LWN.net Logo

Not logged in

Log in now

Create an account

Subscribe to LWN

Weekly Edition

Return to the Front page

Recent Features

LWN.net Weekly Edition for February 9, 2012

XBMC 11 "Eden"

LWN.net Weekly Edition for February 2, 2012

A tempest in a toybox

LWN.net Weekly Edition for January 26, 2012

Printable page
Weekly edition Kernel Security Distributions Contact Us Search
Archives Calendar Subscribe Write for LWN LWN.net FAQ Sponsors

A couple of alternative DNS servers

[Posted January 17, 2003 by corbet]

One of our favorite things to worry about here at LWN is software monocultures. When everybody is running the same thing, a single vulnerability can compromise them all. The BIND nameserver package has thus occasionally come up as a topic of concern, since it has one of the strongest monopolies in the free software arena. There have been very few free alternatives to BIND which have become stable enough for people to trust them with their name service tasks.

That situation is changing, however. Over the last week, two different free DNS server implementations have announced new releases. So it seems like a good time to give them a look.

The announcement of the first public release of the Oak DNS server went out recently. Oak is written entirely in Python, with the result that it is portable to many systems (even Windows) and should be relatively resistent to buffer overrun attacks. Oak is licensed under the LGPL, and supports most of the features one would expect in a nameserver: recursion, master and slave modes, etc.

That said, Oak is very much a work in progress. It comes packaged as one big Python module and a driver script; no distutils installation support in sight. It reads the usual DNS master file format to get zone information, but the top-level configuration takes the form of a screenful or so of Python code - not something every system administrator will want to get into. Documentation is scarce; those wanting to make serious use of Oak at this point will likely have to delve into the code. This is definitely not Aunt Tillie's DNS server.

But the core functionality of Oak appears to be solid, and the project's maintainer (Ed Stoner) is responsive to problem reports. It would not take all that much work to turn Oak into a simple, secure, high-quality DNS server, especially for smaller installations. If you like Python programming, Oak is worth a look now; with luck it will be ready for everybody else in the near future.

For a very different sort of nameserver, see the announcement for PowerDNS 2.9.4. PowerDNS was, for some time, a proprietary system; it was released under the GPL in November of 2002. The pace of development seems to have picked up since then, and PowerDNS is evolving into an impressive system.

While Oak may be best suited to small networks, PowerDNS is clearly aimed at large ISPs and others who must serve huge numbers of domains. It can obtain its DNS information via several backends; it can, for example, run from an existing BIND configuration, or talk (using a pipe) to an arbitary process via a simple and well-documented protocol. The most developed backends, however, would appear to be those which work with a MySQL, PostgreSQL, or Oracle database. PowerDNS comes with a database scheme that it expects to use, but the SQL it uses is easily changed via the configuration file. PowerDNS, thus, will happily fit in with just any sort of in-house system used for the management of domain information.

PowerDNS also includes its own built-in web server which provides information on performance and the most frequent queries. It can also produce statistics meant to be fed directly to MRTG. PowerDNS supports the usual security features (setuid, chroot), and has been written for high performance when dealing with thousands of domains. It is also extensively documented on doc.powerdns.com.

The one thing that PowerDNS lacks is support for recursive name resolution. With its default configuration, if PowerDNS is does not have an authoritative answer for a given query, it refuses to answer at all. It is thus suitable for handling primary and secondary nameserver duties, but not for handling name lookups for users. That is changing, though; version 2.9.4 includes a recursive nameserver which can be built and run as a separate process. The plan, apparently, is to integrate that functionality into PowerDNS itself in the 2.9.5 release.

Oak and PowerDNS are not the only alternative free nameservers, of course. Some others which appear to be reasonably stable and under active development include:

  • MaraDNS (a simple, recursive nameserver).
  • MyDNS (an authoritative-only system which works with MySQL or PostgreSQL).
  • NSD (authoritative-only).

(And yes, in order to forestall a flood of email, we should mention that the not-quite-free djbdns package is also out there).

BIND is a package with a long history of service; the Internet is literally built on it. Its security record is not that bad, considering its wide deployment and the amount of energy that has gone into finding vulnerabilities. But the security of the Net as a whole can only be improved by the emergence of solid, well-supported alternatives.

(Log in to post comments)

dnsmasq

Posted Jan 18, 2003 1:15 UTC (Sat) by rfunk (subscriber, #4054) [Link]

There's also dnsmasq, which is a forwarding nonrecursive server that can serve up answers from /etc/hosts and the dhcp lease file.

pdnsd

Posted Jan 18, 2003 5:23 UTC (Sat) by dkeller (guest, #4946) [Link]

There's also pdnsd (http://home.t-online.de/home/Moestl/), may not
be a full DNS server but it works great when you have a VPN and need
services internet names and intranet names (behind the VPN).

djbdns

Posted Jan 18, 2003 16:06 UTC (Sat) by anr (subscriber, #234) [Link]

Don't let the "not-quite-free" argument put you down. The license isn't a problem for DIY end users.

Also, it's very hard to match DJB's code quality. Just take a look at the changelogs involved...

Togheter with daemontools & ucspi-tcp, the package can be very nice to use and administer.

Finally, tinydns' data format is very well thought out. The departure from using the problematic bind zone file format is refreshing.

djbdns

Posted Jan 20, 2003 0:03 UTC (Mon) by iabervon (subscriber, #722) [Link]

The license is somewhat inconvenient for users who want, for example, a local-only DNS server
which keeps its cache across reboots, like you might want for a desktop machine. A patch exists
to make dnscache do this, but it has to be applied by hand by the end user due to the license.

djbdns

Posted Jan 24, 2003 12:49 UTC (Fri) by anr (subscriber, #234) [Link]

I don't think this is a good example, because the vast majority of users wouldn't benefit from this patch (there's a reason it isn't implemented upstream).

It's better to configure your desktop's dnscache in forward only mode.

But if you installed from source & want the patch anyway, applying it isn't rocket science ;-)

A couple of alternative DNS servers

Posted Jan 18, 2003 18:05 UTC (Sat) by stuart (subscriber, #623) [Link]

What's more all of these DNS servers are available from Debian in official packages.
apt-get install <package name>
You gotta love it.

Twisted Names -- another option

Posted Jan 19, 2003 2:28 UTC (Sun) by spiv (subscriber, #9031) [Link]

Another Python DNS server worth considering is Twisted Names, part of the Twisted library -- http://twistedmatrix.com/. Be sure to look at the 1.0.2 alpha, rather than 1.0.1, as Twisted Names is also being actively developed.

It's still a work in progress, but since Jp Calderone started maintaining it, it has been improving rapidly. I believe it currently has support for:
- recursive lookups
- authoritative answers
- caching
- TCP and UDP
- IPv6
- BIND9 zone files
- and probably other things I haven't noticed :)

The code should be flexible enough that you could write an SQL backend or whatever you need, if necessary. There's plenty left to be done (like optimisation), but I reckon its worth a look -- as is the rest of Twisted ;)

A couple of alternative DNS servers

Posted Jan 19, 2003 20:11 UTC (Sun) by edstoner (guest, #4496) [Link]

The latest version of Oak has distutils installation support.

DDNS and IXFR?

Posted Jan 20, 2003 9:11 UTC (Mon) by hensema (guest, #980) [Link]

Do these servers support Dynamic updates and incremental zone transfers? It's a feature of bind I can't live without because I'm using ISC DHCPD 3.0 which supports dynamic DNS updates.

I also use IPv6 and DNAME records (to simplify the administration of my reverses).

AFAIK bind is still the only DNS to support this. And since it's running safely in a chroot jail as an unpriviliged user, I don't worry about security ;-)

DDNS and IXFR?

Posted Jan 20, 2003 17:21 UTC (Mon) by edstoner (guest, #4496) [Link]

Oak supports Dynamic updates. It doesn't support incremental zone transfers yet, but should in a week or two.

Oak supports AAAA records but doesn't support A6 or DNAME because the IETF has downgraded them to experimental and recommended that people don't use them (that's my understanding anyway).

Oak runs as an unpriviliged user by default and it should be fairly easy to run it in a chroot jail. These things are good at protecting the system the server is running on, but don't help at all in protecting the data in the running DNS server. Not having the cache poisoned and not having someone rewrite the zone data so that all of your server's names point to their machines can be just as important as not letting them be root on the host machine. In other words, the code in the DNS Server still needs to secure, no matter how secure the system it's running on is.

CNAMEs and djbdns

Posted Jan 23, 2003 5:34 UTC (Thu) by ncm (subscriber, #165) [Link]

The older report, on djbdns, mentioned that DJB doesn't approve of CNAME records. What is supposed to be wrong with CNAME records, and what are we expected to do instead?

CNAMEs and djbdns

Posted Jan 24, 2003 12:37 UTC (Fri) by anr (subscriber, #234) [Link]

What's wrong with CNAMEs:

http://cr.yp.to/djbdns/notes.html#aliases
http://www.faqts.com/knowledge_base/view.phtml/aid/8815/fid/699

What you should do instead: use A records.

Quoting the manual:
http://cr.yp.to/djbdns/tinydns-data.html

" Don't use Cfqdn if there are any other records for fqdn. Don't use Cfqdn for common aliases; use +fqdn instead. Remember the wise words of Inigo Montoya: ``You keep using CNAME records. I do not think they mean what you think they mean.'' "

Writing a DNS server is easy

Posted Jan 23, 2003 12:42 UTC (Thu) by paulsheer (guest, #3925) [Link]

I actually find the whole DNS concept quite laughable. Admittedly, a recursive nameserver is a largish software project, but a master server is actually very simple to write. I wrote one in a weekend and its soon going to be the primary server for the .nis.za domain. It handles all common record types, and TCP and UDP queries, and its lightning fast.

I'll release the code after I add recursive queries.

I believe it has no exploits.

Writing a DNS server is easy

Posted Jan 23, 2003 20:18 UTC (Thu) by ahu (guest, #4298) [Link]

I'll speak to you a year from now :-) Anyhow, the recursive part is not that hard, the PowerDNS one is just 448 lines.

Re: Writing a DNS server is easy

Posted Jan 25, 2003 10:41 UTC (Sat) by sam (guest, #1329) [Link]

Well, depends on what sort of infastructure you already have in place. My recursive server is over 4000 lines long (!!!), but that includes the entire caching infastructure.

Does your caching infastructure have a method of removing elements from the cache so they no longer take up memory?

It took us months to get rid of all of the memory leaks in MaraDNS' cache.

BTW, Bert, I would like to applaud you for making Power DNS open source. It is good to see being realistic enough to realize that you are better off GPLing this package. You will still earn money by putting it on your résumé to impress people when the tech economy picks up again.

It is good to have competition among different open source DNS products; I am glad the "call to arms" for a non-BIND DNS server which has resulted in a number of implementations. Just two weeks ago, there were all of three non-BIND freely downloadable recursive DNS servers (my MaraDNS, pdnsd, and DjbDNS). All of a sudden, there are two more--five in total.

- Sam

Re: Writing a DNS server is easy

Posted Feb 3, 2003 18:46 UTC (Mon) by ahu (guest, #4298) [Link]

two words: use c++ :-) Saves heaps of typical C problems if done right, like memory leaks and the need to write btrees and whatnot

Writing a DNS server is easy

Posted Jan 25, 2003 10:14 UTC (Sat) by sam (guest, #1329) [Link]

Hmmm, well get back to us after you get compression working and after you have a working recursive DNS server. These are the two things which cause most would-be DNS implementers to give up on writing a DNS server. For example, moodns died when the author looked at what it took to get compression going. Dents died before the recursive part was finished. And so on.

I think it is apporoporate to quote a Slashdot posting I did recently:

Let me put it this way. Writing a DNS client (or a non-recursive DNS server) is sort of like Highlander I. Entertaining, really. You think to youself "Hey! That was easy! A recursive server can't be too bad!"

Well, writing a working recursive DNS server is like watching Highlander II. Suddenly, just as Highlander II changes your outlook on the entire Highlander franchise, writing a recursive DNS server changes your outlook on the entire DNS protocol.

- Sam

A listing of DNS servers

Posted Jan 27, 2003 16:03 UTC (Mon) by rickmoen (subscriber, #6943) [Link]

Recursive DNS servers are indeed still relatively rare, but I'm now keeping a record of nameserver packages of all types available (or believed available) for *ix, here:

http://linuxmafia.com/~rick/linux-info/dns-servers

Open source:

  • MaraDNS
  • pdnsd
  • Dnsmasq
  • DNRD
  • MyDNS
  • ldapdns
  • GnuDIP
  • NSD
  • PowerDNS
  • CustomDNS
  • lbnamed
  • Posadis
  • dents (probably dead, as Sam says)
  • Pliant DNS Server
  • Yaku-NS
  • Twisted Names
  • Oak DNS Server

Proprietary:

  • UltraDNS (UltraDNS Corporation)
  • djbdns/tinydns
  • ATLAS (Verisign)
  • BINDPlus (Information Network Eng. Group, Inc.)
  • Global Name Service (Nominum, Inc.)
  • NeDNS (Neteka, Inc.)

P.S.: It might be true, for all I know, that (as Sam says in one of his comments) that "writing a working recursive DNS server is like watching Highlander II", except that I'm sure you're not similarly driven to say "There should have been only one." *grin*

Rick Moen
rick@linuxmafia.com

A listing of DNS servers

Posted Jan 28, 2003 12:49 UTC (Tue) by anr (subscriber, #234) [Link]

Please explain what makes you list djbdns under the "proprietary" category. Some points:

* The source code is available to all who want it.
* You can distribute patches (and apply) at will.

It seems to me that a label like "Restricted Open Source" would be closer to the truth.

What is free software

Posted Jan 30, 2003 0:33 UTC (Thu) by sam (guest, #1329) [Link]

A lot of DJB advocates seem to be confused about what the general free software community considers free software. The software is not software libre, according to the FSF. The open source web site mentions nothing about DJB's license, since it is not free software as per their definition (look at section three, "derived works").

Let me make this clear: Dan is one of the best programmers out there.

He has an excellent security history. He has many years experience with UNIX and a driving obsession which makes him a very good coder. His DNS notes were very helpful in making my DNS server a better program; while very opinionated, his opinions have merit. I respect him greatly as a coder.

He has understandable reasons to make is software not be libre. Unfortunatly, his code will have a limited appeal until when and if he releases it under a more open license.

- Sam

A listing of DNS servers

Posted Mar 16, 2003 10:59 UTC (Sun) by rickmoen (subscriber, #6943) [Link]

anr asked: Please explain what makes you list djbdns under the "proprietary" category.

Gladly. Prof. Bernstein's terms of usage, while very generous and commendable, do not include the right to fork (Open Source Definition provision #3 -- which is the central concept of open source). Thus, nobody else has the legal right to develop, maintain, and release modified versions. Also, when/if Prof. Bernstein ceases to issue new versions, the project will probably pretty much die for lack of legal right to maintain the code (except in private or as patch files).

Please note that the term "proprietary" is not pejorative: It's a descriptive category, and includes a broad spectrum of licensing types, including Prof. Bernstein's benevolent source-available one on the liberal end.

Prof. Bernstein feels that his abilitiy to control the package's quality justifies this limitation (and he may be right). But, as a result, djbdns/dnscache is most plainly not open source.

As Sam says, Prof. Bernstein's DNS notes are a crucial resource for anyone wanting to truly understand DNS at a technical level, and I join Sam in recommending them to people.

Rick Moen
rick@linuxmafia.com

Copyright © 2003, Eklektix, Inc.
Comments and public postings are copyrighted by their creators.
Linux is a registered trademark of Linus Torvalds