[Message quoted below has been re-edited to update it.]
From: Rick Moen (rick@linuxmafia.com)
To: SlugLUG (sluglug@hermosa.cse.ucsc.edu)
Subject: Re: [SlugLUG] DNS links
User-Agent: Mutt/1.4i
Date: Sat, 23 Nov 2002 14:51:17 -0800
[...]
(Referring to Albitz and Liu's DNS and BIND.) I have an earlier edition, and have looked at this one on the shelves: This edition (4th) struck me as being a little weak on the new features of BIND 9.x, which is frustrating because there's not enough available on-line about that, either. I'll have to look at it again, but was disappointed at the time I looked.
Anyhow, one limitation of both the Albitz book and the troubleshooters.com DNS page is that they concern BIND, solely. Even after the from-scratch rewrite for the v. 9.x series, BIND is a slow, RAM-grabbing, overfeatured, monolithic daemon binary. It's a shame that most DNS information is BIND-specific, since that's held us back.
There are now a number of alternative packages that may have advantages for many deployments. E.g.:
- CustomDNS is an authoritative-only daemon, based on dnsjava, for both static addresses and its variant form of dynamic DNS. Java and Perl code by Eric Kidd, based in part on Brian Wellington's dnsjava package. Unmaintained since July 2000.
  http://customdns.sourceforge.net/
  Licence: LGPL and MIT/X.
- dproxy is a small caching forwarder server with a disk-based cache, suitable for small networks and workstations. Coded in C by Matthew Pratt.
  http://dproxy.sourceforge.net/
  Licence: GNU GPLv2 or later.
- dents is an authoritative, caching forwarder, and recursive resolver server, fully supporting zone transfers, but is perennially unfinished, and is probably dead, at this point. Coded in C by Johannes Erdfelt.
  http://sourceforge.net/projects/dents/
  Licence: GNU GPLv2 or later.
- djbdns is a suite of specialised-role, related DNS server utilities by Prof. Daniel J. Bernstein (DJB), prof. of mathematics at U. of Chicago and author of the qmail MTA:
  - djbdns is an omnibus package of all of DJB's DNS server software.
  - tinydns is the authoritative-only DNS daemon.
  - dnscache is the caching recursive-resolver.
  - walldns is the specialised authoritative-only DNS daemon for reverse-zone data, designed to minimise public leakage of inside host data.
  - rbldns is the specialised authoritative-only DNS daemon for DNS blocklist data about blocks of IP addresses such as dial-up IP lists.
  - axfrdns is the AXFR zone-transfer server. (NOTE: Absent third-party patches, the various djbdns utilities omit support for IETF NOTIFY, IXFR, outgoing AXFR, DNSSEC, TSIG, A6, DNAME, bitstring labels, Dynamic DNS, and other modern DNS features.)
  - axfr-get is the AXFR zone-transfer client.
  - dns is the DNS client library.
  - pickdns was the DNS load-balancing utility, but its functions were merged into tinydns as of djbdns v. 1.04 and above.
  Through 2007, fans of djbdns (and components thereof) would often assert that it was "free software" or "open source". It was not. However, starting in late 2007, DJB declared retroactively that djbdns (like qmail) was being made public domain by his own fiat. Absent patches, djbdns also requires the daemontools and ucspi-tcp packages. Coded in C by Daniel J. Bernstein.
  http://cr.yp.to/djbdns.html
  Licence: Declared to be "public domain".
- dnsjava is an authoritative, caching forwarder, and recursive resolver server, written in Java by Brian Wellington.
  http://www.dnsjava.org/
  Licence: Newer BSD licence.
- Dnsmasq is a small authoritative and caching forwarder server (no recursive service -- iterative queries only) for a group of NATted / IPmasqued machines (optionally pulling names from DHCP leases). Coded in C by Simon Kelley.
  http://www.thekelleys.org.uk/dnsmasq/
  Licence: GNU GPLv2 or later.
- DNRD (Domain Name Relay Daemon) is a small caching-only server for NAT / IPmasq networks. Coded in C by Natanael Copa, Brad Garcia, and Nathan Angelacos.
  http://dnrd.sourceforge.net/
  Licence: GNU GPLv2 or later.
- Eddieware Enhanced DNS Server (aka "lbdns") is a load-balancing authoritative and recursive resolver DNS server. Coded in Erlang by the Eddie Team.
  http://eddie.sourceforge.net/lbdns.html
  Licence: Erlang Public Licence, a Swedish variant of MPL 1.0.
- GnuDIP is an authoritative server for Dynamic DNS (supporting the RFC 2136/3147 DNS Dynamic Update protocol) coded in Perl by Mike Machado, but only "minimally maintained" and needing a new primary maintainer, as of 2003.
  http://gnudip2.sourceforge.net/gnudip-www/
  Licence: GNU GPLv2 or later.
- lbnamed is an authoritative-only daemon for static and dynamic information, with a load-balancing multi-machine architecture, written in Perl by Roland Schemers.
  http://www.stanford.edu/~riepel/lbnamed/
  Licence: Newer BSD licence.
- ldapdns is an LDAP database-based authoritative and caching server (no recursive service -- iterative queries only). Despite use of a database, it's much faster than BIND9. Coded in C by "Mrs. Brisby".
  http://ldapdns.sourceforge.net/
  Licence: GNU GPLv2 or later.
- MaraDNS is a general-purpose, fast authoritative, caching forwarder, and recursive resolver server, fully supporting zone transfers, which runs unprivileged, performs its own chroot, and includes its own buffer-overflow-resistant string library. Code is written in C by Sam Trenholme.
  http://www.maradns.org/
  Licence: Declared to be "public domain", changing to a simple permissive licence with warranty disclaimer starting with v. 1.1.
  Dovecot imapd author Timo Sirainen has posted some comments: "Should be secure. Code doesn't look too bad, but it's using a lot of gotos."
- moodns was meant to be an authoritative and recursive resolver server, but never passed alpha state. Discontinued. Coded in C by Michael Wolf.
  http://sourceforge.net/projects/moodns/
  Licence: Newer BSD licence, GNU GPLv2 or later.
- MyDNS is a MySQL or PostgreSQL-based authoritative and caching forwarder server (no recursive service -- iterative queries only) suitable for very large sites. In such roles, it's faster and more responsive than BIND9, even though the latter uses a RAM-based cache. Coded in C by Dan Moore.
  http://mydns.bboy.net/
  Licence: GPLv2 or later.
- NSD is a high-performance authoritative-only daemon, with DNSSEC support. Coded in C by a number of authors including Alexis Yushin and Erik Rozendaal.
  http://www.nlnetlabs.nl/nsd/
  Licence: Newer BSD licence.
- Oak DNS Server is an authoritative and recursive resolver server, supporting dynamic DNS updates and AAAA records. Doesn't need to run privileged. Coded in Python by Ed Stoner.
  http://www.digitallumber.com/oak
  Licence: GNU LGPL.
- pdnsd is a small caching forwarder server, coded in C by Paul A. Rombouts and Thomas Moestl, with a disk-based cache, suitable for small networks and workstations.
  http://www.phys.uu.nl/~rombouts/pdnsd.html
  Licence: GNU GPLv2 or later.
- Pliant DNS Server is an authoritative and caching forwarder server. Written in the Pliant language by Hubert Tonneau.
  http://fullpliant.org/pliant/protocol/dns/
  Licence: GNU GPLv2.
- Posadis is a fast authoritative and recursive resolver daemon, written in C++ by Meilof Veeningen.
  http://posadis.sourceforge.net/
  Licence: GNU GPLv2 or later.
- PowerDNS (open source as of 2002-11-25) is an authoritative and recursive resolver server with modular structure supporting various back-end information stores such as SQL databases (MySQL, PostgreSQL, Oracle 8i, Oracle 9i, IBM DB2, and others via ODBC), BIND zonefiles and other file formats, and LDAP directories. Supports AXFR zone transfers. Coded in C++ by Norbert Sendetzky and others.
  http://www.powerdns.com/products/powerdns/
  Licence: GNU GPLv2 or later.
- rbldnsd is a small, fast authoritative server for DNS blocklist information (and can also serve other types of zone data). Coded in C by Michael Tokarev.
  http://www.corpit.ru/mjt/rbldnsd.html
  Licence: GNU GPLv2 or later.
- Stanford::DNSserver is lbnamed (see separate entry), reworked and packaged as a Perl module by Rob Riepel and others.
  http://www.stanford.edu/~riepel/lbnamed/Stanford-DNSserver/
  Licence: Newer BSD licence.
- Trick or Treat Daemon (ToTD) is a small caching forwarder server, suitable for small networks and workstations. Coded in C by Feike W. Dillema and members of the WIDE Project.
  http://www.vermicelli.pasta.cs.uit.no/ipv6/software.html
  Licence: Simple permissive licence (Dillema's code) and older BSD licence (WIDE Project code).
- Twisted Names is an authoritative, caching forwarder, and recursive resolver server, also functioning as a resolver library, written in Python by Twisted Matrix Laboratories (Jp Calderone and others).
  http://twistedmatrix.com/projects//names/
  Licence: MIT/X.
- Unbound is a fast, small, modular caching, recursive-resolver server, from the same people (NLnet Labs) who produced the excellent NSD authoritative-only nameserver, with additional help from VeriSign, Inc. and Kirei. Unbound does not itself do authoritative service, but does do "stub-zones" (local data or AS112 zones). It is claimed to be fully RFC-compliant, including DNSSEC validation. Coded in C.
  http://unbound.net/
  Licence: BSD.
- Yaku-NS (formerly ENS) is a small, fast authoritative, caching forwarder, and recursive resolver server, fully supporting zone transfers, aimed at embedded use. Does internal chroot, and attempts to prevent stack-smashing. Coded in C by Salvatore Sanfilippo.
  http://www.kyuzz.org/antirez/ens.html
  Licence: GNU GPLv2 or later.
Related:
- adns is a resolver library for C (and C++) programs, and a collection of useful resolver utilities, coded in C by Ian Jackson.
  http://www.chiark.greenend.org.uk/~ian/adns/
  Licence: GNU GPLv2 or later.
- Ares is an asynchronous resolver library in C by Greg Hudson.
  ftp://athena-dist.mit.edu/pub/ATHENA/ares/
  Licence: MIT/X.
- BIND DLZ (BIND Dynamically Loadable Zones) is a set of patches for BIND9 to make it use your choice of numerous back-end databases instead of flatfile zonefiles, and reduce memory usage (since BIND9 no longer needs to load everything into RAM at once). Coded in C by Rob Butler.
  http://bind-dlz.sourceforge.net/
  Licence: Simple permissive licence with warranty disclaimer.
- Constrict is a Python library for access to information parsed from the libbind library provided by BIND8. Coded in Python by Jason Smith.
  http://www.oes.co.th/projects/Constrict
  Licence: GNU GPLv2.
- dnsbls is a daemon offering Perl/CPAN code (notably the Mail::SpamCannibal anti-spam tool and dbtarpit) access to DNS blocklist data stored in a BerkeleyDB database. (It apparently doesn't serve up normal sorts of DNS information, which is why I put it in the "related" category.) It's coded in C by Michael Robinton.
  http://www.spamcannibal.org/docs/dnsbls.html
  Licence: GNU GPLv2 or later.
- dnspython is a Python toolkit for programmatic access to DNS functions, by Bob Halley.
  http://www.dnspython.org/
  Licence: Simple permissive licence with attribution requirement and warranty disclaimer.
- FireDNS is a resolver library with emphasis on speed and asynchronous processing. Has low-timeout blocking functions. Can be used to replace standard libc resolver library functions like gethostbyname with much faster equivalent code. Written in C by Ian Gulliver.
  http://firestuff.org/projects/firedns/
  Licence: GNU GPLv2.
- LDAP sdb is a patch to enable BIND9 to reach an LDAP back-end database instead of flatfile zonefiles, using the simplified database interface "sdb". Coded in C by Stig Venaas.
  http://www.venaas.no/ldap/bind-sdb/
  Licence: Simple permissive licence with warranty disclaimer.
- ldns is a library for access to DNS/DNSSEC data, relying on CPAN's Net::DNS module. Written in C by NLnet Labs.
  http://www.nlnetlabs.nl/ldns/
  Licence: Newer BSD licence.
- Net::DNS is a resolver library, coded in Perl by Michael Fuhr, Olaf Kolkman, and Chris Reinhardt.
  http://www.net-dns.org/
  Licence: GNU GPLv2 or later, or Artistic Licence.
- Poslib is a resolver library and authoritative-server library in C++ by Meilof Veeningen.
  http://posadis.sourceforge.net/poslib/
  Licence: GNU GPLv2 or later.
This list would not be complete without:
- BIND9 is a full-featured recursive-resolver, authoritative, and caching nameserver, bundled with a resolver client library. This is a from-scratch rewrite of the hopelessly spaghetti-coded legacy BIND8 codebase that Paul Vixie inherited from UC Berkeley: Vixie commissioned its creation by Nominum, Inc., who wrote it solely from the BIND8 specifications without reference to the old codebase.
  http://www.isc.org/index.pl?/sw/bind/
  Licence: Simple permissive licence with warranty disclaimer.
  Dovecot imapd author Timo Sirainen has posted some comments: the code relies on several ISC wrapper libraries for key functions, and has lots of asserts and sanity checks; "in general the code just feels heavy — functions have tons of variables, some functions are huge, locks for thread safety, lots of goto jumping to deinitialization parts if something went wrong".
  BIND9 is slow and large compared to many competitors, and the monolithic codebase seems overfeatured.
- BIND8 should be scrupulously avoided, for reasons cited above. (Some BIND8 code still lives on, in the DNS resolver library shipped with typical Linux and BSD distributions. This is regrettable, but the occasional security failures in that codebase should not be attributed to BIND9.)
  Licence: Simple permissive licence with warranty disclaimer.
--
Cheers,                    Before enlightenment, caffeine.
Rick Moen                  After enlightenment, caffeine.
rick@linuxmafia.com
Proprietary packages include:
- ANS: Authoritative Name Server (Nominum, Inc.) http://www.nominum.com/products.php?id=2
- ATLAS (Verisign)
- BINDPlus (Information Network Eng. Group, Inc.)
- Cisco Network Registrar (Cisco Systems, Inc.) - http://www.cisco.com/warp/public/cc/pd/nemnsw/nerr/
- CNS: Caching Name Server (Nominum, Inc.) http://www.nominum.com/products.php?id=1
- DNS Commander (Incognito Software, Inc.)
- Global Name Service (Nominum, Inc.)
- IPControl (International Network Services, Inc.) - proprietary extensions to BIND9 http://www.ins.com/software/products.aspx?id=685
- NeDNS (Neteka, Inc.) - company's Web site has disappeared; product is apparently discontinued
- Men & Mice Suite (formerly QuickDNS Pro, formerly QuickDNS; from Men&Mice) http://www.menandmice.com/
- sqldjbdns/sqldns/pgsqldns http://untroubled.org/sqldjbdns/
- UltraDNS (UltraDNS Corporation) http://ultradns.com/
- VitalQIP (Lucent Technologies, Inc.) - proprietary extensions to BIND9 http://www.qip.lucent.com/
See also:
Stephane Bortzmeyer's article "The choices for a nameserver", comparing BIND9, NSD, and PowerDNS.
Brad Knowles's "Domain Name Server Comparison" presentations at LISA 2002 and RIPE 44.