Slashdot Mirror


BIND Is Most Popular DNS Server

bleachboy writes "Last week I completed a new DNS server survey, since D. J. Bernstein's hasn't been updated for years. Not surprisingly, BIND wins. Why is it so hard for alternate DNS servers to gain favor, especially when BIND can be so frustrating sometimes? And yes, I'm shilling."

38 of 452 comments

  1. probably by greechneb · · Score: 5, Insightful

    probably since most distros (BSD & Linux) include BIND as their default DNS server. People are lazy.

    1. Re:probably by kinema · · Score: 4, Insightful
      > People are lazy.

      If laziness dictated what DNS server people ran I find it hard to believe that they would choose BIND. BIND is hardly the simplest DNS server out there to learn, set up and maintain.
    2. Re:probably by missing000 · · Score: 4, Insightful

      It may not be "simple", but it is /powerful/.

      Do you live in a DOS shell? It's "simple" - so is driving a golf cart or programming in BASIC.

      Simple is not equal to good. Very few people would actually choose simple over capable any day.

    3. Re:probably by kfg · · Score: 5, Insightful

      It depends on what you mean by lazy.

      Ever see someone toss a coat on the floor rather than hang it up, and then go back later to hang it up anyway?

      Most lazy people create an extraordinary amount of needless labor for themselves and then berate people who have a lot of free time because of their efficiency as "lazy."

      It's very peculiar.

      KFG

    4. Re:probably by kfg · · Score: 2, Insightful

      > pfft, why should you ever go back to hang up your coat when you've thrown it in a perfectly good spot.

      I haven't a clue, but people do.

      KFG

    5. Re:probably by linzeal · · Score: 2, Insightful
      If you want logical organization you are going to have to label where everything goes, that has been my exp with past live-in gf. Get a label maker and put labels on the bottom of drawers and on the inside of cabinet doors for each shelf and section of drawer. For large bulky items like Christmas decorations put them on storage containers on at least 2 sides so that when you store them you can see what is in there.

      This is a fun weekend project as you get to walk around your place with your SO and figure out 'exactly' where things should go.

  2. arrr! by Baka_kun · · Score: 0, Insightful

    the old mighty conservative geeks win again!

  3. De Facto by the_mad_poster · · Score: 5, Insightful

    Because no matter what ridiculous flaws it has in it, it's the de facto standard by which all other (frequently superior) systems are measured. People figure "gee.... I wanna learn DNS servers", they think BIND. They think "gee.... I wanna learn SMTP servers". They think sendmail.

    It's the same flawed system that supports Windows, but executed to a much greater extent. People are familiar with it, so despite the fact that BIND and sendmail are absolute abominations, they get used.

    The geeks bitch about people using Windows even though "such far superior" systems exist as alternatives, but we keep using the horrendous abortion that is BIND even though there are superior alternatives that are free. I guess we can't stand the taste of our own medicine, hm?

    --
    Alito: A vote for Alito is a punch in the eye to put that bitch back in her place!
    1. Re:De Facto by winchester · · Score: 2, Insightful
      False arguments. At least the possibility for people to run other software in full compliance with the published standards (RFCs), thus providing full interoperability exists.

      With Windows, you do not get that choice... either you use what Microsoft provides you or you don't use it at all. There is no choice. On Unix, there is.

    2. Re:De Facto by Psiren · · Score: 3, Insightful

      > When other MTAs can match Sendmail's flexibility, then maybe I'll consider switching. But not before.

      I haven't used sendmail in years, having switched over to exim a long while ago. Out of interest, what does sendmail offer you that exim doesn't?

    3. Re:De Facto by stephenbooth · · Score: 4, Insightful

      There's also the fact that, due to its current dominance, if I buy a book about DNS it probably assumes BIND. Therefore in a lot of people's heads BIND = DNS. Heck, for that very reason if I had to set up a DNS server (I'm not a networking expert) I'd select BIND as then I know that there's going to be examples in a book I can adapt to suit what I want to do. If it's not my core area then I don't want to have to spend hours learning how to configure a system, I just want to copy something out of a book and for it to work. Looking at the MyDNS site that has a second strike against it, it requires MySQL. Not only do I have to learn to set up and configure the product I actually want but I also have to learn another unrelated product! At least BIND uses text files, I know how to edit those.

      Stephen

      --
      "Don't write down to your readers, the only people less intelligent than you can't read" - Sign on Newspaper Office Wall
    4. Re:De Facto by Apreche · · Score: 5, Insightful

      True that. But in addition, because it is the de facto standard, it's what they teach college students in IT classes. I'm a CS major, and I know quite a few IT majors around here. If you asked most of them to set up a DNS server they could. If you asked how, they would say "the bind command". Because they are all windowsy, they don't realize bind is a piece of software that is replaceable. They were taught how to do things a certain way, and they don't know to do it differently.

      Not all IT majors are that dumb, some of them deserve some credit.

      The other problem is that old pain in the butt standard programs like bind and sendmail are feature complete. Because they are old and used by tons of people they have all the features in them, working properly. It may be a horrid pain in the ass to make them work, but it can be done. And while there are many nice new alternative programs that serve the same functionality in an easy clean fast way, you'll be hard pressed to find one that can do everything. I can't tell you how often Who will use a piece of software that they know is terrible, will admit to it being terrible, even complain about it being terrible, because it is the only one with a single feature that is necessary. Made up Example: One website someone visits often only works in IE. They love Firefox, but it's too much of a pain to visit that one site.

      There's some guy out there using bind who wants to use something else, but can't because he needs one tiny feature that nothing else has. This is a major weakness of Open Source because since software is under constant development and bug fixing and security hole patching is priority, few programs ever become feature complete.

      --
      The GeekNights podcast is going strong. Listen!
    5. Re:De Facto by CrankyFool · · Score: 4, Insightful

      After about ten years of using Sendmail (I was using Sendmail back when you had to understand rulesets and how to hack LHS/RHS of rules), I switched to Postfix. I am happier than a pig in mud for a whole bunch of reasons and consider Postfix a superior MTA.

      I have at least one acquaintance who, on his very large enterprise, runs Sendmail at the edge (and Exchange internally, but that's not his choice). Why? Because that way, he doesn't need to worry about separate patch management for his MTA -- Sun makes sure his MTA is up to date, and he doesn't have to document "this is how to install the MTA" separately.

      Is he using an inferior MTA? I believe so. So does he. But the ways in which Sendmail is less good don't affect him nearly as much as the way in which it is better -- by lowering maintenance costs (or, really, just rolling them into the ridiculous amount he pays Sun -- though he could get the patches for free, of course).

      With respects to my fellow sysadmins here -- obviously, some of you are vastly superior to me in all matters technical -- we really should know by now that sometimes, we make technical decisions for reasons that are not purely technical. The reasons people choose Sendmail over Postfix are usually in that sort of category, as well as the reason people choose BIND over other DNS servers (BTW, BIND is also the default DNS server on Solaris).

      I don't see this as a huge problem, except for (I guess) people who take it personally that not 'enough' people use the software they developed with great effort (though I don't see Wietse complaining "more people should be using Postfix!"). Unlike the Windows situation, it's not like the fact that, likely, most people I communicate with use Sendmail means I'm forced into using Sendmail. UNIX-based MTAs (Sendmail, Postfix, qmail, exim, other custom MTAs) mostly seem to be fairly standards-compliant, much like DNS servers (go ahead. Point out some obscure thing that 99% of people don't use where BIND doesn't follow the spec, just so I can laugh at you). So BIND and Sendmail dominate? Fine. I'll still run Postfix and ... well, BIND. Who cares?

    6. Re:De Facto by jonadab · · Score: 1, Insightful

      > I'm not going to claim the syntax looks good at first glance

      The major objection to sendmail isn't syntax; it's security. sendmail is on
      the very short list of programs I disallow on my network for security reasons.
      Its security track record is every bit as bad as IIS, and the problem is a
      core problem with the philosophy of the developers: they patch specific
      vulnerabilities, but they don't have any interest in fixing the core design
      that _leads_ to all those vulnerabilities.

      Fundamentally, sendmail runs as root while processing untrusted data arriving
      from the internet. That's a major fundamental security no-no. You just don't
      *do* that. Apache doesn't do that. proftpd doesn't do that. There's no
      *need* to do that, but sendmail does it anyway for arcane historical reasons.

      > but then most perl programs look like line noise too

      Now *you're* trolling. The only Perl programs that look like line noise
      are the ones that are deliberately obfuscated, like my signature.

      --
      Cut that out, or I will ship you to Norilsk in a box.
    7. Re:De Facto by daviddennis · · Score: 3, Insightful

      As others have said, I think the main reason people use BIND is that it's in all the examples in the standard books (mainly O'Reilly) we use to learn.

      I was unaware DNS servers really needed much in the way of features for most people. In fact, I thought it was about the simplest thing in the world - get a request, look it up in a table and return the results. Not exactly rocket science, and the BIND configuration file's pretty ugly looking if my memory serves.

      I think overcomplexity is one of the biggest problems with the software world as it is today. It's worst on Windows, of course, but Sendmail and BIND are proof that Unix has similar problems too.

      D

    8. Re:De Facto by daviddennis · · Score: 2, Insightful

      Well, I meant that was what a DNS server does. It gets a request, and looks it up in a lookup table. That's all most people running DNS servers really need.

      You're over-complicating things for simple applications if you use the software meant to distribute DNS over an entire network of servers for your single web site which just needs to receive a request for www.amazing.com and return an address.

      D

  4. Re:It is the default, and not hard to understand by Russ+Nelson · · Score: 1, Insightful

    Actually, the BIND zone file layout is error prone. How many times have you forgotten to update a serial number? How many times have you forgotten to put a dot at the end of a name?

    Also, BIND allows you to mix caching and authoritative services. Not only is this insecure in nature, it's insecure in BIND's implementation. Much safer to have them on different IP addresses.
    -russ

    --
    Don't piss off The Angry Economist
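
The two zone-file mistakes named in the comment above (a serial number that was not updated, a name missing its trailing dot) can be checked for before a reload. This is an added example, not part of the thread and not BIND's own tooling: a small Python lint in which the zone contents, the `example.com.` names and all function names are constructed for illustration.

```python
"""Lint a BIND-style zone file for a missing trailing dot and a stale serial."""

# Record types whose RDATA carries a domain name, and that name's position.
NAME_FIELD = {"NS": 0, "CNAME": 0, "PTR": 0, "MX": 1}


def logical_lines(zone_text):
    """Yield (lineno, text): comments removed, "( ... )" groups joined.
    Simplification: a ';' inside a quoted TXT string is not handled."""
    buf, start, depth = "", 0, 0
    for lineno, raw in enumerate(zone_text.splitlines(), 1):
        line = raw.split(";", 1)[0].rstrip()
        if depth == 0:
            buf, start = line, lineno
        else:
            buf += " " + line.strip()
        depth += line.count("(") - line.count(")")
        if depth == 0 and buf.strip():
            yield start, buf.replace("(", " ").replace(")", " ")


def parse(zone_text, origin):
    """Return [(lineno, origin, rtype, rdata, text)], following $ORIGIN."""
    out = []
    for lineno, line in logical_lines(zone_text):
        fields = line.split()
        if not fields:
            continue
        if fields[0].upper() == "$ORIGIN":
            origin = fields[1]
            continue
        if fields[0].startswith("$"):
            continue  # $TTL, $INCLUDE: not needed for these checks
        if not line[0].isspace():
            fields = fields[1:]  # drop the owner name
        while fields and (fields[0].isdigit() or fields[0].upper() == "IN"):
            fields = fields[1:]  # drop optional TTL and class
        if fields:
            text = " ".join(line.split())
            out.append((lineno, origin, fields[0].upper(), fields[1:], text))
    return out


def missing_dots(zone_text, origin):
    """Flag names that contain dots but no trailing dot: the server appends
    the origin to them. Returns [(lineno, name_as_written, name_as_served)]."""
    findings = []
    for lineno, org, rtype, rdata, _ in parse(zone_text, origin):
        if rtype == "SOA":
            names = rdata[:2]
        elif rtype in NAME_FIELD and len(rdata) > NAME_FIELD[rtype]:
            names = [rdata[NAME_FIELD[rtype]]]
        else:
            names = []
        for name in names:
            if "." in name and not name.endswith("."):
                findings.append((lineno, name, f"{name}.{org}"))
    return findings


def soa_serial(zone_text, origin):
    """Serial from the SOA record (this example assumes one is present)."""
    for _, _, rtype, rdata, _ in parse(zone_text, origin):
        if rtype == "SOA":
            return int(rdata[2])


def serial_not_bumped(old_text, new_text, origin):
    """True if records changed but the serial did not increase.
    Simplification: plain integer compare, no RFC 1982 wraparound."""
    def body(text):
        return sorted(t for _, _, rt, _, t in parse(text, origin) if rt != "SOA")
    changed = body(old_text) != body(new_text)
    return changed and soa_serial(new_text, origin) <= soa_serial(old_text, origin)


# Constructed sample zones: NEW_ZONE drops a dot on the MX target, adds a
# CNAME without a trailing dot, and keeps the old serial.
SOA = ("$ORIGIN example.com.\n$TTL 3600\n"
       "@   IN SOA ns1.example.com. hostmaster.example.com. (\n"
       "        2024010101 ; serial\n        7200 3600 1209600 3600 )\n"
       "    IN NS  ns1.example.com.\n")
HOSTS = "ns1 IN A   192.0.2.53\nmail IN A  192.0.2.25\n"
OLD_ZONE = SOA + "    IN MX  10 mail.example.com.\n" + HOSTS
NEW_ZONE = (SOA + "    IN MX  10 mail.example.com\n" + HOSTS
            + "www IN CNAME web.example.com\n")

if __name__ == "__main__":
    for lineno, written, served in missing_dots(NEW_ZONE, "example.com."):
        print(f"line {lineno}: {written!r} will be served as {served!r}")
    print("serial not bumped:", serial_not_bumped(OLD_ZONE, NEW_ZONE, "example.com."))
```
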
  5. sendmail shows this to be true by millahtime · · Score: 2, Insightful

    The fact that sendmail is also frustrating, is default install on Linux and BSD, and is the most popular for mail shows that this theory is pretty much true.

    I also know I am amongst the lazy ranks.

    1. Re:sendmail shows this to be true by dekemoose · · Score: 3, Insightful

      Wrong. Bind and Sendmail are defaults because they are the most prevalent. They are the most prevalent because they've been around a long time. Sendmail was the MTA of choice on UNIX years before Linux was common, ditto Bind for dns. Since they have the history, there are a lot of people skilled with using both of these packages, despite the "difficulty" setting them up.

    2. Re:sendmail shows this to be true by random_static · · Score: 2, Insightful
      as has been noted, postfix seems to be edging out sendmail as the default MTA in most distros.

      i don't think the situation is all that analogous with DNS servers, though. sendmail is and always was an unbelievable mess to set up and maintain; the mere fact that a bunch of m4 macros was considered an improvement on the config system that preceded them should tell you something. (if it doesn't, you haven't had much exposure to m4. count that a blessing and keep away from the thing.)

      by comparison, BIND versions >= 8 are simple, straightforward and eminently sensible both to configure and to keep running. as well, BIND's had its share of security problems, but nothing has nearly as awful a security track record as sendmail, not by a long shot.

      finally, the cricket book is about half the size of the bat book, maybe less. i don't know about you, but that tells me BIND is a smaller, easier to learn system than sendmail.

  6. Why they keep BIND around by reaper · · Score: 5, Insightful
    • It's in practically every distro by default
    • Not a whole lot of people really need the hassle of installing another DNS server
    • It is the standard by which other implementations get judged
    • It supports just about every obscure feature known to the DNS world
    • If you know how to hack the config files, it makes manually setting up tons of vhosts dirt simple
    • The name is just so powerful
    • Certain other dns server authors(*cough*djb*cough*) always manage to piss off too many people, even when they are proposing a superior solution to a problem.
    --
    - Dan
  7. Re:You really see which DNS does heavy lifting. by James+Youngman · · Score: 4, Insightful
    > Despite only having 2% of the installs, TinyDNS serves 15% of all domains on the internet.

    Maybe that just means that TinyDNS is popular with domain squatters.

    I think that the best definition of "heavy lifting" is not the size of the installed base or the average number of domains per server, but instead the total number of queries served. Those numbers of course are hard to estimate.

  8. Other Servers? by Anonymous Coward · · Score: 1, Insightful

    You mean there are other DNS servers? Holy sh*t! I've actually used a couple of different ones on pre OS X Macs. DNS servers more than most other pieces of software are invisible until it breaks. You just never really think about it once you get the sucker running (unless you do something serious as opposed to what I do). Plus in the early days, the Internet was a large public research project whose infrastructure was made by task forces rather than market forces, so a task force made a tool for the job and that was that. Combine that with the inertia that builds up behind a successful product and there's little incentive to change. We know it, we like it, it works, and it's free. Why bother with anything else unless you're running Mac OS 8 or something funky like that?

  9. If DJB were.. by jayminer · · Score: 5, Insightful

    If DJB were not such an ass, his software would be on everywhere now. He is smart, you can feel that. But come on, he thinks that if he has thought about something, it's right and it cannot be disproved. You simply can't. He won't accept a thing.

    Look at where daemontools installs itself, and of course the other thingies from him, like djbdns and qmail. The default directories cannot be changed (/service, /package etc.), and if you change them from the source, you violate his license!
    He's still refusing to fix the extern int errno; problem, because he thinks that it is not a problem. (Everybody should follow his standards, not glibc or anything like that) He still does not apply QMAILSCANNER patch into qmail. You need to go and get netqmail for that, or apply the patches it provides manually. You cannot distribute a patched qmail, therefore you cannot distribute a proper qmail package for your distribution without begging him!

    djbdns assumes that you have a.ns.yourdomain.com b.ns.yourdomain.com etc. The add-ns program does not even get any argument about that. (Of course, you can edit the files manually).

    And as far as I know, many distributions kicked his software out, including several *BSDs.

    1. Re:If DJB were.. by quantum+bit · · Score: 5, Insightful

      > How's postfix's security record? i.e. Can I set up a postfix server, then go on an 18-month holiday and be confident that my box will still be working when I get back (like I can with qmail)?

      You can be very confident that it will be. Postfix uses privilege separation, runs as its own user account (not root), and is designed with a chroot environment in mind. It's also very componentized and designed so that a breach in one component can be isolated without a risk to the others. To the best of my knowledge, there has never been a remote code execution vulnerability in Postfix.

      The last major security problem was a year ago and was just a DoS possibility. Even qmail has DoS problems. Before the DoS, in 2002 there was a problem that might allow someone to use Postfix to portscan another system (no risk to the system running Postfix). Both of these were in the older 1.1 version. The 2.x series, released in 2002, has never had a security problem bad enough to warrant an advisory for.

      The only other thing I could find is djb ranting about a Postfix problem that has been fixed for over 6 years.

  10. The alternatives by Florian+Weimer · · Score: 5, Insightful

    The alternatives have not-so-subtle incompatibilities with BIND and existing practice, are not proven in the field, or are unmaintained by the original developer. In fact, BIND is often deliberately incompatible with its previous versions, so it shouldn't be too hard to beat it in this area, but apparently it is.

    tinydns, which was mentioned by the story submitter, is unmaintained, like most (if not all) software that Mr Bernstein has ever released. (This is especially problematic because Mr Bernstein refuses to license the software for a fork.) It does not even compile on modern systems, and it uses a non-standard zone file format. In the days of BIND 4 and BIND 8, all that pain was probably justified, but with BIND 9, things are rather different.

    In my experience, in the area of caching full resolvers, BIND 9 simply lacks serious competition, feature-wise, and in terms of ease of administration and interoperability. For authoritative-only servers, RIPE's nsd is an alternative, but BIND 9 is typically not such a big trouble that running two different name servers is really needed.

    1. Re:The alternatives by quantum+bit · · Score: 2, Insightful

      > qmail was recently forked into something called 'netqmail' that integrates the most popular, bug-fix packages that are out there.

      ...which can only be distributed as a set of patches against the original code. This means no binary packages, either. djb's license forbids the distribution of modified versions. qmail is not open source. It's actually a lot closer to Microsoft's shared-source license.

    2. Re:The alternatives by Florian+Weimer · · Score: 2, Insightful

      Yes, I know that DNSSEC has its drawbacks, but so far, DJB has only argued against it, without providing a real alternative (or even fully describing it).

      Others offer (well, sort-of) working DNSSEC implementations, which might be a reason to use these implementations instead of tinydns. Of course, the overall need for DNSSEC implementations is pretty low on the current Internet, even though everyone wants a secure DNS (kind of a chicken-and-egg problem).

  11. Because it works. by morten+poulsen · · Score: 2, Insightful

    BIND - like Sendmail - is popular because it works. They might be ugly, buggy (as in security problems), whatever, but they are old and people know them.

  12. By that argument by mrhandstand · · Score: 2, Insightful
    Windows is the most popular desktop environment!

    Here at /. we all know how THAT article would go over!

    Seriously, I have nothing against BIND. But you should always remember that there are liars, damn liars, and statisticians.

    --
    Always value the individual over the system. --Bruce Lee "I don't need a Sig - I have a custom 191" - me
  13. They use BIND for same reason others use Windows by Secrity · · Score: 2, Insightful

    I believe that most people use BIND because it is already used by most people. For the most part, people are afraid of being different. There are some things the people just use blindly even though there may be superior alternatives available; such as BIND, MS Windows, MS Office, Sendmail.

  14. BIND is ***MORE*** frustrating than SQL??? by swordgeek · · Score: 2, Insightful

    Seriously, MyDNS requires an SQL database. This is NOT a way of making things easier!

    I've never understood what problem people have with BIND. It's as simple as it could possibly be. Everything makes clear sense. The config files are plaintext. It's backwards compatible almost to eternity. I use it because it's the best solution, not the only one.

    --

    "People who do stupid things with hazardous materials often die." -- Jim Davidson on alt.folklore.urban
  15. Some other reasons by Anonymous Coward · · Score: 2, Insightful

    "Why is it so hard for alternate DNS servers to gain favor ?"

    Can be rewritten as:

    "Why people don't switch to djbdns (which installs in stupid places, is mostly unmaintained, is written by an offensive asshole, and that you cannot fork/modify) ?"

    or

    "Why people don't switch to MyDNS (that just reached version 0.11, indicating that it is really stable) ?"

    Jezus. What are people thinking ? He versions his software as 0.11 and then complains publicly on /. that people don't want to use it for the most core function of the Internet.

  16. Re:Reasons why DJBDNS is not more common by Anonymous Coward · · Score: 1, Insightful

    He said "human-friendly". That's a computer program.

    That's a hallmark of djb programs. File formats are very easy for machines to parse. Easy to parse tends to equate with being less human friendly.

  17. Re:Reasons why DJBDNS is not more common by ajs · · Score: 4, Insightful

    > Some people find DJB difficult to get on with and/or were turned off by the whole problem around (non) distribution of modified versions of qmail, and so avoid DJB's other offerings

    I have to say that this is the largest and most insurmountable reason for me against using either his DNS server or his mail server.

    I was a big fan of his back in the days of UUCP, but his unwillingness to let distributions of BSD, Linux, etc. modify and distribute his software (without some kind of source-based patching hack sans binaries) was a snub to all of us who have contributed to open source software over the years, and a clear indication of a lack of concern over the larger needs of his audience.

    Let me be clear: he's WELL WITHIN HIS RIGHTS, and he's even going out of his way to distribute his stuff, which is great. But to say "I'm going to play ball with you, but only if you use my ball, and in the following ways" doesn't fly for me. There are many good alternatives to his code, and they all have their own advantages and disadvantages. Thanks for playing, though.

  18. Re:MyDNS/MySQL by ScytheBlade1 · · Score: 2, Insightful

    Random question: am I the only one who loves MySQL to death, but thinks that it's also horribly overused for EVERYTHING?

    I mean....yes, it's incredibly fast. Scalable. Low overhead. But when everything from e-mail to DNS depends on MySQL....it gets a little sickening :P

    You don't need a database server for everything, no matter how it is that you can say "I run my DNS servers off of a MySQL database." It's still way overused.

  19. Re:Feature Complete? by symbolic · · Score: 2, Insightful

    > This is a major weakness of Open Source because since software is under constant development and bug fixing and security hole patching is priority, few programs ever become feature complete.

    Hm..I consider most software to be an evolutionary process. You start out with a need, you write the software, and then someone else sees a little bit further out and says, "gee, I like what you've done, but it would be so much more useful if it [insert most wanted feature here]". I can't think of a single piece of software I've used that had everything I wanted. I don't think there will ever be one, either. It's like the bear and the mountain - each new version is another mountain, and once we get to the other side, we're apt to see more things we'd like the software to do for us.

  20. Re:dude, tinydns syntax is WAY better by NoMercy · · Score: 2, Insightful

    by actually using the words instead of symbols? Also you neglect the ::'s and :'s which is probably even more confusing when you've got IPv6 addresses thrown in too :/