[SWLUG] BIND alternatives

Richard Smith richard at gotworms.co.uk
Tue Oct 28 16:24:15 UTC 2003


  ** This is a forward since I fecked the destination of the original 
message :( **

 > So in essence I was wondering what people thought about nameservers, 
especially with regard to security and simplicity. I don't mind 
reconfiguring BIND, however I *do* mind it being a bug ridden, bloated, 
wide open doorway into my system, which I don't have the time or 
inclination to keep current.


I prefer DJBDNS and TinyDNS (the former being a resolver/cache, the 
latter being a DNS server), although I may be shot down in flames of 
glory for that revelation.

Although it's not GPL, it is open source and free to download and use in 
commercial or non-commercial situations, but it still r0xors :P

From an installation perspective, it's easy to install and configure 
using the guide and documentation you want to use. From an 
administrative point of view, it's easy to maintain.

Security wise, it's incredibly secure. It's not run as root. In fact, 
it's run as its own user and chrooted into the base directory... The 
author even offers a reward of $500 if you find a verifiable security 
risk in the latest code. To quote the site:

<quote>
- dnscache runs as a dedicated non-root uid inside a chroot jail, so it can't touch the rest of the machine.
- tinydns runs as another dedicated non-root uid inside its own chroot jail.
- walldns runs as another dedicated non-root uid inside its own chroot jail.
- dnscache discards DNS queries from outside a specified list of IP addresses.
- dnscache and the dns library use a new query ID and a new UDP port for each query packet. They discard DNS responses from any IP address other than the one that the corresponding query was just sent to.
- dnscache uses a cryptographic generator to select unpredictable port numbers and IDs.
- dnscache is immune to cache poisoning.
- tinydns and walldns never cache information. They do not support recursion.
</quote>

Take a look at: http://cr.yp.to/djbdns.html (crypto with dots ;))

 > Since it is such a small scale operation, can anyone suggest a viable 
alternative to using BIND? Preferably one that doesn't involve a perl / 
bash script and netcat, but if anyone wants to draft one out that way, 
be my guest - less chance of getting rooted I suppose :o)


TinyDNS is great... I know several companies running thousands of 
domains off it. It just works.

There's loads of information on the site about running TinyDNS and DNS 
servers in general. I learnt a lot from that site when I first got into 
the whole DNS management thing.

One bonus I find to using djbdns is that when the server starts up, the 
second it binds to the port to serve requests, it can, unlike BIND, 
actually serve requests from the get-go, since it uses an 
intermediary binary cache format for its data. Essentially the zone 
files are converted to its own format the second it starts up, if they 
don't exist that is. It means that so long as these binary files remain 
and the original zone files remain unchanged, the server can resolve 
requests. Which is great if you're running a DNS server with thousands of 
domains... because the precious moments while BIND is loading and 
parsing its data files mean that your DNS server is down, which is not 
good.

Anyway... take a look... I've probably raved on about it too much 
already....

-- 
Richard
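The quoted list above names the checks a cache applies before trusting a reply: a fresh unpredictable transaction ID and UDP source port per query, and discarding any response that does not come from the exact address the query went to. The following Python is an added illustration of that response-validation logic written for this page; it is not code from the post, from djbdns, or from any other project. The packet builders, the `PendingQuery` structure, the hypothetical server address 192.0.2.53 and the sample names are all constructed for the example.

```python
"""Response validation modelled on the dnscache rules quoted above (constructed example)."""
import secrets
import struct
from dataclasses import dataclass


@dataclass(frozen=True)
class PendingQuery:
    """State kept for one outstanding query: which server it went to, from which
    local port, with which transaction ID, and what was asked."""
    txid: int
    server_ip: str
    server_port: int
    local_port: int
    qname: str
    qtype: int


def new_query_state(server_ip: str, qname: str, qtype: int = 1, server_port: int = 53) -> PendingQuery:
    """Pick a fresh, unpredictable transaction ID and source port for every query.
    `secrets` is a CSPRNG; the 16-bit ID alone is too small to rely on, so the
    source port is randomised as well (hypothetical port range, not djbdns's own)."""
    return PendingQuery(
        txid=secrets.randbelow(1 << 16),
        server_ip=server_ip,
        server_port=server_port,
        local_port=1024 + secrets.randbelow(65536 - 1024),
        qname=qname.lower().rstrip("."),
        qtype=qtype,
    )


def encode_name(name: str) -> bytes:
    """Wire-format a domain name as length-prefixed labels ending in a zero byte."""
    out = b"".join(bytes([len(l)]) + l.encode("ascii") for l in name.rstrip(".").split(".") if l)
    return out + b"\x00"


def decode_name(pkt: bytes, off: int) -> tuple[str, int]:
    """Read an uncompressed name starting at `off`; returns (name, offset after it).
    The question section does not legitimately use compression pointers, so a
    pointer here is treated as malformed."""
    labels = []
    while True:
        length = pkt[off]  # IndexError on a truncated packet is caught by the caller
        if length == 0:
            return ".".join(labels), off + 1
        if length & 0xC0:
            raise ValueError("compression pointer in question section")
        labels.append(pkt[off + 1:off + 1 + length].decode("ascii"))
        off += 1 + length


def build_query(q: PendingQuery) -> bytes:
    """Standard query: RD set, one question, no other sections."""
    header = struct.pack("!HHHHHH", q.txid, 0x0100, 1, 0, 0, 0)
    return header + encode_name(q.qname) + struct.pack("!HH", q.qtype, 1)


def build_response(txid: int, qname: str, qtype: int, ip: str) -> bytes:
    """Constructed response carrying one A record; used here only to feed the validator."""
    header = struct.pack("!HHHHHH", txid, 0x8180, 1, 1, 0, 0)
    question = encode_name(qname) + struct.pack("!HH", qtype, 1)
    rdata = bytes(int(o) for o in ip.split("."))
    answer = b"\xc0\x0c" + struct.pack("!HHIH", qtype, 1, 300, len(rdata)) + rdata
    return header + question + answer


def validate_response(pending: PendingQuery, src_ip: str, src_port: int, dst_port: int, pkt: bytes) -> tuple[bool, str]:
    """Accept a datagram only if it came from the server we asked, arrived on the
    port we sent from, carries our transaction ID and echoes our question.
    Any mismatch means the packet is discarded, never cached."""
    if src_ip != pending.server_ip:
        return False, "source address is not the queried server"
    if src_port != pending.server_port:
        return False, "source port is not the queried server port"
    if dst_port != pending.local_port:
        return False, "delivered to the wrong local port"
    if len(pkt) < 12:
        return False, "truncated header"
    txid, flags, qdcount, *_ = struct.unpack("!HHHHHH", pkt[:12])
    if txid != pending.txid:
        return False, "transaction ID mismatch"
    if not flags & 0x8000:
        return False, "QR bit clear: not a response"
    if qdcount != 1:
        return False, "unexpected question count"
    try:
        qname, off = decode_name(pkt, 12)
        qtype, qclass = struct.unpack("!HH", pkt[off:off + 4])
    except (IndexError, ValueError, struct.error):
        return False, "malformed question section"
    if qname.lower() != pending.qname or qtype != pending.qtype or qclass != 1:
        return False, "question does not match the one we sent"
    return True, "ok"
```

The order of the checks matters less than the fact that all of them run: address and port matching rejects blind off-path replies that guessed the ID but not the socket, while the question comparison rejects a reply that is otherwise well-formed but answers something the cache never asked.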
