Slashdot Mirror


Open Source BIND Alternative Launches

bednarz writes "A group of experts on Tuesday released an open source alternative to the BIND DNS server. The new software — dubbed Unbound 1.0 — is a recursive DNS server. From its first prototype in 2004, Unbound was designed to be a faster, more secure replacement for BIND. Unbound supports DNS security extensions (DNSSEC), which authenticate DNS lookups but are not yet widely deployed because they rely on a public key infrastructure. Unbound was released to open source developers by NLnet Labs, VeriSign, Nominet and Kirei."


  1. It's not... by cosmocain · · Score: 5, Informative

    ...a DNS-Server.

    Taken from here: Unbound is a validating, recursive, and caching DNS resolver. Huh, frontpage-information is always quite hard to get.

    1. Re:It's not... by zn0k · · Score: 3, Informative

      That might be due to the website of the distributor calling the product a DNS server.

      Taken from http://www.nlnetlabs.nl/:

      Recent Software Updates
      Unbound 1.0.0
      Tue May 20 2008
      The public release of Unbound, a fast recursive validating caching DNS server.

    2. Re:It's not... by spinkham · · Score: 4, Informative

      It IS a DNS server, just not an authoritative server. DNS servers come in 2 flavors, authoritative servers (which hold the actual info) and recursive servers (which do the looking up for a client).
      Most DNS servers do both, so "DNS server" means many different things depending on the context. When your ISP gives you a "DNS server" to use, it's a recursive server, not an authoritative server.
      The end user has a "stub resolver", which does not qualify as a server.

      For a more in-depth discussion of DNS architecture and DNSSEC, you can check out "DNS for Rocket Scientists" here http://www.zytrax.com/books/dns/ or a talk I gave on DNS security here:
      http://www.mavensecurity.com/presentations

      --
      Blessed are the pessimists, for they have made backups.
  2. djbdns by khundeck · · Score: 3, Informative

    I've been using djbdns as my BIND alternative for the last couple of years, and I've been very happy with it. Technically it was pretty straightforward to build/install. The only consideration seems to be whether you like the djb way of doing things (I do!) and the few Freedom wrinkles in the license. :-)

    http://cr.yp.to/djbdns.html

    Kurt

    1. Re:djbdns by oyenstikker · · Score: 5, Informative

      the few Freedom wrinkles in the license.

      djbdns is now in the public domain (as of December 2007). Before that, there was no license.

      http://cr.yp.to/distributors.html
      --
      The masses are the crack whores of religion.
    2. Re:djbdns by Anonymous Coward · · Score: 1, Informative

      djbdns won't support DNSSEC and Dan J. Bernstein made a detailed explanation about that:

      http://cr.yp.to/djbdns/forgery.html

    3. Re:djbdns by Anonymous Coward · · Score: 1, Informative

      "Before that, there was no license."

      Actually, there was, but it was informal and grossly restrictive. They were also not free software licenses because they didn't permit modification of sources.

  3. FYI, bind9 is already open source by molo · · Score: 5, Informative

    This posting makes it sound like bind9 is not sufficiently open/free. That is not correct, and kdawson should do a better job of editing to prevent biased postings like this.

    Bind9 is licensed under the ISC license, a BSD-like license. The full text of the license follows.

    -molo

    Copyright (C) 1996-2001 Internet Software Consortium.

    Permission to use, copy, modify, and distribute this software for any
    purpose with or without fee is hereby granted, provided that the above
    copyright notice and this permission notice appear in all copies.

    THE SOFTWARE IS PROVIDED "AS IS" AND INTERNET SOFTWARE CONSORTIUM
    DISCLAIMS ALL WARRANTIES WITH REGARD TO THIS SOFTWARE INCLUDING ALL
    IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL
    INTERNET SOFTWARE CONSORTIUM BE LIABLE FOR ANY SPECIAL, DIRECT,
    INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING
    FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT,
    NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION
    WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.

    --
    Using your sig line to advertise for friends is lame.
  4. maradns by TheSlashaway · · Score: 3, Informative

    This is one of the best: http://www.maradns.org/

    1. Re:maradns by EllynGeek · · Score: 2, Informative

      I agree, Maradns is an excellent authoritative name server and caching resolver. Unlike the horrid lardy mess that is BIND, it handles very large loads, and it is easy to configure. BIND is a gawdawful bloated mess that should have been laughed into oblivion years ago. Maradns, NSD, and Powerdns are all far superior to BIND. They're sane to administer and much more robust. For LAN DHCP and DNS, try Dnsmasq. Friends don't let friends use BIND.

      --

      we will end no whine before its time

  5. For those of you wondering what the difference is: by an.echte.trilingue · · Score: 4, Informative

    For those of you who (like me) don't know the difference between the two, from wikipedia:

    DNS servers
    The Domain Name System consists of a hierarchical set of DNS servers. Each domain or subdomain has one or more authoritative DNS servers that publish information about that domain and the name servers of any domains "beneath" it. The hierarchy of authoritative DNS servers matches the hierarchy of domains. At the top of the hierarchy stand the root nameservers: the servers to query when looking up (resolving) a top-level domain name (TLD).

    DNS resolvers
    A resolver looks up the resource record information associated with nodes. A resolver knows how to communicate with name servers by sending DNS queries and heeding DNS responses.

    A DNS query may be either a recursive query or a non-recursive query:
    • A non-recursive query is one where the DNS server may provide a partial answer to the query (or give an error). DNS servers must support non-recursive queries.
    • A recursive query is one where the DNS server will fully answer the query (or give an error). DNS servers are not required to support recursive queries.
    The resolver (or another DNS server acting recursively on behalf of the resolver) negotiates use of recursive service using bits in the query headers.

    Resolving usually entails iterating through several name servers to find the needed information. However, some resolvers function simplistically and can communicate only with a single name server. These simple resolvers rely on a recursive query to a recursive name server to perform the work of finding information for them.
    --
    weirdest thing I ever saw: scientology advertising on slashdot.
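    The "bits in the query headers" that the Wikipedia excerpt mentions, and the stub/recursive/authoritative split spinkham describes in comment 2, are the RD and RA flags of the DNS header. The following is an added illustration (not from the thread, Wikipedia, or any of the servers discussed) that builds a query with RD set or clear and reads RA back from a reply; the sample replies are constructed inline and the constant and function names are my own.

```python
import struct

# DNS header flag bits (RFC 1035 section 4.1.1); the names are mine.
QR = 0x8000  # message is a response
AA = 0x0400  # authoritative answer
RD = 0x0100  # recursion desired: the client asks for a full answer
RA = 0x0080  # recursion available: the server is willing to act recursively
RCODE_MASK = 0x000F

def encode_name(name):
    """Wire-format a dotted name as length-prefixed labels ending in a zero octet."""
    labels = [l.encode("ascii") for l in name.rstrip(".").split(".") if l]
    return b"".join(bytes([len(l)]) + l for l in labels) + b"\x00"

def build_query(name, qtype=1, txid=0x1234, recursive=True):
    """Serialise a one-question query; RD set = recursive query, RD clear = non-recursive."""
    flags = RD if recursive else 0
    header = struct.pack("!HHHHHH", txid, flags, 1, 0, 0, 0)
    return header + encode_name(name) + struct.pack("!HH", qtype, 1)

def parse_header(msg):
    """Decode the 12-byte header into the fields relevant to recursion negotiation."""
    if len(msg) < 12:
        raise ValueError("truncated DNS message")
    txid, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", msg[:12])
    return {"id": txid, "response": bool(flags & QR), "aa": bool(flags & AA),
            "rd": bool(flags & RD), "ra": bool(flags & RA),
            "rcode": flags & RCODE_MASK, "qdcount": qd, "ancount": an}

def describe_service(response):
    """Classify what the replying server offered, from its header bits alone."""
    h = parse_header(response)
    if not h["response"]:
        return "not a response"
    if h["rd"] and h["ra"]:
        return "recursive service granted"
    if h["rd"] and not h["ra"]:
        return "recursion requested but not available (partial answer or referral at best)"
    return "non-recursive query answered"

# Constructed sample: a recursive resolver's reply (QR|RD|RA, NOERROR, one answer),
# echoing the question and carrying an A record for example.com -> 192.0.2.1 (TEST-NET-1).
SAMPLE_RECURSIVE_REPLY = (
    struct.pack("!HHHHHH", 0x1234, QR | RD | RA, 1, 1, 0, 0)
    + encode_name("example.com") + struct.pack("!HH", 1, 1)
    + b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, 3600, 4) + bytes([192, 0, 2, 1])
)
# Constructed sample: an authoritative-only server answering the same query; RD is echoed, RA stays clear.
SAMPLE_AUTH_ONLY_REPLY = (struct.pack("!HHHHHH", 0x1234, QR | AA | RD, 1, 0, 0, 0)
                          + encode_name("example.com") + struct.pack("!HH", 1, 1))
```

Sending `build_query(...)` over UDP port 53 to a real resolver and feeding the reply to `describe_service` shows the same distinction on live traffic.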
  6. Re:Java based DNS server? by morgan_greywolf · · Score: 3, Informative

    Is there anything out there?

    Actually, yes, yes there is.
  7. Because kdawson is a troll by Anonymous Coward · · Score: 2, Informative

    Plain and simple.

  8. Re:DNS is a big problem and it's getting bigger by darkuncle · · Score: 3, Informative

    yes, yes there are lots of DNS requests. And there is caching at every single layer of the infrastructure, including most importantly:
    * client resolver library
    * client's upstream nameservers (recursive-only generally, operated by their ISP)
    * any additional upstream DNS architecture between the client's nameservers and the SOA

    point being that billions of DNS requests generated daily for e.g. google.com are NOT all individually served by Google's nameservers. A small percentage of the total actually comes all the way through; the rest are handled by caching (one of the primary design goals of the protocol).

    A proper architecture will do more to improve site performance (and reduce burden on the network) than any amount of changes to the software you're using to serve DNS. The slowdown you're referring to is much more likely to occur closer to the edge than in the core of the ISP (where DNS server performance is a factor).

    BIND is not the problem. DNS isn't even the problem (unless you've got some really boneheaded setups). _architecture_, in a general sense (from systems to storage to networking to web page content to CDN to GSLB to peering to geographic distribution of datacenters), is the problem. DNS is a very small facet of the overall problem (it can be a problem, granted - but it's hardly the most significant one, or even in the top 5 the vast majority of the time).

    --
    illum oportet crescere me autem minui
  9. Re:djbdns is abandonware by EllynGeek · · Score: 3, Informative

    djbdns is abandonware. It hasn't had an update since 2001, and you can believe in perfect code that doesn't ever need updating if you want to, but I don't. DJB's crazy licensing meant that only patches could be distributed, not modified sources or binaries, which effectively killed any community support. Now that it's public domain it's possible for someone to pick it up and start maintaining it again, and I'll wait until that happens before using it again. I can live with DJB's complete disregard of filesystem conventions and stuffing a whole lot of new top-level directories for no good reason into the system, and creating a bunch of unnecessary new management daemons (daemontools). But not maintaining his own software makes it a no-go, especially something as crucial as name services.

    --

    we will end no whine before its time

  10. Re:ldapdns by peterbye · · Score: 2, Informative

    Only if you change all the zones at once.

  11. Re:DNS is a big problem and it's getting bigger by mseeger · · Score: 4, Informative

    80 large for software?, and DNS software? Are you nuts?

    I do IT as a living for 25 years now, so the answer to your question is YES.

    Do you realize how fast a computer you can get for $80K?

    The answer is YES again. I sell it too...

    It's just DNS software, why would you want to pay ANYTHING let alone that much? Buying a faster computer to do the same thing makes a whole lot more sense.

    The answer here is NO. The problem with this thread and the discussion here is that you underestimate the problem.

    Example: It's 2007. You have 4 caching DNS servers on 3GHz Dual Xeon, each runs two BIND 8 processes. Each BIND process is bound to a specific IP address. The servers really work hard, but the DNS performance (time to answer, percentage of queries answered) doesn't satisfy you. What do you do?

    OK, let's start:

    • The clever guy says: Dude, you're still running BIND 8. That's outdated. Switch to the new BIND 9! It's got multithreading. Use it and all your sorrows are gone.
      The real world says: BIND 9 on a Dual CPU system brings you 140% of the performance of BIND 8. But you're running 2 processes on each system. Switching to BIND 9 decreases your performance per CPU by about 30%.
    • The clever guy replies: OK, buy four more machines. Use one BIND 9 on each of them.
      The real world says: OK, you increased your capacity by 40% while doubling the costs. This is a workaround but no solution...
    • The clever guy says: OK, buy 12 machines, put BIND 9 on all of them.
      The real world says: OK, now you quadrupled your costs. Are you aware that managing hardware costs more than the iron itself? And how, by the way, do you distribute the load?
    • The clever guy says: Oh, just use a load balancer.
      The real world takes its spreadsheet and says: Well, a load balancer for that load costs something too. Anyone here know how to set up and configure an ACME load balancer?
    • The clever guy says: OK, drop the load balancer. Just give the users the address of the new name servers by PPPoE.
      At this point the real world sighs: Ah, and you are aware that about 30+% have hardwired the name server.

    Believe me, this is the simplified version for beginners.

    Regards, Martin

  12. try nsd instead by frn123 · · Score: 2, Informative

    If you need a small and simple authoritative DNS server, I suggest
    # apt-get install nsd

    Simple to install. Simple to configure.

    According to the homepage, it can handle big loads too.
    http://www.nlnetlabs.nl/nsd/

  13. Re:DNS is a big problem and it's getting bigger by mibh · · Score: 2, Informative

    PowerDNS works quite well at those scales, FWIW. It's also Free.

    PowerDNS is GPL. BIND and Unbound (and NSD) are BSDL. Many users or operators will choose one or the other based on license alone. All of these servers work fine according to the people who are using them.
  14. Re:Are we supposed to trust.. by mibh · · Score: 2, Informative

    Anything with Verisign's name attached to it?

    yes. verisign provided some funding, and the executive who championed this is a good guy, and the NLNetLabs folks who took that money and wrote this code are good guys. it's also BSDL, and will be studied. even if verisign wanted to put some kind of bomb in the code and even if NLNetLabs somehow permitted it, external reviewers would find it straightaway. so, yes, in this case you are supposed to trust something that has VeriSign's name attached to it.
  15. Re:DNS is a big problem and it's getting bigger by mibh · · Score: 2, Informative

    If you run BIND with 100K zones, it takes quite some time to come up and start answering queries. If you do a reload, it has a dead time in between. Try it..

    please try 9.4.latest and 9.5.0-RC (or 9.5.latest, when it comes out of RC) and report back here. in particular, try it with the binary zone precompilation feature. make sure you build it with threads, on a system with good kernel-supported threads, even if you don't have multiple cores; though if you do, your QPS will improve (though your zone loading speed probably won't).

    As secondary it has bugs (for more than 12 months now) that may crash it. I just had a customer who paid a lot of money to get it fixed by an external company. Of course the fix was sent to the BIND maintainers.

    if you have a bug number, please post it here and i'll find out what happened with it. note that the BIND maintainers (http://www.isc.org/) also offer commercial support and feature development (that's largely how BIND is funded).

    [BIND] has a performance problem as a caching nameserver and a severe one.

    please post your queryperf results here, along with a pointer to your dataset, a description of your methodology, and comparative results from other name servers. we regularly stress-test BIND9 looking for bottlenecks, and we think the current version is pretty much competitive on modern hardware, software, compiler combinations.
  16. Re:DNS is a big problem and it's getting bigger by mibh · · Score: 2, Informative

    Believe me, this is the simplified version for beginners.

    i asked the BIND development team to comment on this and the consensus is you must have been running an older version. one person said:

    This guy should provide more details. He should at least show the version(s) of BIND; I've heard that even a distributor of CNS noticed that threaded BIND 9.4 (not 9.3) could beat (Nominum)CNS in some workloads.
    another said:

    The first comment suggests he misunderstands multi-threading. It appears he's considering replacing 2xBIND8 processes with 1xBIND9 multi-threaded process. That would be suboptimal. 2xBIND9 multi-threaded would likely yield increased performance.
    finally, someone noted:

    I admit: BIND9 (before 9.5) isn't perfect as a caching server with a very large cache (e.g., over 1GB of it) due to its inefficient cleaning mechanism. BIND 9.5 should solve this problem.
    feel free to post additional questions or observations here, or contact me privately (paul@vix.com), as you choose.