Slashdot Mirror


BIND Is Most Popular DNS Server

bleachboy writes "Last week I completed a new DNS server survey, since D. J. Bernstein's hasn't been updated for years. Not surprisingly, BIND wins. Why is it so hard for alternate DNS servers to gain favor, especially when BIND can be so frustrating sometimes? And yes, I'm shilling."

19 of 452 comments

  1. probably by greechneb · · Score: 5, Insightful

    probably since most distros (BSD & Linux) include BIND as their default DNS server. People are lazy.

    1. Re:probably by kfg · · Score: 5, Insightful

      It depends on what you mean by lazy.

      Ever see someone toss a coat on the floor rather than hang it up, and then go back later to hang it up anyway?

      Most lazy people create an extraordinary amount of needless labor for themselves and then berate people who have a lot of free time because of their efficiency as "lazy."

      It's very peculiar.

      KFG

    2. Re:probably by Anonymous Coward · · Score: 5, Informative

      Exactly. What is so difficult about setting up BIND for an average site? I was able to set up BIND on Woody by installing the package, reading documentation for 15 minutes and then editing a few example zone files. And I have never ever set up a DNS server before (though I know quite a bit about how DNS protocol works).

      Now, I clicked on one of the links in this story and found that to configure tinydns (as an example) you have to learn some strange sendmail-like syntax:

      =www.panic.mil:1.8.7.99
      @panic.mil:1.8.7.88:mail.panic.mil.:0
      Zpanic.mil:dns1.panic.mil:hostmaster.panic.mil::7200:3600:604800:3600

      Heh, WTF? I would have to learn this syntax and how it relates to common DNS terminology (A, CNAME, MX, ...) AND learn what the common DNS terminology means. In the BIND case, I only need the common terminology.

      All in all, I'd say BIND is used not only because it's default. It's default and sufficiently easy to use so most people do not feel the need to replace it. As a bonus, if there is a security problem, it is likely to be fixed REALLY fast upon discovery, which is a bit less probable for the other servers (because they are not used as frequently).
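The three tinydns lines quoted in the comment above map onto ordinary BIND record types once you know the field order. The following is an added example (my code, not from the thread, not from djbdns or BIND) that parses a small tinydns `data` file and prints the equivalent BIND zone-file lines. Field semantics follow djb's tinydns-data documentation as I recall it; the default TTL values, the handling of the trailing dot on `mail.panic.mil.`, and the stand-in serial `0` for an empty serial field are assumptions. The sample input is constructed: the comment's three lines plus one `+` line to exercise the A-only branch.

```python
"""Translate tinydns 'data' lines into BIND-style zone records.

Added example; not code from the original thread, djbdns or BIND.
Handles the '=', '+', '@', 'Z' and 'C' line types.  Octal escapes
(\\072 for ':' inside a field) are NOT decoded here.
"""
from __future__ import annotations

# Assumed defaults (djb's documented values as recalled, not verified).
DEFAULT_TTL = 86400
DEFAULT_SOA_TTL = 2560
DEFAULT_SOA = (16384, 2048, 1048576, 2560)  # refresh, retry, expire, minimum

# Constructed sample input: the three lines from the comment plus a '+' line.
SAMPLE = """\
=www.panic.mil:1.8.7.99
@panic.mil:1.8.7.88:mail.panic.mil.:0
Zpanic.mil:dns1.panic.mil:hostmaster.panic.mil::7200:3600:604800:3600
+ftp.panic.mil:1.8.7.100:3600
# comment lines and blank lines are skipped
"""


def _reverse_name(ip: str) -> str:
    """1.8.7.99 -> 99.7.8.1.in-addr.arpa (IPv4 only)."""
    return ".".join(reversed(ip.split("."))) + ".in-addr.arpa"


def _fqdn(name: str) -> str:
    """BIND presentation names are absolute: ensure exactly one trailing dot."""
    return name.rstrip(".") + "."


def _int_or(field: str, default: int) -> int:
    """tinydns fields are optional; an empty field means 'use the default'."""
    return int(field) if field else default


def parse_line(line: str) -> list[tuple[str, int, str, str]]:
    """Return (owner, ttl, type, rdata) tuples for one tinydns data line."""
    kind, rest = line[0], line[1:]
    f = rest.split(":")
    f += [""] * (10 - len(f))  # pad so optional trailing fields read as ""
    out: list[tuple[str, int, str, str]] = []
    if kind in "=+":
        # '=' is A plus matching PTR; '+' is A only.
        fqdn, ip, ttl = f[0], f[1], _int_or(f[2], DEFAULT_TTL)
        out.append((_fqdn(fqdn), ttl, "A", ip))
        if kind == "=":
            out.append((_fqdn(_reverse_name(ip)), ttl, "PTR", _fqdn(fqdn)))
    elif kind == "@":
        # @fqdn:ip:x:dist:ttl -> MX (and an A record for the MX host if ip given).
        fqdn, ip, x = f[0], f[1], f[2]
        dist, ttl = _int_or(f[3], 0), _int_or(f[4], DEFAULT_TTL)
        # djb rule: x without a dot becomes x.mx.fqdn; otherwise x is used as-is.
        # Assumption: a trailing dot (as in the quoted line) is tolerated and stripped.
        mx = x.rstrip(".") if "." in x else f"{x}.mx.{fqdn}"
        out.append((_fqdn(fqdn), ttl, "MX", f"{dist} {_fqdn(mx)}"))
        if ip:
            out.append((_fqdn(mx), ttl, "A", ip))
    elif kind == "Z":
        # Zfqdn:mname:rname:ser:ref:ret:exp:min:ttl -> SOA
        fqdn, mname, rname, ser = f[0], f[1], f[2], f[3]
        ref, ret, exp, mn = (_int_or(f[4 + i], DEFAULT_SOA[i]) for i in range(4))
        ttl = _int_or(f[8], DEFAULT_SOA_TTL)
        # tinydns derives an empty serial from the data file's mtime; 0 stands in here.
        serial = _int_or(ser, 0)
        rdata = f"{_fqdn(mname)} {_fqdn(rname)} {serial} {ref} {ret} {exp} {mn}"
        out.append((_fqdn(fqdn), ttl, "SOA", rdata))
    elif kind == "C":
        fqdn, target, ttl = f[0], f[1], _int_or(f[2], DEFAULT_TTL)
        out.append((_fqdn(fqdn), ttl, "CNAME", _fqdn(target)))
    else:
        raise ValueError(f"unsupported tinydns record type {kind!r}")
    return out


def to_zone(data: str) -> list[str]:
    """Parse a whole tinydns data file and render BIND zone-file lines."""
    lines: list[str] = []
    for raw in data.splitlines():
        if not raw or raw.startswith("#"):
            continue
        for owner, ttl, rtype, rdata in parse_line(raw):
            lines.append(f"{owner} {ttl} IN {rtype} {rdata}")
    return lines


if __name__ == "__main__":
    print("\n".join(to_zone(SAMPLE)))
```

Running it shows that `=` expands to two records (A and PTR), `@` to two (MX plus the A for the mail host), and `Z` to a single SOA, which is the translation the comment says a BIND admin would have to learn.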

  2. De Facto by the_mad_poster · · Score: 5, Insightful

    Because no matter what ridiculous flaws it has in it, it's the de facto standard by which all other (frequently superior) systems are measured. People figure "gee.... I wanna learn DNS servers", they think BIND. They think "gee.... I wanna learn SMTP servers". They think sendmail.

    It's the same flawed system that supports Windows, but executed to a much greater extent. People are familiar with it, so despite the fact that BIND and sendmail are absolute abominations, they get used.

    The geeks bitch about people using Windows even though "such far superior" systems exist as alternatives, but we keep using the horrendous abortion that is BIND even though there are superior alternatives that are free. I guess we can't stand the taste of our own medicine, hm?

    --
    Alito: A vote for Alito is a punch in the eye to put that bitch back in her place!
    1. Re:De Facto by Tet · · Score: 5, Interesting
      People are familiar with it, so despite the fact that BIND and sendmail are absolute abominations, they get used.

      Sigh. Y'know, I really should get used to sendmail FUD on Slashdot, but here I am feeding the trolls anyway. I use sendmail because it's better than the alternatives, and it's far from an abomination. I'm not going to claim the syntax looks good at first glance, but then most perl programs look like line noise too, yet the Slashdot crowd doesn't seem to have a problem with that. When other MTAs can match Sendmail's flexibility, then maybe I'll consider switching. But not before.

      --
      "The invisible and the non-existent look very much alike." -- Delos B. McKown
    2. Re:De Facto by Total_Wimp · · Score: 5, Informative

      When other MTAs can match Sendmail's flexibility, then maybe I'll consider switching.

      I think you hit the nail on the head. These big, some would say bloated, systems end up getting used because they're flexible. Others are constantly writing 3rd party stuff that specifically uses these systems.

      Case in point: Microsoft ADS is very DNS dependent and the only DNS they support besides Microsoft DNS is BIND. BIND may, or may not be the best DNS out there, but because it's the standard people are building their systems to, it is almost certainly the most compatible and, by extension, the most flexible.

      TW

    3. Re:De Facto by SWroclawski · · Score: 5, Interesting

      Please tell me something Sendmail does that Postfix doesn't.

      I'd argue Postfix is more modular, more simple to configure, more respectful of system resources, more secure and more flexible than Sendmail.

    4. Re:De Facto by Apreche · · Score: 5, Insightful

      True that. But in addition, because it is the de facto standard, it's what they teach college students in IT classes. I'm a CS major, and I know quite a few IT majors around here. If you asked most of them to set up a DNS server they could. If you asked how, they would say "the bind command". Because they are all windowsy, they don't realize bind is a piece of software that is replaceable. They were taught how to do things a certain way, and they don't know to do it differently.

      Not all IT majors are that dumb, some of them deserve some credit.

      The other problem is that old pain in the butt standard programs like bind and sendmail are feature complete. Because they are old and used by tons of people they have all the features in them, working properly. It may be a horrid pain in the ass to make them work, but it can be done. And while there are many nice new alternative programs that serve the same functionality in an easy clean fast way, you'll be hard pressed to find one that can do everything. I can't tell you how often someone will use a piece of software that they know is terrible, will admit to it being terrible, even complain about it being terrible, because it is the only one with a single feature that is necessary. Made up Example: One website someone visits often only works in IE. They love Firefox, but it's too much of a pain to visit that one site.

      There's some guy out there using bind who wants to use something else, but can't because he needs one tiny feature that nothing else has. This is a major weakness of Open Source because, since software is under constant development and bug fixing and security hole patching are the priority, few programs ever become feature complete.

      --
      The GeekNights podcast is going strong. Listen!
  3. MyDNS by Havokmon · · Score: 5, Informative
    I've played with it.. it's definitely a nice DNS server.

    But what I really want is something like EasyDNS provides: Aliases. I want to be able to 'clone' whole domains, because they're all going to the same place anyways based on the hostname.

    Maybe EasyDNS just wipes out all the duplicate hostnames, and writes new records for them between the web interface and the backend when a host is changed or added..

    --
    "I can't give you a brain, so I'll give you a diploma" - The Great Oz (blatantly stolen sig)
  4. You really see which DNS does heavy lifting. by Inoshiro · · Score: 5, Interesting

    Ratio of BIND domains serviced to installs: 24,335,752 / 340,345 = 71.5 domains/server.

    Ratio of MS DNS domains to installs: 2,165,143 / 101,781 = 21.27 domains/server.

    Ratio of TinyDNS domains to installs: 5,405,266 / 12,130 = 445.6 domains/server!

    Despite only having 2% of the installs, TinyDNS serves 15% of all domains on the internet. Obviously it is very capable, and has few to no exploits available for it. Why don't more people use TinyDNS if it's so capable?

    Because they haven't read how easy it is to setup!

    --
    Internet Explorer (n): Another bug -- that is, a feature that can't be turned off -- in Windows.
    1. Re:You really see which DNS does heavy lifting. by Florian+Weimer · · Score: 5, Informative

      Despite only having 2% of the installs, TinyDNS serves 15% of all domains on the internet. Obviousy it is very capable, and has few to no exploits available for it. Why don't more people use TinyDNS if it's so capable?

      tinydns is unmaintained software. It does not compile out of the box on modern systems. You don't have a license, so you can only do with it what your local copyright law permits (which may or may not be enough). The zone file format of tinydns is non-standard. The answers it generates are often excessively verbose (e.g. redundant NS records). Third-party documentation suggests a configuration that violates recommendations of TLD operators and most ISPs, which means that you have to redo parts of it once you receive your first delegation.

      And so on. Go ahead and use BIND alternatives for authoritative name servers, but try to avoid tinydns.

  5. Reasons why DJBDNS is not more common by James+Youngman · · Score: 5, Informative
    1. Its config file syntax is even more human-unfriendly than BIND's
    2. It doesn't allow free rein to set the records up exactly how you want (trivially for example, it forces you to adopt a mandatory naming convention for MX records - though the convention is pretty sensible)
    3. It doesn't support caching, so you need a separate server for that (this is actually good, but it does add to the overall amount of work required to set up a set of DNS servers)
    4. Some people find DJB difficult to get on with and/or were turned off by the whole problem around (non) distribution of modified versions of qmail, and so avoid DJB's other offerings
  6. The reason DjbDNS hasn't been updated in forever.. by Sevn · · Score: 5, Informative

    Is because it has been done forever. Instead of the exploit a year phenomenon you have with Bind, there haven't been any yet. When Bind can take 10,000 requests per second on a dual Xeon box (used for MAPS) and not melt into a smoky plastic dog treat, let me know. Don't get me wrong. Djb is slightly, well, he comes across as a bitter man with something to prove. And I can't stand qmail. But he hit the nail on the head with DjbDNS. I've got nearly 240 domains with a combined total of over 125,000 records hosted with no problem.

    --
    For every annoying gentoo user, there are three even more annoying anti-gentoo crybabies. Take Yosh from #Gimp for example.
  7. Why they keep BIND around by reaper · · Score: 5, Insightful
    • It's in practically every distro by default
    • Not a whole lot of people really need the hassle of installing another DNS server
    • It is the standard by which other implementations get judged
    • It supports just about every obscure feature known to the DNS world
    • If you know how to hack the config files, it makes manually setting up tons of vhosts dirt simple
    • The name is just so powerful
    • Certain other dns server authors(*cough*djb*cough*) always manage to piss off too many people, even when they are proposing a superior solution to a problem.
    --
    - Dan
  8. Hasn't been updated in years?? by embo · · Score: 5, Interesting

    ...since D. J. Bernstein's hasn't been updated for years...

    Maybe because it hasn't needed updating.

    http://cr.yp.to/djbdns/guarantee.html

  9. If DJB were.. by jayminer · · Score: 5, Insightful

    If DJB were not such an ass, his software would be on everywhere now. He is smart, you can feel that. But come on, he thinks that if he has thought about something, it's right and it cannot be disproved. You simply can't. He won't accept a thing.

    Look at where daemontools installs itself, and of course the other thingies from him, like djbdns and qmail. The default directories cannot be changed (/service, /package etc.), and if you change them from the source, you violate his license!
    He's still refusing to fix the extern int errno; problem, because he thinks that it is not a problem. (Everybody should follow his standards, not glibc or anything like that) He still does not apply the QMAILSCANNER patch to qmail. You need to go and get netqmail for that, or apply the patches it provides manually. You cannot distribute a patched qmail, therefore you cannot distribute a proper qmail package for your distribution without begging him!

    djbdns assumes that you have a.ns.yourdomain.com b.ns.yourdomain.com etc. The add-ns program does not even get any argument about that. (Of course, you can edit the files manually).

    And as far as I know, many distributions kicked his software out, including several *BSDs.

    1. Re:If DJB were.. by quantum+bit · · Score: 5, Insightful

      How's postfix's security record? i.e. Can I set up a postfix server, then go on an 18-month holiday and be confident that my box will still be working when I get back (like I can with qmail)?

      You can be very confident that it will be. Postfix uses privilege separation, runs as its own user account (not root), and is designed with a chroot environment in mind. It's also very componentized and designed so that a breach in one component can be isolated without a risk to the others. To the best of my knowledge, there has never been a remote code execution vulnerability in Postfix.

      The last major security problem was a year ago and was just a DoS possibility. Even qmail has DoS problems. Before the DoS, in 2002 there was a problem that might allow someone to use Postfix to portscan another system (no risk to the system running Postfix). Both of these were in the older 1.1 version. The 2.x series, released in 2002, has never had a security problem bad enough to warrant an advisory for.

      The only other thing I could find is djb ranting about a Postfix problem that has been fixed for over 6 years.

  10. The alternatives by Florian+Weimer · · Score: 5, Insightful

    The alternatives have not-so-subtle incompatibilities with BIND and existing practice, are not proven in the field, or are unmaintained by the original developer. In fact, BIND is often deliberately incompatible with its previous versions, so it shouldn't be too hard to beat it in this area, but apparently it is.

    tinydns, which was mentioned by the story submitter, is unmaintained, like most (if not all) software that Mr Bernstein has ever released. (This is especially problematic because Mr Bernstein refuses to license the software for a fork.) It does not even compile on modern systems, and it uses a non-standard zone file format. In the days of BIND 4 and BIND 8, all that pain was probably justified, but with BIND 9, things are rather different.

    In my experience, in the area of caching full resolvers, BIND 9 simply lacks serious competition, feature-wise, and in terms of ease of administration and interoperability. For authoritative-only servers, RIPE's nsd is an alternative, but BIND 9 is typically not such a big trouble that running two different name servers is really needed.

    1. Re:The alternatives by Florian+Weimer · · Score: 5, Informative

      Which modern systems are those exactly? I've never had any trouble getting it to compile...

      Systems with a recent version of GNU libc.

      When you say unmaintained ... surely that's just because there's been nothing to change about it? Are there outstanding bugs?

      It's not bugs, it's lack of features: IPv6 support, CIDR support for dnscache configuration, maybe even DNSSEC if you want to give it a try.