A couple of alternative DNS servers
That situation is changing, however. Over the last week, two different free DNS server implementations have announced new releases. So it seems like a good time to give them a look.
The announcement of the first public release of the Oak DNS server went out recently. Oak is written entirely in Python, with the result that it is portable to many systems (even Windows) and should be relatively resistant to buffer overrun attacks. Oak is licensed under the LGPL, and supports most of the features one would expect in a nameserver: recursion, master and slave modes, etc.
That said, Oak is very much a work in progress. It comes packaged as one big Python module and a driver script; no distutils installation support in sight. It reads the usual DNS master file format to get zone information, but the top-level configuration takes the form of a screenful or so of Python code - not something every system administrator will want to get into. Documentation is scarce; those wanting to make serious use of Oak at this point will likely have to delve into the code. This is definitely not Aunt Tillie's DNS server.
But the core functionality of Oak appears to be solid, and the project's maintainer (Ed Stoner) is responsive to problem reports. It would not take all that much work to turn Oak into a simple, secure, high-quality DNS server, especially for smaller installations. If you like Python programming, Oak is worth a look now; with luck it will be ready for everybody else in the near future.
For a very different sort of nameserver, see the announcement for PowerDNS 2.9.4. PowerDNS was, for some time, a proprietary system; it was released under the GPL in November of 2002. The pace of development seems to have picked up since then, and PowerDNS is evolving into an impressive system.
While Oak may be best suited to small networks, PowerDNS is clearly aimed at large ISPs and others who must serve huge numbers of domains. It can obtain its DNS information via several backends; it can, for example, run from an existing BIND configuration, or talk (using a pipe) to an arbitrary process via a simple and well-documented protocol. The most developed backends, however, would appear to be those which work with a MySQL, PostgreSQL, or Oracle database. PowerDNS comes with a database schema that it expects to use, but the SQL it uses is easily changed via the configuration file. PowerDNS, thus, will happily fit in with just about any sort of in-house system used for the management of domain information.
PowerDNS also includes its own built-in web server which provides information on performance and the most frequent queries. It can also produce statistics meant to be fed directly to MRTG. PowerDNS supports the usual security features (setuid, chroot), and has been written for high performance when dealing with thousands of domains. It is also extensively documented on doc.powerdns.com.
The one thing that PowerDNS lacks is support for recursive name resolution. With its default configuration, if PowerDNS does not have an authoritative answer for a given query, it refuses to answer at all. It is thus suitable for handling primary and secondary nameserver duties, but not for handling name lookups for users. That is changing, though; version 2.9.4 includes a recursive nameserver which can be built and run as a separate process. The plan, apparently, is to integrate that functionality into PowerDNS itself in the 2.9.5 release.
Oak and PowerDNS are not the only alternative free nameservers, of course. Some others which appear to be reasonably stable and under active development include:
- MaraDNS (a simple, recursive nameserver).
- MyDNS (an authoritative-only system which works with MySQL or PostgreSQL).
- NSD (authoritative-only).
(And yes, in order to forestall a flood of email, we should mention that the not-quite-free djbdns package is also out there).
BIND is a package with a long history of service; the Internet is literally built on it. Its security record is not that bad, considering its wide deployment and the amount of energy that has gone into finding vulnerabilities. But the security of the Net as a whole can only be improved by the emergence of solid, well-supported alternatives.
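The article's remark that a Python implementation is "relatively resistant to buffer overrun attacks" refers to exactly the kind of parsing shown here: decoding compressed names in a DNS message (the part of the protocol the comments below single out as the one that makes would-be implementers give up). This is an added illustration, not code from the article, from Oak, or from any other server named on this page; the sample message and the LOOP bytes are constructed, and the names read_name and is_malformed are assumed here. Every check that raises ValueError is a place where an unchecked C parser would read past its buffer or spin on a pointer loop.

```python
import struct

def read_name(msg: bytes, offset: int):
    """Decode a possibly compressed DNS name (RFC 1035 s4.1.4) at msg[offset].
    Returns (dotted_name, offset just past the name as written in-line)."""
    labels, pos, end, total = [], offset, None, 0
    while True:
        if pos >= len(msg):
            raise ValueError("name runs past end of message")
        length = msg[pos]
        if length == 0:                      # root label terminates the name
            pos += 1
            break
        if length & 0xC0 == 0xC0:            # two-byte compression pointer
            if pos + 1 >= len(msg):
                raise ValueError("truncated pointer")
            target = struct.unpack("!H", msg[pos:pos + 2])[0] & 0x3FFF
            # A pointer may only reference an earlier byte; insisting on that
            # makes every hop strictly decrease pos, so pointer loops cannot spin.
            if target >= pos:
                raise ValueError("forward or self pointer")
            if end is None:                  # in-line name ends after first pointer
                end = pos + 2
            pos = target
            continue
        if length & 0xC0:                    # 0x40 / 0x80 label types are reserved
            raise ValueError("unsupported label type")
        if pos + 1 + length > len(msg):
            raise ValueError("label runs past end of message")
        total += length + 1
        if total > 255:                      # RFC 1035 wire-format name limit
            raise ValueError("name longer than 255 octets")
        labels.append(msg[pos + 1:pos + 1 + length].decode("ascii"))
        pos += 1 + length
    return ".".join(labels) + ".", (pos if end is None else end)

def is_malformed(msg: bytes, offset: int) -> bool:
    """True when read_name rejects the name at offset (what a server should log)."""
    try:
        read_name(msg, offset)
        return False
    except ValueError:
        return True

# Constructed response fragment: question "www.example.com" at offset 12, a bare
# pointer at offset 33, and "mail" + pointer to "example.com" (offset 16) at 35.
SAMPLE = (b"\x12\x34\x81\x80\x00\x01\x00\x01\x00\x00\x00\x00"
          + b"\x03www\x07example\x03com\x00" + b"\x00\x01\x00\x01"
          + b"\xc0\x0c" + b"\x04mail\xc0\x10")
LOOP = b"\x00" * 12 + b"\xc0\x0c"   # constructed: pointer to itself at offset 12
```

A malformed name is rejected with an exception rather than read out of bounds; a server built on this would log the offending packet and drop it.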
dnsmasq
Posted Jan 18, 2003 1:15 UTC (Sat) by rfunk (subscriber, #4054)
There's also dnsmasq, which is a forwarding nonrecursive server that can serve up answers from /etc/hosts and the dhcp lease file.

pdnsd
Posted Jan 18, 2003 5:23 UTC (Sat) by dkeller (guest, #4946)
There's also pdnsd (http://home.t-online.de/home/Moestl/); it may not be a full DNS server, but it works great when you have a VPN and need services' internet names and intranet names (behind the VPN).

djbdns
Posted Jan 18, 2003 16:06 UTC (Sat) by anr (guest, #234)
Don't let the "not-quite-free" argument put you down. The license isn't a problem for DIY end users.
Also, it's very hard to match DJB's code quality. Just take a look at the changelogs involved... Together with daemontools & ucspi-tcp, the package can be very nice to use and administer. Finally, tinydns' data format is very well thought out. The departure from using the problematic bind zone file format is refreshing.

djbdns
Posted Jan 20, 2003 0:03 UTC (Mon) by iabervon (subscriber, #722)
The license is somewhat inconvenient for users who want, for example, a local-only DNS server which keeps its cache across reboots, like you might want for a desktop machine. A patch exists to make dnscache do this, but it has to be applied by hand by the end user due to the license.

djbdns
Posted Jan 24, 2003 12:49 UTC (Fri) by anr (guest, #234)
I don't think this is a good example, because the vast majority of users wouldn't benefit from this patch (there's a reason it isn't implemented upstream).
It's better to configure your desktop's dnscache in forward only mode. But if you installed from source & want the patch anyway, applying it isn't rocket science ;-)

A couple of alternative DNS servers
Posted Jan 18, 2003 18:05 UTC (Sat) by stuart (subscriber, #623)
What's more, all of these DNS servers are available from Debian in official packages.
apt-get install <package name>
You gotta love it.

Twisted Names -- another option
Posted Jan 19, 2003 2:28 UTC (Sun) by spiv (guest, #9031)
Another Python DNS server worth considering is Twisted Names, part of the Twisted library -- http://twistedmatrix.com/. Be sure to look at the 1.0.2 alpha, rather than 1.0.1, as Twisted Names is also being actively developed.
It's still a work in progress, but since Jp Calderone started maintaining it, it has been improving rapidly. I believe it currently has support for:
- recursive lookups
- authoritative answers
- caching
- TCP and UDP
- IPv6
- BIND9 zone files
- and probably other things I haven't noticed :)
The code should be flexible enough that you could write an SQL backend or whatever you need, if necessary. There's plenty left to be done (like optimisation), but I reckon it's worth a look -- as is the rest of Twisted ;)

A couple of alternative DNS servers
Posted Jan 19, 2003 20:11 UTC (Sun) by edstoner (subscriber, #4496)
The latest version of Oak has distutils installation support.

DDNS and IXFR?
Posted Jan 20, 2003 9:11 UTC (Mon) by hensema (guest, #980)
Do these servers support Dynamic updates and incremental zone transfers? It's a feature of bind I can't live without because I'm using ISC DHCPD 3.0 which supports dynamic DNS updates.
I also use IPv6 and DNAME records (to simplify the administration of my reverses). AFAIK bind is still the only DNS to support this. And since it's running safely in a chroot jail as an unprivileged user, I don't worry about security ;-)

DDNS and IXFR?
Posted Jan 20, 2003 17:21 UTC (Mon) by edstoner (subscriber, #4496)
Oak supports Dynamic updates. It doesn't support incremental zone transfers yet, but should in a week or two.
Oak supports AAAA records but doesn't support A6 or DNAME because the IETF has downgraded them to experimental and recommended that people don't use them (that's my understanding anyway). Oak runs as an unprivileged user by default and it should be fairly easy to run it in a chroot jail. These things are good at protecting the system the server is running on, but don't help at all in protecting the data in the running DNS server. Not having the cache poisoned and not having someone rewrite the zone data so that all of your server's names point to their machines can be just as important as not letting them be root on the host machine. In other words, the code in the DNS Server still needs to be secure, no matter how secure the system it's running on is.

CNAMEs and djbdns
Posted Jan 23, 2003 5:34 UTC (Thu) by ncm (guest, #165)
The older report, on djbdns, mentioned that DJB doesn't approve of CNAME records. What is supposed to be wrong with CNAME records, and what are we expected to do instead?

CNAMEs and djbdns
Posted Jan 24, 2003 12:37 UTC (Fri) by anr (guest, #234)
What's wrong with CNAMEs:
http://www.faqts.com/knowledge_base/view.phtml/aid/8815/fid/699
http://cr.yp.to/djbdns/tinydns-data.html
http://cr.yp.to/djbdns/notes.html#aliases
What you should do instead: use A records. Quoting the manual: "Don't use Cfqdn if there are any other records for fqdn. Don't use Cfqdn for common aliases; use +fqdn instead. Remember the wise words of Inigo Montoya: ``You keep using CNAME records. I do not think they mean what you think they mean.''"

Writing a DNS server is easy
Posted Jan 23, 2003 12:42 UTC (Thu) by paulsheer (guest, #3925)
I actually find the whole DNS concept quite laughable. Admittedly, a recursive nameserver is a largish software project, but a master server is actually very simple to write. I wrote one in a weekend and it's soon going to be the primary server for the .nis.za domain. It handles all common record types, and TCP and UDP queries, and it's lightning fast.
I'll release the code after I add recursive queries.
I believe it has no exploits.

Writing a DNS server is easy
Posted Jan 23, 2003 20:18 UTC (Thu) by ahu (guest, #4298)
I'll speak to you a year from now :-) Anyhow, the recursive part is not that hard, the PowerDNS one is just 448 lines.

Re: Writing a DNS server is easy
Posted Jan 25, 2003 10:41 UTC (Sat) by sam (guest, #1329)
Well, depends on what sort of infrastructure you already have in place. My recursive server is over 4000 lines long (!!!), but that includes the entire caching infrastructure.
Does your caching infrastructure have a method of removing elements from the cache so they no longer take up memory? It took us months to get rid of all of the memory leaks in MaraDNS' cache. BTW, Bert, I would like to applaud you for making Power DNS open source. It is good to see you being realistic enough to realize that you are better off GPLing this package. You will still earn money by putting it on your résumé to impress people when the tech economy picks up again. It is good to have competition among different open source DNS products; I am glad that the "call to arms" for a non-BIND DNS server has resulted in a number of implementations. Just two weeks ago, there were all of three non-BIND freely downloadable recursive DNS servers (my MaraDNS, pdnsd, and DjbDNS). All of a sudden, there are two more--five in total.
- Sam

Re: Writing a DNS server is easy
Posted Feb 3, 2003 18:46 UTC (Mon) by ahu (guest, #4298)
two words: use c++ :-) Saves heaps of typical C problems if done right, like memory leaks and the need to write btrees and whatnot

Writing a DNS server is easy
Posted Jan 25, 2003 10:14 UTC (Sat) by sam (guest, #1329)
Hmmm, well get back to us after you get compression working and after you have a working recursive DNS server. These are the two things which cause most would-be DNS implementers to give up on writing a DNS server. For example, moodns died when the author looked at what it took to get compression going. Dents died before the recursive part was finished. And so on.
I think it is appropriate to quote a Slashdot posting I did recently:
Let me put it this way. Writing a DNS client (or a non-recursive DNS server) is sort of like Highlander I. Entertaining, really. You think to yourself "Hey! That was easy! A recursive server can't be too bad!"
Well, writing a working recursive DNS server is like watching Highlander II. Suddenly, just as Highlander II changes your outlook on the entire Highlander franchise, writing a recursive DNS server changes your outlook on the entire DNS protocol.
- Sam

A listing of DNS servers
Posted Jan 27, 2003 16:03 UTC (Mon) by rickmoen (subscriber, #6943)
Recursive DNS servers are indeed still relatively rare, but I'm now keeping a record of nameserver packages of all types available (or believed available) for *ix, here:
http://linuxmafia.com/~rick/linux-info/dns-servers
Open source:
Proprietary:
P.S.: It might be true, for all I know, that (as Sam says in one of his comments) "writing a working recursive DNS server is like watching Highlander II", except that I'm sure you're not similarly driven to say "There should have been only one." *grin*
Rick Moen
rick@linuxmafia.com

A listing of DNS servers
Posted Jan 28, 2003 12:49 UTC (Tue) by anr (guest, #234)
Please explain what makes you list djbdns under the "proprietary" category. Some points:
* You can distribute patches (and apply) at will.
* The source code is available to all who want it. It seems to me that a label like "Restricted Open Source" would be closer to the truth.

What is free software
Posted Jan 30, 2003 0:33 UTC (Thu) by sam (guest, #1329)
A lot of DJB advocates seem to be confused about what the general free software community considers free software. The software is not software libre, according to the FSF. The open source web site mentions nothing about DJB's license, since it is not free software as per their definition (look at section three, "derived works").
Let me make this clear: Dan is one of the best programmers out there.
He has an excellent security history. He has many years' experience with UNIX and a driving obsession which makes him a very good coder. His DNS notes were very helpful in making my DNS server a better program; while very opinionated, his opinions have merit. I respect him greatly as a coder.
He has understandable reasons to make his software not be libre. Unfortunately, his code will have a limited appeal until when and if he releases it under a more open license.
- Sam

A listing of DNS servers
Posted Mar 16, 2003 10:59 UTC (Sun) by rickmoen (subscriber, #6943)
anr asked:
> Please explain what makes you list djbdns under the "proprietary" category.
Gladly. Prof. Bernstein's terms of usage, while very generous and commendable, do not include the right to fork (Open Source Definition provision #3 -- which is the central concept of open source). Thus, nobody else has the legal right to develop, maintain, and release modified versions. Also, when/if Prof. Bernstein ceases to issue new versions, the project will probably pretty much die for lack of legal right to maintain the code (except in private or as patch files).
Please note that the term "proprietary" is not pejorative: It's a descriptive category, and includes a broad spectrum of licensing types, including Prof. Bernstein's benevolent source-available one on the liberal end.
Prof. Bernstein feels that his ability to control the package's quality justifies this limitation (and he may be right). But, as a result, djbdns/dnscache is most plainly not open source.
As Sam says, Prof. Bernstein's DNS notes are a crucial resource for anyone wanting to truly understand DNS at a technical level, and I join Sam in recommending them to people.
Rick Moen
rick@linuxmafia.com