BIND Is Most Popular DNS Server
bleachboy writes "Last week I completed a new DNS server survey, since D. J. Bernstein's hasn't been updated for years. Not surprisingly, BIND wins. Why is it so hard for alternate DNS servers to gain favor, especially when BIND can be so frustrating sometimes? And yes, I'm shilling."
Re:probably (Score:4, Interesting)
It may be true that some of the home users running a "server" in the closet may be using the default server of their distro, but I think there aren't that many of them to make a difference.
Re:De Facto (Score:5, Interesting)
Sigh. Y'know, I really should get used to sendmail FUD on Slashdot, but here I am feeding the trolls anyway. I use sendmail because it's better than the alternatives, and it's far from an abomination. I'm not going to claim the syntax looks good at first glance, but then most perl programs look like line noise too, yet the Slashdot crowd doesn't seem to have a problem with that. When other MTAs can match Sendmail's flexibility, then maybe I'll consider switching. But not before.
You really see which DNS does heavy lifting. (Score:5, Interesting)
Ratio of MS DNS domains to installs: 2,165,143 / 101,781 = 21.27 domains/server.
Ratio of TinyDNS domains to installs: 5,405,266 / 12,130 = 445.6 domains/server!
Despite only having 2% of the installs, TinyDNS serves 15% of all domains on the internet. Obviously it is very capable, and has few to no exploits available for it. Why don't more people use TinyDNS if it's so capable?
Because they haven't read how easy it is to set up! [kuro5hin.org]
Re:De Facto (Score:2, Interesting)
Did you see the version results for BIND? There are some really ancient ones out there. 1.971% are version 4.9.3 to 4.9.11
I haven't checked any vulnerability databases on it, but that seems pretty old... too old to have patches available?
Re:It is the default, and not hard to understand (Score:3, Interesting)
DNS servers are low on resource usage anyway, so switching to a leaner daemon would always be a niche product (like Apache alternatives).
The only motivation for switching is the exploit issue. With the rewrite, it's less of a case, and everyone should be keeping up to date with security patches anyway.
BIND is like weeds! (Score:2, Interesting)
I know there are better alternatives out there, but why aren't they more popular?
- When you insult a troll, he wins.
Re:Not necessarily the best for all... (Score:3, Interesting)
-russ
Hasn't been updated in years?? (Score:5, Interesting)
Maybe because it hasn't needed updating.
http://cr.yp.to/djbdns/guarantee.html [cr.yp.to]
Re:De Facto (Score:5, Interesting)
I'd argue Postfix is more modular, more simple to configure, more respectful of system resources, more secure and more flexible than Sendmail.
Anything but ... (Score:1, Interesting)
Re:Dynamic DNS (Score:2, Interesting)
It's really cool to see someone remaking it with a real database behind it; anyone who's made/makes major system changes has had LDAP problems, and at the very best it is a marvel of 1960 db design. But... the "can even do AXFR to other servers" thing in the frill portion of his web site description is worrisome. AXFR is part of the DNS game; if you're not going to play with other servers... well, the whole point of the way DNS works is a -distributed- name system. How would you distribute load without the standard zone transfer protocol? Far from a frill IMHO.
Re:probably (Score:3, Interesting)
(ps: If there are any Gentoo folks reading, please get Bind 9.2.3 into portage properly. I got it installed on my machine by hand just fine, but emerge keeps trying to downgrade it to 9.2.2. That makes me unhappy.)
We Tried BIND, but.... (Score:4, Interesting)
Some of the problems? Sometimes the CPU would peg at 100% like the program was in a loop, the server would quit resolving after about ten minutes, and the server wouldn't replicate.
My zone files were standard and by the book. The particular developer I was talking to the most (generally) tried to blame the A records I had added (without knowing which ones). I quadruple-checked the entries, all of which followed the RFC. I reinstalled the program, tried it on totally different servers, etc. The problem persisted.
After screwing around with BIND for two weeks I gave up. I switched over to MSDNS. Guess what? The EXACT same file that wouldn't work with BIND worked with MSDNS. This was BIND 9.2. We've been running MSDNS for a few years now with hardly any issues. We ran into some cache pollution once, but once I checked the stupid box to prevent it the problem went away.
It's a pain having to mess with the registry for simple tasks, but I guess it's worth it for a working product. We're building everything programmatically just like we were for BIND. Microsoft did good when it decided to use flat zone files. If only they would make everything so simple...
Re:De Facto (Score:2, Interesting)
For me, operational changes that would require programming in exim, but require only tweaking sendmail.cf.
Example: I recently added some anti-spam rules to restrict the HELO of connecting mailservers. If it's malformed, or matches against a blacklist of 'known bad' signatures, I reject the mail. In sendmail, this was trivial (err, well - as trivial as hacking your sendmail.cf can be
I'm not saying it's for everybody - it requires a very high level of knowledge - but it's safer (no worries about buffer overflows in code I add myself, etc.) and simpler than modifying the program itself.
Re:probably (Score:3, Interesting)
bernstein (Score:1, Interesting)
Bernstein seems to be a smart guy, but he sure is crazy.
External DB (Score:3, Interesting)
I took a look at your system with the intent to try it out but I stopped as soon as I saw that requirement.
True, it's not that huge an extra requirement, but it is an extra step and an extra external dependency.
Adding an internal db (like dbm) to your system so that it's self-contained would increase the likelihood of adoption for MyDNS.
Having to run a fairly costly (in terms of system resources) third-party DBMS in order to have an active DNS server seems a little upside down to me.
Re:probably (Score:4, Interesting)
My wife has what I call the pro-aesthetic theory of organization: if a room or place appears to be neat, it's organized, even if the stuff is put away without any regard to an organizational structure (e.g., related items aren't in the same cabinet or closet). It's important for the room to look clean, even if in reality it's a highly user-unfriendly mode of organization.
When you contrast the former and the latter, it's an interesting mix -- on one hand, you have a visual mess but things are relatively easy to find. On the other hand, you have visual neatness, but things are hard to find since there's no scheme (other than size and volume) as to where things went.
As far as laziness goes, I've known neat freaks that never get anything done because the overhead cost of neatness eliminates their time.
Re:probably (Score:3, Interesting)
BIND: 24 vulnerabilities (since 1999)
TinyDNS: 0 vulnerabilities
That's what I call a secure DNS server!
Re:sendmail shows this to be true (Score:3, Interesting)
I *hate* bind with a neverending passion. I still use it because I'm not ambitious enough to change the environment I've got.
Is it laziness? No, not really. It's just not wanting to mess things up. I did recently move a large mail server off Irix/sendmail to FreeBSD/qmail, and, while it worked pretty much as I wanted it to, it wasn't a one-day task.
Re:sendmail shows this to be true (Score:3, Interesting)
Oh? I appear to have Postfix as the default MTA on my SuSE and Darwin/BSD machines, not sendmail. The only machine I own with a sendmail default MTA is running NeXTSTEP 3. It didn't come with the m4 macros for editing sendmail.cf - now editing *that* was a fun half hour.
Re:sendmail shows this to be true (Score:3, Interesting)
Re:De Facto (Score:4, Interesting)
Yea, ok Tet. I'm a troll and that's FUD. It's not like sendmail really is a total piece of shit [cr.yp.to].
Don't give me shit about Perl either. I can write totally unreadable code in C, Perl, Python, PHP, VBScript, Vb6, C++, Java, shell scripting, and QBASIC. I can also write clean code, readable code in all of them.
It's not FUD, most Slashdotters just have their heads so far up their own asses that it just looks like they sit on top of their necks. Morons around here bemoan Microsoft for its shitty security, then they run out every other day to patch BIND or sendmail. Even assuming you're the 1 in 20 person who actually has a need that only sendmail can meet (which I doubt you are given the odds), the fact that you would suggest that saying sendmail has shit poor security is just "FUD" just serves to prove the point that you're just another one of the ideological nutjobs that frequent this place.
Give it a rest. It's not FUD because it's true. Sendmail blows a left donkey's swollen nut when it comes to security, usability, and reliability. Just deal with it. While you're at it, ask yourself if you even really need sendmail, or if you're just too lazy to make the switch to something that actually works.
Re:MyDNS (Score:3, Interesting)
Yeah, but I'm already replicating MySQL - so what's another table? :P
I can understand why some people would want to have DNS information in a SQL database, but personally I feel that it's just adding another piece of software that could potentially fail. Trust me, you don't want your DNS to fail.
Ahhh. Actually, I run an email service. So I already have MySQL servers that need to be up 100% of the time. In fact, I'd wager that most websites would also run some type of SQL, and need to be up 100% of the time. So it's a natural fit.
Plus, DNS is cached. So depending on your traffic, odds are pretty good that you'll have your server up before your hostname's cache expires - and if necessary you can concentrate on what's probably a bigger problem than DNS ;)
Re:External DB (Score:2, Interesting)
It is sometimes convenient to be able to do updates using SQL. However, there is no dependency on the DB server for serving DNS - a very mission-critical service.
1. If the DB server dies, DNS will hum along normally.
2. If I get hit by a truck, any unix sysadmin can ignore the SQL DB and hand-edit the zone files.
Re:If DJB were.. (Score:3, Interesting)
In what way is it behind sendmail? Genuinely curious...
I USED to use djbdns... (Score:5, Interesting)
1) I didn't like the fact that I had to use two separate IP addresses for caching and domain hosting. Maybe there was a workaround for it, but at the time I didn't know what it was and it frustrated me to high heaven that I needed two IP addresses on a box that I would have liked to have only used one.
2) The log files didn't print out timestamps in any kind of human-readable format. If I want to see what my system's doing, I don't have time to run the timestamps through some kind of translator.
3) Due to a directory existing where axfrdns didn't expect one in the log directory (and it was a name that it didn't even use), axfrdns did not work at all. I didn't find that out until a power issue brought the DNS server down and the secondary servers didn't have the correct DNS information. Once I removed the directory, axfrdns started working again.
4) Believe it or not, I find BIND zone files to be a bit more readable than tinydns's zone files. It also helps when I'm not forced to name my domain name servers a.something-or-other in the zone file. (Why add a CNAME or A for the one you want to use in the first place?)
5) daemontools.... ugh. Let's not even go there.
Go ahead and mark me as flamebait or what you will. If djbdns works for you, great. But for me, I found djbdns to be much more frustrating than BIND, and since I've migrated over to BIND I haven't had a bit of a problem.
Just my $.02...
Re:probably (Score:3, Interesting)
I had trouble figuring out BIND's zone-file format when I first installed it. But the main thing I had trouble with was trying to figure out which packets I wanted my DNS server to be sending out.
DJB talks about not using CNAME, but it took me a long time to understand why.
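The tinydns data format that the "I USED to use djbdns" post finds less readable than BIND zone files (item 4), and the C/CNAME remark just above, can be compared concretely by rendering tinydns-data lines as BIND-style records. This is an added example, not code from the thread or from djbdns; it covers the common record types (`.`, `&`, `=`, `+`, `@`, `C`) and shows the naming rule the poster objected to: a dot-free server name in a `.` or `@` line expands to x.ns.fqdn / x.mx.fqdn, while a name containing a dot is used verbatim. SOA serial and timers are deliberately omitted; the sample data is constructed.

```python
def _ttl(field, rtype):
    # tinydns-data defaults: 259200 for NS/SOA, 86400 for everything else
    return int(field) if field else (259200 if rtype in ("NS", "SOA") else 86400)

def _rr(name, ttl, rtype, rdata):
    return f"{name}. {ttl} IN {rtype} {rdata}"

def _server(x, fqdn, label):
    # tinydns rule: a dot-free x expands to x.<label>.<fqdn> (e.g. a.ns.example.com);
    # an x containing a dot is used verbatim, which is how to avoid the forced naming
    return x if "." in x else f"{x}.{label}.{fqdn}"

def convert_line(line):
    if not line or line[0] in "#-":          # comments and disabled lines
        return []
    kind, f = line[0], line[1:].split(":")
    f += [""] * (5 - len(f))                  # pad optional fields
    fqdn, out = f[0], []
    if kind in ".&":                          # NS (+ SOA for '.') and glue A
        ns, ttl = _server(f[2] or "a", fqdn, "ns"), _ttl(f[3], "NS")
        if kind == ".":                       # SOA serial/timers omitted here
            out.append(_rr(fqdn, ttl, "SOA", f"{ns}. hostmaster.{fqdn}."))
        out.append(_rr(fqdn, ttl, "NS", f"{ns}."))
        if f[1]:
            out.append(_rr(ns, ttl, "A", f[1]))
    elif kind in "=+":                        # A record, plus PTR for '='
        ttl = _ttl(f[2], "A")
        out.append(_rr(fqdn, ttl, "A", f[1]))
        if kind == "=":
            rev = ".".join(reversed(f[1].split("."))) + ".in-addr.arpa"
            out.append(_rr(rev, ttl, "PTR", f"{fqdn}."))
    elif kind == "@":                         # MX and glue A, same x rule with 'mx'
        mx, ttl = _server(f[2] or "a", fqdn, "mx"), _ttl(f[4], "MX")
        out.append(_rr(fqdn, ttl, "MX", f"{f[3] or 0} {mx}."))
        if f[1]:
            out.append(_rr(mx, ttl, "A", f[1]))
    elif kind == "C":                         # CNAME, the type DJB advises against
        out.append(_rr(fqdn, _ttl(f[2], "CNAME"), "CNAME", f"{f[1]}."))
    else:
        raise ValueError(f"unsupported tinydns record type {kind!r}: {line!r}")
    return out

def convert(data):
    return [rr for line in data.splitlines() for rr in convert_line(line)]

# Constructed sample data file (not from the thread; example.com is reserved for docs)
SAMPLE = """.example.com:192.0.2.1:a
&example.com::ns2.example.org
=www.example.com:192.0.2.10
@example.com:192.0.2.20:mail:10
Cftp.example.com:www.example.com"""
```

Running `convert(SAMPLE)` shows the `&` line with a dotted name yielding `NS ns2.example.org.` without any `ns.` prefix, which is the way around the naming the poster disliked.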
Switched from BIND to MSDNS? (Score:2, Interesting)
Personally, when I first encounter massive performance problems on a dedicated production-critical service, I would have contacted the developers and asked them what platform they recommend for running a dedicated server, and switched the base OS to the platform they best support.
Based on the above philosophy, I've ended up actually running more MS-Windows servers in the data center, as many speciality software vendors preferentially support Windows 2000 over UNIX-like systems. And of course any time you run two different applications from two different vendors on the same Windows box, anytime a problem is encountered with Vendor A's application, as soon as the support engineer discovers that another package is running on the same box, Vendor B's application immediately becomes the root cause of the problem :)
Re:Not necessarily the best for all... (Score:5, Interesting)
As an aside, long ago, ODS (the service I run) ran BIND. At the time BIND used 90+% CPU consistently, mainly because of the constant dynamic updates being sent to BIND via the update daemon. It also used about 50MB of memory or so (back in 1999 or thereabouts). The switch to djbdns came shortly thereafter and I haven't looked back. Granted, djbdns cannot provide immediate dynamic updates because of its use of CDB. However, I find that every 30 seconds proves to be sufficient, especially when the 'secondaries' get updated immediately as well (thanks to rsync). Building the cdb is also remarkably fast, with it taking 0.55 seconds to hash the cdb with over 100k records.
Overall, I'm quite happy.
Re:probably (Score:3, Interesting)
A good answer is "because the syntax is occasionally inscrutable." Another would be "because DJB expects you by default to conform to HIS way of doing things, which is quite different from the bind way."
But if you don't already know the BIND syntax...and you want a DNS server you will NEVER have to think about...tinyDNS is goddamn fabulous. So is qmail. The combination of the two means the only things *I* think about on my webservers are Apache, Tomcat and Courier-IMAP (which loves to crap out unprovoked, once every three months or so).
Re:probably (Score:3, Interesting)
Lots of people would've eyeballed tinydns for bugs, which IIRC (and I might not), is not available in binaries. Plus, the security is guaranteed! [cr.yp.to]
The djbdns security guarantee
I offer $500 to the first person to publicly report a verifiable security hole in the latest version of djbdns.
Why I keep using it... (Score:3, Interesting)
I'm not opposed to switching, but given that my time is already crunched, I will probably keep using bind so I don't have to spend the time learning how to set up djbdns.
Now if some huge security hole was discovered that affected me directly and there was an actual need to switch, I would spend the time and do it.
Until then I'll probably keep using bind since my distro gives me the choice to choose my dns server.
BTW, this same post could be used for sendmail.