BIND Is Most Popular DNS Server

bleachboy writes "Last week I completed a new DNS server survey, since D. J. Bernstein's hasn't been updated for years. Not surprisingly, BIND wins. Why is it so hard for alternate DNS servers to gain favor, especially when BIND can be so frustrating sometimes? And yes, I'm shilling."

probably

[greechneb]

probably since most distros (BSD & Linux) include BIND as their default DNS server. People are lazy.

Re:probably

[kinema]

People are lazy.

If laziness dictated what DNS server people ran I find it hard to believe that they would choose BIND. BIND is hardly the simplest DNS server out their to learn, setup and maintain.

Re:probably

[huge]

No matter which DNS server is the default in any distro. All of the DNS admins I know will compile or reinstall the server anyway.

It maybe true that some of the home users running a "server" in the closet may be using the default server of distro, but I think there aren't that many to make a difference.

Re:probably

[missing000]

It may not be "simple", but it is /powerful/.

Do you live in a DOS shell? It's "simple" - so is driving a golf cart or programming in BASIC.

Simple is not equal to good. Very few people would actually chose simple over capable any day.

Re:probably

[kfg]

It depends on what you mean by lazy.

Ever see someone toss a coat on the floor rather than hang it up, and then go back later to hang it up anyway?

Most lazy people create an extraordinary amount of needless labor for themselves and then berate people who have a lot of free time because of their efficiency "lazy."

It's very peculiar.

KFG

Re:probably

Exactly. What is so difficult about setting up BIND for an average site? I was able to set up BIND on Woody by installing the package, reading documentation for 15 minutes and then editing a few example zone files. And I have never ever set up a DNS server before (though I know quite a bit about how DNS protocol works).

Now, I clicked on one of the links in this story and found that to configure tinydns (as an example) you have to learn some strange sendmail-like syntax:
=www.panic.mil:1.8.7.99
@panic.mil:1.8.7 .88:mail.panic.mil.:0
Zpanic.mil:dns1.panic.mil:h ostmaster.panic.mil::72 00:3600:604800:3600

Heh, WTF? I would have to learn this syntax and how it relates to common DNS terminology (A, CN, MX, ...) AND learn what the common DNS terminology means. In the BIND case, I only need the common terminology.

All for all, I'd say BIND is used not only because it's default. It's default and sufficiently easy to use so most people do not feel the need to replace it. As a bonus, if there is a security problem, it is likely to be fixed REALLY fast upon discovery, which is a bit less probable for the other servers (because they are not used as frequently).

Re:probably

[dsojourner]

As I recall, djbdns has a licence that makes it hard to distribute: everything goes in weird places, and if you distribute the code you can't distribute changes (only patches). ... which might affect whether the major distributions would be interested.

Re:probably

[swb]

An interesting observation. On a related note, I've noticed that a lot of "messy" people seem to know where everything is. I call it the chaos theory of organization; it can often be easier to remember where things are than to spend the effort to put them someplace. So you just put them where there's space, and remember where they went.

My wife has what I call the pro-aesthetic theory of organization; if a room or place appears to be neat, it's organized -- even if the stuff is put away without any regard to an organizational structure (eg, related items aren't in the same cabinet or closet). It's important for the room to look clean, even if in reality its a highly user unfriendly mode of organization.

When you contrast the former and the latter, it's an interesting mix -- on one hand, you have a visual mess but things are relatively easy to find. On the other hand, you have visual neatness, but things are hard to find since there's no scheme (other than size and volume) as to where things went.

As far as laziness goes, I've known neat freaks that never get anything done because the overhead cost of neatness eliminates their time.

Re:probably

[olderchurch]

So I have to learn a more complex syntax. It took me half an hour (not taking the strange M$ lookup into account). The fact that you need to update your BIND software because of security related problems _at all_ is something I do not like. Take for example securtiyfocus' Vulnerabilities archive:
BIND: 24 vulnerabilities (since 1999)
TinyDNS: 0 vulnerabilities

That's what I call a secure DNS server!

Re:probably

[walt-sjc]

While bind may not be "super simple moron proof", It's also not that frigging hard either. Add on top all the various GUI management tools for it that make it not hard at all. Looking at some of the zones managed by clueless Windows (and linux) administrators using Active Directory or other tools, it's clear that some people need to read the O'Reilly DNS and BIND book. There is more to DNS than the server software - you need to understand WHAT the records do, and HOW to use them correctly. You also need to know how to use tools like dig and nslookup. Bind is only one part of the equation, and it's just not that hard to learn. While there are a lot of options, most people won't need but a few. There are MANY MANY good examples and tutorials.

Bind is also rock solid. It doesn't die. I have servers that run bind that have been running for YEARS without a reboot, and bind has never needed to be restarted. The answer is quite simple. It's not THAT hard, and it works. Why change? Occasionally someone will find a security hole, so you patch and move on, just like everything else.

De Facto

[the_mad_poster]

Becuase no matter what ridiculous flaws it has in it, it's the de facto standard by which all other (frequently superior) systems are measured. People figure "gee.... I wanna learn DNS servers", they think BIND. They think "gee.... I wanna learn SMTP servers". They think sendmail.

It's the same flawed system that supports Windows, but executed to a much greater extent. People are familiar with it, so despite the fact that BIND and sendmail are absolute abominations, they get used.

The geeks bitch about people using Windows even though "such far superior" systems exist as alternatives, but we keep using the horrendous abortion that is BIND even though there are superior alternatives that are free. I guess we can't stand the taste of our own medicine, hm?

Re:De Facto

[Tet]

People are familiar with it, so despite the fact that BIND and sendmail are absolute abominations, they get used.

Sigh. Y'know, I really should get used to sendmail FUD on Slashdot, but here I am feeding the trolls anyway. I use sendmail because it's better than the alternatives, and it's far from an abomination. I'm not going to claim the syntax looks good at first glance, but then most perl programs look like line noise too, yet the Slashdot crowd doesn't seem to have a problem with that. When other MTAs can match Sendmail's flexibility, then maybe I'll consider switching. But not before.

Re:De Facto

[Psiren]

When other MTAs can match Sendmail's flexibility, then maybe I'll consider switching. But not before.

I haven't used sendmail in years, having switched over to exim a long while ago. Out of interest, what does sendmail offer you that exim doesn't?

Re:De Facto

[stephenbooth]

There's also the fact that, due to it's current dominance, if I buy a book about DNS it probably assumes BIND. Therefore in a lot of people's heads BIND = DNS. Heck, for that very reason if I had to set up a DNS server (I'm not a networking expert) I'd select BIND as then I know that there's going to be examples in a book I can adapt to suit what I want to do. If it's not my core area then I don't want to have to spend hours learning how to configure a system, I just want to copy something out of a book and for it to work. Looking at the MyDNS site that has a second strike against it, it requires MySQL. Not only do I have to learn to setup and configure the product I actually want but I also have to learn another unrelated product! At least BIND uses text files, I know how to edit those.

Stephen

Re:De Facto

[Total_Wimp]

When other MTAs can match Sendmail's flexibility, then maybe I'll consider switching.

I think you hit the nail on the head. These big, some would say bloated, systems end up getting used because they're flexible. Others are constantly writing 3rd party stuff that specifically use these systems.

Case in point: Microsoft ADS is very DNS dependant and the only DNS they support besides Microsoft DNS is BIND. BIND may, or may not be the best DNS out there, but because it's the standard people are building their systems to, it is almost certainly the most compatible and, by extension, the most flexible.

TW

Re:De Facto

[SWroclawski]

Please tell me something Sendmail does that Postfix doesn't.

I'd argue Postfix is more modular, more simple to configure, more respectful of system resources, more secure and more flexible than Sendmail.

Re:De Facto

[Apreche]

True that. But in addition, because it is the de facto standard, its what they teach college students in IT classes. I'm a CS major, and I know quite a few IT majors around here. If you asked most of them to set up a DNS server they could. If you asked how they would say "the bind command". Because they are all windowsy, they don't realize bind is a piece of software that is replaceable. They were taught how to do things a certain way, and they don't know to do it differently.

Not all IT majors are that dumb, some of them deserve some credit.

The other problem is that old pain in the butt standard programs like bind and sendmail are feature complete. Because they are old and used by tons of people they have all the features in them, workin properly. It may be a horrid pain in the ass to make them work, but it can be done. And while there are many nice new alternative programs that serve the same functionality in an easy clean fast way. You'll be hard pressed to find one that can do everything. I can't tell you how often Who will use a piece of software that they know is terrible, will admit to it being terrible, even complain about it being terrible, because it is the only one with a single feature that is necessary. Made up Example: One website someone visits often only works in IE. They love Firefox, but its too much of a pain to visit that one site.

There's some guy out there using bind who wants to use something else, but can't because he needs one tiny feature that nothing else has. This is a major weakness of Open Source because since software is under constant development and bug fixing and security hole patching is priority, few programs ever become feature complete.

Re:De Facto

[CrankyFool]

After about ten years of using Sendmail (I was using Sendmail back when you had to understand rulesets and how to hack LHS/RHS of rules), I switched to Postfix. I am happier than a pig in mud for a whole bunch of reasons and consider Postfix a superior MTA.

I have at least one acquaintance who, on his very large enterprise, runs Sendmail at the edge (and Exchange internally, but that's not his choice). Why? Because that way, he doesn't need to worry about separate patch management for his MTA -- Sun makes sure his MTA is up to date, and he doesn't have to document "this is how to install the MTA" separately.

Is he using an inferior MTA? I believe so. So does he. But the ways in which Sendmail is less good don't affect him nearly as much as the way in which it is better -- by lowering maintenance costs (or, really, just rolling them into the ridiculous amount he pays Sun -- though he could get the patches for free, of course).

With respects to my fellow sysadmins here -- obviously, some of you are vastly superior to me in all matters technical -- we really should know by now that sometimes, we make technical decisions for reasons that are not purely technical. The reasons people choose Sendmail over Postfix are usually in that sort of category, as well as the reason people choose BIND over other DNS servers (BTW, BIND is also the default DNS server on Solaris).

I don't see this as a huge problem, except for (I guess) people who take it personally that not 'enough' people use the software they developed with great effort (though I don't see Wietse complaining "more people should be using Postfix!"). Unlike the Windows situation, it's not like the fact that, likely, most people I communicate with use Sendmail means I'm forced into using Sendmail. UNIX-based MTAs (Sendmail, Postfix, qmail, exim, other custom MTAs) mostly seem to be fairly standards-compliant, much like DNS servers (go ahead. Point out some obscure thing that 99% of people don't use where BIND doesn't follow the spec, just so I can laugh at you). So BIND and Sendmail dominate? Fine. I'll still run Postfix and ... well, BIND. Who cares?

Re:De Facto

[daviddennis]

As others have said, I think the main reason people use BIND is that it's in all the examples in the standard books (mainly O'Reilly) we use to learn.

I was unaware DNS servers really needed much in the way of features for most people. In fact, I thought it was about the simplest thing in the world - get a request, look it up in a table and return the results. Not exactly rocket science, and the BIND configuration file's pretty ugly looking if my memory serves.

I think overcomplexity is one of the biggest problem with the software world as it is today. It's worst on Windows, of course, but Sendmail and BIND are proof that Unix has similar problems too.

D

Re:De Facto

[the_mad_poster]

Yea, ok Tet. I'm a troll and that's FUD. It's not like sendmail really is a total piece of shit.

Don't give me shit about Perl either. I can write totally unreadable code in C, Perl, Python, PHP, VBScript, Vb6, C++, Java, shell scripting, and QBASIC. I can also write clean code, readable code in all of them.

It's not FUD, most Slashdotters just have their heads so far up their own asses that it just looks like they sit on top of their necks. Morons around here bemoan Microsoft for its shitty security, then they run out every other day to patch BIND or sendmail. Even assuming you're the 1 in 20 person who actually has a need that only sendmail can meet (which I doubt you are given the odds), the fact that you would suggest that saying sendmail has shit poor security is just "FUD" just serves to prove the point that you're just another one of the idealogical nutjobs that frequent this place.

Give it a rest. It's not FUD because it's true. Sendmail blows a left donkey's swollen nut when it comes to security, usability, and reliability. Just deal with it. While you're at it, ask yourself if you even really need sendmail, or if you're just too lazy to make the switch to something that actually works.

Re:De Facto

[the_mad_poster]

Nice try, but my real world experience proves you to be wrong.

Holy shit... you're a real gem...

MY experience is that people who use sendmail might as well just generate their configuration files using /dev/urandom. I guess MY real world experience proves YOU to be wrong, so now you're going to stop using sendmail, right?

I also like how the guy that you responded to got pinned as a troll. See, on Slashdot, the fact that sendmail is a total piece of security shit doesn't matter. All that matters is that MICROSOFT programs have lousy security.

I suspect this is because 95% of the people on Slashdot that actually talk don't know shit about computing, but they spit the same old idealogical mind dumps that appear in every Microsoft/Linux/SCO article and get excellent karma and mod points. Then, they run around and mod down anyone who doesn't say exactly what they were saying before. I mean, god forbid an intelligent post appear that doesn't exhort the many virtues of OSS! After all, with a license like GPL/BSD, it HAS to be good..... right?

Re:De Facto

[walt-sjc]

what does sendmail offer you that exim doesn't

As someone who used to run sendmail (from the late 80's to 2002 before switching to exim) it gives you native support for UUCP!! It also gives you good brain excercises so you can do things like complex regular expressions, the US tax code, etc. :-)

Seriously, if you really need to customize sendmail, you need to understand the rewrite rules in depth which are quite bizzare to someone not familiar. Adding additional functionality like sql DB lookups for virtual users with SMTP Auth, etc. can be a challenge for even the more seasoned sendmail admin. Once you get beyond the simple soho stuff, sendmail becomes quite awkward to work with. Sendmail Milter's is a horrible interface. Add on message archiving, spam / virus filters, special handling for certain addresses / domains, etc. and exim really starts to look good. Unless you are a full time mail administrator, you probably have better things to learn than sendmail syntax, and that's the bottom line.

Bind is no sendmail. Bind's syntax is actually quite clean - more like apache or exim than sendmail. There are no bizzare ruleset's to learn - it's more like defining a structure in C.

MyDNS

[Havokmon]

I've played with it.. it's defintely a nice DNS server.

But what I really want is something like EasyDNS provides: Aliases. I want to be able to 'clone' whole domains, because they're all going to the same place anyways based on the hostname.

Maybe EasyDNS just wipes out all the duplicate hostnames, and writes new records for them between the web interface and the backend when a host is changed or added..

Re:MyDNS

[boaworm]

You should try PowerDNS. It's entire records are located in MySQL database tables, enables very easy update/modify/add/delete scripts. Performance is great :-)

That's like...

[Simon+Carr]

"air is most popular substance to breathe". :)

That being said, PowerDNS is pretty awesome as a master, very nice for front end interface building.

Not necessarily the best for all...

[Piranhaa]

Personally, I use one called djbdns. It's extremely small and basically bug free! The author actually will pay $50,000 to whoever finds the first exploit in it or something. If you don't need all the extra power that bind offers, this is a much better way to go. Less memory and space required, meaning cheaper systems may run it better. Even the config file can't be simpler!! cat /etc/tinydns/root/data .pnet:10.0.3.33:a:259200 .10.in-addr.arpa::ns.pnet: #Define hosts & aliases =pollux.pnet:10.0.3.1 =altair.pnet:10.0.3.2

Re:Not necessarily the best for all...

[geniusj]

As another testimonial, I use djbdns for over 900 domains and over 100,000 RRs. We receive about 300 queries/sec with tinydns using about 2% CPU and about 800K of memory. I love the rsync method of syncing dns data, it works especially well for Dynamic DNS (which is something I provide).

As an aside, long ago, ODS (the service I run) ran BIND. At the time BIND used 90+% CPU consistently. Mainly because of the constant dynamic updates being sent to BIND via the update daemon. It also used about 50MB of memory or so (back in 1999 or therabouts). The switch to djbdns came shortly thereafter and I haven't looked back. Granted, djbdns cannot provide immediate dynamic updates because of its use of CDB. However, I find that every 30 seconds proves to be sufficient, especially when the 'secondaries' get updated immediately as well (thanks to rsync). Building the cdb is also remarkably fast, with it taking 0.55 seconds to hash the cdb with over 100k records.

Overall, I'm quite happy.

You really see which DNS does heavy lifting.

[Inoshiro]

Ratio of BIND domains serviced to installs: 24,335,752 / 340,345 = 71.5 domains/server.

Ration of MS DNS domains to installs: 2,165,143 / 101,781 = 21.27 domains/server.

Ratio of TinyDNS domains to installs: 5,405,266 / 12,130 = 445.6 domains/server!

Despite only having 2% of the installs, TinyDNS serves 15% of all domains on the internet. Obviousy it is very capable, and has few to no exploits available for it. Why don't more people use TinyDNS if it's so capable?

Because they haven't read how easy it is to setup!

Re:You really see which DNS does heavy lifting.

[James+Youngman]

Despite only having 2% of the installs, TinyDNS serves 15% of all domains on the internet.

Maybe that just means that TinyDNS is popular with domain squatters.

I think that the best definition of "heavy lifting" is not the size of the installed base or the average number of domains per server, but instead the total number of queries served. Those numbers of course are hard to estimate.

Re:You really see which DNS does heavy lifting.

[Florian+Weimer]

Despite only having 2% of the installs, TinyDNS serves 15% of all domains on the internet. Obviousy it is very capable, and has few to no exploits available for it. Why don't more people use TinyDNS if it's so capable?

tinydns is unmaintained software. It does not compile out of the boxon modern systems. You don't have a license, so you can only do with it what your local copyright law permits (which may or may not be enough). The zone file format of tinydns is non-standard. The answers it generates are often excessively verbose (e.g. redundant NS records). Third-party documentation suggests a configuration that violates recommendations of TLD operators and most ISPs, which means that you have to redo parts of it once you receive your first delegation.

And so on. Go ahead and use BIND alternatives for authoritative name servers, but try to avoid tinydns.

Re:You really see which DNS does heavy lifting.

[Florian+Weimer]

RFC 1035 (STD 13) describes the format of zone files (which are called "master files" in this document).

Re:It is the default, and not hard to understand

[Nohea]

I really like BIND 9 - easy to use, the most features, plus a full rewrite since BIND 8.

DNS servers are low on resource usage anyway, so switching to a leaner daemon would always be a niche product (like Apache alternatives).

The only motivation for switching is the exploit issue. With the rewrite, its less of a case, and everyone should be keeping up to date w/security patches anyway.

Reasons why DJBDNS is not more common

[James+Youngman]

1. Its config file syntax is even more human-unfriendly than BIND's
2. It doesn't allow free reign to set the records up exactly how you want (trivially for example, it forces you to adopt a mandatory naming convention for MX records - though the convention is pretty sensible)
3. It doesn't support caching, so you need a separate server for that (this is actually good, but it does add to the overall amount of work required to set up a set of DNS servers)
4. Some people find DJB difficult to get on with and/or were turned off by the whole problem around (non) distribution of modified versions of qmail, and so avoid DJB's other offerings

Re:Reasons why DJBDNS is not more common

[embo]

Its config file syntax is even more human-unfriendly than BIND's

I've got to disagree with you when I can parse a zone file like this:

while (<STDIN>) {
$line = split(':', $_);
for $line[0] {
if (/Z/) { # Zone file }
elsif (/+/) { # A Record }
elsif (/\@/) { # MX Record }
etc. etc. etc.
}
}

All you need is this page to understand the entire format of any zone file: http://cr.yp.to/djbdns/tinydns-data.html For BIND, I need the entire manual. Maybe it's just me.

Re:Reasons why DJBDNS is not more common

[ajs]

Some people find DJB difficult to get on with and/or were turned off by the whole problem around (non) distribution of modified versions of qmail, and so avoid DJB's other offerings

I have to say that this is the largest and most insurmountable reason for me against using either his DNS server or his mail server.

I was a big fan of his back in the days of UUCP, but his unwillingness to let distributions of BSD, Linux, etc. modify and distribute his software (without some kind of source-based patching hack sans binaries) was a snub to all of us who have contributed to open source software over the years, and a clear indication of a lack of concern over the larger needs of his audience.

Let me be clear: he's WELL WITHIN HIS RIGHTS, and he's even going out of his way to distribute his stuff, which is great. But to say "I'm going to play ball with you, but only if you use my ball, and in the following ways" doesn't fly for me. There are many good alternatives to his code, and they all have their own advantages and disadvantages. Thanks for playing, though.

The reason DjbDNS hasn't been updated in forever..

[Sevn]

Is because it has been done forever. Instead of the exploit a year phenomenon you have with Bind, there haven't been any yet. When Bind can take 10,000 requests per second on a dual Xeon box (used for MAPS) and not melt into a smoky plastic dog treat, let me know. Don't get me wrong. Djb is slightly, well, he comes across as a bitter man with something to prove. And I can't stand qmail. But he hit the nail on the head with DjbDNS. I've got nearly 240 domains with a combined total of over 125,000 records hosted with no problem.

Why they keep BIND around

[reaper]

• It's in practically every distro by default
• Not a whole lot of people really need the hassle of installing another DNS server
• It is the standard by which other implementations get judged
• It supports just about every obscure feature known to the DNS world
• If you know how to hack the config files, it makes manually setting up tons of vhosts dirt simple
• The name is just so powerful
• Certain other dns server authors(*cough*djb*cough*) always manage to piss off too many people, even when they are proposing a superior solution to a problem.

Hasn't been updated in years??

[embo]

...since D. J. Bernstein's hasn't been updated for years...

Maybe because it hasn't needed updating.

http://cr.yp.to/djbdns/guarantee.html

Re:Hasn't been updated in years??

Maybe because it hasn't needed updating.

He meant the *survey* hasn't been updated, not the software. Even if it wasn't obvious from the language (and I think it was!) it should have been obvios from the link.

Re:Hasn't been updated in years??

[Lxy]

Maybe because it hasn't needed updating.

a qmail user are you? :-)

If DJB were..

[jayminer]

If DJB were not such an ass, his software would be on everywhere now. He is smart, you can feel that. But come on, he thinks that if he has thought about something, it's right and it cannot be disproved. You simply can't. He won't accept a thing.

Look at where daemontools installs itself, and of course the other thingies from him, like djbdns and qmail. The default directories cannot be changed (/service, /package etc.), and if you change them from the source, you violate his license!
He's still refusing to fix the extern int errno; problem, because he thinks that it is not a problem. (Everybody should follow his standards, not glibc or anything like that) He still does not apply QMAILSCANNER patch into qmail. You need to go and get netqmail for that, or apply the patches it provices manually. You cannot distribute a patched qmail, therefore you cannot distribute a proper qmail package for your distribution without begging him!

djbdns assumes that you have a.ns.yourdomain.com b.ns.yourdomain.com etc. The add-ns program does not even get any argument about that. (Of course, you can edit the files manually).

And as far as I know, many distributions kicked his software out, including several *BSDs.

Re:If DJB were..

[quantum+bit]

How's postfix's security record? i.e. Can I set up a postfix server, then go on an 18-month holiday and be confident that my box will still be working when I get back (like I can with qmail)?

You can be very confident that it will be. Postfix uses privilege separation, runs as its own user account (not root), and is designed with a chroot environment in mind. It's also very componentized and designed so that a breach in one component can be isolated without a risk to the others. To the best of my knowledge, there has never been a remote code execution vulnerability in Postfix.

The last major security problem was a year ago and was just a DoS possibility. Even qmail has DoS problems. Before the DoS, in 2002 there was a problem that might allow someone to use Postfix to portscan another system (no risk to the system running Postfix). Both of these were in the older 1.1 version. The 2.x series, released in 2002, has never had a security problem bad enough to warrant an advisory for.

The only other thing I could find is djb ranting about a Postfix problem that has been fixed for over 6 years.

The alternatives

[Florian+Weimer]

The alternatives have not-so-subtle incompatibilities with BIND and existing practice, are not proven in the field, or are unmaintained by the original developer. In fact, BIND is often deliberately incompatible with its previous versions, so it shouldn't be too hard to beat it in this area, but apparently it is.

tinydns, which was mentioned by the story submitter, is unmaintained, like most (if not all) software that Mr Bernstein has ever released. (This is especially problematic because Mr Bernstein refuses to license the software for a fork.) It does not even compile on modern systems, and it uses a non-standard zone file format. In the days of BIND 4 and BIND 8, all that pain was probably justified, but with BIND 9, things are rather different.

In my experience, in the area of caching full resolvers, BIND 9 simply lacks serious competition, feature-wise, and in terms of ease of administration and interoperability. For authoritative-only servers, RIPE's nsd is an alternative, but BIND 9 is typically not such a big trouble that running two different name servers is really needed.

Re:The alternatives

[Florian+Weimer]

Which modern systems are those exactly? I've never had any trouble getting it to compile...

Systems with a recent version of GNU libc.

When you say unmaintained ... surely that's just because there's been nothing to change about it? Are there outstanding bugs?

It's not bugs, it's lack of features: IPv6 support, CIDR support for dnscache configuration, maybe even DNSSEC even you want to give it a try.

Re:Far from accurate

[Iamnoone]

Please explain how you managed to fingerprint DNS servers.
The same way you fingerprint OS's via there ip stack. Unusual queries and how the server reacts to them.
http://cr.yp.to/surveys/dns1.html is one among several fingerprinting methodologies.

The accuracy of the sample set is extremely questionable.
If you RTFS, he didn't take a sample, he used all the name servers. There aren't that many (which in itself is a interesting commentary on the true size of the internet) - for the .com, .net, .org, .info, and .biz TLDs 37 million domains -> 1 million name server names -> 646,524 unique name server IPs.

The interesting part is is the 27 percent that can't be fingerprinted. My guess is that they would follow a similar pattern to the fingerprintable ones but their firewalls block some of the unusual queries.

We Tried BIND, but....

[buzzoff]

BIND just wouldn't work. It worked at first, until I dumped a bunch of hosts into my zone (only a couple thousand, which isn't much in the grand scheme of things). After it stopped working I happened to get in touch with some of the developers. They just kept telling me to upgrade to the next release.

Some of the problems? Sometimes the CPU would peg at 100% like the program was in a loop, the server would quit resolving after about ten minutes, and the server wouldn't replicate.

My zone files were standard and by the book. The particular developer I was talking to the most (generally) tried to blame the A records I had added (without knowing which ones). I quadruple-checked the entries, all of which followed the RFC. I reinstalled the program, tried it on totally different servers, etc. The problem persisted.

After screwing around with BIND for two weeks I gave up. I switched over to MSDNS. Guess what? The EXACT same file that wouldn't work with BIND worked with MSDNS. This was BIND 9.2. We've been running MSDNS for a few years now with hardly any issues. We ran into some cache pollution once, but once I checked the stupid box to prevent it the problem went away.

Its a pain having to mess with the registry for simple tasks, but I guess its worth it for a working product. We're building everything programatically just like we were for BIND. Microsoft did good when it decided to use flat zone files. If only they would make everything so simple...

External DB

[geohump]

One small reason your DNS server (MyDNS) isn't catching on is that it requires an external DB server process to be set up and running on the system.

I took a look at your system with the intent to try it out but I stopped as soon as I saw that requirement.

True, Its not that huge an extra requirement, but it is an extra step and an extra external dependency.

Adding an internal db (like dbm) to your system so that its self contained would increase the likelyhood of adoption for MyDNS.

Having to run a fairly costly, (In terms of system resources), 3rd party DBMS system in order to have an active DNS server seems a little upside down to me.

Re:sendmail shows this to be true

[dekemoose]

Wrong. Bind and Sendmail are defaults because they are the most prevalent. They are the most prevalent because they've been around a long time. Sendmail was the MTA of choice on UNIX years before Linux was common, ditto Bind for dns. Since they have the history, there are a lot of people skilled with using both of these packages, despite the "difficulty" setting them up.

I USED to use djbdns...

[D'Arque+Bishop]

Like the subject says, I USED to use djbdns for my home DNS server. After a while, when I upgraded the OS on said home DNS server, I got rid of djbdns and moved to BIND. Why, you may ask?

1) I didn't like the fact that I had to use two separate IP addresses for caching and domain hosting. Maybe there was a workaround for it, but at the time I didn't know what it was and it frustrated me to high heaven that I needed two IP addresses on a box that I would have liked to have only used one.

2) The log files didn't print out timestamps in any kind of human-readable format. If I want to see what my system's doing, I don't have time to run the timestamps through some kind of translator.

3) Due to a directory existing where axfrdns didn't expect one in the log directory (and it was a name that it didn't even use), axfrdns did not work at all. I didn't find that out until a power issue brought the DNS server down and the secondary servers didn't have the correct DNS information. Once I removed the directory, axfrdns started working again.

4) Believe it or not, I find BIND zone files to be a bit more readable than tinydns's zone files. It also helps when I'm not forced to name my domain name servers a.something-or-other in the zone file. (Why add a CNAME or A for the one you want to use in the first place?)

5) daemontools.... ugh. Let's not even go there.

Go ahead and mark me as flamebait or what you will. If djbdns works for you, great. But for me, I found djbdns to be much more frustrating than BIND, and since I've migrated over to BIND I haven't had a bit of problem.

Just my $.02...