Open Source BIND Alternative Launches
bednarz writes "A group of experts on Tuesday released an open source alternative to the BIND DNS server. The new software — dubbed Unbound 1.0 — is a recursive DNS server. From its first prototype in 2004, Unbound was designed to be a faster, more secure replacement for BIND. Unbound supports DNS security extensions (DNSSEC), which authenticate DNS lookups but are not yet widely deployed because they rely on a public key infrastructure. Unbound was released to open source developers by NLnet Labs, VeriSign, Nominet and Kirei."
We use powerdns_recursor which seems very similar, and is very good.
...a DNS-Server.
Taken from here: Unbound is a validating, recursive, and caching DNS resolver. Huh, front-page information is always quite hard to get.
I've been using djbdns as my BIND alternative for the last couple of years, and I've been very happy with it. Technically it was pretty straightforward to build/install. The only consideration seems to be whether you like the djb way of doing things (I do!) and the few Freedom wrinkles in the license. :-)
http://cr.yp.to/djbdns.html
Kurt
Java seems like a logical way to go with this, considering the great track record of other Java web technologies (Tomcat, Jetty, etc).
Is there anything out there?
This posting makes it sound like bind9 is not sufficiently open/free. That is not correct, and kdawson should do a better job of editing to prevent biased postings like this.
Bind9 is licensed under the ISC license, a BSD-like license. The full text of the license follows.
-molo
Copyright (C) 1996-2001 Internet Software Consortium.
Permission to use, copy, modify, and distribute this software for any
purpose with or without fee is hereby granted, provided that the above
copyright notice and this permission notice appear in all copies.
THE SOFTWARE IS PROVIDED "AS IS" AND INTERNET SOFTWARE CONSORTIUM
DISCLAIMS ALL WARRANTIES WITH REGARD TO THIS SOFTWARE INCLUDING ALL
IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL
INTERNET SOFTWARE CONSORTIUM BE LIABLE FOR ANY SPECIAL, DIRECT,
INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING
FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT,
NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION
WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
Using your sig line to advertise for friends is lame.
Anything with Verisign's named attached to it?
I came, I conquered, I coredumped
Because this new delegate-only option in bind is making me miss out if I typo a domain.
They are the guys that wrote and support nsd (http://www.nlnetlabs.nl/nsd/), the software used on at least 2 root servers (k.root-servers.org and l.root-servers.org).
Those are some mighty fine credentials.
Both pieces of software are released under the same open source license, namely BSD.
On top of that, given the history of security problems in this line of software I would wait a while before deploying Unbound on anything serious.
Especially given the fact it sells itself as being more complex and big than its predecessor.
Well it's obviously a standards compliant web page that renders well in standards compliant browsers, such as Firefox :)
If you insist upon using a flawed implementation of a web browser, such as IE7 then that's your own problem, don't ruin it for the rest of us!
All your base belong to BIND.
I use a perhaps not-well-known alternative called ldapdns, which used to be based on the DJBDNS code. It gets its DNS information from LDAP, which is very, very nice -- I can make a change in LDAP and the change is instant as opposed to making a change to the BIND stuff, which I then have to restart BIND, etc.
My blog
but what if I like bondage? What would the Internet be without a little (okay, well, a lot) of bondage?!
Dan Bernstein's public demeanor makes Theo de Raadt look like Miss Manners. I'll stick with bind, thanks. It just plain works and I'm not stuck with an angry maintainer for updates. :D
This is one of the best: http://www.maradns.org/
weirdest thing I ever saw: scientology advertising on slashdot.
DNS is one of the bottlenecks to come. For nearly every ISP, DNS traffic grows faster than the overall traffic.
I'm doing a lot of consulting for large ISPs on DNS problems. BIND is good for small and medium ISPs but bad for large ones (as resolver, as primary or secondary nameserver).
It doesn't work very well with a cache above 1GB and the multithreading is not very efficient. Startup (for servers with 100K zones) is very slow, restart (after changing the configuration) is risky if you decreased the number of masters for a secondary zone (core dump). The readability of the code is far from perfect and it doesn't separate different functions very well (e.g. you cannot easily replace the caching algorithm). The handling of slow or dead servers could be improved too...
So, I personally welcome the new contender in the OSS nameserver arena ;-). Let the games begin...
The best results (up to today) I got with Nominum ANS and CNS. It's neither FOSS nor cheap but really, really fast. We replaced at one customer 4 overloaded BIND systems (3 GHz Dual Xeon, 4GB RAM, 2 BIND processes per system) with CNS on the same hardware (but only 2 systems) and the load barely reached 10%.
Sincerely yours, Martin
Using DNSSEC it is possible to send out special replies to known or not yet known users. In that way authorization based on DNS is possible. This will also open possibilities to use ENUM the way it is supposed to be used.
Support Eachother, Copy Dutch Property!
I can't decide if that should be a new emo superhero or a BOFH-themed ceiling-cat variant.
"Angry Maintainer is watching you masturbate." "Eww." "Why do you think he's angry?"
Am I missing something, when did BIND not qualify as Open Source?
I mostly agree, but it happens that their HTML doesn't validate. Also, their CSS is a little weird for the three column layout. They have a float: right for the rightmost column (the one that overlaps on this guy's site), but position: absolute as well. I don't know what that's supposed to mean, but it can't be good.
Slashdot Barbie says "research is hard".
Haha, you use Windows.
Everyone point and laugh.
My initial thoughts before RTFA...
1) Why re-invent BIND? Which has been beaten up so much over the past decade that it's now (probably) pretty secure with most of the bugs worked out. Plus there are lots of resources out there that can be used to solve problems or help with setup questions.
2) OTOH, options are good, it prevents a mono-culture and makes it harder for exploits to take out everything.
Of course, in this particular case, they haven't re-invented BIND. They've simply developed another DNS resolver which can't be authoritative for DNS records. So what's the draw of using BIND for your authoritative servers and then using something different for your resolver servers?
I use Microsoft. Its vendor lock-in strategy surpasses every bondage artist's skill and administering Windows boxen makes my inner masochist cry from glee. And pain, of course.
They also eat cute little puppies, which is fine with me as I'm a cat person.
USE HOT GRITS WITH STATUE OF NATALIE PORTMAN (NAKED AND PETRIFIED)
Plain and simple.
Well, that is not a very high bar. Writing a better DNS server than bind is very welcome but not actually a daunting feat. I did this several years ago as an undergrad. I had set out only to modify BIND 8, only to find the source is a big ball of spaghetti code. It then became pretty obvious why there were regular exploits.
As long as you don't GPL them.
Being real software, though, I doubt whether they tested their page with any Windows based browser :P
One swallow does not a fellatrix make
Why can't IE6 handle simple web pages written to widely-accepted standards?
'Yes, firefox is indeed greater than women. Can women block pops up for you? No. Can Firefox show you naked women? Yes.'
So for you a security expert must know html and all the bull crap around it? Well, I'm sorry but one has nothing to do with the other.
I bet they can't write a first person shooter either.
We definitely shouldn't trust their ability to write DNS servers.
(Hint for the humour impaired: Apples != Oranges)
djbdns is abandonware. It hasn't had an update since 2001, and you can believe in perfect code that doesn't ever need updating if you want to, but I don't. DJB's crazy licensing meant that only patches could be distributed, not modified sources or binaries, which effectively killed any community support. Now that it's public domain it's possible for someone to pick it up and start maintaining it again, and I'll wait until that happens before using it again. I can live with DJB's complete disregard of filesystem conventions and stuffing a whole lot of new top-level directories for no good reason into the system, and creating a bunch of unnecessary new management daemons (daemontools). But not maintaining his own software makes it a no-go, especially something as crucial as name services.
we will end no whine before its time
Rendering "correctly" on IE is a BAD sign, not a good one.
Have you forgotten the big fiasco about IE deliberately NOT honoring standards?
IE is, in short, a proprietary piece of shit that makes up its own rules, and I've heard many cases where web pages must be deliberately broken just so they can be spoonfed to IE.
I understand they may be experts on Tuesday, but they know jack shit about the rest of the week.
AT&ROFLMAO
If you need a small and simple authoritative DNS server, I suggest
# apt-get install nsd
Simple to install. Simple to configure.
According to the homepage, it can handle big loads too.
http://www.nlnetlabs.nl/nsd/
Public domain as of December.
Unbound is a DNS resolver, not a server. PowerDNS will do both. As a server, it's technically offtopic, but...
I love the fact that there are pluggable backends. More than that, I love the pipe backend. I realize this is an "everything looks like a nail" scenario, but I actually wrote a PowerDNS->REST client with that, and then a Rails server behind it.
Slow? Sure, but I can always set up a slave -- either someone like DynDNS, or another PowerDNS server with a faster backend (MySQL, Postgres, maybe even SQLite?)
Overkill? Sure, but I can't get over the fact that I've written a DNS server in Rails.
Don't thank God, thank a doctor!
Maybe you can give me a list of all the bugs filed against djbdns? The security prize is still up for grabs. If it ain't broke, don't fix it.
I have to agree with his software not having any sane install path. And though daemontools may be unnecessary, I'm sure djb has some ego-centric reason why existing management daemons are insufficient with a hint of truth to it.
Isn't it funny how Dan Bernstein is the only guy to develop a bulletproof mail and DNS server, yet all he gets is criticism for his work?
Maybe he didn't want his sources modified because nobody else seems to be able to write secure software, and he doesn't want his name on a security bulletin for someone else's Qmail/DJBDNS mistake.
Tell me again how many mail and DNS servers have had zero security holes?
Not that it matters anymore, as these have all been placed in the public domain.
One might request new features in these applications, but patches are often to fix bugs.
If there haven't been any official patches since 2001, maybe it's because there haven't been any bugs.
DJB may not agree with the GPL and may like to do things in a very non-standard way, but damn, the proof is in the product.
Computer Science is no more about computers than astronomy is about telescopes. --E. W. Dijkstra
kdawson is one of the worst offenders of shitty, incorrect, or biased summaries and is one of the worst editors. ever. anywhere.
True, there has been only one security hole I can recall, where a correctly-formed "packet of death" cleared the recursive cache. The result is like a DoS attack. There was a third-party patch released, but then there's the same old problem of having to manually apply the patches, and knowing which third-party patches to trust. But it's not just bugs or security problems that make it a no-go for me; it's out of date as well.
It doesn't support IPv6, or SRV, NAPTR, or RP records and other new record types, and the root servers list is hardcoded and out of date. It also has problems with correctly tracking domains that move. Yes, there is a workaround for supporting new record types with some config file tweaks, but really now, that's the sort of thing that a maintainer should be handling, and adding native support for. 7 years of no maintenance is like dog years in software time.
we will end no whine before its time
It's not about "servers" vs. "resolvers". All DNS Servers ARE servers. That's where the confusion comes from! It's really not that complex, though. In fact, the concepts are familiar to anyone who knows the difference between a web server and a web proxy.
The most important kind of DNS servers -- the ones that make up the DNS hierarchy -- are called AUTHORITATIVE servers. These are what actually provide information about domains' hosts. You set one up when you're serving DNS for a domain (an internet domain, a lan domain, or both).
RECURSIVE (not "resolver") DNS Servers, on the other hand, are more like caching proxies. They don't know anything by themselves. Instead, they accept DNS queries, consult the worldwide hierarchy of DNS servers for them, and then pass the answer to the client that made the request. Often, they'll cache that request for a certain time, in case any other client asks the same thing. You set one of these up when you want to cache requests within your organisation for efficiency reasons, or when you want to bypass your upstream so-called DNS servers (which are actually recursive servers/resolvers) for some reason.
The main thing to watch out for is setting up a server that's supposed to be authoritative for your internet domain, answering queries about it for the world, but is ALSO a recursive server, which answers queries about any other domain too.
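The split the post describes, written out as configuration, as an added example that is not part of the original thread and not taken from any project's documentation. The first fragment is the combined setup the post warns about: a BIND named.conf that is authoritative for a zone and also recurses for anyone who asks. The second keeps the two roles on separate daemons, BIND (or NSD) answering only for its own zones and Unbound recursing only for the internal network. The zone name, file paths and the 192.0.2.0/24 address range are constructed placeholders.

```conf
## --- Weak: one daemon doing both jobs (constructed named.conf) ---
options {
    directory "/var/named";           # assumed path
    recursion yes;                    # recursion left on...
    allow-query { any; };             # ...and open to the whole Internet
};
zone "example.com" {                  # constructed zone name
    type master;
    file "example.com.zone";
};

## --- Corrected, part 1: authoritative-only named.conf ---
options {
    directory "/var/named";
    recursion no;                     # only answer for zones we host
    allow-query { any; };             # the world may ask about our zones
};
zone "example.com" {
    type master;
    file "example.com.zone";
};

## --- Corrected, part 2: recursive-only unbound.conf for the LAN ---
server:
    interface: 192.0.2.53             # constructed internal address
    access-control: 192.0.2.0/24 allow   # internal clients may recurse
    access-control: 0.0.0.0/0 refuse     # everyone else is refused
```

With the authoritative daemon refusing recursion, an outside client that asks it about a third-party domain gets a refusal rather than a cached answer, and the recursive resolver is never reachable from outside the network at all, which removes the amplification and cache-abuse exposure that a combined open server carries.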
Who would trust a new DNS server for production use until it has been around for some years?
I made the mistake of trusting djbdns for an important deployment until I started to realize limitation after limitation caused by djb's mental illness. (similar to the qmail story, I guess).
Microsoft DNS was pretty scary - although now I see real networks built around it. They convinced people to switch because of the vague threat that they might break other DNS servers' ability to co-exist with Active Directory. But it worked and an alternative DNS server managed to take over significant market share very quickly.
To defeat BIND, Microsoft also provided both a GUI and a command-line interface to alter records.
Isn't that the one old l.root server that was lost?
http://blog.icann.org/?p=309
developer http://flamerobin.org
That's why it being public domain helps, but there's still the problem of either dealing with DJB or forking it.
Sounds like you need the solution applied by the Invisible Hand Society. Government is part of the market and if the government hasn't been deposed it's because the cost of deposing it is still higher than the cost of government interference, therefore there is no such thing as government interference. (TANSTAGI)
If the Angry Maintainer doesn't make you decide it's easier to fork than deal with him, then the Maintainer isn't Angry enough yet.
You kids these days. In my day I had to write my own mail server as a shell script running out of inetd! Now you get to choose between Angry Maintainers!