BIND Is Most Popular DNS Server

bleachboy writes "Last week I completed a new DNS server survey, since D. J. Bernstein's hasn't been updated for years. Not surprisingly, BIND wins. Why is it so hard for alternate DNS servers to gain favor, especially when BIND can be so frustrating sometimes? And yes, I'm shilling."

probably

[greechneb]

probably since most distros (BSD & Linux) include BIND as their default DNS server. People are lazy.

Re:probably

[kinema]

People are lazy.

If laziness dictated what DNS server people ran I find it hard to believe that they would choose BIND. BIND is hardly the simplest DNS server out their to learn, setup and maintain.

Re:probably

[missing000]

It may not be "simple", but it is /powerful/.

Do you live in a DOS shell? It's "simple" - so is driving a golf cart or programming in BASIC.

Simple is not equal to good. Very few people would actually chose simple over capable any day.

Re:probably

[dasmegabyte]

So why not use tinyDNS...which is both simple AND powerful, AND fast, AND secure.

A good answer is "because the syntax is occasionally inscruitable." another would be "because DJB expects you by default to conform to HIS way of doing things, which is quite different from the bind way."

But if you don't already know the BIND syntax...and you want a DNS server you will NEVER have to think about...tinyDNS is goddamn fabulous. So is qmail. The combination of the two means the only things *I* think about on m

Re:probably

[tigga]

So why not use tinyDNS...which is both simple AND powerful, AND fast, AND secure.

You may use it at home.. That's it. I would not call powerful DNS server which does not have idea about zone-transfer requests, inverse queries, non-Internet-class queries (queries list from DJB's page).

As for qmail - it's pretty inconvenient to patch it every time I need any new functionality. Qmail is pretty simple and doing complex things is quite frustrating with it.

Re:probably

[kfg]

It depends on what you mean by lazy.

Ever see someone toss a coat on the floor rather than hang it up, and then go back later to hang it up anyway?

Most lazy people create an extraordinary amount of needless labor for themselves and then berate people who have a lot of free time because of their efficiency "lazy."

It's very peculiar.

KFG

Re:probably

[swb]

An interesting observation. On a related note, I've noticed that a lot of "messy" people seem to know where everything is. I call it the chaos theory of organization; it can often be easier to remember where things are than to spend the effort to put them someplace. So you just put them where there's space, and remember where they went.

My wife has what I call the pro-aesthetic theory of organization; if a room or place appears to be neat, it's organized -- even if the stuff is put away without any regard to an organizational structure (eg, related items aren't in the same cabinet or closet). It's important for the room to look clean, even if in reality its a highly user unfriendly mode of organization.

When you contrast the former and the latter, it's an interesting mix -- on one hand, you have a visual mess but things are relatively easy to find. On the other hand, you have visual neatness, but things are hard to find since there's no scheme (other than size and volume) as to where things went.

As far as laziness goes, I've known neat freaks that never get anything done because the overhead cost of neatness eliminates their time.

Re:probably

[painandgreed]

It depends on what you mean by lazy.

Ever see someone toss a coat on the floor rather than hang it up, and then go back later to hang it up anyway?

That's not laziness. That's called "time management".

Re:probably

[Morth]

But it's not really that hard to get a basic setup either. The default configuration file is typically setup for caching, so all you have to do is add your own zones. Isn't exactly super hard to copy the zone file and edit the A entries (plus a few more).

Re:probably

[Anonymous Coward]

Exactly. What is so difficult about setting up BIND for an average site? I was able to set up BIND on Woody by installing the package, reading documentation for 15 minutes and then editing a few example zone files. And I have never ever set up a DNS server before (though I know quite a bit about how DNS protocol works).

Now, I clicked on one of the links in this story and found that to configure tinydns (as an example) you have to learn some strange sendmail-like syntax:
=www.panic.mil:1.8.7.99
@panic.mil:1.8.7 .88:mail.panic.mil.:0
Zpanic.mil:dns1.panic.mil:h ostmaster.panic.mil::72 00:3600:604800:3600

Heh, WTF? I would have to learn this syntax and how it relates to common DNS terminology (A, CN, MX, ...) AND learn what the common DNS terminology means. In the BIND case, I only need the common terminology.

All for all, I'd say BIND is used not only because it's default. It's default and sufficiently easy to use so most people do not feel the need to replace it. As a bonus, if there is a security problem, it is likely to be fixed REALLY fast upon discovery, which is a bit less probable for the other servers (because they are not used as frequently).

Re:probably

[olderchurch]

So I have to learn a more complex syntax. It took me half an hour (not taking the strange M$ lookup into account). The fact that you need to update your BIND software because of security related problems _at all_ is something I do not like. Take for example securtiyfocus' Vulnerabilities archive [securityfocus.com]:
BIND: 24 vulnerabilities (since 1999)
TinyDNS: 0 vulnerabilities

That's what I call a secure DNS server!

Re:probably

[bugnuts]

It may come standard on 99.9%, but it's only used by 70%, vs 15% tinydns. Plus, the source is not available on 99.9% of the distributions -- it's almost always a binary. E.g, I have NEVER seen sun distribute the source to it in their distributions.

Lots of people would've eyeballed tinydns for bugs, which IIRC (and I might not), is not available in binaries. Plus, the security is guaranteed! [cr.yp.to]

The djbdns security guarantee
I offer $500 to the first person to publicly report a verifiable security hole in t

Re:probably

[rthille]

Well, to be fair, you don't have to learn the syntax to get started, DJB created command line programs to do the 'normal' things like 'add-host' 'add-ns', etc.

I had trouble figuring out BIND's zone-file format when I first installed it. But the main thing I had trouble with was trying to figure out which packets I wanted my DNS server to be sending out.

DJB talks about not using CNAME, but it took me a long time to understand why.

Re:probably

[petard]

Not a separate computer, just a separate service. If you're running a public DNS service, you really should allow only recursive or authoritative queries. If you must service both, have the authoritative service listen on a 127.0.0.x IP and have the recursive one query that for the domain in question. But unless you're an ISP, there's really not a good reason to have your public nameserver handle recursive queries.

Here's a bit more discussion of why it's a good idea to split your DNS. [securityfocus.com] But like I said, it

Re:probably

[walt-sjc]

While bind may not be "super simple moron proof", It's also not that frigging hard either. Add on top all the various GUI management tools for it that make it not hard at all. Looking at some of the zones managed by clueless Windows (and linux) administrators using Active Directory or other tools, it's clear that some people need to read the O'Reilly DNS and BIND book. There is more to DNS than the server software - you need to understand WHAT the records do, and HOW to use them correctly. You also need to know how to use tools like dig and nslookup. Bind is only one part of the equation, and it's just not that hard to learn. While there are a lot of options, most people won't need but a few. There are MANY MANY good examples and tutorials.

Bind is also rock solid. It doesn't die. I have servers that run bind that have been running for YEARS without a reboot, and bind has never needed to be restarted. The answer is quite simple. It's not THAT hard, and it works. Why change? Occasionally someone will find a security hole, so you patch and move on, just like everything else.

Re:probably

[huge]

No matter which DNS server is the default in any distro. All of the DNS admins I know will compile or reinstall the server anyway.

It maybe true that some of the home users running a "server" in the closet may be using the default server of distro, but I think there aren't that many to make a difference.

Re:probably

[bryanp]

probably since most distros (BSD & Linux) include BIND as their default DNS server. People are lazy.

Probably since most retail desktop OS's (Mac & Windows) include IE as their default browser. People are lazy.

(sorry, I couldn't resist)

sendmail shows this to be true

[millahtime]

The fact that sendmail is also frustrating, is default install on Linux and BSD, and is the most popular for mail shows that this theory is pretty much true.

I also know I am amungst the lazy ranks.

Re:sendmail shows this to be true

[dekemoose]

Wrong. Bind and Sendmail are defaults because they are the most prevalent. They are the most prevalent because they've been around a long time. Sendmail was the MTA of choice on UNIX years before Linux was common, ditto Bind for dns. Since they have the history, there are a lot of people skilled with using both of these packages, despite the "difficulty" setting them up.

Re:sendmail shows this to be true

[idiotnot]

Many Linux distros have ditched sendmail by default, and NetBSD now ships postfix in the base system. In fact, the only big linux distros that I can think that still ship sendmail by default are slackware and redhat/fedora.

I *hate* bind with a neverending passion. I still use it because I'm not ambitious enough to change the environment I've got.

Is it laziness? No, not really. It's just not wanting to mess things up. I did recently move a large mail server off Irix/sendmail to FreeBSD/qmail, and, whi

Re:sendmail shows this to be true

[grahamlee]

sendmail...is default install on Linux and BSD

Oh? I appear to have Postfix as the default MTA on my SuSE and Darwin/BSD machines, not sendmail. The only machine I own with a sendmail default MTA is running NeXTSTEP 3. It didn't come with the m4 macros for editing sendmail.cf - now editing *that* was a fun half hour.

Re:sendmail shows this to be true

[stilwebm]

It's worth noting that as of OS X 10.3, Postfix has replaced Sendmail as the default MTA. NetBSD is integrating it in to the base install and letting the user decide between Sendmail or Postix, the default being neither is enabled at startup. Both use BIND 9 as their named by default, however.

One Ring

[soloport]

"To rule them all.
And in the darkness BIND them."

Like, Duh... So obvious.

Re:probably

[gclef]

No. I'm running BIND because I want "delegate only" zones. When the other DNS servers can handle Verisign's obnoxiousness gracefully like that, then I'll look at moving. Until then, BIND stays on my DNS server.

(ps: If there are any Gentoo folks reading, please get Bind 9.2.3 into portage properly. I got it installed on my machine by hand just fine, but emerge keeps trying to downgrade it to 9.2.2. That makes me unhappy.)

Re:probably

[mysticalreaper]

I know the problem, and i have a solution

A) the maintainer is a dink, and won't upgrade, plus the interested parties seem to like to whine and complain about weird craziness and misnamind of files (both problems non-existent IMHO) instead of upgrading. There's a bug about the compile problem, solaris only, as i remember. Why is it out of x86 then? Exactly. Gentoo was once great for being more current than anyone, but has been slipping, sometimes severely, as in this cae.

B) use the -U flag. like so "e

Re:probably

[dsojourner]

As I recall, djbdns has a licence that makes it hard to distribute: everything goes in weird places, and if you distribute the code you can't distribute changes (only patches). ... which might affect whether the major distributions would be interested.

De Facto

[the_mad_poster]

Becuase no matter what ridiculous flaws it has in it, it's the de facto standard by which all other (frequently superior) systems are measured. People figure "gee.... I wanna learn DNS servers", they think BIND. They think "gee.... I wanna learn SMTP servers". They think sendmail.

It's the same flawed system that supports Windows, but executed to a much greater extent. People are familiar with it, so despite the fact that BIND and sendmail are absolute abominations, they get used.

The geeks bitch about people using Windows even though "such far superior" systems exist as alternatives, but we keep using the horrendous abortion that is BIND even though there are superior alternatives that are free. I guess we can't stand the taste of our own medicine, hm?

Re:De Facto

[Tet]

People are familiar with it, so despite the fact that BIND and sendmail are absolute abominations, they get used.

Sigh. Y'know, I really should get used to sendmail FUD on Slashdot, but here I am feeding the trolls anyway. I use sendmail because it's better than the alternatives, and it's far from an abomination. I'm not going to claim the syntax looks good at first glance, but then most perl programs look like line noise too, yet the Slashdot crowd doesn't seem to have a problem with that. When other MTAs can match Sendmail's flexibility, then maybe I'll consider switching. But not before.

Re:De Facto

[Psiren]

When other MTAs can match Sendmail's flexibility, then maybe I'll consider switching. But not before.

I haven't used sendmail in years, having switched over to exim a long while ago. Out of interest, what does sendmail offer you that exim doesn't?

Re:De Facto

[walt-sjc]

what does sendmail offer you that exim doesn't

As someone who used to run sendmail (from the late 80's to 2002 before switching to exim) it gives you native support for UUCP!! It also gives you good brain excercises so you can do things like complex regular expressions, the US tax code, etc. :-)

Seriously, if you really need to customize sendmail, you need to understand the rewrite rules in depth which are quite bizzare to someone not familiar. Adding additional functionality like sql DB lookups for virtual users with SMTP Auth, etc. can be a challenge for even the more seasoned sendmail admin. Once you get beyond the simple soho stuff, sendmail becomes quite awkward to work with. Sendmail Milter's is a horrible interface. Add on message archiving, spam / virus filters, special handling for certain addresses / domains, etc. and exim really starts to look good. Unless you are a full time mail administrator, you probably have better things to learn than sendmail syntax, and that's the bottom line.

Bind is no sendmail. Bind's syntax is actually quite clean - more like apache or exim than sendmail. There are no bizzare ruleset's to learn - it's more like defining a structure in C.

Re:De Facto

[Total_Wimp]

When other MTAs can match Sendmail's flexibility, then maybe I'll consider switching.

I think you hit the nail on the head. These big, some would say bloated, systems end up getting used because they're flexible. Others are constantly writing 3rd party stuff that specifically use these systems.

Case in point: Microsoft ADS is very DNS dependant and the only DNS they support besides Microsoft DNS is BIND. BIND may, or may not be the best DNS out there, but because it's the standard people are building their systems to, it is almost certainly the most compatible and, by extension, the most flexible.

TW

Re:De Facto

[SWroclawski]

Please tell me something Sendmail does that Postfix doesn't.

I'd argue Postfix is more modular, more simple to configure, more respectful of system resources, more secure and more flexible than Sendmail.

Re:De Facto

[CrankyFool]

After about ten years of using Sendmail (I was using Sendmail back when you had to understand rulesets and how to hack LHS/RHS of rules), I switched to Postfix. I am happier than a pig in mud for a whole bunch of reasons and consider Postfix a superior MTA.

I have at least one acquaintance who, on his very large enterprise, runs Sendmail at the edge (and Exchange internally, but that's not his choice). Why? Because that way, he doesn't need to worry about separate patch management for his MTA -- Sun makes sure his MTA is up to date, and he doesn't have to document "this is how to install the MTA" separately.

Is he using an inferior MTA? I believe so. So does he. But the ways in which Sendmail is less good don't affect him nearly as much as the way in which it is better -- by lowering maintenance costs (or, really, just rolling them into the ridiculous amount he pays Sun -- though he could get the patches for free, of course).

With respects to my fellow sysadmins here -- obviously, some of you are vastly superior to me in all matters technical -- we really should know by now that sometimes, we make technical decisions for reasons that are not purely technical. The reasons people choose Sendmail over Postfix are usually in that sort of category, as well as the reason people choose BIND over other DNS servers (BTW, BIND is also the default DNS server on Solaris).

I don't see this as a huge problem, except for (I guess) people who take it personally that not 'enough' people use the software they developed with great effort (though I don't see Wietse complaining "more people should be using Postfix!"). Unlike the Windows situation, it's not like the fact that, likely, most people I communicate with use Sendmail means I'm forced into using Sendmail. UNIX-based MTAs (Sendmail, Postfix, qmail, exim, other custom MTAs) mostly seem to be fairly standards-compliant, much like DNS servers (go ahead. Point out some obscure thing that 99% of people don't use where BIND doesn't follow the spec, just so I can laugh at you). So BIND and Sendmail dominate? Fine. I'll still run Postfix and ... well, BIND. Who cares?

qmail: never a security lapse.

[Russ Nelson]

The question is whether the flexibility is worth the security cost imposed by the extra complexity required to get the flexibility. I say no, and run qmail. It's the only MTA that has never had a security lapse. (actually, Courier might not have had one either, but who runs Courier?)
-russ

Re:qmail: never a security lapse.

[richie2000]

who runs Courier?

*raises hand*

:-)

Re:qmail: never a security lapse.

[spacey]

I second that raised hand.

Went qmail->courier. A bunch of things the suite as a whole does makes it even easier to setup than postfix. I.e. I can set up virtual users and a virtual domain and have the mail server and lda and imap and pop3 server etc. etc. etc. all work from the same auth database with the same schema, whether the database is ldap, mysql or postgres with very little tweaking.

-Peter

Re:De Facto

[the_mad_poster]

Yea, ok Tet. I'm a troll and that's FUD. It's not like sendmail really is a total piece of shit [cr.yp.to].

Don't give me shit about Perl either. I can write totally unreadable code in C, Perl, Python, PHP, VBScript, Vb6, C++, Java, shell scripting, and QBASIC. I can also write clean code, readable code in all of them.

It's not FUD, most Slashdotters just have their heads so far up their own asses that it just looks like they sit on top of their necks. Morons around here bemoan Microsoft for its shitty security, then they run out every other day to patch BIND or sendmail. Even assuming you're the 1 in 20 person who actually has a need that only sendmail can meet (which I doubt you are given the odds), the fact that you would suggest that saying sendmail has shit poor security is just "FUD" just serves to prove the point that you're just another one of the idealogical nutjobs that frequent this place.

Give it a rest. It's not FUD because it's true. Sendmail blows a left donkey's swollen nut when it comes to security, usability, and reliability. Just deal with it. While you're at it, ask yourself if you even really need sendmail, or if you're just too lazy to make the switch to something that actually works.

Re:De Facto

[the_mad_poster]

Nice try, but my real world experience proves you to be wrong.

Holy shit... you're a real gem...

MY experience is that people who use sendmail might as well just generate their configuration files using /dev/urandom. I guess MY real world experience proves YOU to be wrong, so now you're going to stop using sendmail, right?

I also like how the guy that you responded to got pinned as a troll. See, on Slashdot, the fact that sendmail is a total piece of security shit doesn't matter. All that matters is that MICROSOFT programs have lousy security.

I suspect this is because 95% of the people on Slashdot that actually talk don't know shit about computing, but they spit the same old idealogical mind dumps that appear in every Microsoft/Linux/SCO article and get excellent karma and mod points. Then, they run around and mod down anyone who doesn't say exactly what they were saying before. I mean, god forbid an intelligent post appear that doesn't exhort the many virtues of OSS! After all, with a license like GPL/BSD, it HAS to be good..... right?

Re:De Facto

[robslimo]

...no matter what ridiculous flaws it has...

Did you see the version results for BIND? There are some really ancient ones out there. 1.971% are version 4.9.3 to 4.9.11

I haven't checked any vulnerability databases on it, but that seems pretty old... too old to have patches available?

Re:De Facto

[MrMickS]

The basic statement that BIND is used because it is a defacto standard is a good one. The rant that follows doesn't help the argument.

Could you please define what you mean by superior?

Re:De Facto

[winchester]

False arguments. At least the possibility for people to run other software in full compliance with the published standards (RFC's), thus providing full interoperability exists.

With windows, you do not get that choice... either you use what Microsoft provides you or you don't use it at all. There is no choice. On Unix, there is.

Re:De Facto

[stephenbooth]

There's also the fact that, due to it's current dominance, if I buy a book about DNS it probably assumes BIND. Therefore in a lot of people's heads BIND = DNS. Heck, for that very reason if I had to set up a DNS server (I'm not a networking expert) I'd select BIND as then I know that there's going to be examples in a book I can adapt to suit what I want to do. If it's not my core area then I don't want to have to spend hours learning how to configure a system, I just want to copy something out of a book and for it to work. Looking at the MyDNS site that has a second strike against it, it requires MySQL. Not only do I have to learn to setup and configure the product I actually want but I also have to learn another unrelated product! At least BIND uses text files, I know how to edit those.

Stephen

Re:De Facto

[Apreche]

True that. But in addition, because it is the de facto standard, its what they teach college students in IT classes. I'm a CS major, and I know quite a few IT majors around here. If you asked most of them to set up a DNS server they could. If you asked how they would say "the bind command". Because they are all windowsy, they don't realize bind is a piece of software that is replaceable. They were taught how to do things a certain way, and they don't know to do it differently.

Not all IT majors are that dumb, some of them deserve some credit.

The other problem is that old pain in the butt standard programs like bind and sendmail are feature complete. Because they are old and used by tons of people they have all the features in them, workin properly. It may be a horrid pain in the ass to make them work, but it can be done. And while there are many nice new alternative programs that serve the same functionality in an easy clean fast way. You'll be hard pressed to find one that can do everything. I can't tell you how often Who will use a piece of software that they know is terrible, will admit to it being terrible, even complain about it being terrible, because it is the only one with a single feature that is necessary. Made up Example: One website someone visits often only works in IE. They love Firefox, but its too much of a pain to visit that one site.

There's some guy out there using bind who wants to use something else, but can't because he needs one tiny feature that nothing else has. This is a major weakness of Open Source because since software is under constant development and bug fixing and security hole patching is priority, few programs ever become feature complete.

Re:De Facto

[daviddennis]

As others have said, I think the main reason people use BIND is that it's in all the examples in the standard books (mainly O'Reilly) we use to learn.

I was unaware DNS servers really needed much in the way of features for most people. In fact, I thought it was about the simplest thing in the world - get a request, look it up in a table and return the results. Not exactly rocket science, and the BIND configuration file's pretty ugly looking if my memory serves.

I think overcomplexity is one of the biggest problem with the software world as it is today. It's worst on Windows, of course, but Sendmail and BIND are proof that Unix has similar problems too.

D

Re:De Facto

[daviddennis]

Well, I meant that was what a DNS server does. It gets a request, and looks it up in a lookup table. That's all most people running DNS servers really need.

You're over-complicating things for simple applications if you use the software meant to distribute DNS over an entire network of servers for your single web site which just needs to receive a request for www.amazing.com and return an addresss.

D

Re:Feature Complete?

[symbolic]

This is a major weakness of Open Source because since software is under constant development and bug fixing and security hole patching is priority, few programs ever become feature complete.

Hm..I consider most software to be an evolutionary process. You start out with a need, you write the software, and then someone else sees a little bit further out and says, "gee, I like what you've done, but it would be so much more useful if it [insert most wanted feature here]". I can't think of a single piece of sof

Re:De Facto

[AKnightCowboy]

People figure "gee.... I wanna learn DNS servers", they think BIND. They think "gee.... I wanna learn SMTP servers". They think sendmail.

Naw, Bind 9.x is quite good and I love it. It probably helps that EVERYONE uses it so it's easy to standardize on it's zone file format. As for Sendmail, that's the biggest pile of shit mail system I've ever used and I have never looked back since switching my systems to Postfix. Bind on the other hand is acceptable.

Re:De Facto

[ahodgson]

djbdns supports zone transfers. The tcp server accepts AXFR commands, and axfr-get implements a client-side transfer into a djbdns-format zone file.

MyDNS

[Havokmon]

I've played with it.. it's defintely a nice DNS server.

But what I really want is something like EasyDNS provides: Aliases. I want to be able to 'clone' whole domains, because they're all going to the same place anyways based on the hostname.

Maybe EasyDNS just wipes out all the duplicate hostnames, and writes new records for them between the web interface and the backend when a host is changed or added..

Re:MyDNS

[boaworm]

You should try PowerDNS. It's entire records are located in MySQL database tables, enables very easy update/modify/add/delete scripts. Performance is great :-)

Re:MyDNS

[Havokmon]

You should try PowerDNS. It's entire records are located in MySQL database tables, enables very easy update/modify/add/delete scripts. Performance is great :-)

Yep played with that too.. but I'm kinda scripted out - I was hoping someone else already did all the work for once :P

Re:MyDNS

[Havokmon]

Bind provides easy data replication, that's how you make secondary dns servers :-)

Yeah, but I'm already replicating MySQL - so what's another table? :P

I can understand why some people would what to have dns information in a SQL database, but personally I feel that it's just adding a not piece of software that could potentially fail. Trust me, you don't what your dns to fail.

Ahhh. Actually, I run an email service. So I already have MySQL servers that need to be up 100% of the time. In fact, I'd wa

That's like...

[Simon Carr]

"air is most popular substance to breathe". :)

That being said, PowerDNS is pretty awesome as a master, very nice for front end interface building.

Not necessarily the best for all...

[Piranhaa]

Personally, I use one called djbdns. It's extremely small and basically bug free! The author actually will pay $50,000 to whoever finds the first exploit in it or something. If you don't need all the extra power that bind offers, this is a much better way to go. Less memory and space required, meaning cheaper systems may run it better. Even the config file can't be simpler!! cat /etc/tinydns/root/data .pnet:10.0.3.33:a:259200 .10.in-addr.arpa::ns.pnet: #Define hosts & aliases =pollux.pnet:10.0.3.1 =altair.pnet:10.0.3.2

Re:Not necessarily the best for all...

[Anonymous Coward]

You mean, $500 [cr.yp.to].

Re:Not necessarily the best for all...

[Russ Nelson]

Actually, your zone file looks like this:

.pnet:10.0.3.33:a:259200
.10.in-addr.arpa::a.ns.p net:
#Define hosts & aliases
=pollux.pnet:10.0.3.1
=altair.pnet:10.0. 3.2

Re:Not necessarily the best for all...

[Christianfreak]

I use djbdns as well. Very simple, very easy to use. I actually run about 100 domains off of it.

I can't say that I really like the separate cache/dns server but I've gotten used to it. I just wish my cache would immediatly pick up changes in my DNS. And I wish it was better documented.

Re:Not necessarily the best for all...

[geniusj]

As another testimonial, I use djbdns for over 900 domains and over 100,000 RRs. We receive about 300 queries/sec with tinydns using about 2% CPU and about 800K of memory. I love the rsync method of syncing dns data, it works especially well for Dynamic DNS (which is something I provide).

As an aside, long ago, ODS (the service I run) ran BIND. At the time BIND used 90+% CPU consistently. Mainly because of the constant dynamic updates being sent to BIND via the update daemon. It also used about 50MB of memory or so (back in 1999 or therabouts). The switch to djbdns came shortly thereafter and I haven't looked back. Granted, djbdns cannot provide immediate dynamic updates because of its use of CDB. However, I find that every 30 seconds proves to be sufficient, especially when the 'secondaries' get updated immediately as well (thanks to rsync). Building the cdb is also remarkably fast, with it taking 0.55 seconds to hash the cdb with over 100k records.

Overall, I'm quite happy.

Re:Not necessarily the best for all...

[Russ Nelson]

Uhhhhhhh, sorry, Anonymous Coward, but you don't get away with that accusation without more details than that. There have been no security lapses in tinydns or dnscache. Weasles is actually spelled Weasels. Googling for djbdns fraud gets me nothing. Honest up, dude!
-russ

It is the default, and not hard to understand

[hattig]

Unlike sendmail which can scare people away just with the configuration file, the BIND zone file layout and other stuff isn't hard to learn.

So people use what came with the box, what their book on "DNS & BIND" uses, and so on.

Also, everybody else uses it!

Re:It is the default, and not hard to understand

[Russ Nelson]

Actually, the BIND zone file layout is error prone. How many times have you forgotten to update a serial number? How many times have you forgotten to put a dot at the end of a name?

Also, BIND allows you to mix caching and authoritative services. Not only is this insecure in nature, it's insecure in BIND's implementation. Much safer to have them on different IP addresses.
-russ

Re:It is the default, and not hard to understand

[Nohea]

I really like BIND 9 - easy to use, the most features, plus a full rewrite since BIND 8.

DNS servers are low on resource usage anyway, so switching to a leaner daemon would always be a niche product (like Apache alternatives).

The only motivation for switching is the exploit issue. With the rewrite, its less of a case, and everyone should be keeping up to date w/security patches anyway.

You really see which DNS does heavy lifting.

[Inoshiro]

Ratio of BIND domains serviced to installs: 24,335,752 / 340,345 = 71.5 domains/server.

Ration of MS DNS domains to installs: 2,165,143 / 101,781 = 21.27 domains/server.

Ratio of TinyDNS domains to installs: 5,405,266 / 12,130 = 445.6 domains/server!

Despite only having 2% of the installs, TinyDNS serves 15% of all domains on the internet. Obviousy it is very capable, and has few to no exploits available for it. Why don't more people use TinyDNS if it's so capable?

Because they haven't read how easy it is to setup! [kuro5hin.org]

Re:You really see which DNS does heavy lifting.

[James Youngman]

Despite only having 2% of the installs, TinyDNS serves 15% of all domains on the internet.

Maybe that just means that TinyDNS is popular with domain squatters.

I think that the best definition of "heavy lifting" is not the size of the installed base or the average number of domains per server, but instead the total number of queries served. Those numbers of course are hard to estimate.

Re:You really see which DNS does heavy lifting.

[Florian Weimer]

Despite only having 2% of the installs, TinyDNS serves 15% of all domains on the internet. Obviousy it is very capable, and has few to no exploits available for it. Why don't more people use TinyDNS if it's so capable?

tinydns is unmaintained software. It does not compile out of the boxon modern systems. You don't have a license, so you can only do with it what your local copyright law permits (which may or may not be enough). The zone file format of tinydns is non-standard. The answers it generates are often excessively verbose (e.g. redundant NS records). Third-party documentation suggests a configuration that violates recommendations of TLD operators and most ISPs, which means that you have to redo parts of it once you receive your first delegation.

And so on. Go ahead and use BIND alternatives for authoritative name servers, but try to avoid tinydns.

Re:You really see which DNS does heavy lifting.

[Florian Weimer]

RFC 1035 (STD 13) describes the format of zone files (which are called "master files" in this document).

Re:You really see which DNS does heavy lifting.

[Florian Weimer]

It does compile out of the box on modern systems. I use it for 5 different domains that I administer. The latest time I set it up, it was on a Gentoo Linux box, I just had to emerge the package and was good to go.

In this case, you don't use the official version of tinydns, but a modified one which contains random patches. Others have patched GNU libc to increase interoperability with broken applications such as tinydns, too.

It is maintained, but the author doesn't see a pressing need for any changes to

Reasons why DJBDNS is not more common

[James Youngman]

1. Its config file syntax is even more human-unfriendly than BIND's
2. It doesn't allow free reign to set the records up exactly how you want (trivially for example, it forces you to adopt a mandatory naming convention for MX records - though the convention is pretty sensible)
3. It doesn't support caching, so you need a separate server for that (this is actually good, but it does add to the overall amount of work required to set up a set of DNS servers)
4. Some people find DJB difficult to get on with and/or were turned off by the whole problem around (non) distribution of modified versions of qmail, and so avoid DJB's other offerings

Re:Reasons why DJBDNS is not more common

[embo]

Its config file syntax is even more human-unfriendly than BIND's

I've got to disagree with you when I can parse a zone file like this:

while (<STDIN>) {
$line = split(':', $_);
for $line[0] {
if (/Z/) { # Zone file }
elsif (/+/) { # A Record }
elsif (/\@/) { # MX Record }
etc. etc. etc.
}
}

All you need is this page to understand the entire format of any zone file: http://cr.yp.to/djbdns/tinydns-data.html [cr.yp.to] For BIND, I need the entire manual. Maybe it's just me.

Re:Reasons why DJBDNS is not more common

[ajs]

Some people find DJB difficult to get on with and/or were turned off by the whole problem around (non) distribution of modified versions of qmail, and so avoid DJB's other offerings

I have to say that this is the largest and most insurmountable reason for me against using either his DNS server or his mail server.

I was a big fan of his back in the days of UUCP, but his unwillingness to let distributions of BSD, Linux, etc. modify and distribute his software (without some kind of source-based patching hack sans binaries) was a snub to all of us who have contributed to open source software over the years, and a clear indication of a lack of concern over the larger needs of his audience.

Let me be clear: he's WELL WITHIN HIS RIGHTS, and he's even going out of his way to distribute his stuff, which is great. But to say "I'm going to play ball with you, but only if you use my ball, and in the following ways" doesn't fly for me. There are many good alternatives to his code, and they all have their own advantages and disadvantages. Thanks for playing, though.

BIND is like weeds!

[whitelabrat]

How the heck do you get rid of BIND? It's everywhere unless your a MS Windows shop that is ruled by DDNS... but most folks I know won't expose DDNS directly to the internet, cause you know why... BIND often acts as an intermediate.

I know there are better alternatives out there, but why aren't they more popular?

- When you insult a troll, he wins.

The reason DjbDNS hasn't been updated in forever..

[Sevn]

Is because it has been done forever. Instead of the exploit a year phenomenon you have with Bind, there haven't been any yet. When Bind can take 10,000 requests per second on a dual Xeon box (used for MAPS) and not melt into a smoky plastic dog treat, let me know. Don't get me wrong. Djb is slightly, well, he comes across as a bitter man with something to prove. And I can't stand qmail. But he hit the nail on the head with DjbDNS. I've got nearly 240 domains with a combined total of over 125,000 records hosted with no problem.

Why they keep BIND around

[reaper]

• It's in practically every distro by default
• Not a whole lot of people really need the hassle of installing another DNS server
• It is the standard by which other implementations get judged
• It supports just about every obscure feature known to the DNS world
• If you know how to hack the config files, it makes manually setting up tons of vhosts dirt simple
• The name is just so powerful
• Certain other dns server authors(*cough*djb*cough*) always manage to piss off too many people, even when they are proposing a superior solution to a problem.

Hasn't been updated in years??

[embo]

...since D. J. Bernstein's hasn't been updated for years...

Maybe because it hasn't needed updating.

http://cr.yp.to/djbdns/guarantee.html [cr.yp.to]

Re:Hasn't been updated in years??

[Anonymous Coward]

Maybe because it hasn't needed updating.

He meant the *survey* hasn't been updated, not the software. Even if it wasn't obvious from the language (and I think it was!) it should have been obvios from the link.

Re:Hasn't been updated in years??

[Lxy]

Maybe because it hasn't needed updating.

a qmail user are you? :-)

Re:Hasn't been updated in years??

[WoodstockJeff]

What needs updating with DJBDNS is DJB's attitude. If he'd allow binary distributions, I'm sure several major Linux distros would make it the DEFAULT DNS server for workstation installs, and optional for server installs.

As it is, I read the "quick how-to" files on setting your system up to work with djbdns, and find them far more confusing than BIND zone files and configuration files ever were. You don't just have to worry about one program - unless you're ONLY running the caching server.

This doesn't mean

If DJB were..

[jayminer]

If DJB were not such an ass, his software would be on everywhere now. He is smart, you can feel that. But come on, he thinks that if he has thought about something, it's right and it cannot be disproved. You simply can't. He won't accept a thing.

Look at where daemontools installs itself, and of course the other thingies from him, like djbdns and qmail. The default directories cannot be changed (/service, /package etc.), and if you change them from the source, you violate his license!
He's still refusing to fix the extern int errno; problem, because he thinks that it is not a problem. (Everybody should follow his standards, not glibc or anything like that) He still does not apply QMAILSCANNER patch into qmail. You need to go and get netqmail for that, or apply the patches it provices manually. You cannot distribute a patched qmail, therefore you cannot distribute a proper qmail package for your distribution without begging him!

djbdns assumes that you have a.ns.yourdomain.com b.ns.yourdomain.com etc. The add-ns program does not even get any argument about that. (Of course, you can edit the files manually).

And as far as I know, many distributions kicked his software out, including several *BSDs.

Re:If DJB were..

[arcade]

Normally I don't like AOL! -messages, but I really want to echo what you say. I used to love qmail back in '98, and love the rest of djb's software too.

After working with his software for some years, I've come to senses. His software is excellent, but he don't maintain it. He maintains that you have to apply a host of third party patches. You cannot modify the sources and redistribute them.

In the long run, it sucks.

Postfix and Exim are my current favorite MTA's. BIND is just the standard dns server.

Re:If DJB were..

[Paul Crowley]

What you can do with it is second only to sendmail

In what way is it behind sendmail? Genuinely curious...

Re:If DJB were..

[quantum bit]

How's postfix's security record? i.e. Can I set up a postfix server, then go on an 18-month holiday and be confident that my box will still be working when I get back (like I can with qmail)?

You can be very confident that it will be. Postfix uses privilege separation, runs as its own user account (not root), and is designed with a chroot environment in mind. It's also very componentized and designed so that a breach in one component can be isolated without a risk to the others. To the best of my knowledge, there has never been a remote code execution vulnerability in Postfix.

The last major security problem was a year ago and was just a DoS possibility. Even qmail has DoS problems [secunia.com]. Before the DoS, in 2002 there was a problem that might allow someone to use Postfix to portscan another system (no risk to the system running Postfix). Both of these were in the older 1.1 version. The 2.x series, released in 2002, has never had a security problem bad enough to warrant an advisory for.

The only other thing I could find is djb ranting [cr.yp.to] about a Postfix problem that has been fixed for over 6 years.

The alternatives

[Florian Weimer]

The alternatives have not-so-subtle incompatibilities with BIND and existing practice, are not proven in the field, or are unmaintained by the original developer. In fact, BIND is often deliberately incompatible with its previous versions, so it shouldn't be too hard to beat it in this area, but apparently it is.

tinydns, which was mentioned by the story submitter, is unmaintained, like most (if not all) software that Mr Bernstein has ever released. (This is especially problematic because Mr Bernstein refuses to license the software for a fork.) It does not even compile on modern systems, and it uses a non-standard zone file format. In the days of BIND 4 and BIND 8, all that pain was probably justified, but with BIND 9, things are rather different.

In my experience, in the area of caching full resolvers, BIND 9 simply lacks serious competition, feature-wise, and in terms of ease of administration and interoperability. For authoritative-only servers, RIPE's nsd is an alternative, but BIND 9 is typically not such a big trouble that running two different name servers is really needed.

Re:The alternatives

[quantum bit]

qmail was recently forked into something called 'netqmail' that integrates the most popular, bug-fix packages that are out there.

...which can only be distributed as a set of patches against the original code. This means no binary packages, either. djb's license forbids the distribution of modified versions. qmail is not open source. It's actually a lot closer to Microsoft's shared-source license.

Re:The alternatives

[Florian Weimer]

Um .... tinydns doesn't need to be maintained, because people aren't finding security holes or bugs in it on a weekly basis.

tinydns doesn't even compile on modern GNU/Linux systems. Surely this is a bug in tinydns, isn't it?

Re:The alternatives

[Florian Weimer]

Which modern systems are those exactly? I've never had any trouble getting it to compile...

Systems with a recent version of GNU libc.

When you say unmaintained ... surely that's just because there's been nothing to change about it? Are there outstanding bugs?

It's not bugs, it's lack of features: IPv6 support, CIDR support for dnscache configuration, maybe even DNSSEC even you want to give it a try.

Re:The alternatives

[Florian Weimer]

Yes, I know that DNSSEC has its drawbacks, but so far, DJB has only argued against it, without providing a real alternative (or even fully describing it).

Others offer (well, sort-of) working DNSSEC implementations, which might be a reason to use these implementations instead of tinydns. Of course, the overall need for DNSSEC implementations is pretty low on the current Internet, even though everyone wants a secure DNS (kind of a chicken-and-egg problem).

Because it works.

[morten poulsen]

BIND - like Sendmail - is popular because it works. They might be ugly, buggy (as in security problems), whatever, but they are old and people know them.

I need a new DNS server

[bgarcia]

I'm currently using bind, but it doesn't work well at all for my current situation.

I have a small home network. I also have a VPN to my work network. I would like to forward all DNS queries matching a particular domain or IP address range to the DNS servers at work.

For all other DNS queries, I probably should forward them to my ISP's DNS servers, but I'm not too particular about that.

My current problem is that my VPN isn't always running, and if BIND starts when the VPN is not up, then BIND doesn't

By that argument

[mrhandstand]

Windows is the most popular desktop environment!

Here at /. we all know how THAT article would go over!

Seriously, I have nothing against BIND. But you should always that there are liars, damn liars, and statictians.

We Tried BIND, but....

[buzzoff]

BIND just wouldn't work. It worked at first, until I dumped a bunch of hosts into my zone (only a couple thousand, which isn't much in the grand scheme of things). After it stopped working I happened to get in touch with some of the developers. They just kept telling me to upgrade to the next release.

Some of the problems? Sometimes the CPU would peg at 100% like the program was in a loop, the server would quit resolving after about ten minutes, and the server wouldn't replicate.

My zone files were standard and by the book. The particular developer I was talking to the most (generally) tried to blame the A records I had added (without knowing which ones). I quadruple-checked the entries, all of which followed the RFC. I reinstalled the program, tried it on totally different servers, etc. The problem persisted.

After screwing around with BIND for two weeks I gave up. I switched over to MSDNS. Guess what? The EXACT same file that wouldn't work with BIND worked with MSDNS. This was BIND 9.2. We've been running MSDNS for a few years now with hardly any issues. We ran into some cache pollution once, but once I checked the stupid box to prevent it the problem went away.

Its a pain having to mess with the registry for simple tasks, but I guess its worth it for a working product. We're building everything programatically just like we were for BIND. Microsoft did good when it decided to use flat zone files. If only they would make everything so simple...

BIND is ***MORE*** frustrating than SQL???

[swordgeek]

Seriously, MyDNS requires an SQL database. This is NOT a way of making things easier!

I've never understood what problem people have with BIND. It's as simple as it could possibly be. Everything makes clear sense. The config files are plaintext. It's backwards compatible almost to eternity. I use it because it's the best solution, not the only one.

Re:BIND is ***MORE*** frustrating than SQL???

[demon]

Yeah, except for the fact that (a) it's then incredibly difficult to allow customers to manage DNS on their own - something that I've come to really appreciate (we have several customers who host their DNS with us, but want to manage their zone contents themselves), and (b) the way that software like cPanel does it is not a good solution (we have one customer who handles his own DNS on a box running cPanel, and I'm regularly having to fix that for him). Also, (c) the half-way solutions of making a database,

External DB

[geohump]

One small reason your DNS server (MyDNS) isn't catching on is that it requires an external DB server process to be set up and running on the system.

I took a look at your system with the intent to try it out but I stopped as soon as I saw that requirement.

True, Its not that huge an extra requirement, but it is an extra step and an extra external dependency.

Adding an internal db (like dbm) to your system so that its self contained would increase the likelyhood of adoption for MyDNS.

Having to run a fairly costly, (In terms of system resources), 3rd party DBMS system in order to have an active DNS server seems a little upside down to me.

I USED to use djbdns...

[D'Arque Bishop]

Like the subject says, I USED to use djbdns for my home DNS server. After a while, when I upgraded the OS on said home DNS server, I got rid of djbdns and moved to BIND. Why, you may ask?

1) I didn't like the fact that I had to use two separate IP addresses for caching and domain hosting. Maybe there was a workaround for it, but at the time I didn't know what it was and it frustrated me to high heaven that I needed two IP addresses on a box that I would have liked to have only used one.

2) The log files didn't print out timestamps in any kind of human-readable format. If I want to see what my system's doing, I don't have time to run the timestamps through some kind of translator.

3) Due to a directory existing where axfrdns didn't expect one in the log directory (and it was a name that it didn't even use), axfrdns did not work at all. I didn't find that out until a power issue brought the DNS server down and the secondary servers didn't have the correct DNS information. Once I removed the directory, axfrdns started working again.

4) Believe it or not, I find BIND zone files to be a bit more readable than tinydns's zone files. It also helps when I'm not forced to name my domain name servers a.something-or-other in the zone file. (Why add a CNAME or A for the one you want to use in the first place?)

5) daemontools.... ugh. Let's not even go there.

Go ahead and mark me as flamebait or what you will. If djbdns works for you, great. But for me, I found djbdns to be much more frustrating than BIND, and since I've migrated over to BIND I haven't had a bit of problem.

Just my $.02...

Why I keep using it...

[Mustang Matt]

I see people bash bind and praise djbdns, but I personally have never had a problem with bind. It was relatively easy to setup and it's relatively easy to maintain and has a decent amount of power to it. Granted, I'm just doing simple tasks of dns for sites and nothing very complicated.

I'm not oppossed to switching but given that my time is already crunched, I will probably keep using bind so I don't have to spend the time learning how to setup djbdns.

Now if some huge security hole was discovered that affected me directly and there was an actual need to switch, I would spend the time and do it.

Until then I'll probably keep using bind since my distro gives me the choice to choose my dns server.

BTW, this same post could be used for sendmail.

Why am *I* using BIND?

[cduffy]

Simple: support for views, and licensing that allows redistribution.

I absolutely, positively require view support, which nobody but BIND that I know of supports. TinyDNS might, but I can't so much as consider it due to the license; we're distributing servers with a fairly custom software environment, and DJB's terms make that a no-no. (This is also why we're using runit [smarden.org] rather than daemontools [cr.yp.to]).

Support views in something that supports pulling info (not just zone info, but definition of what the zones are, what the views are, what the ACLs are, etc a la named.conf) directly from a database and I'll be happy as a clam. 'Till then, I run BIND.

Re:Dynamic DNS

[Russ Nelson]

Why not?? He's replaced the other major ISC-associated software. Plus you know there must be security holes in dhcpd.
-russ

Re:Far from accurate

[crimoid]

He used fpdns which is a well-known and accurate tool. http://www.rfc.se/fpdns/ [www.rfc.se]

Re:Far from accurate

[Sique]

Yes and now. Every chemical analysis is basicly guessing, because no substance presents itself: Hey, I am Carbonbihydroxide! There are several tests which can give you a quite conclusive set of clues, what substance you are looking at. "Quite conclusive" in this case means: Better than 0.999999... probability.

That's the same way server fingerprinting works. Run several tests, and each of them increases the probability for one and lowers the probability for others. It gets quite hard to modify a server in a

Re:Far from accurate

[Iamnoone]

Please explain how you managed to fingerprint DNS servers.
The same way you fingerprint OS's via there ip stack. Unusual queries and how the server reacts to them.
http://cr.yp.to/surveys/dns1.html is one among several fingerprinting methodologies.

The accuracy of the sample set is extremely questionable.
If you RTFS, he didn't take a sample, he used all the name servers. There aren't that many (which in itself is a interesting commentary on the true size of the internet) - for the .com, .net, .org, .info