DNS Server (and Related) Software for Unix
[Message quoted below has been re-edited to update it.]
From: Rick Moen (rick@linuxmafia.com)
To: SlugLUG (sluglug@hermosa.cse.ucsc.edu)
Subject: Re: [SlugLUG] DNS links
User-Agent: Mutt/1.4i
Date: Sat, 23 Nov 2002 14:51:17 -0800
[...]
(Referring to Albitz and Liu's DNS and BIND.) This edition (4th) struck me as weak on new BIND 9.x features; frustrating, because there's not enough available on-line about that, either.
Anyhow, one limitation of both the Albitz book and troubleshooters.com's DNS page is that they concern BIND, solely. Even after the from-scratch 9.x rewrite, BIND is a slow, RAM-grabbing, overfeatured, monolithic daemon binary. Pity that most DNS information is BIND-specific; that's held us back.
Here is a list of the real choices, comparing and contrasting BIND9 with all known alternative DNS server implementations for Unixes -- many that in particular deployments will prove superior:
Table of Contents
Maintained open source packages:
- BIND9: authoritative, recursive, AXFR, client
- Bundy: authoritative, recursive, AXFR, DHCPd, forwarder
- CurveDNS: forwarder
- Deadwood: recursive
- djbdns: authoritative,
recursive, AXFR, client, other (modular; needs patching)
- Debian djbdns: authoritative, recursive, AXFR, client, other
- ndjbdns aka N-DJBDNS: authoritative, recursive, AXFR, client, other
- LolDNS: authoritative, recursive, AXFR, client, other
- dnsjava: authoritative, AXFR (modular)
- DNRD: forwarder
- Dnsmasq: forwarder
- dnsproxy: proxy
- dproxy: forwarder
- gdnsd: authoritative
- Ironsides: authoritative, recursive
- Knot DNS: authoritative, AXFR
- Knot Resolver: recursive
- ldapdns: authoritative, AXFR
- MaraDNS: authoritative, recursive, AXFR
- MyDNS-NG: authoritative, outgoing AXFR
- NSD: authoritative, AXFR
- pdnsd: forwarder
- PowerDNS Authoritative Server: authoritative, AXFR
- PowerDNS Recursor: recursive
- rbldnsd: authoritative
- Technitium DNS Server: forwarder, DHCPd
- Twisted Names: authoritative, forwarder, client
- Unbound: recursive
- YADIFA: authoritative, AXFR
Unmaintained open source packages (deprecated!):
- BIND8: authoritative, recursive, AXFR
- CustomDNS: authoritative, AXFR (modular)
- dents: authoritative, recursive
- Eddieware Enhanced DNS Server (aka "lbdns"): authoritative
- GnuDIP: authoritative
- lbnamed: authoritative
- lwresd: recursive
- moodns: authoritative, recursive
- MyDNS: authoritative, outgoing AXFR
- Oak DNS Server: authoritative, recursive
- Pliant DNS Server: forwarder
- Posadis: authoritative, AXFR
- SDNS (Secure DNS): authoritative
- Stanford::DNSserver: authoritative
- Trick or Treat Daemon (ToTD): forwarder
- Yaku-NS: authoritative, forwarder, AXFR
- zinq-djbdns: authoritative, recursive, AXFR, client, other
Related Software:
- GNU adns: client
- Ares: client
- BIND DLZ: authoritative (patch)
- Constrict: client
- dnsibs: authoritative (non-standard data)
- dnspython: client, AXFR
- FireDNS: client
- LDAP sdb: authoritative (patch)
- ldns: client
- nscd: cache
- Net::DNS: client
- Poslib: authoritative, client
- Resolvconf: client-side utility
- skadns: client
- systemd-resolved: cache
- unscd: cache
Proprietary Software:
(See list at page bottom.)
Guide for the Perplexed
If like most people you are unclear on how a recursive nameserver, an authoritative nameserver, and a forwarding nameserver differ, please see my explanatory anecdote: 1, 2.
Maintained open source packages:
BIND9 (link) is a full-featured recursive server, authoritative, and caching nameserver, bundled with a resolver client library. This is a from-scratch rewrite of the hopelessly spaghetti-coded legacy BIND8 codebase that Paul Vixie inherited from UC Berkeley: Vixie commissioned its creation by Nominum, Inc., who wrote it solely from the BIND8 specifications without reference to the old codebase.
Coded in C. (Win32 binaries are also available.)
http://www.isc.org/software/bind/
Licence: ISC Licence, a simple permissive licence with warranty disclaimer.Dovecot imapd author Timo Sirainen post in 2007 some comments (warning: unmaintained page): Code relies on several ISC wrapper libraries for key functions, code has lots of asserts and sanity check, "in general the code just feels heavy — functions have tons of variables, some functions are huge, locks for thread safety, lots of goto jumping to deinitialization parts if something went wrong".
BIND9 is slow and large compared to many competitors, and the monolithic codebase seems overfeatured.
Bundy (link) is an modular, multidaemon suite including a EDNS0- and DNSSEC-capable authoritative server, a caching recursive server, a DHCPv4 daemon, a DHCPv6 daemon, and a forwarder initially (2010) developed as BIND10 at ISC, and then handed off (in 2014) to third-party developers when ISC decided to refocus on improving BIND9.
Coded in C++ and Python3. Runtime requires Python 3.1+, the Botan v. 1.8+ crypto library for C++, the log4cplus 1.0.3+ logging library, and SQLite 3.3.9+ if running the authoritative server. Sundry Python3 standard libraries and modules are also needed.
http://bundy-dns.de/
Licence: ISC Licence, a simple permissive licence with warranty disclaimer.CurveDNS (link) is a caching forwarder server capable of either forwarding regular (non-authenticated) DNS packets, or of boxing DNSCurve-authenticated queries and forwarding the resulting regular DNS packets and then boxing the resulting regular DNS responses to DNSCurve-authenticated responses. It supports both DNSCurve's streamlined and TXT formats, caching of shared secrets, both UDP and TCP, and both IPv4 and IPv6. Thus, you would normally deploy it as the DNSCurve-supporting front-end to a different authoritative nameserver.
Coded in C by Harm van Tilborg, Jeroen Scheerder, and Lieuwe Jan Koning. Compilation requires Marc Lehmann's libev and the Computer Aided Cryptography Engineering project's NaCl (Networking and Cryptography library). Daniel J. Bernstein's daemontools are recommended but not required for management.
http://curvedns.on2it.net/
Licence: 2-clause BSD licence.Deadwood (link) is a recursive server with several enhancements, for Unix and Win32, by Sam Trenholme, author of MaraDNS (for whose recursive component it's a compatible replacement). Deadwood is implemented as a non-threading daemon.
At this writing (2010-10-05), Deadwood v. 3.0.01 is a feature-complete release. It's very small and fast: One 2.9 beta was the second smallest executable among recursive nameservers for Unix at 64,418 bytes as compiled for CentOS 5, versus zinq-djbdns's dnscache at 45,016 bytes, compiling using "-Os" optimisation and stripping the binary. (Unmodified dnscache v. 1.05, not recommended on account of unfixed bugs, weighs in at 43,644 bytes using the same options.)
Comparing Win32 versions, the Deadwood beta's binary was 144,237 bytes (-O3 compiler optimisation and unstripped), PowerDNS recursor is 503,860 bytes (prebuilt binary), Unbound is 1,745,920 bytes (prebuilt binary), and BIND9 is 4,055,552 bytes (prebuilt binary).
Enhancements over dnscache's basic recursive service:
- "DNS wall" that filters any private IP addresses out of DNS responses to protect networks against DNS rebinding attacks.
- Ability to read and write the cache to disk.
- Optional ability to "resurrect" domains by serving expired data from cache if no data within TTL can be fetched.
- Ability to filter out AAAA IPv6 responses (or to compile in full IPv6 support if desired).
- Code that stops AR-injection spoof attacks.
- Multiple inflight merging.
- Flexible parser for server configuration files.
- Support for DNS responses over TCP transport.
- Caching of CNAME responses.
- Caching of SOA responses.
- Ability to countermand upstream NXDOMAIN redirections (ip_blacklist feature).
Deadwood can be compiled for either Win32 or for Linux, and is available as source code. (Win32 binaries are available for download.) Linux functionality has been (thus far) author-tested on CentOS 5 only.
Coded in C by Sam Trenholme. (Win32 binaries are also available.)
http://maradns.samiam.org/deadwood/
Licence: Two-clause BSD licence.djbdns (link) is a suite of specialised-role, related DNS server utilities (and two client pieces) by Daniel J. Bernstein, Research Professor, Department of Computer Science, University of Illinois at Chicago and author of the qmail MTA.
(I'm being charitable in classifying djbdns as a "maintained offering", because, even though it was orphaned in 2001, its newly (a/o 2007) open-source (arguably) legal status permits third-party maintainers to put together an unofficial 1.06 release to bring it into the 21st century -- which may or may not happen but is worth hoping for.)
- djbdns is an omnibus package of all of Bernstein's DNS server software.
- tinydns is the authoritative-only DNS daemon.
- dnscache is the caching recursive server. It is so far (2008) unique among *ix recursive nameservers in implementing this functionality without needing to use threading.
- walldns is the specialised authoritative-only DNS daemon for reverse-zone data, designed to minimise public leakage of inside host data.
- rbldns is the specialised authoritative-only DNS daemon for DNS blocklist data about blocks of IP addresses such as dial-up IP lists.
- axfrdns is the TCP-based AXFR zone-transfer server. It also handles some other TCP-based queries, such as requests for SOA records and (rare) DNS replies exceeding the 512-byte maximum size of a (regular, non-EDNS0) UDP datagram. As a consequence of its ability to output RFC 1035 ("BIND") zonefiles for AXFR zone transfers, axfrdns is also usable as a format converter. (NOTE: Absent third-party patches, the various djbdns utilities omit support for IETF NOTIFY, IXFR, outgoing AXFR, DNSSEC, TSIG, A6, DNAME, bitstring labels, Dynamic DNS, negative TTLs (NCACHE), and other modern DNS features.) It is generally a good idea to set up axfrdns running on the same IP as tinydns, if you want support for large packets, or will offer zone transfers.
- axfr-get is the AXFR zone-transfer client, pulling down other authoritative servers' data in RFC 1035 ("BIND") format and writing that data in tinydns's database format.
- dns is the DNS client library.
- pickdns was the DNS load-balancing utility, but its functions were merged into tinydns as of djbdns v. 1.04 and above.
Through 2007, fans of djbdns (and components thereof) would often assert that it was "free software" or "open source". It was not. However, in late 2007, Bernstein asserted that djbdns (like qmail) would prospectively become public domain by his own fiat.
Dovecot imapd author Timo Sirainen posted in 2005 some comments (warning: unmaintained page).
Recommended patches: Codebase has been unmaintained since v. 1.05 in 2001, except for through third-party patches. In consequence, until someone collects, merges, and harmonises a reasonable set of those patches (2009-09-08 note: There are now four forks, as noted below) , users must collect and apply the following fixes to the v. 1.05 source tree, and compile locally:
- Do 'echo "include /usr/include/errno.h >> conf-cc"', to make the djbdns tools' source code compilable with modern Linux C libraries (updating the errno definitions in djbdns and tcpserver),
- apply a dnscache patch to prevent it from dying if it is remotely DoSed by an attacker sending it the SIGPIPE signal and then closing the socket before the write finishes (i.e., the patch makes dnscache ignore SIGPIPE),
- apply a tinydns patch to reduce mmap() overhead,
- apply a dnscache patch to add support for negative TTLs (caching of unsuccessful lookup results),
- apply a dnscache patch (1, 2) to prevent it erroneously returning SERVFAIL on some queries over TCP,
- apply a dnscache patch to support oversized UDP packets up to 4096 bytes in length (while still correctly truncating responses over 512 bytes when sending them to stub resolvers over UDP),
- apply two dnscache patches to make it become willing to cache SOA records, and to send only one response back to each flood of identical requests, thus greatly reducing the program's resistance to cache poisoning,
- apply a tinydns patch (1, 2) to add native support for SRV RRs (not strictly necessary for creation of SRV records or other unsupported types such as AAAA, SPF, TXT, NAPTR, and DomainKeys, as you can always use the generic record format for arbitrary data types -- but nice to have as "syntactic sugar" -- and please note that proper native support for IPv6 has larger issues than just AAAA support),
- apply a tinydns patch to fix a file-descriptor leak,
- apply a tinydns patch making its error-handling on zonefile syntax errors more robust (obviously not an essential patch, but helpful),
- apply a dnscache patch to make its logging less chatty,
- apply two patches to fix dnscache's, tinydns's, and axfrdns's erroneous treatment of CNAMEs (1, 2),
- apply (on Linux only) an epoll patch (to speed up various djbdns tools by using Linux 2.6.x's "epoll(4)" I/O event notification facility instead of "poll(2)"),
- apply one of two patches (where one's usage model makes this useful) to make the various djbdns tools support binding to multiple IPs (1, 2) -- and, in fairness, the Bernstein-recommended alternative of running multiple daemon instances, one per IP, is usually fairly practical and has operational advantages,
- apply a dnscache patch to update the (obsolete) root servers list,
- apply a dnscache patch to its use of the Recursion Desired ("RD") bit, to make dnscache able to function correctly in a pure forwarding role (if you happen to need it in that role),
- apply a "dns" (djbdns client library, if you happen to use that module) patch to correct a bad coding choice that makes it unable to correctly deal with the hostname of a recursive or forwarding server that maps to multiple IP addresses,
- either tune dnscache's fixed-upper-bounded (but configurable) cache size to local requirements, or comment out dnscache's cache.c source line that limits the upper bound on cache size to 10^9 bytes by default ("if (cachesize > 1000000000) cachesize = 1000000000;"), to let it float, and
- apply an axrfdns and tinydns patch to correct a security-damaging bug in large-packet TCP data handling that permits a limited form of cache poisoning.
- Patch dnscache to add use of SipHash, a pseudo-random function useful for fixiing a problem discovered in 2012 with dnsccache's djb33 hash function that makes dnscache vulnerable to cache poisoning (by inducing collisions in the hash table).
- You also might want manpages, which, unbelievably, are deliberately missing from most of Bernstein's software.
(Caveat coder: I cannot vouch for the quality of those code snippets, nor guarantee that they won't cause other problems or be mutually incompatible. I know only that they were efforts to address real deficiencies in the base code.)
Also tinydns.org and Jonathan de Boyne Pollard's page document other problems that might warrant patching before compilation. Some problems will remain, such as frequent failure to resolve Akamai and some other companies' DNS (on account of their use of admittedly ugly and baroque delegations without glue records), where other nameservers will have no problems.
It should also be noted that, by default, djbdns requires ancillary package ucspi-tcp (Bernstein's idiosyncratic superserver, though there are ways to substitute xinetd/inetd, etc.) and also recommends daemontools (Bernstein's idiosyncratic toolset for managing system services, though there are workarounds (1, 2) to avoid most of that need). Daemontools, if used, enforces a non-standard filesystem hierarchy for its and djbdns's components.
djbdns (specifically, dnscache) was the first recursive nameserver to randomise query source UDP ports as a security precaution, and to separate recursive and authoritative service, which is best practices.
Critical claims to the contrary notwithstanding, it is indeed possible to run dnscache and tinydns on the same IP. See Felix von Leitner's djbdns FAQ for that and other common questions.
Coded in C by Daniel J. Bernstein.
http://cr.yp.to/djbdns.html
Licence: Asserted to be "public domain".Debian djbdns: (link) Debian developer Gerrit Pape maintained sundry Debian binary packages (axfrdns, djbdns-conf, djbdns-utils, dnscache, rbldns, tinydns, and walldns) based on one Debian source package (djbdns). Pape applied these changes to Bernstein's v. 1.05:
In the various binary packages:
Supplied manpages (by Gerrit Pape).
Patched to use glibc, system errno.h headers.
Updated the /etc/dnsroots.global configuration file to replace obsolete root nameservers list.
Patched to support parallel build through "make -j".
Patched to install binaries into /usr/bin.
Patched to make daemontools, ucspi-tcp "Recommends" rather than "Depends" packages.
Patched axfrdns and tinydns to correct a security-damaging bug in large-packet TCP data handling that permits a limited form of cache poisoning.
I haven't worked through binary package dnscache's and tinydns's metadata to see what patches Pape applied to it, but it's whichever subset of his patches are applicable from those used ot create binary package "djbdns".
djbdns missed the Debian "jessie" 8.0 (2015) and "Stretch" 9.0 (2017) releases, and was removed entirely from Debian's collections in 2017. However, it's subsequently been updated and re-added.
Coded in C by Gerrit Pape and Daniel J. Bernstein.
http://packages.qa.debian.org/d/djbdns.html
https://tracker.debian.org/pkg/djbdns
Licence: Asserted to be "public domain".ndjbdns aka N-DJBDNS: (link) Red Hat developer Prasad J. Pandit has created a djbdns fork and proposed it (2009-03) for inclusion in Fedora Project. Prasad's fork was named RH-djbdns until July 2011, when he renamed it njbdns (new djbdns), later modified to N-DJBDNS (but the earlier naming remains more common). It's been included in Fedora since Fedora 15, and is in the EPEL collection for other Red Hat-family distributions. As of v. 1.05.3 (2009-08-17), it adds these changes to Bernstein's v. 1.05:
Uses automake/autoconf, instead of Bernstein's build process.
Works with /sbin/service.
No longer requires daemontools.
tinydns now reads /etc/djbdns/tinydns.conf and logs to /var/log/tinydns.log. Default installation destination prefix is /usr/ (in the RPM .spec file).
Changed dnscache conffile to /etc/djbdns/dnscache.conf
Changed dnscache to log to /var/log/dnscache.log", write PID file to /var/run/dnscache.pid, and accept some command-line options.
Patched axfrdns and tinydns to correct a security-damaging bug in large-packet TCP data handling that permits a limited form of cache poisoning.
Patched dnscache to prevent it erroneously returning SERVFAIL on some queries over TCP.
Patched dnscache to update obsolete root nameservers list.
Applied the patch to dnscache to make it ignore SIGPIPE, which can be used to DoS it.
Patched to use system errno.h headers.
Renamed CHANGES to ChangeLog, added Pandit's entries.
Changed various utils to use system header files.
Some comments added, and a more-conventional coding style applied. All coding made portable to FreeBSD and probably other Unixes. New manuals for several commands. Commands now accept command-line options.As of 1.05.3, only the following djbdns tools are (thus far) compiled/installed: dnscache, dnsipq, dnsq, dnstracesort, tinydns, tinydns-data, tinydns-edit, tinydns-get, dnstrace, and a couple more. Pandit is proceeding to revamp the other pieces, gradually.
As of 2019, the most recent maintenance was in 2016.
Coded in C by Prasad J. Pandit and Daniel J. Bernstein.
http://pjp.dgplug.org/djbdns/
(.spec file, source, SRPM, bugzilla)
Licence: GNU GPLv2 or later. (See .spec file.)LolDNS: (link) Joshua Small created the LolDNS fork of djbdns 1.05 in February 2009, to "go beyond the many current forks of just perpetuating the product, and to actually do away with the things that djbdns used to get slammed for."
Patched to use glibc, system errno.h headers.
Patched to no longer require daemontools, ucspi-tcp.
Patched to add an equivalent to BIND9's $GENERATE auto-generated entry directive.
Patched to add support for SRV records.
Patched to support binding to multiple IP addresses.
Patched to call chroot() before dropping privilege.
Adds new management and logging daemons.Coded in C by Joshua Small and Daniel J. Bernstein.
https://lolware.net/2013/09/23/loldns.html
http://lolware.net/loldns-STABLE5.tar.gz
https://github.com/technion/loldns
Note: Small recommends checking out the latest gitsvntrunk snapshot, instead of using tarball code. As of 2019, there have been no code updates since 2013.
Licence: Joshua Small has specified a licence of his own devising for his additions to Bernstein's code, the first two clauses of which grant a simple BSDish permissive licence (making code usable for any purpose; derivative works can be created and distributed by anyone), provided that there is no warranty (third clause) and that Small's small graphical "so much win" image remains included in some way (the fourth and final clause). Daniel Bernstein has asserted his v. 1.05 base code to be public domain".
DNRD (Domain Name Relay Daemon) (link) is a small caching-only server for NAT / IPmasq networks.
Coded in C by Natanael Copa, Brad Garcia, and Nathan Angelacos.
https://github.com/benjaminpetrin/dnrd, formerly at
http://dnrd.sourceforge.net/.
Licence: GNU GPLv2 or later.dnsjava (link) is an authoritative-only server, DDNS client, and related tools, written in Java by Brian Wellington. Patched only on Aug. 6, 2008 to randomise UDP source ports for recursive queries as a security precaution.
http://www.dnsjava.org/
Licence: Newer BSD licence.Dnsmasq (link) is a small caching forwarder server (no recursive service -- iterative queries only) with local-only authoritative service for a group of NATted / IPmasqued machines (optionally pulling names from DHCP leases).
This package is often embedded in firewall/gateway appliance boxes. Did not implement serious randomisation of source UDP ports on outgoing recursive queries as a security precaution until July 11, 2008 (v. 4.3), when the use of inadequate system-libc random number generators was junked and replaced with Dan Bernstein's SURF random number generator, borrowed from dnscache.
Coded in C by Simon Kelley.
http://www.thekelleys.org.uk/dnsmasq/
Licence: GNU GPLv2 or later.dnsproxy (link) is is a proxy daemon that answers 53/tcp & 53/udp DNS queries, and forwards the recursive and authoritative queries separately so a pair of specialised daemons (e.g., NSD and Unbound, or tinydns and dnscache) can handle each, but still only use a single public-facing IP address. The two daemons accepting the forwards may be local or they might be elsewhere (as in a firewall situation). Requires libevent. Runs chrooted and unprivileged.
Coded in C by Armin Wolfermann.
http://wolfermann.org/dnsproxy.html
Licence: MIT Licence.dproxy (link) was/is a small caching forwarder server with a disk-based cache, suitable for small networks and workstations.
Coded in C by Matthew Pratt. As of 2016, the legacy dproxy 1.x code has been unmaintained since 2005, but the dproxy-nexgen code at GitHub appears to be maintained (updated 2014).
https://github.com/vicgarin/Actiontec-V1000H/tree/master/bcm963xx_V1000H-31-121L-11/userspace/gpl/apps/dproxy-nexgen
https://sourceforge.net/projects/dproxy/
Licence: GNU GPLv2 or later.gndsd (Geographic DNS Daemon) (link) is an authoritative-only non-caching server with native support for DNSCurve authentication of DNS contents. The "geographic" in its name refers to its plugin interface for geographic (or other sorts of) balancing, redirection, and service-state-conscious failover, which is an optional capability. Several example plugins are provided, including gdnsd-plugin-georeg, which uses MaxMind's commercial Region-format database to do geographic balancing and failover of a given hostname to a set of geographically dispersed IP addresses. A basic HTTP monitoring service for failover is included, as are hooks for implementing other failover methods. Compilation requires pthread suppor, Marc Lehmann's libev, and the Computer Aided Cryptography Engineering project's NaCl (Networking and Cryptography library).
Coded in C by Brandon Black for Logitech, Inc.
https://github.com/gdnsd/gdnsd, formerly at
http://code.google.com/p/gdnsd/
Licence: GNU GPLv3 or later.Knot DNS (link) is an authoritative-only server developed by CZ.NIC, the .CZ domain registry, originally with particular emphasis on suitability for TLD operators, more recently an all-around DNSSEC-capable authoritative daemon with good performance. It is implemented as a threaded daemon using a number of programming techniques to make it very fast, notably read-copy-update. Code is mostly lock-free, scales well on SMP systems, and operates non-stop even when adding or removing zones. Supports DNSSEC and EDNS0 extensions including NSEC3. Does AXFR/IXFR. Supports dynamic updates, response rate limiting, automatic DNSSEC signing.
Runtime depends on several libraries including userspace-rcu. Configuration files use simplified YAML format.Knot DNS was quite extensively covered (2014) in an article for LWN.net by Ondřej Surý, Chief Scientist at CZ.NIC.
Coded in C by the CZ.NIC team.
https://www.knot-dns.cz
Licence: GNU GPLv3 or later.Knot Resolver (link) is a recursive server designed with a tiny core and with most features implemented as optional modules, which limits attack surface and improves performance. Supports modern nameserver features such as DNSSEC, DNS-over-TLS server, DNS-over-HTTP, newer DNS-over-TCP enhancements (TCP Fast-Open, query pipelining and deduplication, and response reordering), EDNS, Response Policy Zones, DNS64/IPv6, and Name Server Identifier (NSID). Provides for Web management of the daemon and control sockets. Designed to be scripting-friendly. (Rulesets can be coded in the Lua programming language.) Provides for writing of custom modules. Does not use threading, it runs one process on one CPU core instead. It allows resolver to survive crash in any single process.
Coded in C and LuaJIT by the CZ.NIC team.
https://www.knot-resolver.cz/
Licence: GNU GPLv3 or laterIronsides (link) is an authoritative / recursive DNS daemon pair, written in Ada using the SPARK 2012 libraries, written to be immune to many of the security-sensitive and other bugs of DNS software by using formal methods in its design, while still yielding markedly better performance than BIND9.
Codebase is reported to support a large but not exhaustive subset of all possible reference record types, and not yet provide for AXFR/IXFR zone transfers. DNSSEC support is said to be under development.
Coded in Ada by Martin C. Carlisle and Barry Fagin of the US Air Force Academy.
https://ironsides.martincarlisle.com/
Licence: Public domain (as this is a work directly produced by the US Federal government).ldapdns (link) is an LDAP database-based authoritative and caching server (no recursive service -- iterative queries only). Despite use of a database, it's much faster than BIND9.
Coded in C by "Mrs. Brisby".
http://ldapdns.sourceforge.net/
Licence: GNU GPLv2 or later.MaraDNS (link) is a general-purpose, fast, lightweight, authoritative, caching forwarder, and recursive server, fully supporting zone transfers, which runs unprivileged, performs its own chroot, and includes its own buffer-overflow-resistant string library and random number generator. Module "zoneserver" does authoritative service only. Module "maradns" can do both recursive and authoritative DNS. Includes a converter Python script to convert zonefiles from RFC 1035 ("BIND") format to MaraDNS's similar "csv2" format. Code uses RAM-based caching. Daemon must currently be restarted if any zonefile records are changed, currently requires the OS have robust threading support for its recursive service, and currently doesn't support NOTIFY or IXFR.
Starting with the 2.0 release, MaraDNS defaults to using the provided Deadwood recursive nameserver code (see separate entry) for its recursive functionality.
As of June 21, 2015, there is no security or maintenance support for the obsolete 1.x branch, and it is strongly deprecated.
Excellent security history. Among other things, MaraDNS's recursive module randomised source UDP ports on outgoing recursive queries using a strong RNG from the very beginning. Also, recursive server attempts to be careful about cache poisoning resulting from trusting glue records passed out-of-bailiwick.
Code is written in C by Sam Trenholme. (Win32 binaries are also available.)
http://maradns.samiam.org
Licence: Two-clause BSD licence, on v. 1.1 and later.Dovecot imapd author Timo Sirainen post in 2007 some comments (warning: unmaintained page): "Should be secure. Code doesn't look too bad, but it's using a lot of gotos."
MyDNS-NG (link) is a MySQL or PostgreSQL-based authoritative and caching forwarder server (no recursive service -- iterative queries only) suitable for very large sites. In such roles, it's faster and more responsive than BIND9, even though the latter uses a RAM-based cache.
Coded in C by Howard Wilkinson and Dan Moore.
http://www.mydns-ng.com/
Licence: GPLv2 or later.NSD (link) is a high-performance, small, authoritative-only daemon, with DNSSEC support, and able to directly re-use RFC 1035 ("BIND") zonefiles (which it compiles to binary format for speed). Package includes the zonefile compiler ("zonec"), the core nsd daemon, the zoneserver, and a zone transfer program.
Coded in C by a number of authors including Alexis Yushin and Erik Rozendaal.
http://www.nlnetlabs.nl/nsd/
Licence: Newer BSD licence.pdnsd (link) is a small caching forwarder server, coded in C by Paul A. Rombouts and Thomas Moestl, with a disk-based cache, suitable for small networks and workstations. Has had some buffer-overflow and stability problems, in the past, but in general has sound design (e.g., always randomised source UDP ports for recursive queries).
http://members.home.nl/p.a.rombouts/pdnsd/
Licence: GNU GPLv3 or later.PowerDNS: Was a combined authoritative and recursive nameserver package through v. 2.9.20. Starting with the next releases (April 21, 2007), those functions were split into new packages "PowerDNS Authoritative Server" and "PowerDNS Recursor", which please see.
PowerDNS was originally proprietary software, open-sourced under GNU GPLv2 on 2002-11-25.
PowerDNS Authoritative Server (link) is an authoritative-only server with modular structure supporting various back-end information stores such as SQL databases (MySQL, PostgreSQL, Oracle 8i, Oracle 9i, IBM DB2, and others via ODBC), RFC 1035 ("BIND") zonefiles and other file formats, and LDAP directories. Supports AXFR zone transfers. Partial DNSSEC support. Fast but also a bit bloated. Compiling the package requires satisfying some convoluted dependencies, notably the need for Boost C++ class libraries. Default configuration assumes propagation of nameservers to related hosts via replication at the level of the back-end database store, but optionally the adminstrator can also enable RFC 1034 / RFC 1995 "zone transfers" (using NOTIFY/AXFR) as implemented in BIND9. Package can be configured to refer incoming recursive queries to a (any) separate recursive nameserver by a specified IP/port. Has internal chroot function. Does not support BIND9-style "views": One can emulate that mode by running multiple nameserver instances. (Copy /etc/init.d/pdns to /etc/init.d/pdns-[name]. The script automatically parses $0 for "name" and reads /etc/pdns/pdns-[name].conf as its configuration file.)
Coded in C++ by Norbert Sendetzky and others.
http://www.powerdns.com/en/products.aspx
Licence: GNU GPLv2.PowerDNS Recursor (link) is a recursive nameserver. Has a programming interface for scripting in the Lua programming language. Pleasantly small and fast. Did not meaningfully randomise UDP source ports on outgoing recursive queries until March 2008, after Dan Kaminsky's private warnings about DNS security problems, at which time the authors added a strong random-number generator.
Coded in C++ by Norbert Sendetzky and others.
http://www.powerdns.com/en/products.aspx
Licence: GNU GPLv2.In January 2010, PowerDNS Recursor (through v. 3.1.7.1) was discovered to be vulnerable to being buffer-overflowed by deliberately bad public DNS data or queries being aimed at it, leading to possible full system compromise, cache poisoning, and redirection of users to IPs controlled by attackers. This horrific bug was fixed as of v. 3.1.7.2, but is not a reassuring sign about PowerDNS Recursor's code quality.
rbldnsd (link) is a small, fast authoritative-only server for DNS blocklist information (and can also serve other types of zone data).
Coded in C by Michael Tokarev.
http://www.corpit.ru/mjt/rbldnsd.html
Licence: GNU GPLv2 or later.Technitium DNS Server (link) is a specialised forwarder with filtering ("ad blocking") optionally supporting DNS-over-TLS and DNS-over-HTTPS transports. Includes DHCPd, SOCKS5 proxy support, local authoritative stub zones.
Coded in C# using .NET Standard 2.0. Runs on Linux using Mono Framework or .NET Core.
https://technitium.com/dns/
Licence: GNU GPLv3Twisted Names (link) is an authoritative, caching forwarder, and recursive server, also functioning as a resolver library
Coded in Python by Twisted Matrix Laboratories (Jp Calderone and others).
http://twistedmatrix.com/trac/wiki/TwistedNames
Licence: MIT/X.Unbound (link) is a fast, small, modular caching, recursive server, from the same people (NLnet Labs) who produced the excellent NSD authoritative-only nameserver, with additional help from VeriSign, Inc. and Kirei. Unbound does not itself do authoritative service, but does do "stub-zones" (local data or AS112 zones). It is claimed to be fully RFC-compliant, including DNSSEC validation.
Also of possible interest is Dnssec-Trigger, an add-on for Unbound running on an end-host (laptop or desktop computer), signaling Unbound to use DHCP-obtained forwarders for DNSSEC-capable nameservice of that has been probed and found accessible, or failing that to use Unbound's own AUTH queries, or failing that to notify the user and switch to unauthenticated DNS only. (As of 2016, this code is experimental.)
Coded in C. (Win32 binaries are also available.)
http://unbound.net/
Licence: BSD.YADIFA (Yet Another DNS Implementation for All (link) is an authoritative server developed by the operators of the .eu TLD. Supports EDNS0, DNSSEC with NSEC and NSEC3. Includes a SQL back-end alongside an RFC 1035 ("BIND") zonefile back-end, and dynamic zone updates. Future versions are planned to include recursive service, caching, validation of zone data, split horizon, dynamic provisioning of new domains without restart, forwarding, and a DNSSEC signing service.
Coded in C by EURid coders.
http://www.yadifa.eu/
Licence: 3-clause BSD.
Unmaintained open source packages:
(The July 2008 DNS security blowup made starkly obvious that it's in general dangerous to run poorly maintained DNS nameserver software. Some of the below-cited, unmaintained or apparently neglected codebases may be of interest for other reasons, e.g., adoption for revival & update by sufficiently interested coders.)
BIND8 (link) should be scrupulously avoided, for reasons cited above. (Some BIND8 code still lives on, in the DNS resolver library libresolv, shipped as part of GNU libc = glibc in typical Linux and BSD distributions. This is regrettable, but the occasional security failures in that codebase should not be attributed to BIND9. Note that the BIND8-derived 'stub resolver' in glibc does not enable EDNS0 in its queries.)
Licence: Simple permissive licence with warranty disclaimer.Note that it is possible via NSS calls (and /etc/nsswitch.conf configuration) to call the BIND9-derived lwresd lightweight recursive daemon (entry about which, please see, below), instead of the legacy BIND8-based code furnished with glibc.
CustomDNS (link) was/is an authoritative-only daemon, based on dnsjava, for both static addresses and its variant form of dynamic DNS. Java and Perl code by Eric Kidd, based in part on Brian Wellington's dnsjava package. Unmaintained since July 2000.
http://customdns.sourceforge.net/
Licence: LGPL and MIT/X.dents (link) was an authoritative, caching forwarder, and recursive server, fully supporting zone transfers, but is perennially unfinished, and is almost certainly dead, at this point. Coded in C by Johannes Erdfelt.
http://sourceforge.net/projects/dents/
Licence: GNU GPLv2 or later.Eddieware Enhanced DNS Server (aka "lbdns") (link) was/is a load-balancing authoritative DNS server. Coded in Erlang by the Eddie Team. Unmaintained since 2003.
http://eddie.sourceforge.net/lbdns.html
Licence: Erlang Public Licence, a Swedish variant of MPL 1.0.GnuDIP (link) was/is an authoritative-only server for Dynamic DNS (supporting the RFC 2136/3147 DNS Dynamic Update protocol) coded in Perl by Mike Machado, but only "minimally maintained" and needing a new primary maintainer, a/o 2003.
http://gnudip2.sourceforge.net/gnudip-www/
Licence: GNU GPLv2 or later.lbnamed (link) was/is a authoritative-only daemon for static and dynamic information, with a load-balancing multi-machine architecture, written in Perl by Roland Schemers. Unmaintained since 2005: See replacement "Standard::DNSServer.
http://www.stanford.edu/~riepel/lbnamed/
Licence: Newer BSD licence.lwresd (link) was/is a lightweight recursive[-resolver] daemon (thus the name) with caching, created by ISC (maintainers of BIND9) by stripping down the recursive and caching code in BIND9 and making it available separately (as a library). It is local-only, being capable only of listening for UDP-type port 921 DNS queries on IPv4 loopback address 127.0.0.1 (or one or more different address specified using "lwserver" lines in /etc/resolv.conf). It is also capable of handing off queries to separate nameservers listed via "nameserver" lines in /etc/resolv.conf, as forwarders, but, if there are none such, or if forwarding fails, falls back on its own internal recursive routines, starting with a built-in roster of root server hints. Configuration file, closely following BIND9's named.conf format, is /etc/lwresd.conf.
Because lwresd returns queried values in its own format ("lightweight resolver protocol"), Linux systems will need to also install library nss_lwres, which unfortunately currently (2008) has been unmaintained since 2001 at upstream location ftp://sources.redhat.com/pub/glibc/old-releases/. That "glue" library being present, in turn, permits modifying /etc/nsswitch.conf to call a "lwres" routine (when available) in place of the legacy BIND8-based "dns" routine in glibc. Suggested format for /etc/nsswitch.conf is: "hosts: files lwres [NOTFOUND=return] dns"
As of 2005, lwresd is said to be "stale code" that hasn't been touched in a year or two, doesn't respect DNS TTL, and has a few other issues. Upstream source code is available inside ISC's BIND9 package.
http://www.isc.org/software/bind/
Licence: Simple permissive licence with warranty disclaimer.moodns (link) was meant to be a authoritative and recursive server, but never passed alpha state. Discontinued. Coded in C by Michael Wolf.
http://sourceforge.net/projects/moodns/ and http://www.maradns.org/download/non-maradns/
Licence: Newer BSD licence, GNU GPLv2 or later.MyDNS (link) was/is a MySQL or PostgreSQL-based authoritative and caching forwarder server (no recursive service -- iterative queries only) suitable for very large sites. In such roles, it's faster and more responsive than BIND9, even though the latter uses a RAM-based cache. Unmaintained since 2006, so interested parties should probably look at MyDNS-NG or PowerDNS, instead. Coded in C by Dan Moore.
http://mydns.bboy.net/
Licence: GPLv2 or later.Oak DNS Server (link) was/is an authoritative and recursive server, supporting dynamic DNS updates and AAAA records. Doesn't need to run privileged. Development release as of August 2008 is still being [re-]written to take advantage of the dnspython libraries, and still lacks recursive service or update support. Coded in Python by Ed Stoner.
http://www.maradns.org/download/non-maradns/ (Gone from http://www.digitallumber.com/oak .)
Licence: GNU LGPL.Pliant DNS Server (link) was/is an authoritative and caching forwarder server (no recursive service -- iterative queries only). Written in the Pliant language by Hubert Tonneau. Seems to be unmaintained.
http://fullpliant.org/pliant/protocol/dns/
Licence: GNU GPLv2.Posadis (link) was/is a fast authoritative, caching server, written in C++ by Meilof Veeningen. Sadly unmaintained since 2004.
http://posadis.sourceforge.net/
http://www.posadis.org/
Licence: GNU GPLv2 or later.SDNS (Secure DNS) (link) was/is an authoritative-only server, created directly by the US Federal government (and thus genuinely public domain) by Anthony Carathimas, Eric Thomas, Fred Cohen, and Darrian Hale at Sandia Labs in the 1990s, with the specific aim of high security. Last maintained, 2001.
http://www.maradns.org/download/non-maradns/sdns.tar.bz2
Licence: Actual, real public domain.Stanford::DNSserver (link) was/is lbnamed (see separate entry), reworked and packaged as a Perl module by Rob Riepel and others. Last maintained April 2006.
http://www.stanford.edu/~riepel/lbnamed/Stanford-DNSserver/
Licence: Newer BSD licence.Trick or Treat Daemon (ToTD) (link) was/is a small caching forwarder server, suitable for small networks and workstations. Coded in C by Feike W. Dillema and members of the WIDE Project.
http://www.vermicelli.pasta.cs.uit.no/software/totd.html Last maintained August 2006.
Licence: Simple permissive licence (Dillema's code) and older BSD licence (WIDE Project code).Yaku-NS (formerly ENS) (link) was/is a small, fast authoritative, caching forwarder, fully supporting zone transfers, aimed at embedded use. Does internal chroot, and attempts to prevent stack-smashing. Coded in C by Salvatore Sanfilippo. Appears to be unmaintained.
https://github.com/antirez/yaku-ns
Licence: GNU GPLv2 or later.zinq-djbdns: (link) Mark Johnson created a maintained fork of djbdns as part of his umbrella project of adopting Dan Bernstein's unmaintained software. Thus the term "zinq", which is from Zinq Is Not Qmail. As of v. 0.05, it adds these changes to Bernstein's v. 1.05:
Updated obsolete root-nameservers roster "dnsroots.global"
Uses automake/autoconf, instead of Bernstein's build process, and got rid of spurious compiler warnings.
Applied the patch to dnscache to make it ignore SIGPIPE, which can be used to DoS it.
Patched dnscache to quadruple its upper bound on cache size from 10^9 bytes to 4x10^9 bytes.
Patched dnscache to prevent it erroneously returning SERVFAIL on some queries over TCP.
Patched dnscache to support oversized UDP packets up to 4096 bytes in length (while still correctly truncating responses over 512 bytes when sending them to stub resolvers over UDP).
Patched tinydns to add native support for SRV and NAPTR records.
Supplied manpages, from Gerrit Pape's set.
Patched axfrdns and tinydns to correct a security-damaging bug in large-packet TCP data handling that permits a limited form of cache poisoning.Coded in C by Mark Johnson and Daniel J. Bernstein.
Formerly at http://sourceforge.net/projects/zinq/ (which no longer exists); seems to have moved a/o 2010 to https://github.com/tenchman/TTLinux/tree/master/apps/dns/zinq-djbdns . As of 2019, there no longer appears to be a maintainer site or code repo.
Last maintained in 2010.
Licence: Asserted to be "public domain".
Related software:
GNU adns (link) is a resolver library for C (and C++) programs, and a collection of useful resolver utilities, coded in C by Ian Jackson.
http://www.chiark.greenend.org.uk/~ian/adns/
Licence: GNU GPLv2 or later.Ares (link) is an asynchronous resolver library in C by Greg Hudson.
ftp://athena-dist.mit.edu/pub/ATHENA/ares/
Licence: MIT/X.BIND DLZ (BIND Dynamically Loadable Zones) (link) is a set of patches for BIND9 to make it use your choice of numerous back-end databases instead of flatfile RFC 1035 ("BIND") zonefiles, and reduce memory usage (since BIND9 no longer needs to load everything into RAM at once). Coded in C by Rob Butler.
http://bind-dlz.sourceforge.net/
Licence: Simple permissive licence with warranty disclaimer.Constrict (link) is a Python library for access to information parsed from the libbind library provided by BIND8. Coded in Python by Jason Smith.
http://www.oes.co.th/projects/Constrict
Licence: GNU GPLv2.dnsibs (link) is a daemon offering Perl/CPAN code (notably the Mail::SpamCannibal anti-spam tool and dbtarpit) access to DNS blocklist data stored in a BerkeleyDB database. (It apparently doesn't serve up normal sorts of DNS information, which is why I put it in the "related" category.) It's coded in C by Michael Robinton.
http://www.spamcannibal.org/docs/dnsbls.html
Licence: GNU GPLv2 or later.dnspython (link) is a Python toolkit for programmatic access to DNS functions, by Bob Halley.
http://www.dnspython.org/
Licence: Simple permissive licence with attribution requirement and warranty disclaimer.FireDNS (link) is a resolver library with emphasis on speed and asynchronous processing. Has low-timeout blocking functions. Can be used to replace standard libc resolver library functions like getbyhostname with much faster equivalent code. Written in C by Ian Gulliver.
http://firestuff.org/projects/firedns/
Licence: GNU GPLv2.LDAP sdb (link) is a patch to enable BIND9 to reach an LDAP back-end database instead of flatfile RFC 1035 ("BIND") zonefiles, using the simplified database interface "sdb". Coded in C by Stig Venaas.
http://www.venaas.no/ldap/bind-sdb/
Licence: Simple permissive licence with warranty disclaimer.ldns (link) is a library for access to DNS/DNSSEC data, relying on CPAN's NET::DNS module. Written in C by NLnet Labs.
http://www.nlnetlabs.nl/ldns/ Licence: Newer BSD licence.nscd (link), name service caching daemon, is a local cache with no other nameserver functionality, providing caching of host, passwd, and group database data. The hosts data caches both positive and negative results data, in separate caches. nscd is furnished as part of the glibc codebase, and is a reimplementation of an idea first provided in Sun Solaris. It is needed primarily on hosts using slow authentication services such as NIS, NIS+, and LDAP. The glibc/Linux implmentation is notorious for being a bit buggy. Licence: GNU GPLv2.
Net::DNS (link) is a resolver library, coded in Perl by Michael Fuhr, Olaf Kolkman, and Chris Reinhardt.
http://www.net-dns.org/
Licence: GNU GPLv2 or later, or Artistic Licence.Poslib (link) is a resolver library and authoritative-server library in C++ by Meilof Veeningen.
http://posadis.sourceforge.net/poslib/
Licence: GNU GPLv2 or later.Resolvconf (link) is a client- (resolver-) side utility to mediate write access to the DNS client's /etc/resolv.conf file, keeping track of nameservers listed there and preventing multiple packages (DHCP clients, system-local nameservers, other) updating that file from interfering with each other. For it to work, software touching /etc/resolv.conf must be Resolvconf-aware. At this writing (2009-08), most but not all such software is Resolvconf-aware. There are two implementations: Original/Debian Resolvconf, http://packages.qa.debian.org/r/resolvconf.html coded in C by Thomas Hood; and Openresolv, http://roy.marples.name/projects/openresolv, coded in C by Ray Marples.
Licence: GPLv2 (Hood's).
Licence: BSD Licence (Marples's)skadns (link) is a small, asynchronous resolver library, coded in C by Laurent Bercot.
http://www.skarnet.org/software/skadns/
Licence: Original BSD licence with advertising clause.systemd-resolved (link), one of the constituent binaries in systemd, has included a caching stub resolver routine since August 2014. GNU LGPLv2.1 or later.
unscd (link), micro name service caching daemon, is a local cache with no other nameserver functionality, providing caching of host, passwd, and group database data. The hosts data caches both positive and negative results data, in separate caches. unscd is a from-scratch reimplmentation by Denys Vlasenko of the design of glibc's nscd, with the aim of avoiding nscd's bugs and offering more crashproof operation by running a threaded process that offloads NSS lookups to child worker processes. It is needed primarily on hosts using slow authentication services such as NIS, NIS+, and LDAP.
Licence: GNU GPLv2.
--
Cheers, Before enlightenment, caffeine. Rick Moen After enlightenment, caffeine. rick@linuxmafia.com
Proprietary software:
- ANS: Authoritative Name Server (Nominum, Inc.) http://www.nominum.com/products/authoritative_name_server.php
- AnswerX (Akamai) - https://www.akamai.com/us/en/products/network-operator/dnsi-cacheserve.jsp
- ATLAS (Verisign) - http://www.verisign.com/information-services/ATLAS/ Appears to be a Verisign-hosted service offering, only, not an externally available software product.
- BINDPlus (Information Network Eng. Gruup, Inc.) (appears to be defunct since late 1990s; was promoted by Jeffrey A. Williams)
- Cisco Network Registrar (Cisco Systems, Inc.) - http://www.cisco.com/en/US/products/sw/netmgtsw/ps1982/
- CNS: Caching Name Server (Nominum, Inc.) https://partners.nominum.com/products.php?id=1
- Global Name Service (Nominum, Inc.): Was a hosted service only, and is now discontinued.
- IPControl (BT Global Services, formerly International Network Services, Inc.) - proprietary extensions to BIND9 http://www.globalservices.bt.com/LeafAction.do?RecNo=33: available lately only as "IP ControlSapphire Appliances" embedded appliance code, no longer just as software.
- NeDNS (Neteka, Inc.) - company's Web site has disappeared; product is apparently discontinued. Cited at http://directory.fsf.org/project/NeDNS/ (and was a patched version of BIND8 with support for "ACE-encoded" name records)
- Men & Mice Suite (formerly QuickDNS Pro, formerly QuickDNS; from Men&Mice) http://www.menandmice.com/
- Name Commander (formerly DNS Commander; from Incognito Software, Inc.) - http://www.incognito.com/products/name-commander/
- NxFilter from Jahastech is a forwarding, caching, authoritative DNS server primarily intended for filtering of DNS, coded in Java. https://nxfilter.org/p3/
- SheerDNS is an authoritative-only server with to unique distinction of having its zone records stored each in its own separate file, to facilitate atomic updates without restarting. Author probably intended to create open source but failed to specify a licence. (2009 update: I've talked about this problem, via e-mail, with author Paul Sheer. He is aware of not granting the right to independently maintain or redistribute this code, and has no intention to grant any additional rights to it.) Unmaintained since 2005. http://threading.2038bug.com/sheerdns/
- sqldjbdns/sqldns/pgsqldns http://untroubled.org/sqldjbdns/: a patched version of djbdns 1.02 that back-ends data into PostgreSQL. Author's patch code is under GPL v. 2 or later, but Daniel J. Bernstein has never purported to put djbdns 1.02 into "public domain", only v. 1.05.
- Secure64 DNS Authority (Secure64) https://secure64.com/products/secure64-dns-authority/ is an authoritative nameserver bundled with a custom Linux distribution.
- Secure64 DNS Cache (Secure64) https://secure64.com/products/secure64-dns-cache/ is a recursive server bundled with a custom Linux distribution.
- UltraDNS (UltraDNS Corporation) http://ultradns.com/: Appears to be a hosted service offering, only, not an externally available software product.
- Vantio Base Server (Nominum, Inc.) - http://www.nominum.com/products/vantio_base_server.php
- VitalQIP (Alcatel-Lucent, formerly Lucent Technologies, Inc.) - proprietary extensions to BIND9 to support names from DHCP and integrate with Microsoft Active Directory / Microsoft DNS http://enterprise.alcatel-lucent.com/?product=VitalQIP&page=overview
See also:
Stephane Bortzmeyer's article "The choices for a nameserver", comparing BIND9, NSD, and PowerDNS.
Brad Knowles's "Domain Name Server Comparison" presentations at LISA 2002 and RIPE 44.
To do: http://www.corpit.ru/mjt/udns.html http://daniel.haxx.se/projects/c-ares/ c-ares by by Daniel Stenberg and others (derived from ares library written by Greg Hudson at MIT. Asyncrhonous. See notes on http://www.corpit.ru/mjt/udns.html about it and adns. Notes about libresolv at https://lwn.net/Articles/665055/ . ldns https://www.nlnetlabs.nl/projects/ldns/ systemd-resolved.service stub resolver, etc. https://github.com/coredns/coredns More at https://packages.gentoo.org/categories/net-dns