long as it works.
No. I have apache, proftp, postfix, courier, and mydns all pulling from 4 tables. For apache 1.3.x I found mod_shapvh that lets you pull vhosts from mysql. The rest of them all have native support. I also use libpam-mysql and libnss-mysql for having users owning files when they don't have accounts in /etc/passwd.
Yes.. it's a sick sick MySQL fetish.
Compatibility with the majority of name servers is crucial--name one name server software daemon which is entirely compatible with BIND, offers its own set of features and functionality that is superior to BIND, and is open source.
The qmail and djbdns ebuilds provided by gentoo automagically download DJB's sources as well as all of the popular patches (including qmailscanner), and then apply the patches and build it all very cleanly for you. No fuss, no muss, no license violations, no FUD.
Then again, I guess a lot of people are still a little afraid of gentoo (if not quite as much as DJB's scathing condescending wrath).
Simple: support for views, and licensing that allows redistribution.
I absolutely, positively require view support, which nobody but BIND that I know of supports. TinyDNS might, but I can't so much as consider it due to the license; we're distributing servers with a fairly custom software environment, and DJB's terms make that a no-no. (This is also why we're using runit rather than daemontools).
Support views in something that supports pulling info (not just zone info, but definition of what the zones are, what the views are, what the ACLs are, etc a la named.conf) directly from a database and I'll be happy as a clam. 'Till then, I run BIND.
You might want to read the first line of the djbdns security guarantee:
$500 is hardly $50,000 but even if it was $50,000, please keep in mind that a hypothetical non-public exploit of tinydns would be worth much more than $50,000 for anyone who would want to use it seriously. Please remember that by compromising a DNS server you can effectively control mail and websites, even without compromising the mail and web servers themselves. I have already seen web traffic for compromised domains routed through proxy servers controlled by attackers (or smtp traffic redirected via external relays, for that matter). This might be very powerful and can be quite hard to detect, especially when you provide correct dns info to the internal network.
With all due respect to D. J. Bernstein, even though I do believe that his name server is probably the most secure one in use today, his cracking contest is hardly meaningful. There is an interesting article, The Fallacy of Cracking Contests by Bruce Schneier, published in the December 1998 issue of The Crypto-Gram Newsletter:
Sincerely,
Pan Tarhei Hosé, PhD.
Another reason is that tinydns, daemontools and other DJB utilities are very inconsistent. Try to get -h output from these utilities or read a man page. Something like man svc! Or maybe svc -h? Ooops. This is the standard drill for any unix utility. To read documentation for these you have to search the net! AFAIR tcpserver gives a short description of its arguments but no man page anyway. And DJB knows how to write man pages, he did it for qmail for example. Fuck.
When something is much more popular than its alternatives, you get a number of benefits:
For example, there are packages to connect BIND with DHCP servers, allowing dynamic DNS for DHCP clients. You're unlikely to find those as easily for another DNS server. The same thing was true for sendmail -- there were tons of programs that expected to be able to use /usr/bin/sendmail. That required people writing other mail programs to stub out this binary.
@ Parent of yours: you can also use bind zone files, PostGre, LDAP, and _many_ others...
"There are other reasons not to want to use your DB for everything. What if it goes down / gets corrupted? What if some wacked query for some other application makes your DNS server unresponsive?"
Ever heard of "backing things up"? Replicating? Failover? I'm not backing you up.
I don't understand how a sample of roughly 24 and 1/3rd million is a "tiny number".
Perhaps you have a very weird definition of "tiny" that really means big.
Random question: am I the only one who loves MySQL to death, but thinks that it's also horribly overused for EVERYTHING?
No, I think this is precisely the niche for MySQL, as MySQL is not and never will be an SQL DBMS a la Postgresql, Oracle, etc. Those applications don't represent everything that some idiots are trying to push MySQL into.
If MySQL fanboys would simply be happy with using it for their small, mostly read-only applications (DNS/LDAP/auth/non mission critical message board) database and quit trying to convince me that it's an Oracle killer, I would consider that ideal.
It might as well be good for something. Basically MySQL is like a Berkeley DB with a slightly more general/useful out of the box interface (The limitations of SQL don't really become a big issue for the ideal MySQL applications). And since it is still fast and low overhead with that ready to go interface (relative to BDB), why shouldn't it be used?
You are a liar and calling me a troll doesn't change anything.
In fact when you get called on your lies you start insulting my mother, my face, and bragging about your massive slashdot epenis regarding your modifier points???
WTF? You have no credibility.