BIND Is Most Popular DNS Server
bleachboy writes "Last week I completed a new DNS server survey, since D. J. Bernstein's hasn't been updated for years. Not surprisingly, BIND wins. Why is it so hard for alternate DNS servers to gain favor, especially when BIND can be so frustrating sometimes? And yes, I'm shilling."
No matter which DNS server is the default in any distro, all of the DNS admins I know will compile or reinstall the server anyway.
It may be true that some of the home users running a "server" in the closet may be using the default server of the distro, but I think there aren't that many to make a difference.
-- Reality checks don't bounce.
Sigh. Y'know, I really should get used to sendmail FUD on Slashdot, but here I am feeding the trolls anyway. I use sendmail because it's better than the alternatives, and it's far from an abomination. I'm not going to claim the syntax looks good at first glance, but then most perl programs look like line noise too, yet the Slashdot crowd doesn't seem to have a problem with that. When other MTAs can match Sendmail's flexibility, then maybe I'll consider switching. But not before.
"The invisible and the non-existent look very much alike." -- Delos B. McKown
Ratio of BIND domains serviced to installs: 24,335,752 / 340,345 = 71.5 domains/server.
Ratio of MS DNS domains to installs: 2,165,143 / 101,781 = 21.27 domains/server.
Ratio of TinyDNS domains to installs: 5,405,266 / 12,130 = 445.6 domains/server!
Despite only having 2% of the installs, TinyDNS serves 15% of all domains on the internet. Obviously it is very capable, and has few to no exploits available for it. Why don't more people use TinyDNS if it's so capable?
Because they haven't read how easy it is to setup!
--
Internet Explorer (n): Another bug -- that is, a feature that can't be turned off -- in Windows.
...no matter what ridiculous flaws it has...
Did you see the version results for BIND? There are some really ancient ones out there. 1.971% are version 4.9.3 to 4.9.11.
I haven't checked any vulnerability databases on it, but that seems pretty old... too old to have patches available?
I really like BIND 9 - easy to use, the most features, plus a full rewrite since BIND 8.
DNS servers are low on resource usage anyway, so switching to a leaner daemon would always be a niche product (like Apache alternatives).
The only motivation for switching is the exploit issue. With the rewrite, it's less of a case, and everyone should be keeping up to date w/security patches anyway.
How the heck do you get rid of BIND? It's everywhere unless you're an MS Windows shop that is ruled by DDNS... but most folks I know won't expose DDNS directly to the internet, 'cause you know why... BIND often acts as an intermediate.
I know there are better alternatives out there, but why aren't they more popular?
- When you insult a troll, he wins.
Uhhhhhhh, sorry, Anonymous Coward, but you don't get away with that accusation without more details than that. There have been no security lapses in tinydns or dnscache. Weasles is actually spelled Weasels. Googling for djbdns fraud gets me nothing. Honest up, dude!
-russ
Don't piss off The Angry Economist
...since D. J. Bernstein's hasn't been updated for years...
Maybe because it hasn't needed updating.
http://cr.yp.to/djbdns/guarantee.html
Please tell me something Sendmail does that Postfix doesn't.
I'd argue Postfix is more modular, more simple to configure, more respectful of system resources, more secure and more flexible than Sendmail.
... djbdns. Nothing to do with the software and everything to do with the attitude of its author.
You've got to be talking about some other ISC. The ISC I know is a non-profit; they make the open source BIND product by paying some of the guys who wrote (pretty much with volunteered time too) the open standard for DNS. It needs help IMHO but vendor lock-in it isn't.
It's really cool to see someone remaking it with a real database behind it; anyone who's made/makes major system changes has had LDAP problems and at the very best it is a marvel of 1960 db design. But... the "can even do AXFR to other servers" thing in the frill portion of his web site description is worrisome. AXFR is part of the DNS game; if you're not going to play with other servers... well, the whole point of the way DNS works is a -distributed- name system. How would you distribute load without a standard zone transfer protocol? Far from a frill IMHO.
No. I'm running BIND because I want "delegate only" zones. When the other DNS servers can handle Verisign's obnoxiousness gracefully like that, then I'll look at moving. Until then, BIND stays on my DNS server.
(ps: If there are any Gentoo folks reading, please get Bind 9.2.3 into portage properly. I got it installed on my machine by hand just fine, but emerge keeps trying to downgrade it to 9.2.2. That makes me unhappy.)
BIND just wouldn't work. It worked at first, until I dumped a bunch of hosts into my zone (only a couple thousand, which isn't much in the grand scheme of things). After it stopped working I happened to get in touch with some of the developers. They just kept telling me to upgrade to the next release.
Some of the problems? Sometimes the CPU would peg at 100% like the program was in a loop, the server would quit resolving after about ten minutes, and the server wouldn't replicate.
My zone files were standard and by the book. The particular developer I was talking to the most (generally) tried to blame the A records I had added (without knowing which ones). I quadruple-checked the entries, all of which followed the RFC. I reinstalled the program, tried it on totally different servers, etc. The problem persisted.
After screwing around with BIND for two weeks I gave up. I switched over to MSDNS. Guess what? The EXACT same file that wouldn't work with BIND worked with MSDNS. This was BIND 9.2. We've been running MSDNS for a few years now with hardly any issues. We ran into some cache pollution once, but once I checked the stupid box to prevent it the problem went away.
It's a pain having to mess with the registry for simple tasks, but I guess it's worth it for a working product. We're building everything programmatically just like we were for BIND. Microsoft did good when it decided to use flat zone files. If only they would make everything so simple...
"Never tell me the odds"
Out of interest, what does sendmail offer you that exim doesn't?
:o)
For me, operational changes that would require programming in exim, but require only tweaking sendmail.cf.
Example: I recently added some anti-spam rules to restrict the HELO of connecting mailservers. If it's malformed, or matches against a blacklist of 'known bad' signatures, I reject the mail. In sendmail, this was trivial (err, well - as trivial as hacking your sendmail.cf can be
I'm not saying it's for everybody - it requires a very high level of knowledge - but it's safer (no worries about buffer overflows in code I add myself, etc.) and simpler than modifying the program itself.
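The HELO policy described above (reject malformed names, reject anything on a "known bad" list), written out as an added stand-alone Python check rather than the poster's sendmail.cf rules; the blacklist patterns and the local hostname `mail.example.net` are constructed for this example, not taken from the post.

```python
import re
import ipaddress

# Constructed "known bad" HELO signatures for this example (not a real list).
# Each pattern is matched against the whole lower-cased HELO argument.
HELO_BLACKLIST = [
    r"^localhost(\.localdomain)?$",   # remote peer claiming to be localhost
    r"^mail\.example\.net$",          # our own hostname (assumed), forged by a peer
    r"^[a-z]{3,}\d{6,}$",             # random-looking single label, no dot
]

# One DNS label: letters, digits, hyphens; no leading/trailing hyphen; 1-63 chars.
LABEL_RE = re.compile(r"^(?!-)[a-z0-9-]{1,63}(?<!-)$")

def is_fqdn(name):
    """True if name is a syntactically valid fully qualified hostname."""
    if len(name) > 253 or "." not in name:
        return False
    labels = name.rstrip(".").split(".")
    if labels[-1].isdigit():           # a bare IP like 192.0.2.1 is not a hostname
        return False
    return all(LABEL_RE.match(lbl) for lbl in labels)

def is_address_literal(arg):
    """RFC 5321 address literal: [192.0.2.1] or [IPv6:2001:db8::1]."""
    if not (arg.startswith("[") and arg.endswith("]")):
        return False
    inner = arg[1:-1]
    if inner.lower().startswith("ipv6:"):
        inner = inner[5:]
    try:
        ipaddress.ip_address(inner)
        return True
    except ValueError:
        return False

def check_helo(helo):
    """Classify one HELO/EHLO argument: ('accept'|'reject', reason)."""
    arg = helo.strip().lower()
    if not arg:
        return ("reject", "empty HELO")
    for pat in HELO_BLACKLIST:
        if re.search(pat, arg):
            return ("reject", f"matches blacklist pattern {pat!r}")
    if is_address_literal(arg):
        return ("accept", "address literal")
    if not is_fqdn(arg):
        return ("reject", "malformed hostname")
    return ("accept", "well-formed hostname")
```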
As I recall, djbdns has a licence that makes it hard to distribute: everything goes in weird places, and if you distribute the code you can't distribute changes (only patches). ... which might affect whether the major distributions would be interested.
the guy who wrote this is a cs prof at my university. He's a nut. They actually put him on probation after he failed most of his undergrad classes. The head of the CS dept attempted to take the final exam for a *freshman* class bernstein was teaching and determined he couldn't do it.
Bernstein seems to be a smart guy, but he sure is crazy.
One small reason your DNS server (MyDNS) isn't catching on is that it requires an external DB server process to be set up and running on the system.
I took a look at your system with the intent to try it out but I stopped as soon as I saw that requirement.
True, it's not that huge an extra requirement, but it is an extra step and an extra external dependency.
Adding an internal db (like dbm) to your system so that it's self-contained would increase the likelihood of adoption for MyDNS.
Having to run a fairly costly, (In terms of system resources), 3rd party DBMS system in order to have an active DNS server seems a little upside down to me.
An interesting observation. On a related note, I've noticed that a lot of "messy" people seem to know where everything is. I call it the chaos theory of organization; it can often be easier to remember where things are than to spend the effort to put them someplace. So you just put them where there's space, and remember where they went.
My wife has what I call the pro-aesthetic theory of organization; if a room or place appears to be neat, it's organized -- even if the stuff is put away without any regard to an organizational structure (e.g., related items aren't in the same cabinet or closet). It's important for the room to look clean, even if in reality it's a highly user-unfriendly mode of organization.
When you contrast the former and the latter, it's an interesting mix -- on one hand, you have a visual mess but things are relatively easy to find. On the other hand, you have visual neatness, but things are hard to find since there's no scheme (other than size and volume) as to where things went.
As far as laziness goes, I've known neat freaks that never get anything done because the overhead cost of neatness eliminates their time.
BIND: 24 vulnerabilities (since 1999)
TinyDNS: 0 vulnerabilities
That's what I call a secure DNS server!
Disclaimer: This opinion was created without the use of any facts
Many Linux distros have ditched sendmail by default, and NetBSD now ships postfix in the base system. In fact, the only big linux distros that I can think that still ship sendmail by default are slackware and redhat/fedora.
I *hate* bind with a neverending passion. I still use it because I'm not ambitious enough to change the environment I've got.
Is it laziness? No, not really. It's just not wanting to mess things up. I did recently move a large mail server off Irix/sendmail to FreeBSD/qmail, and, while it worked pretty much as I wanted it to, wasn't a one-day task.
Oh? I appear to have Postfix as the default MTA on my SuSE and Darwin/BSD machines, not sendmail. The only machine I own with a sendmail default MTA is running NeXTSTEP 3. It didn't come with the m4 macros for editing sendmail.cf - now editing *that* was a fun half hour.
It's worth noting that as of OS X 10.3, Postfix has replaced Sendmail as the default MTA. NetBSD is integrating it into the base install and letting the user decide between Sendmail or Postfix, the default being neither is enabled at startup. Both use BIND 9 as their named by default, however.
Yea, ok Tet. I'm a troll and that's FUD. It's not like sendmail really is a total piece of shit.
Don't give me shit about Perl either. I can write totally unreadable code in C, Perl, Python, PHP, VBScript, Vb6, C++, Java, shell scripting, and QBASIC. I can also write clean code, readable code in all of them.
It's not FUD, most Slashdotters just have their heads so far up their own asses that it just looks like they sit on top of their necks. Morons around here bemoan Microsoft for its shitty security, then they run out every other day to patch BIND or sendmail. Even assuming you're the 1 in 20 person who actually has a need that only sendmail can meet (which I doubt you are given the odds), the fact that you would suggest that saying sendmail has shit poor security is just "FUD" just serves to prove the point that you're just another one of the ideological nutjobs that frequent this place.
Give it a rest. It's not FUD because it's true. Sendmail blows a left donkey's swollen nut when it comes to security, usability, and reliability. Just deal with it. While you're at it, ask yourself if you even really need sendmail, or if you're just too lazy to make the switch to something that actually works.
Alito: A vote for Alito is a punch in the eye to put that bitch back in her place!
Yeah, but I'm already replicating MySQL - so what's another table? :P
I can understand why some people would want to have DNS information in a SQL database, but personally I feel that it's just adding another piece of software that could potentially fail. Trust me, you don't want your DNS to fail.
Ahhh. Actually, I run an email service. So I already have MySQL servers that need to be up 100% of the time. In fact, I'd wager that most websites would also run some type of SQL, and need to be up 100% of the time. So it's a natural fit.
Plus, DNS is cached. So depending on your traffic, odds are pretty good that you'll have your server up before your hostname's cache expires - and if necessary you can concentrate on what's probably a bigger problem than DNS ;)
"I can't give you a brain, so I'll give you a diploma" - The Great Oz (blatantly stolen sig)
What you can do with it is second only to sendmail
In what way is it behind sendmail? Genuinely curious...
Xenu loves you!
Like the subject says, I USED to use djbdns for my home DNS server. After a while, when I upgraded the OS on said home DNS server, I got rid of djbdns and moved to BIND. Why, you may ask?
1) I didn't like the fact that I had to use two separate IP addresses for caching and domain hosting. Maybe there was a workaround for it, but at the time I didn't know what it was and it frustrated me to high heaven that I needed two IP addresses on a box that I would have liked to have only used one.
2) The log files didn't print out timestamps in any kind of human-readable format. If I want to see what my system's doing, I don't have time to run the timestamps through some kind of translator.
3) Due to a directory existing where axfrdns didn't expect one in the log directory (and it was a name that it didn't even use), axfrdns did not work at all. I didn't find that out until a power issue brought the DNS server down and the secondary servers didn't have the correct DNS information. Once I removed the directory, axfrdns started working again.
4) Believe it or not, I find BIND zone files to be a bit more readable than tinydns's zone files. It also helps when I'm not forced to name my domain name servers a.something-or-other in the zone file. (Why add a CNAME or A for the one you want to use in the first place?)
5) daemontools.... ugh. Let's not even go there.
Go ahead and mark me as flamebait or what you will. If djbdns works for you, great. But for me, I found djbdns to be much more frustrating than BIND, and since I've migrated over to BIND I haven't had a bit of problem.
Just my $.02...
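The naming convention point 4 complains about (a server name without a dot becomes `x.ns.<fqdn>` or `x.mx.<fqdn>`) is easiest to see by translating tinydns data lines into BIND-style records. This is an added Python converter, not code from the post or from djbdns; it covers the `.`, `&`, `=`, `+`, `@`, `C`, `^` and `'` line types, and the sample data file is constructed.

```python
import ipaddress

# TTLs tinydns-data applies when the ttl field is left empty.
DEFAULT_TTL = {"NS": 259200, "A": 86400, "MX": 86400, "CNAME": 86400,
               "TXT": 86400, "PTR": 86400}

def _ttl(field, rtype):
    return int(field) if field else DEFAULT_TTL[rtype]

def _qualify(x, suffix):
    """A server name without a dot gets '.ns.<fqdn>' / '.mx.<fqdn>' appended."""
    return x if "." in x else f"{x}.{suffix}"

def tinydns_to_records(data):
    """Translate tinydns 'data' lines into (owner, ttl, type, rdata) tuples.
    The SOA implied by a '.' line and the Z line type are not generated;
    comments, '-' lines and '%' location lines are skipped."""
    records = []
    for raw in data.splitlines():
        line = raw.strip()
        if not line or line[0] in "#-%":
            continue
        kind, fields = line[0], line[1:].split(":")
        fields += [""] * (6 - len(fields))           # pad optional fields
        fqdn, val = fields[0], fields[1]
        if kind in ".&":                              # NS plus glue A, same ttl
            ttl = _ttl(fields[3], "NS")
            ns = _qualify(fields[2], f"ns.{fqdn}")
            records.append((fqdn, ttl, "NS", ns))
            if val:
                records.append((ns, ttl, "A", val))
        elif kind in "=+":                            # A; '=' adds the PTR too
            ttl = _ttl(fields[2], "A")
            records.append((fqdn, ttl, "A", val))
            if kind == "=":
                rev = ipaddress.ip_address(val).reverse_pointer
                records.append((rev, ttl, "PTR", fqdn))
        elif kind == "@":                             # MX plus glue A
            ttl = _ttl(fields[4], "MX")
            mx = _qualify(fields[2], f"mx.{fqdn}")
            records.append((fqdn, ttl, "MX", f"{fields[3] or '0'} {mx}"))
            if val:
                records.append((mx, ttl, "A", val))
        elif kind == "C":
            records.append((fqdn, _ttl(fields[2], "CNAME"), "CNAME", val))
        elif kind == "^":
            records.append((fqdn, _ttl(fields[2], "PTR"), "PTR", val))
        elif kind == "'":                             # TXT; octal escapes not decoded
            records.append((fqdn, _ttl(fields[2], "TXT"), "TXT", f'"{val}"'))
        else:
            raise ValueError(f"unsupported tinydns line: {raw!r}")
    return records

def to_zone(records):
    """Render records as BIND zone-file lines with absolute owner names."""
    return "\n".join(f"{o}.\t{t}\tIN\t{ty}\t{rd}" for o, t, ty, rd in records)

# Constructed sample tinydns data file (values are not from the page).
SAMPLE = """\
# constructed example
.example.org:192.0.2.1:a
&example.org:192.0.2.2:ns2.other.net
=www.example.org:192.0.2.10
@example.org:192.0.2.20:b:10
Cblog.example.org:www.example.org
'example.org:v=spf1 mx -all
"""
```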
Well, to be fair, you don't have to learn the syntax to get started, DJB created command line programs to do the 'normal' things like 'add-host' 'add-ns', etc.
I had trouble figuring out BIND's zone-file format when I first installed it. But the main thing I had trouble with was trying to figure out which packets I wanted my DNS server to be sending out.
DJB talks about not using CNAME, but it took me a long time to understand why.
Awesome furniture, accessories and cabinetry in Santa Rosa, CA: http://humanity-home.com/
Personally, when I first encounter massive performance problems on a dedicated production-critical service, I would have contacted the developers and asked them what platform they recommend for running a dedicated server, and switched the base OS to the platform they best support.
Based on the above philosophy, I've ended up actually running more MS-Windows servers in the data center, as many speciality software vendors preferentially support Windows 2000 over UNIX-like systems. And of course any time you run two different applications from two different vendors on the same Windows box, anytime a problem is encountered with Vendor A's application, as soon as the support engineer discovers that another package is running on the same box, Vendor B's application immediately becomes the root cause of the problem :)
I do not deploy Linux. Ever.
As another testimonial, I use djbdns for over 900 domains and over 100,000 RRs. We receive about 300 queries/sec with tinydns using about 2% CPU and about 800K of memory. I love the rsync method of syncing dns data, it works especially well for Dynamic DNS (which is something I provide).
As an aside, long ago, ODS (the service I run) ran BIND. At the time BIND used 90+% CPU consistently. Mainly because of the constant dynamic updates being sent to BIND via the update daemon. It also used about 50MB of memory or so (back in 1999 or thereabouts). The switch to djbdns came shortly thereafter and I haven't looked back. Granted, djbdns cannot provide immediate dynamic updates because of its use of CDB. However, I find that every 30 seconds proves to be sufficient, especially when the 'secondaries' get updated immediately as well (thanks to rsync). Building the cdb is also remarkably fast, with it taking 0.55 seconds to hash the cdb with over 100k records.
Overall, I'm quite happy.
So why not use tinyDNS...which is both simple AND powerful, AND fast, AND secure.
A good answer is "because the syntax is occasionally inscrutable." Another would be "because DJB expects you by default to conform to HIS way of doing things, which is quite different from the bind way."
But if you don't already know the BIND syntax...and you want a DNS server you will NEVER have to think about...tinyDNS is goddamn fabulous. So is qmail. The combination of the two means the only things *I* think about on my webservers are Apache, Tomcat and Courier-IMAP (which loves to crap out unprovoked, once every three months or so).
Hey freaks: now you're ju
It may come standard on 99.9%, but it's only used by 70%, vs 15% tinydns. Plus, the source is not available on 99.9% of the distributions -- it's almost always a binary. E.g, I have NEVER seen sun distribute the source to it in their distributions.
Lots of people would've eyeballed tinydns for bugs, which IIRC (and I might not), is not available in binaries. Plus, the security is guaranteed!
The djbdns security guarantee
I offer $500 to the first person to publicly report a verifiable security hole in the latest version of djbdns.
I see people bash bind and praise djbdns, but I personally have never had a problem with bind. It was relatively easy to setup and it's relatively easy to maintain and has a decent amount of power to it. Granted, I'm just doing simple tasks of dns for sites and nothing very complicated.
I'm not opposed to switching but given that my time is already crunched, I will probably keep using bind so I don't have to spend the time learning how to set up djbdns.
Now if some huge security hole was discovered that affected me directly and there was an actual need to switch, I would spend the time and do it.
Until then I'll probably keep using bind since my distro gives me the choice to choose my dns server.
BTW, this same post could be used for sendmail.
The man who trades freedom for security does not deserve nor will he ever receive either. - Benjamin Franklin