Slashdot Mirror

← Back to Stories (view on slashdot.org)

Open Source BIND Alternative Launches

Posted by kdawson on from the ties-that-bind dept.

bednarz writes "A group of experts on Tuesday released an open source alternative to the BIND DNS server. The new software — dubbed Unbound 1.0 — is a recursive DNS server. From its first prototype in 2004, Unbound was designed to be a faster, more secure replacement for BIND. Unbound supports DNS security extensions (DNSSEC), which authenticate DNS lookups but are not yet widely deployed because they rely on a public key infrastructure. Unbound was released to open source developers by NLnet Labs, VeriSign, Nominet and Kirei."

18 of 162 comments (clear)

  1. It's not... by cosmocain · · Score: 5, Informative

    ...a DNS-Server.

    Taken from here: Unbound is a validating, recursive, and caching DNS resolver. Huh, frontpage-information is always quite hard to get.

    1. Re:It's not... by value_added · · Score: 4, Interesting

      I've only had a quick glance, but it appears you're correct.

      Seems this is a first: both the submission and the article are absurdly wrong.

    2. Re:It's not... by spinkham · · Score: 4, Informative

      It IS a DNS server, just not an authoritative server. DNS servers come in 2 flavors, authoritative servers (which hold the actual info) and recursive servers (which do the looking up for a client).
      Most DNS servers do both, so "DNS server" means many different things depending on the context. When your ISP gives you a "DNS server" to use, it's a recursive server, not an authoratative server.
      The end user has a "stub resolver", which does not qualify as a server.

      For a more indepth discussion of DNS architecture and DNSSEC, you can check out "DNS for Rocket Scientists" here http://www.zytrax.com/books/dns/ or a talk I gave on DNS security here:
      http://www.mavensecurity.com/presentations

      --
      Blessed are the pessimists, for they have made backups.
    3. Re:It's not... by Omnifarious · · Score: 4, Interesting

      Perhaps most pieces of DNS software can do both. But actual DNS installations should not be configured that way. In fact, I've seen a rise in DNS cache poisoning attempts against my authoritative DNS server.

      --
      Need a Python, C++, Unix, Linux develop
  2. Java based DNS server? by Anonymous Coward · · Score: 5, Funny

    Java seems like a logical way to go with this, considering the great track record of other Java web technologies (Tomcat, Jetty, etc).

    Is there anything out there?

  3. FYI, bind9 is already open source by molo · · Score: 5, Informative

    This posting makes it sound like bind9 is not sufficiently open/free. That is not correct, and kdawson should do a better job of editing to prevent biased postings like this.

    Bind9 is licensed under the ISC license, a BSD-like license. The full text of the license follows.

    -molo

    Copyright (C) 1996-2001 Internet Software Consortium.

    Permission to use, copy, modify, and distribute this software for any
    purpose with or without fee is hereby granted, provided that the above
    copyright notice and this permission notice appear in all copies.

    THE SOFTWARE IS PROVIDED "AS IS" AND INTERNET SOFTWARE CONSORTIUM
    DISCLAIMS ALL WARRANTIES WITH REGARD TO THIS SOFTWARE INCLUDING ALL
    IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL
    INTERNET SOFTWARE CONSORTIUM BE LIABLE FOR ANY SPECIAL, DIRECT,
    INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING
    FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT,
    NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION
    WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.

    --
    Using your sig line to advertise for friends is lame.
  4. Are we supposed to trust.. by bleh-of-the-huns · · Score: 5, Interesting

    Anything with Verisign's named attached to it?

    --
    I came, I conquered, I coredumped
    1. Re:Are we supposed to trust.. by richie2000 · · Score: 4, Funny

      Anything with Verisign's named attached to it? No, this isn't a named.
      --
      Money for nothing, pix for free
  5. Both Open Source, Both BSD... by Manip · · Score: 4, Insightful

    Both pieces of software are released under the same open source license, namely BSD.

    On top of that, given the history of security problems in this line of software I would wait a while before deploying Unbound on anything serious.

    Especially given the fact it sells its self as being more complex and big than its predecessor.

  6. Re:djbdns by oyenstikker · · Score: 5, Informative

    the few Freedom wrinkles in the license.

    djbdns is now in the public domain (as of December 2007). Before that, there was no license.

    http://cr.yp.to/distributors.html
    --
    The masses are the crack whores of religion.
  7. For those of you wondering what the difference is: by an.echte.trilingue · · Score: 4, Informative
    For those of you who (like me) don't know the difference between the two, from wikipedia:

    DNS servers
    The Domain Name System consists of a hierarchical set of DNS servers. Each domain or subdomain has one or more authoritative DNS servers that publish information about that domain and the name servers of any domains "beneath" it. The hierarchy of authoritative DNS servers matches the hierarchy of domains. At the top of the hierarchy stand the root nameservers: the servers to query when looking up (resolving) a top-level domain name (TLD).

    DNS resolvers
    A resolver looks up the resource record information associated with nodes. A resolver knows how to communicate with name servers by sending DNS queries and heeding DNS responses.

    A DNS query may be either a recursive query or a non-recursive query:
    • A non-recursive query is one where the DNS server may provide a partial answer to the query (or give an error). DNS servers must support non-recursive queries.
    • A recursive query is one where the DNS server will fully answer the query (or give an error). DNS servers are not required to support recursive queries.
    The resolver (or another DNS server acting recursively on behalf of the resolver) negotiates use of recursive service using bits in the query headers.

    Resolving usually entails iterating through several name servers to find the needed information. However, some resolvers function simplistically and can communicate only with a single name server. These simple resolvers rely on a recursive query to a recursive name server to perform the work of finding information for them.
    --
    weirdest thing I ever saw: scientology advertising on slashdot.
  8. Re:Powerdns anyone? by Anonymous Coward · · Score: 5, Funny

    We use powerdns_recursor which seems very similar, and is very good.

    Return to parent comment.

  9. Slashdot Barbie... by argent · · Score: 5, Funny

    Slashdot Barbie says "research is hard".

  10. Re:djbdns by Anonymous Coward · · Score: 5, Insightful

    It's also very small, extremely fast, highly modular, and extraordinarily robust. It could take the load of a root name server, if you had the bandwidth. It actually approaches the almost-mythical status of "bug-free software"; I certainly would be surprised by any remaining security or stability issues being discovered in it.

    The man himself can often come across as arrogant - but you can't deny with djbdns he's written extraordinarily stable, virtually bug-free code that he has now (along with almost all of his other work) explicitly gifted to the public domain. He deserves a little credit for that, imho, and djbdns certainly deserves being considered alongside any other DNS server.

  11. Re:DNS is a big problem and it's getting bigger by mseeger · · Score: 4, Insightful
    Hi,

    Here we go the the "commercial software is better than open source" argument.

    Neither is open source better thean comercial nor is comercial better than open source. It all depends on the use. As i wrote, if you are a small ISP or a medium ISP and (e.g. 5K Zones, 10K DNS requests per second) BIND suits your needs. If you have 100K zones and 100K DNS requests per second, i doesn't. I mentioned Nominum because it's the best solution i have seen till today and i will benchmark Outbound against CNS and not BIND. Beating BIND is IMHO not a challenge....

    I personally hate BIND, and BIND is open source, but some secret sauce being twice as fast? I don't think so.

    I'm not in the secret sauce business ;-). I speak numbers and statistics. E.g. CNS is for high loads 10-20 times more CPU efficent than BIND as caching nameserver on the same hardware. The cache handling of BIND 8/9 really, really sucks :-(. A customer doesn't pay 80K $ just on my say so (unluckily). They run tests and to prove the business case.

    Remark: 90% of my customers run BIND and are happy with it. I do OSS and comercial software in a happy mix. Ideology is not my thing. Use the software (FOSS or comercial) that's better for the problem.

    Regards, Martin

  12. Re:Powerdns anyone? by num42 · · Score: 4, Interesting

    When we - which you can read as 'i' btw. ;-) - were still on BIND9.(3|4) i had crashing named processes at least once a day, never had a single crash of a pdns_recursor process that wasn't my own fault until this day. Just as a funny sidenote i thought i should share with you what happened when i grabbed myself a heart and switched from BIND8 to BIND9 one day. ;-) This was the result: http://zaphods.net/~zaphodb/high-performance-bind9.html
    --
    "morning is a state of mind ;)"
  13. Re:DNS is a big problem and it's getting bigger by mseeger · · Score: 5, Interesting
    Hi, If bind is your problem, your doing it wrong. Root F runs bind and I'm betting it does far more than your trivially small organisation with only 100k zones. Root F and its mirrors answer somewhere in excess of 1/3 of all top level queries.

    If you run BIND with 100K zones, it takes quite some time to come up and starts answering queries. If you do a reload, it has a dead time in between. Try it...As secondary it has bugs (for more than 12 months now) that may crash it. I just had customer who paid a lot of money to get it fixed by an external company. Of course the fix was sent to the BIND maintainers.

    As always, you can work around the problem. E.g. for the startup/reload problem you can use multiple server and load balancers, switch ip addresses, pull a rabbit out of your hat... It's all possible. The question is always: is it cost efficent? If you have to adopt your procedures to work with BIND, you may do so. A lot of companys prefer paying money and adopt the software to their procdures. Both ways may work.

    BIND doesn't have a performance problem as primary nameserver or secondary nameserver. It has a performance problem as a caching nameserver and a severe one. This is why i'm happy about Unbound.

    At last: Some root nameservers should always run BIND. We need at huge diversity of software for root server, even if it creates pains. Just for security reasons....

    Regards, Martin

    Disclaimer: I don't hate BIND, i don't love specific comercial products. The decision is always based on a lot of parameters. Price, FOSS vs. comercial, hardware or software based solution, Know How of the administrators... All goes into one pot. There is no one size fits all.

  14. Re:DNS is a big problem and it's getting bigger by mseeger · · Score: 4, Informative
    80 large for software? , and DNS software? are you nuts?

    I do IT as a living for 25 years now, so the answer to your question is YES.

    Do you realize how fast a computer you can get for $80K?

    The answer is YES again. I sell it too...

    Its just DNS software , why would you want to pay ANYTHING let along that much? Buying a faster computer to do the same thing makes a whole lot more scene.

    The answer here is NO. The problem with this thread and the discussion here is, that you underestimate the problem.

    Example: It's 2007. You have 4 Caching DNS servers on 3Ghz Dual Xeon, each runs a two BIND 8 processes. Each BIND process is bound to a specific IP address. The servers really work hard, but the DNS performance (time to answer, percentage of queries ansered) doesn't satisfy you. What do you do?

    OK, let's start:

    • The clever guy says: Dude, you're still running BIND 8. That's outdated. Switch to the new BIND 9! It's got multithreading. Use it and all you're sorrows are gone.
      The real world says: BIND 9 on a Dual CPU system brings you 140% of the performance of BIND 8. But you're running 2 processes on each system. Switching to BIND 9 decreases your performance per CPU for about 30%.
    • The clever guys replies: OK, buy four more machines. Use one BIND 9 on each of them.
      The real world says: OK, you increased your capacity by 40% while doubling the costs. This is a workaround but no solution...
    • The clever guy says: OK, buy 12 machines, put BIND 9 on all of them.
      The real world says: OK, no you qadruppeled your costs. Are you aware that managing a hardware costs more than the iron itself. And how, by the way, do you distribute the load?
    • The clever guy says: Oh, just use a load balancer.
      The real world takes it spreadsheet and says: Well a load balancer for that load costs something too. Any one here knows how to setup and configure ACME load balancer?
    • The clever guy says: OK, drop the load balancer. Just give the users the address of the new name servers by PPPoE.
      Ar this point the real world sighs: Ah, and you are aware that about 30+% have hardwired the name server.

    Believe me, this is the simplified version for beginners.

    Regards, Martin