Here is a list of DNS software that is open source, is currently (as of 2016) being maintained, and that has authoritative and recursive DNSSEC support:
- BIND is the Swiss Army knife of DNS servers. It has a lot of features and can do pretty much everything. It's also a big binary and sometimes difficult to configure. CVE. BIND supports DNSSEC.
- Unbound and NSD make up a suite of DNS servers; they are both from NLnet Labs. Basically, one (NSD) puts your web page on the Internet; the other (Unbound) looks for web pages on the Internet. NSD CVE (none of those entries look to point to NSD; it appears to have no CVE entries). Unbound CVE. Both support DNSSEC.
- Knot DNS and Knot Resolver are two new DNS servers for the 2010s (an authoritative and a recursive component); the recursive resolver is from 2016. Both support modern DNS features, such as DNSSEC. Like NSD and Unbound, Knot DNS serves DNS records and Knot Resolver looks for DNS records on the Internet. So far, there do not appear to be any CVE reports for either server, but both packages are fairly new. There's a good writeup at LWN by the implementer about Knot DNS.
- PowerDNS (which, like Unbound/NSD, is two separate programs) has a lot of flexibility with connecting to databases or whatnot to resolve a DNS name. Used by Wikimedia, among others. CVE.
- DjbDNS. Great tiny two-program DNS suite that sadly hasn't been updated by DJB since 2001. Yes, it does have security problems (that's a CVE link). Note that there are at least two security issues with DjbDNS which do not have CVE numbers. For anyone who wants to use DjbDNS, use N-DjbDNS, which is (as of mid-2015) patched against all known security holes. There are patches to give the authoritative half DNSSEC support; there is no DNSSEC support for the recursor.
- MaraDNS. It was once a single program, now two separate programs (like Unbound/NSD and PowerDNS). Easy to configure; tiny binary suitable for embedded systems. CVE. MaraDNS does not support DNSSEC nor EDNS.
There are many, many other DNS servers, both open source and non-open source. Here is an incomplete list of the open source ones: DnsMasq, pdnsd, Posadis, MyDNS, MyDNS-ng, SDNS (public domain, local download link), DnsJAVA
Other lists
- Rick Moen has a great list of open-source DNS servers.
- Dan J. Bernstein also has a list of DNS servers
---------------
DNS Server (and Related) Software for Unix
Here is a list of the real choices, comparing and contrasting BIND9 with all known alternative DNS server implementations for Unixes -- many that in particular deployments will prove superior:
Table of Contents
Maintained open source packages:
- BIND9: authoritative, recursive, AXFR, client
- Bundy: authoritative, DHCPd
- CurveDNS: forwarder
- Deadwood: recursive
- djbdns: authoritative, recursive, AXFR, client, other (modular; needs patching)
- zinq-djbdns: authoritative, recursive, AXFR, client, other
- Debian djbdns: authoritative, recursive, AXFR, client, other
- N-DJBDNS: authoritative, recursive, AXFR, client, other
- LolDNS: authoritative, recursive, AXFR, client, other
- dnsjava: authoritative, AXFR (modular)
- DNRD: forwarder
- Dnsmasq: forwarder
- dnsproxy: proxy
- dproxy: forwarder
- gdnsd: authoritative
- Knot DNS: authoritative, AXFR
- ldapdns: authoritative, AXFR
- MaraDNS: authoritative, recursive, AXFR
- MyDNS-NG: authoritative, outgoing AXFR
- NSD: authoritative, AXFR
- pdnsd: forwarder
- PowerDNS Authoritative Server: authoritative, AXFR
- PowerDNS Recursor: recursive
- rbldnsd: authoritative
- Technitium DNS Server: forwarder, DHCPd
- Twisted Names: authoritative, forwarder, client
- Unbound: recursive
- YADIFA: authoritative, AXFR
Unmaintained open source packages (deprecated!):
- BIND8: authoritative, recursive, AXFR
- CustomDNS: authoritative, AXFR (modular)
- dents: authoritative, recursive
- Eddieware Enhanced DNS Server (aka "lbdns"): authoritative
- GnuDIP: authoritative
- lbnamed: authoritative
- lwresd: recursive
- moodns: authoritative, recursive
- MyDNS: authoritative, outgoing AXFR
- Oak DNS Server: authoritative, recursive
- Pliant DNS Server: forwarder
- Posadis: authoritative, AXFR
- SDNS (Secure DNS): authoritative
- Stanford::DNSserver: authoritative
- Trick or Treat Daemon (ToTD): forwarder
- Yaku-NS: authoritative, forwarder, AXFR
Related Software:
- GNU adns: client
- Ares: client
- BIND DLZ: authoritative (patch)
- Constrict: client
- dnsibs: authoritative (non-standard data)
- dnspython: client, AXFR
- FireDNS: client
- LDAP sdb: authoritative (patch)
- ldns: client
- nscd: cache
- Net::DNS: client
- Poslib: authoritative, client
- Resolvconf: client-side utility
- skadns: client
- systemd-resolved: cache
- unscd: cache
Proprietary Software:
(See list at page bottom.)
Guide for the Perplexed
If like most people you are unclear on how a recursive nameserver, an authoritative nameserver, and a forwarding nameserver differ, please see my explanatory anecdote: 1, 2.
Maintained open source packages:
- BIND9 (link)
is a full-featured recursive server, authoritative, and caching
nameserver, bundled with a resolver client library. This is a
from-scratch rewrite of the hopelessly spaghetti-coded legacy BIND8
codebase that Paul Vixie inherited from UC Berkeley: Vixie commissioned
its creation by Nominum, Inc., who wrote it solely from the BIND8
specifications without reference to the old codebase.
Coded in C.
http://www.isc.org/software/bind/
Licence: ISC Licence, a simple permissive licence with warranty disclaimer.
Dovecot imapd author Timo Sirainen posted in 2007 some comments (warning: unmaintained page): the code relies on several ISC wrapper libraries for key functions, has lots of asserts and sanity checks, and "in general the code just feels heavy — functions have tons of variables, some functions are huge, locks for thread safety, lots of goto jumping to deinitialization parts if something went wrong".
BIND9 is slow and large compared to many competitors, and the monolithic codebase seems overfeatured.
- Bundy (link)
is an authoritative server and DHCP daemon, initially (2010) developed as
BIND10 at ISC, and then handed off (in 2014) to third-party developers when
ISC decided to refocus on improving BIND9.
Coded in C++ and Python.
http://bundy-dns.de/
Licence: ISC Licence, a simple permissive licence with warranty disclaimer.
- CurveDNS (link) is a caching forwarder server capable of
either forwarding regular (non-authenticated) DNS packets, or of
boxing DNSCurve-authenticated queries and forwarding the resulting
regular DNS packets and then boxing the resulting regular DNS responses
to DNSCurve-authenticated responses. It supports both DNSCurve's
streamlined and TXT formats, caching of shared secrets, both UDP and TCP,
and both IPv4 and IPv6. Thus, you would normally deploy it as the
DNSCurve-supporting front-end to a different authoritative
nameserver.
Coded in C by Harm van Tilborg, Jeroen Scheerder, and Lieuwe Jan Koning. Compilation requires Marc Lehmann's libev and the Computer Aided Cryptography Engineering project's NaCl (Networking and Cryptography library). Daniel J. Bernstein's daemontools are recommended but not required for management. http://curvedns.on2it.net/
Licence: 2-clause BSD licence.
- Deadwood (link) is a recursive server with several
enhancements, for Unix and Win32, by Sam Trenholme, author of MaraDNS
(for whose recursive component it's a compatible replacement).
Deadwood is implemented as a non-threading daemon.
At this writing (2010-10-05), Deadwood v. 3.0.01 is a feature-complete release. It's very small and fast: One 2.9 beta was the second smallest executable among recursive nameservers for Unix at 64,418 bytes as compiled for CentOS 5, versus zinq-djbdns's dnscache at 45,016 bytes, compiling using "-Os" optimisation and stripping the binary. (Unmodified dnscache v. 1.05, not recommended on account of unfixed bugs, weighs in at 43,644 bytes using the same options.)
Comparing Win32 versions, the Deadwood beta's binary was 144,237 bytes (-O3 compiler optimisation and unstripped), PowerDNS recursor is 503,860 bytes (prebuilt binary), Unbound is 1,745,920 bytes (prebuilt binary), and BIND9 is 4,055,552 bytes (prebuilt binary).
Enhancements over dnscache's basic recursive service:
- "DNS wall" that filters any private IP addresses out of DNS responses to protect networks against DNS rebinding attacks.
- Ability to read and write the cache to disk.
- Optional ability to "resurrect" domains by serving expired data from cache if no data within TTL can be fetched.
- Ability to filter out AAAA IPv6 responses (or to compile in full IPv6 support if desired).
- Code that stops AR-injection spoof attacks.
- Multiple inflight merging.
- Flexible parser for server configuration files.
- Support for DNS responses over TCP transport.
- Caching of CNAME responses.
- Caching of SOA responses.
- Ability to countermand upstream NXDOMAIN redirections (ip_blacklist feature).
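Deadwood's "DNS wall" works by refusing to hand a client any answer that resolves a public name to a private address, which is what a DNS rebinding attack depends on. As an added illustration (not Deadwood's code), the Python below applies the same rule to the answer section of a raw DNS response; the helper names, the constructed sample response and the "private" classification via Python's ipaddress module are assumptions of this example.

```python
"""Added example: a DNS-wall filter in the spirit of Deadwood's feature.
Parses a raw DNS response and drops A/AAAA answers that point at private,
loopback or link-local addresses, which is what defeats DNS rebinding."""
import ipaddress
import struct

HEADER = struct.Struct("!6H")      # id, flags, qdcount, ancount, nscount, arcount
RR_FIXED = struct.Struct("!HHIH")  # type, class, ttl, rdlength
TYPE_A, TYPE_CNAME, TYPE_AAAA = 1, 5, 28


def read_name(msg, off):
    """Return (labels, offset after the name), following RFC 1035 compression pointers."""
    labels, resume, hops = [], None, 0
    while True:
        length = msg[off]
        if length & 0xC0 == 0xC0:          # 11xxxxxx: pointer to an earlier name
            if resume is None:
                resume = off + 2           # parsing continues after the 2-byte pointer
            off = struct.unpack_from("!H", msg, off)[0] & 0x3FFF
            hops += 1
            if hops > 64:                  # guard against pointer loops in hostile packets
                raise ValueError("compression pointer loop")
            continue
        off += 1
        if length == 0:
            return labels, (resume if resume is not None else off)
        labels.append(bytes(msg[off:off + length]))
        off += length


def encode_name(labels):
    """Serialise labels uncompressed: removing RRs shifts offsets, so pointers can't be reused."""
    return b"".join(bytes([len(label)]) + label for label in labels) + b"\x00"


def address_of(rtype, rdata):
    """Return the address carried by an A/AAAA RDATA, or None for any other type."""
    if rtype == TYPE_A and len(rdata) == 4:
        return ipaddress.IPv4Address(rdata)
    if rtype == TYPE_AAAA and len(rdata) == 16:
        return ipaddress.IPv6Address(rdata)
    return None


def dns_wall(msg):
    """Return (filtered response, dropped address strings).

    Answer RRs whose address is private (RFC 1918, loopback, link-local, ...) are removed
    and the remaining answers are re-serialised with uncompressed names. The authority and
    additional sections are not re-serialised here (their counts are zeroed): their
    compression pointers could reference bytes this filter removed."""
    ident, flags, qd, an, _ns, _ar = HEADER.unpack_from(msg, 0)
    off = HEADER.size
    for _ in range(qd):                    # question section is kept verbatim
        _, off = read_name(msg, off)
        off += 4                           # qtype + qclass
    question = msg[HEADER.size:off]
    kept, dropped = [], []
    for _ in range(an):
        labels, off = read_name(msg, off)
        rtype, rclass, ttl, rdlen = RR_FIXED.unpack_from(msg, off)
        off += RR_FIXED.size
        rdata = msg[off:off + rdlen]
        off += rdlen
        addr = address_of(rtype, rdata)
        if addr is not None and addr.is_private:
            dropped.append(str(addr))
            continue
        if rtype == TYPE_CNAME:            # CNAME target may be compressed: rewrite it too
            rdata = encode_name(read_name(msg, off - rdlen)[0])
        # Other types are copied raw; MX, SOA etc. would need the same name rewriting.
        kept.append(encode_name(labels) + RR_FIXED.pack(rtype, rclass, ttl, len(rdata)) + rdata)
    return HEADER.pack(ident, flags, qd, len(kept), 0, 0) + question + b"".join(kept), dropped


def build_sample_response():
    """Constructed sample (not captured traffic): www.example.test -> CNAME host.example.test,
    with one public A plus a private A and a link-local AAAA, using compression pointers."""
    qname = encode_name([b"www", b"example", b"test"])
    target = encode_name([b"host", b"example", b"test"])
    header = HEADER.pack(0x1234, 0x8180, 1, 4, 0, 0)            # QR, RD, RA set; 4 answers
    question = qname + struct.pack("!HH", TYPE_A, 1)
    ptr_question = b"\xc0\x0c"                                    # pointer to qname at offset 12
    cname_rr = ptr_question + RR_FIXED.pack(TYPE_CNAME, 1, 300, len(target)) + target
    target_off = len(header) + len(question) + 2 + RR_FIXED.size  # where the CNAME target starts
    ptr_target = struct.pack("!H", 0xC000 | target_off)

    def rr(rtype, addr):
        packed = ipaddress.ip_address(addr).packed
        return ptr_target + RR_FIXED.pack(rtype, 1, 60, len(packed)) + packed

    return (header + question + cname_rr
            + rr(TYPE_A, "93.184.216.34")     # public, kept
            + rr(TYPE_A, "192.168.1.10")      # RFC 1918, dropped
            + rr(TYPE_AAAA, "fe80::1"))       # link-local, dropped


if __name__ == "__main__":
    filtered, dropped = dns_wall(build_sample_response())
    print("dropped:", dropped, "answers left:", HEADER.unpack_from(filtered, 0)[3])
```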
Coded in C by Sam Trenholme.
http://maradns.samiam.org/deadwood/
Licence: Two-clause BSD licence.
- djbdns (link) is a suite of specialised-role, related DNS
server utilities (and two client pieces) by Daniel J. Bernstein,
Research Professor, Department of Computer Science, University of Illinois at
Chicago and author of the qmail MTA.
(I'm being charitable in classifying djbdns as a "maintained offering", because, even though it was orphaned in 2001, its newly (a/o 2007) open-source (arguably) legal status permits third-party maintainers to put together an unofficial 1.06 release to bring it into the 21st century -- which may or may not happen but is worth hoping for.)
- djbdns is an omnibus package of all of Bernstein's DNS server software.
- tinydns is the authoritative-only DNS daemon.
- dnscache is the caching recursive server. It is so far (2008) unique among *ix recursive nameservers in implementing this functionality without needing to use threading.
- walldns is the specialised authoritative-only DNS daemon for reverse-zone data, designed to minimise public leakage of inside host data.
- rbldns is the specialised authoritative-only DNS daemon for DNS blocklist data about blocks of IP addresses such as dial-up IP lists.
- axfrdns is the TCP-based AXFR zone-transfer server. It also handles some other TCP-based queries, such as requests for SOA records and (rare) DNS replies exceeding the 512-byte maximum size of a (regular, non-EDNS0) UDP datagram. As a consequence of its ability to output RFC 1035 ("BIND") zonefiles for AXFR zone transfers, axfrdns is also usable as a format converter. (NOTE: Absent third-party patches, the various djbdns utilities omit support for IETF NOTIFY, IXFR, outgoing AXFR, DNSSEC, TSIG, A6, DNAME, bitstring labels, Dynamic DNS, negative TTLs (NCACHE), and other modern DNS features.) It is generally a good idea to set up axfrdns running on the same IP as tinydns, if you want support for large packets, or will offer zone transfers.
- axfr-get is the AXFR zone-transfer client, pulling down other authoritative servers' data in RFC 1035 ("BIND") format and writing that data in tinydns's database format.
- dns is the DNS client library.
- pickdns was the DNS load-balancing utility, but its functions were merged into tinydns as of djbdns v. 1.04 and above.
Dovecot imapd author Timo Sirainen posted in 2005 some comments (warning: unmaintained page). Recommended patches: Codebase has been unmaintained since v. 1.05 in 2001, except for through third-party patches. In consequence, until someone collects, merges, and harmonises a reasonable set of those patches (2009-09-08 note: There are now four forks, as noted below), users must collect and apply the following fixes to the v. 1.05 source tree, and compile locally:
- Do 'echo "include /usr/include/errno.h >> conf-cc"', to make the djbdns tools' source code compilable with modern Linux C libraries (updating the errno definitions in djbdns and tcpserver),
- apply a dnscache patch to prevent it from dying if it is remotely DoSed by an attacker sending it the SIGPIPE signal and then closing the socket before the write finishes (i.e., the patch makes dnscache ignore SIGPIPE),
- apply a tinydns patch to reduce mmap() overhead,
- apply a dnscache patch to add support for negative TTLs (caching of unsuccessful lookup results),
- apply a dnscache patch (1, 2) to prevent it erroneously returning SERVFAIL on some queries over TCP,
- apply a dnscache patch to support oversized UDP packets up to 4096 bytes in length (while still correctly truncating responses over 512 bytes when sending them to stub resolvers over UDP),
- apply two dnscache patches to make it become willing to cache SOA records, and to send only one response back to each flood of identical requests, thus greatly improving the program's resistance to cache poisoning,
- apply a tinydns patch (1, 2) to add native support for SRV RRs (not strictly necessary for creation of SRV records or other unsupported types such as AAAA, SPF, TXT, NAPTR, and DomainKeys, as you can always use the generic record format for arbitrary data types -- but nice to have as "syntactic sugar" -- and please note that proper native support for IPv6 has larger issues than just AAAA support),
- apply a tinydns patch to fix a file-descriptor leak,
- apply a tinydns patch making its error-handling on zonefile syntax errors more robust (obviously not an essential patch, but helpful),
- apply a dnscache patch to make its logging less chatty,
- apply two patches to fix dnscache's, tinydns's, and axfrdns's erroneous treatment of CNAMEs (1, 2),
- apply (on Linux only) an epoll patch (to speed up various djbdns tools by using Linux 2.6.x's "epoll(4)" I/O event notification facility instead of "poll(2)"),
- apply one of two patches (where one's usage model makes this useful) to make the various djbdns tools support binding to multiple IPs (1, 2) -- and, in fairness, the Bernstein-recommended alternative of running multiple daemon instances, one per IP, is usually fairly practical and has operational advantages,
- apply a dnscache patch to update the (obsolete) root servers list,
- apply a dnscache patch to its use of the Recursion Desired ("RD") bit, to make dnscache able to function correctly in a pure forwarding role (if you happen to need it in that role),
- apply a "dns" (djbdns client library, if you happen to use that module) patch to correct a bad coding choice that makes it unable to correctly deal with the hostname of a recursive or forwarding server that maps to multiple IP addresses,
- either tune dnscache's fixed-upper-bounded (but configurable) cache size to local requirements, or comment out dnscache's cache.c source line that limits the upper bound on cache size to 10^9 bytes by default ("if (cachesize > 1000000000) cachesize = 1000000000;"), to let it float, and
- apply an axfrdns and tinydns patch to correct a security-damaging bug in large-packet TCP data handling that permits a limited form of cache poisoning.
- Patch dnscache to add use of SipHash, a pseudo-random function useful for fixing a problem discovered in 2012 with dnscache's djb33 hash function that makes dnscache vulnerable to cache poisoning (by inducing collisions in the hash table).
- You also might want manpages, which, unbelievably, are deliberately missing from most of Bernstein's software.
Also tinydns.org and Jonathan de Boyne Pollard's page document other problems that might warrant patching before compilation. Some problems will remain, such as frequent failure to resolve Akamai and some other companies' DNS (on account of their use of admittedly ugly and baroque delegations without glue records), where other nameservers will have no problems.
It should also be noted that, by default, djbdns requires ancillary package ucspi-tcp (Bernstein's idiosyncratic superserver, though there are ways to substitute xinetd/inetd, etc.) and also recommends daemontools (Bernstein's idiosyncratic toolset for managing system services, though there are workarounds (1, 2) to avoid most of that need). Daemontools, if used, enforces a non-standard filesystem hierarchy for its and djbdns's components.
djbdns (specifically, dnscache) was the first recursive nameserver to randomise query source UDP ports as a security precaution, and to separate recursive and authoritative service, which is best practices.
Critical claims to the contrary notwithstanding, it is indeed possible to run dnscache and tinydns on the same IP. See Felix von Leitner's djbdns FAQ for that and other common questions.
Coded in C by Daniel J. Bernstein.
http://cr.yp.to/djbdns.html
Licence: Asserted to be "public domain".
- zinq-djbdns: (link) Mark
Johnson has created a maintained fork of djbdns as part of his umbrella
project of adopting Dan Bernstein's unmaintained software. Thus the
term "zinq", which is from Zinq Is Not Qmail. As of v. 0.05, it adds
these changes to Bernstein's v. 1.05:
  - Updated obsolete root-nameservers roster "dnsroots.global".
  - Uses automake/autoconf, instead of Bernstein's build process, and got rid of spurious compiler warnings.
  - Applied the patch to dnscache to make it ignore SIGPIPE, which can be used to DoS it.
  - Patched dnscache to quadruple its upper bound on cache size from 10^9 bytes to 4x10^9 bytes.
  - Patched dnscache to prevent it erroneously returning SERVFAIL on some queries over TCP.
  - Patched dnscache to support oversized UDP packets up to 4096 bytes in length (while still correctly truncating responses over 512 bytes when sending them to stub resolvers over UDP).
  - Patched tinydns to add native support for SRV and NAPTR records.
  - Supplied manpages, from Gerrit Pape's set.
  - Patched axfrdns and tinydns to correct a security-damaging bug in large-packet TCP data handling that permits a limited form of cache poisoning.
Coded in C by Mark Johnson and Daniel J. Bernstein.
Formerly at http://sourceforge.net/projects/zinq/ (which no longer exists); seems to have moved a/o 2010 to https://github.com/tenchman/TTLinux/tree/master/apps/dns/zinq-djbdns
Last maintained in 2010.
Licence: Asserted to be "public domain".
- Debian djbdns/dbndns: (link) Debian developer Gerrit Pape maintains four Debian binary packages (dbndns, djbdns, dnscache-run, tinydns-run) based on one Debian source package (djbdns).
Pape applies these changes to Bernstein's v. 1.05:
In both binary packages "djbdns" and "dbndns":
  - Supplied manpages (by Gerrit Pape).
  - Patched to use glibc, system errno.h headers.
  - Updated the /etc/dnsroots.global configuration file to replace obsolete root nameservers list.
  - Patched to support parallel build through "make -j".
  - Patched to install binaries into /usr/bin.
  - Patched to make daemontools, ucspi-tcp "Recommends" rather than "Depends" packages.
  - Patched axfrdns and tinydns to correct a security-damaging bug in large-packet TCP data handling that permits a limited form of cache poisoning.
Applied to binary package "dbndns" only:
  - Patched tinydns to add native IPv6 support.
  - Patched to allow a maximum of 20 concurrent outgoing SOA queries to harden it against remote spoofers of DNS responses (but this patch may soon be backed out).
I haven't worked through binary package dnscache-run's and tinydns-run's metadata to see what patches Pape applied to them, but it's whichever subset of his patches are applicable from those used to create binary package "djbdns".
Coded in C by Gerrit Pape and Daniel J. Bernstein.
http://packages.qa.debian.org/d/djbdns.html
https://tracker.debian.org/pkg/djbdns
Licence: Asserted to be "public domain".
- N-DJBDNS: (link) Red Hat developer Prasad J. Pandit
has created a djbdns fork and proposed it (2009-03) for inclusion in
Fedora Project. Prasad's fork was named RH-djbdns until July 2011,
when he renamed it njbdns (new djbdns), later modified to N-DJBDNS.
As of v. 1.05.3 (2009-08-17),
it adds these changes to Bernstein's v. 1.05:
  - Uses automake/autoconf, instead of Bernstein's build process.
  - Works with /sbin/service.
  - No longer requires daemontools.
  - tinydns now reads /etc/djbdns/tinydns.conf and logs to /var/log/tinydns.log. Default installation destination prefix is /usr/ (in the RPM .spec file).
  - Changed dnscache conffile to /etc/djbdns/dnscache.conf.
  - Changed dnscache to log to /var/log/dnscache.log, write PID file to /var/run/dnscache.pid, and accept some command-line options.
  - Patched axfrdns and tinydns to correct a security-damaging bug in large-packet TCP data handling that permits a limited form of cache poisoning.
  - Patched dnscache to prevent it erroneously returning SERVFAIL on some queries over TCP.
  - Patched dnscache to update obsolete root nameservers list.
  - Applied the patch to dnscache to make it ignore SIGPIPE, which can be used to DoS it.
  - Patched to use system errno.h headers.
  - Renamed CHANGES to ChangeLog, added Pandit's entries.
  - Changed various utils to use system header files.
  - Some comments added, and a more-conventional coding style applied. All coding made portable to FreeBSD and probably other Unixes. New manuals for several commands. Commands now accept command-line options.
As of 1.05.3, only the following djbdns tools are (thus far) compiled/installed: dnscache, dnsipq, dnsq, dnstracesort, tinydns, tinydns-data, tinydns-edit, tinydns-get, dnstrace, and a couple more. Pandit is proceeding to revamp the other pieces, gradually.
Coded in C by Prasad J. Pandit and Daniel J. Bernstein.
http://pjp.dgplug.org/djbdns/
(.spec file, source, SRPM, bugzilla)
Licence: GNU GPLv2 or later. (See .spec file.)
- LolDNS: (link) Joshua Small created the LolDNS fork of djbdns
1.05 in February 2009, to "go beyond the many current forks of just
perpetuating the product, and to actually do away with the things that
djbdns used to get slammed for."
  - Patched to use glibc, system errno.h headers.
  - Patched to no longer require daemontools, ucspi-tcp.
  - Patched to add an equivalent to BIND9's $GENERATE auto-generated entry directive.
  - Patched to add support for SRV records.
  - Patched to support binding to multiple IP addresses.
  - Patched to call chroot() before dropping privilege.
  - Adds new management and logging daemons.
Coded in C by Joshua Small and Daniel J. Bernstein.
https://lolware.net/2013/09/23/loldns.html http://lolware.net/loldns-STABLE5.tar.gz https://github.com/technion/loldns
Note: Small recommends checking out the latest svn trunk snapshot, instead of using tarball code.
Licence: Joshua Small has specified a licence of his own devising for his additions to Bernstein's code, the first two clauses of which grant a simple BSDish permissive licence (making code usable for any purpose; derivative works can be created and distributed by anyone), provided that there is no warranty (third clause) and that Small's small graphical "so much win" image remains included in some way (the fourth and final clause). Daniel Bernstein has asserted his v. 1.05 base code to be "public domain".
- DNRD (Domain Name Relay Daemon) (link) is a small caching-only server for NAT / IPmasq networks.
Coded in C by Natanael Copa, Brad Garcia, and Nathan Angelacos.
https://github.com/benjaminpetrin/dnrd, formerly at
http://dnrd.sourceforge.net/.
Licence: GNU GPLv2 or later.
- dnsjava (link)
is an authoritative-only server, DDNS client, and related tools,
written in Java by Brian Wellington. Patched only on Aug. 6, 2008 to
randomise UDP source ports for recursive queries as a security
precaution.
http://www.dnsjava.org/
Licence: Newer BSD licence.
- Dnsmasq (link)
is a small caching forwarder server (no recursive service -- iterative
queries only) with local-only authoritative service for a group of
NATted / IPmasqued machines (optionally pulling names from DHCP leases).
This package is often embedded in firewall/gateway appliance boxes. Did not implement serious randomisation of source UDP ports on outgoing recursive queries as a security precaution until July 11, 2008 (v. 4.3), when the use of inadequate system-libc random number generators was junked and replaced with Dan Bernstein's SURF random number generator, borrowed from dnscache.
Coded in C by Simon Kelley. http://www.thekelleys.org.uk/dnsmasq/
Licence: GNU GPLv2 or later.
- dnsproxy (link)
is a proxy daemon that answers 53/tcp & 53/udp DNS queries, and
forwards the recursive and authoritative queries separately so a pair of
specialised daemons (e.g., NSD and Unbound, or tinydns and dnscache)
can handle each, but still only use a single public-facing IP address.
The two daemons accepting the forwards may be local or they might be
elsewhere (as in a firewall situation). Requires libevent. Runs chrooted and unprivileged.
Coded in C by Armin Wolfermann. http://wolfermann.org/dnsproxy.html
Licence: MIT Licence.
- dproxy (link) was/is a small caching forwarder server with a disk-based cache, suitable for small networks and workstations.
Coded in C by Matthew Pratt. As of 2016, the legacy dproxy 1.x code has been unmaintained since 2005, but the dproxy-nexgen code at GitHub appears to be maintained (updated 2014).
https://github.com/vicgarin/Actiontec-V1000H/tree/master/bcm963xx_V1000H-31-121L-11/userspace/gpl/apps/dproxy-nexgen https://sourceforge.net/projects/dproxy/
Licence: GNU GPLv2 or later.
- gdnsd (Geographic DNS
Daemon) (link) is an authoritative-only
non-caching server with native support for DNSCurve authentication of
DNS contents. The "geographic" in its name refers to its plugin
interface for geographic (or other sorts of) balancing, redirection, and
service-state-conscious failover, which is an optional capability.
Several example plugins are provided, including gdnsd-plugin-georeg,
which uses MaxMind's commercial Region-format database to do geographic
balancing and failover of a given hostname to a set of geographically
dispersed IP addresses. A basic HTTP monitoring service for failover is
included, as are hooks for implementing other failover methods.
Compilation requires pthread support, Marc Lehmann's libev, and the
Computer Aided Cryptography Engineering project's NaCl (Networking and
Cryptography library).
Coded in C by Brandon Black for Logitech, Inc.
https://github.com/gdnsd/gdnsd, formerly at
http://code.google.com/p/gdnsd/
Licence: GNU GPLv3 or later.
- Knot DNS (link)
is an authoritative-only server developed by CZ.NIC, the .CZ domain
registry, with particular emphasis on suitability for TLD operators. It
is implemented as a threaded daemon using a number of programming
techniques to make it very fast, notably read-copy-update. Code is
mostly lock-free, scales well on SMP systems, and operates non-stop even
when adding or removing zones. Supports DNSSEC and EDNS0 extensions
including NSEC3. Does AXFR/IXFR. Supports dynamic updates, response
rate limiting, automatic DNSSEC signing.
Runtime depends on several libraries including userspace-rcu. Configuration files use simplified YAML format.
Coded in C by the CZ.NIC team.
https://www.knot-dns.cz
Licence: GNU GPLv3 or later.
- ldapdns (link)
is an LDAP database-based authoritative and caching server (no
recursive service -- iterative queries only). Despite use of a database,
it's much faster than BIND9.
Coded in C by "Mrs. Brisby".
http://ldapdns.sourceforge.net/
Licence: GNU GPLv2 or later.
- MaraDNS (link)
is a general-purpose, fast, lightweight, authoritative, caching
forwarder, and recursive server, fully supporting zone transfers, which
runs unprivileged, performs its own chroot, and includes its own
buffer-overflow-resistant string library and random number generator.
Module "zoneserver" does authoritative service only. Module "maradns"
can do both recursive and authoritative DNS. Includes a converter
Python script to convert zonefiles from RFC 1035 ("BIND") format to
MaraDNS's similar "csv2" format. Code uses RAM-based caching. Daemon
must currently be restarted if any zonefile records are changed,
currently requires the OS have robust threading support for its
recursive service, and currently doesn't support NOTIFY or IXFR.
Starting with the 2.0 release, MaraDNS defaults to using the provided Deadwood recursive nameserver code (see separate entry) for its recursive functionality.
As of June 21, 2015, there is no security or maintenance support for the obsolete 1.x branch, and it is strongly deprecated.
Excellent security history. Among other things, MaraDNS's recursive module randomised source UDP ports on outgoing recursive queries using a strong RNG from the very beginning. Also, recursive server attempts to be careful about cache poisoning resulting from trusting glue records passed out-of-bailiwick.
Code is written in C by Sam Trenholme. http://maradns.samiam.org
Licence: Two-clause BSD licence, on v. 1.1 and later.
Dovecot imapd author Timo Sirainen posted in 2007 some comments (warning: unmaintained page): "Should be secure. Code doesn't look too bad, but it's using a lot of gotos."
- MyDNS-NG
(link) is a MySQL or PostgreSQL-based authoritative and
caching forwarder server (no recursive service -- iterative queries
only) suitable for very large sites. In such roles, it's faster and more
responsive than BIND9, even though the latter uses a RAM-based
cache.
Coded in C by Howard Wilkinson and Dan Moore. http://www.mydns-ng.com/
Licence: GPLv2 or later.
- NSD (link)
is a high-performance, small, authoritative-only daemon, with DNSSEC
support, and able to directly re-use RFC 1035 ("BIND") zonefiles (which
it compiles to binary format for speed). Package includes the zonefile
compiler ("zonec"), the core nsd daemon, the zoneserver, and a zone
transfer program.
Coded in C by a number of authors including Alexis Yushin and Erik Rozendaal. http://www.nlnetlabs.nl/nsd/
Licence: Newer BSD licence.
- pdnsd (link)
is a small caching forwarder server, coded in C by Paul A. Rombouts and
Thomas Moestl, with a disk-based cache, suitable for small networks and
workstations. Has had some buffer-overflow and stability problems, in
the past, but in general has sound design (e.g., always randomised
source UDP ports for recursive queries).
http://members.home.nl/p.a.rombouts/pdnsd/
Licence: GNU GPLv3 or later.
- PowerDNS: Was a combined authoritative and
recursive nameserver package through v. 2.9.20. Starting with the
next releases (April 21, 2007), those functions were split into new
packages "PowerDNS Authoritative Server" and "PowerDNS Recursor", which
please see.
PowerDNS was originally proprietary software, open-sourced under GNU GPLv2 on 2002-11-25.
- PowerDNS Authoritative Server (link)
is an authoritative-only server with modular structure supporting
various back-end information stores such as SQL databases (MySQL,
PostgreSQL, Oracle 8i, Oracle 9i, IBM DB2, and others via ODBC), RFC
1035 ("BIND") zonefiles and other file formats, and LDAP directories.
Supports AXFR zone transfers. Partial DNSSEC support. Fast but also a
bit bloated. Compiling the package requires satisfying some convoluted
dependencies, notably the need for Boost
C++ class libraries. Default configuration assumes propagation of
nameservers to related hosts via replication at the level of the
back-end database store, but optionally the administrator can also enable
RFC 1034 / RFC 1995 "zone transfers" (using NOTIFY/AXFR) as implemented
in BIND9. Package can be configured to refer incoming recursive
queries to a (any) separate recursive nameserver by a specified IP/port.
Has internal chroot function. Does not support BIND9-style "views":
One can emulate that mode by running multiple nameserver instances.
(Copy /etc/init.d/pdns to /etc/init.d/pdns-[name]. The script
automatically parses $0 for "name" and reads /etc/pdns/pdns-[name].conf
as its configuration file.)
Coded in C++ by Norbert Sendetzky and others. http://www.powerdns.com/en/products.aspx
Licence: GNU GPLv2.
- PowerDNS Recursor
(link) is a recursive nameserver. Has a
programming interface for scripting in the Lua programming language.
Pleasantly small and fast. Did not meaningfully randomise UDP source
ports on outgoing recursive queries until March 2008, after Dan
Kaminsky's private warnings about DNS security problems, at which time
the authors added a strong random-number generator.
Coded in C++ by Norbert Sendetzky and others. http://www.powerdns.com/en/products.aspx
Licence: GNU GPLv2.
In January 2010, PowerDNS Recursor (through v. 3.1.7.1) was discovered to be vulnerable to a buffer overflow triggered by deliberately malformed public DNS data or queries aimed at it, leading to possible full system compromise, cache poisoning, and redirection of users to IPs controlled by attackers. This horrific bug was fixed as of v. 3.1.7.2, but is not a reassuring sign about PowerDNS Recursor's code quality.
- rbldnsd (link) is a small, fast authoritative-only server for DNS blocklist information (and can also serve other types of zone data).
Coded in C by Michael Tokarev. http://www.corpit.ru/mjt/rbldnsd.html
Licence: GNU GPLv2 or later.
- Technitium DNS Server
(link) is a specialised forwarder with
filtering ("ad blocking") optionally supporting DNS-over-TLS and
DNS-over-HTTPS transports. Includes DHCPd, SOCKS5 proxy support, local
authoritative stub zones.
Coded in C# using .NET Standard 2.0. Runs on Linux using Mono Framework or .NET Core. https://technitium.com/dns/
Licence: GNU GPLv3.
- Twisted Names (link) is an authoritative, caching forwarder, and recursive server, also functioning as a resolver library.
Coded in Python by Twisted Matrix Laboratories (Jp Calderone and others). http://twistedmatrix.com/trac/wiki/TwistedNames
Licence: MIT/X.
- Unbound (link) is a fast, small, modular caching,
recursive server, from the same people (NLnet Labs) who produced
the excellent NSD authoritative-only nameserver, with additional help
from VeriSign, Inc. and Kirei. Unbound does not itself do authoritative
service, but does do "stub-zones" (local data or AS112 zones). It is
claimed to be fully RFC-compliant, including DNSSEC validation.
Also of possible interest is Dnssec-Trigger, an add-on for Unbound running on an end-host (laptop or desktop computer). It signals Unbound to use DHCP-obtained forwarders for DNSSEC-capable nameservice once they have been probed and found accessible, or failing that to use Unbound's own AUTH queries, or failing that to notify the user and switch to unauthenticated DNS only. (As of 2016, this code is experimental.)
Coded in C. http://unbound.net/
Licence: BSD.
- YADIFA (Yet Another DNS
Implementation for All) (link) is an
authoritative server developed by the operators of the .eu TLD. Supports
EDNS0, DNSSEC with NSEC and NSEC3. Includes a SQL back-end alongside
an RFC 1035 ("BIND") zonefile back-end, and dynamic zone updates.
Future versions are planned to include recursive service, caching,
validation of zone data, split horizon, dynamic provisioning of new
domains without restart, forwarding, and a DNSSEC signing service.
Coded in C by EURid coders.
http://www.yadifa.eu/
Licence: 3-clause BSD.
Unmaintained open source packages:
(The July 2008 DNS security blowup made starkly obvious that it's in general dangerous to run poorly maintained DNS nameserver software. Some of the below-cited, unmaintained or apparently neglected codebases may be of interest for other reasons, e.g., adoption for revival & update by sufficiently interested coders.)
- BIND8 (link)
should be scrupulously avoided, for reasons cited above. (Some BIND8
code still lives on, in the DNS resolver library libresolv, shipped as
part of GNU libc = glibc in typical Linux and BSD distributions. This
is regrettable, but the occasional security failures in that codebase
should not be attributed to BIND9. Note that the BIND8-derived 'stub
resolver' in glibc does not enable EDNS0 in its queries.)
Licence: Simple permissive licence with warranty disclaimer.
Note that it is possible via NSS calls (and /etc/nsswitch.conf configuration) to call the BIND9-derived lwresd lightweight recursive daemon (entry about which, please see, below), instead of the legacy BIND8-based code furnished with glibc.
- CustomDNS (link)
was/is an authoritative-only daemon, based on dnsjava, for both static
addresses and its variant form of dynamic DNS. Java and Perl code by
Eric Kidd, based in part on Brian Wellington's dnsjava package.
Unmaintained since July 2000. http://customdns.sourceforge.net/
Licence: LGPL and MIT/X.
- dents (link)
was an authoritative, caching forwarder, and recursive server, fully
supporting zone transfers, but is perennially unfinished, and is almost
certainly dead, at this point. Coded in C by Johannes Erdfelt. http://sourceforge.net/projects/dents/
Licence: GNU GPLv2 or later.
- Eddieware Enhanced DNS Server (aka "lbdns") (link) was/is a load-balancing authoritative DNS server. Coded in Erlang by the Eddie Team. Unmaintained since 2003. http://eddie.sourceforge.net/lbdns.html
Licence: Erlang Public Licence, a Swedish variant of MPL 1.0.
- GnuDIP (link)
was/is an authoritative-only server for Dynamic DNS (supporting the RFC
2136/3147 DNS Dynamic Update protocol) coded in Perl by Mike Machado,
but only "minimally maintained" and needing a new primary maintainer,
a/o 2003. http://gnudip2.sourceforge.net/gnudip-www/
Licence: GNU GPLv2 or later.
- lbnamed (link)
was/is an authoritative-only daemon for static and dynamic information,
with a load-balancing multi-machine architecture, written in Perl by
Roland Schemers. Unmaintained since 2005: See replacement
"Stanford::DNSserver". http://www.stanford.edu/~riepel/lbnamed/
Licence: Newer BSD licence.
- lwresd (link)
was/is a lightweight recursive[-resolver] daemon (thus the name) with
caching, created by ISC (maintainers of BIND9) by stripping down the
recursive and caching code in BIND9 and making it available separately
(as a library). It is local-only, being capable only of listening for
UDP-type port 921 DNS queries on IPv4 loopback address 127.0.0.1 (or one
or more different addresses specified using "lwserver" lines in
/etc/resolv.conf). It is also capable of handing off queries to
separate nameservers listed via "nameserver" lines in /etc/resolv.conf,
as forwarders, but, if there are none such, or if forwarding fails,
falls back on its own internal recursive routines, starting with a
built-in roster of root server hints. Configuration file, closely
following BIND9's named.conf format, is /etc/lwresd.conf.
Because lwresd returns queried values in its own format ("lightweight resolver protocol"), Linux systems will need to also install library nss_lwres, which unfortunately currently (2008) has been unmaintained since 2001 at upstream location ftp://sources.redhat.com/pub/glibc/old-releases/. That "glue" library being present, in turn, permits modifying /etc/nsswitch.conf to call a "lwres" routine (when available) in place of the legacy BIND8-based "dns" routine in glibc. Suggested format for /etc/nsswitch.conf is: "hosts: files lwres [NOTFOUND=return] dns"
As of 2005, lwresd is said to be "stale code" that hasn't been touched in a year or two, doesn't respect DNS TTL, and has a few other issues. Upstream source code is available inside ISC's BIND9 package. http://www.isc.org/software/bind/
Licence: Simple permissive licence with warranty disclaimer.
- moodns (link)
was meant to be an authoritative and recursive server, but never passed
alpha state. Discontinued. Coded in C by Michael Wolf. http://sourceforge.net/projects/moodns/ and http://www.maradns.org/download/non-maradns/
Licence: Newer BSD licence, GNU GPLv2 or later.
- MyDNS (link)
was/is a MySQL or PostgreSQL-based authoritative and caching forwarder
server (no recursive service -- iterative queries only) suitable for
very large sites. In such roles, it's faster and more responsive than
BIND9, even though the latter uses a RAM-based cache. Unmaintained
since 2006, so interested parties should probably look at MyDNS-NG or
PowerDNS, instead. Coded in C by Dan Moore. http://mydns.bboy.net/
Licence: GPLv2 or later.
- Oak DNS Server (link)
was/is an authoritative and recursive server, supporting dynamic DNS
updates and AAAA records. Doesn't need to run privileged. Development
release as of August 2008 is still being [re-]written to take advantage
of the dnspython libraries, and still lacks recursive service or update
support. Coded in Python by Ed Stoner. http://www.maradns.org/download/non-maradns/ (Gone from http://www.digitallumber.com/oak .)
Licence: GNU LGPL.
- Pliant DNS Server (link)
was/is an authoritative and caching forwarder server (no recursive
service -- iterative queries only). Written in the Pliant language by
Hubert Tonneau. Seems to be unmaintained. http://fullpliant.org/pliant/protocol/dns/
Licence: GNU GPLv2.
- Posadis (link) was/is a fast authoritative, caching server, written in C++ by Meilof Veeningen. Sadly unmaintained since 2004. http://posadis.sourceforge.net/ http://www.posadis.org/
Licence: GNU GPLv2 or later.
- SDNS (Secure DNS) (link) was/is an authoritative-only
server, created for the US Federal government (and thus genuinely public
domain) by Anthony Carathimas, Eric Thomas, Fred Cohen, and Darrian Hale
at Sandia Labs in the 1990s, with the specific aim of high security.
Last maintained, 2001.
http://www.maradns.org/download/non-maradns/sdns.tar.bz2
Licence: Actual, real public domain.
- Stanford::DNSserver (link)
was/is lbnamed (see separate entry), reworked and packaged as a Perl
module by Rob Riepel and others. Last maintained April 2006. http://www.stanford.edu/~riepel/lbnamed/Stanford-DNSserver/
Licence: Newer BSD licence.
- Trick or Treat Daemon (ToTD) (link)
was/is a small caching forwarder server, suitable for small networks
and workstations. Coded in C by Feike W. Dillema and members of the
WIDE Project. http://www.vermicelli.pasta.cs.uit.no/software/totd.html Last maintained August 2006.
Licence: Simple permissive licence (Dillema's code) and older BSD licence (WIDE Project code).
- Yaku-NS (formerly ENS) (link)
was/is a small, fast authoritative, caching forwarder, fully supporting
zone transfers, aimed at embedded use. Does internal chroot, and
attempts to prevent stack-smashing. Coded in C by Salvatore Sanfilippo.
Appears to be unmaintained. https://github.com/antirez/yaku-ns
Licence: GNU GPLv2 or later.
Related software:
- GNU adns (link) is a resolver library for C (and C++) programs, and a collection of useful resolver utilities, coded in C by Ian Jackson. http://www.chiark.greenend.org.uk/~ian/adns/
Licence: GNU GPLv2 or later.
- Ares (link) is an asynchronous resolver library in C by Greg Hudson. ftp://athena-dist.mit.edu/pub/ATHENA/ares/
Licence: MIT/X.
- BIND DLZ (BIND Dynamically Loadable Zones) (link)
is a set of patches for BIND9 to make it use your choice of numerous
back-end databases instead of flatfile RFC 1035 ("BIND") zonefiles, and
reduce memory usage (since BIND9 no longer needs to load everything into
RAM at once). Coded in C by Rob Butler. http://bind-dlz.sourceforge.net/
Licence: Simple permissive licence with warranty disclaimer.
- Constrict (link)
is a Python library for access to information parsed from the libbind
library provided by BIND8. Coded in Python by Jason Smith. http://www.oes.co.th/projects/Constrict
Licence: GNU GPLv2.
- dnsibs (link)
is a daemon offering Perl/CPAN code (notably the Mail::SpamCannibal
anti-spam tool and dbtarpit) access to DNS blocklist data stored in a
BerkeleyDB database. (It apparently doesn't serve up normal sorts of
DNS information, which is why I put it in the "related" category.) It's
coded in C by Michael Robinton.
http://www.spamcannibal.org/docs/dnsbls.html
Licence: GNU GPLv2 or later.
- dnspython (link) is a Python toolkit for programmatic access to DNS functions, by Bob Halley. http://www.dnspython.org/
Licence: Simple permissive licence with attribution requirement and warranty disclaimer.
- FireDNS (link)
is a resolver library with emphasis on speed and asynchronous
processing. Has low-timeout blocking functions. Can be used to replace
standard libc resolver library functions like getbyhostname with much
faster equivalent code. Written in C by Ian Gulliver. http://firestuff.org/projects/firedns/
Licence: GNU GPLv2.
- LDAP sdb (link)
is a patch to enable BIND9 to reach an LDAP back-end database instead
of flatfile RFC 1035 ("BIND") zonefiles, using the simplified database
interface "sdb". Coded in C by Stig Venaas. http://www.venaas.no/ldap/bind-sdb/
Licence: Simple permissive licence with warranty disclaimer.
- ldns (link) is a library for access to DNS/DNSSEC data, relying on CPAN's NET::DNS module. Written in C by NLnet Labs.
http://www.nlnetlabs.nl/ldns/
Licence: Newer BSD licence.
- nscd (link), name service caching daemon, is a local cache with no other nameserver functionality, providing caching of host, passwd, and group database data. The hosts data caches both positive and negative results data, in separate caches. nscd is furnished as part of the glibc codebase, and is a reimplementation of an idea first provided in Sun Solaris. It is needed primarily on hosts using slow authentication services such as NIS, NIS+, and LDAP. The glibc/Linux implementation is notorious for being a bit buggy.
Licence: GNU GPLv2.
- Net::DNS (link) is a resolver library, coded in Perl by Michael Fuhr, Olaf Kolkman, and Chris Reinhardt. http://www.net-dns.org/
Licence: GNU GPLv2 or later, or Artistic Licence.
- Poslib (link) is a resolver library and authoritative-server library in C++ by Meilof Veeningen. http://posadis.sourceforge.net/poslib/
Licence: GNU GPLv2 or later.
- Resolvconf (link) is a client- (resolver-) side utility to
mediate write access to the DNS client's /etc/resolv.conf file, keeping
track of nameservers listed there and preventing multiple packages (DHCP
clients, system-local nameservers, other) updating that file from
interfering with each other. For it to work, software touching
/etc/resolv.conf must be Resolvconf-aware. At this writing (2009-08),
most but not all such software is Resolvconf-aware. There are two
implementations: Original/Debian Resolvconf, http://packages.qa.debian.org/r/resolvconf.html coded
in C by Thomas Hood; and Openresolv, http://roy.marples.name/projects/openresolv, coded in C by Ray Marples.
Licence: GPLv2 (Hood's).
Licence: BSD Licence (Marples's).
- skadns (link) is a small, asynchronous resolver library, coded in C by Laurent Bercot. http://www.skarnet.org/software/skadns/
Licence: Original BSD licence with advertising clause.
- systemd-resolved (link), one of the constituent binaries in systemd, has included a caching stub resolver routine since August 2014.
Licence: GNU LGPLv2.1 or later.
- unscd (link),
micro name service caching daemon, is a local cache with no other
nameserver functionality, providing caching of host, passwd, and group
database data. The hosts data caches both positive and negative results
data, in separate caches. unscd is a from-scratch reimplementation by
Denys Vlasenko of the design of glibc's nscd, with the aim of avoiding
nscd's bugs and offering more crashproof operation by running a threaded
process that offloads NSS lookups to child worker processes. It is
needed primarily on hosts using slow authentication services such as
NIS, NIS+, and LDAP.
Licence: GNU GPLv2.
Cheers,
Rick Moen
rick@linuxmafia.com
"Before enlightenment, caffeine. After enlightenment, caffeine."
Proprietary software:
- ANS: Authoritative Name Server (Nominum, Inc.) http://www.nominum.com/products/authoritative_name_server.php
- AnswerX (Akamai) - https://www.akamai.com/us/en/products/network-operator/dnsi-cacheserve.jsp
- ATLAS (Verisign) - http://www.verisign.com/information-services/ATLAS/ Appears to be a Verisign-hosted service offering, only, not an externally available software product.
- BINDPlus (Information Network Eng. Group, Inc.) (appears to be defunct since late 1990s; was promoted by Jeffrey A. Williams)
- Cisco Network Registrar (Cisco Systems, Inc.) - http://www.cisco.com/en/US/products/sw/netmgtsw/ps1982/
- CNS: Caching Name Server (Nominum, Inc.) https://partners.nominum.com/products.php?id=1
- Global Name Service (Nominum, Inc.): Was a hosted service only, and is now discontinued.
- IPControl (BT Global Services, formerly International Network Services, Inc.) - proprietary extensions to BIND9 http://www.globalservices.bt.com/LeafAction.do?RecNo=33: available lately only as "IPControl Sapphire Appliances" embedded appliance code, no longer just as software.
- NeDNS (Neteka, Inc.) - company's Web site has disappeared; product is apparently discontinued. Cited at http://directory.fsf.org/project/NeDNS/ (and was a patched version of BIND8 with support for "ACE-encoded" name records)
- Men & Mice Suite (formerly QuickDNS Pro, formerly QuickDNS; from Men&Mice) http://www.menandmice.com/
- Name Commander (formerly DNS Commander; from Incognito Software, Inc.) - http://www.incognito.com/products/name-commander/
- NxFilter from Jahastech is a forwarding, caching, authoritative DNS server primarily intended for filtering of DNS, coded in Java. https://nxfilter.org/p3/
- SheerDNS is an authoritative-only server with the unique distinction of storing each of its zone records in its own separate file, to facilitate atomic updates without restarting. Author probably intended to create open source but failed to specify a licence. (2009 update: I've talked about this problem, via e-mail, with author Paul Sheer. He is aware of not granting the right to independently maintain or redistribute this code, and has no intention to grant any additional rights to it.) Unmaintained since 2005. http://threading.2038bug.com/sheerdns/
- sqldjbdns/sqldns/pgsqldns http://untroubled.org/sqldjbdns/: a patched version of djbdns 1.02 that back-ends data into PostgreSQL. Author's patch code is under GPL v. 2 or later, but Daniel J. Bernstein has never purported to put djbdns 1.02 into "public domain", only v. 1.05.
- Secure64 DNS Authority (Secure64) https://secure64.com/products/secure64-dns-authority/ is an authoritative nameserver bundled with a custom Linux distribution.
- Secure64 DNS Cache (Secure64) https://secure64.com/products/secure64-dns-cache/ is a recursive server bundled with a custom Linux distribution.
- UltraDNS (UltraDNS Corporation) http://ultradns.com/: Appears to be a hosted service offering, only, not an externally available software product.
- Vantio Base Server (Nominum, Inc.) - http://www.nominum.com/products/vantio_base_server.php
- VitalQIP (Alcatel-Lucent, formerly Lucent Technologies, Inc.) - proprietary extensions to BIND9 to support names from DHCP and integrate with Microsoft Active Directory / Microsoft DNS http://enterprise.alcatel-lucent.com/?product=VitalQIP&page=overview
See also:
- Stephane Bortzmeyer's article "The choices for a nameserver", comparing BIND9, NSD, and PowerDNS.
- Brad Knowles's "Domain Name Server Comparison" presentations at LISA 2002 and RIPE 44.
- MaraDNS author Sam Trenholme's DNS software pages: (1, 2)
To do:
http://www.corpit.ru/mjt/udns.html
http://daniel.haxx.se/projects/c-ares/ c-ares by Daniel Stenberg and
others (derived from the ares library written by Greg Hudson at MIT).
Asynchronous. See notes on http://www.corpit.ru/mjt/udns.html about it
and adns.
Notes about libresolv at https://lwn.net/Articles/665055/ .
ldns https://www.nlnetlabs.nl/projects/ldns/
systemd-resolved.service stub resolver, etc.
https://github.com/coredns/coredns
More at https://packages.gentoo.org/categories/net-dns
from http://linuxmafia.com/faq/Network_Other/dns-servers.html
---------
djbdns
Other DNS software
Management tools
twa lets authorized browsers edit the tinydns data file.
ldap2dns converts an LDAP DNS database to a tinydns data file. tinyadmin is a graphical interface to the LDAP DNS database used by ldap2dns.
mkdns converts a MySQL DNS database to a tinydns data file. It lets authorized browsers edit the MySQL DNS database.
sql2tinydns is similar to mkdns.
dhcp_dns watches dhcpd for new DHCP address assignments, and publishes those addresses through tinydns.
tinydyndns publishes dynamic IP addresses authenticated through POP connections.
Servers
ldapdns publishes DNS information from an LDAP database.
MyDNS publishes DNS information from a MySQL database.
Posadis publishes DNS information from BIND-style zone files. Security history: Buffer overflow, allowing attackers around the Internet to take control of the server; fixed in m5pre2 (2002.03.30). Someone announced an exploitable buffer overflow in m5pre2 a few weeks later; the history here isn't clear from the Posadis web pages.
NSD publishes DNS information from BIND-style zone files. Security history: Unclear. The NSD documentation includes bugs like ``Very strange coredump in hash_destroy() that happens sometimes'' without any analysis of their security impact. Is that an exploitable buffer overflow?
PowerDNS publishes DNS information from MySQL databases, PostgreSQL databases, Oracle databases, IBM databases, LDAP databases, or BIND-style zone files. Security history: Unclear, like the NSD security history.
MaraDNS is a general-purpose DNS server.
lbnamed is a load-balancing DNS server.
lbdns is another load-balancing DNS server.
Oak DNS Server is a good example of why novices shouldn't try to write DNS software. The digitallumber.net domain, served by Oak DNS Server 1.0, is inaccessible to a huge number of clients that try AAAA lookups before A lookups: the server incorrectly returns NXDOMAIN for AAAA, effectively wiping out its own A record.
Caches
pdnsd is a DNS cache. Security history: Remotely exploitable buffer overflow; fixed in 1.1.7a (2002.01.18).
MaraDNS can act as a cache.
I don't know why anyone would want to use these caches in place of dnscache.
DNS clients
adns is a DNS client library.
ares is a DNS client library.
perldns is a DNS client library for Perl.
The Buggy Internet Name Daemon
BIND is a monolithic server/cache; it also includes a client library, libresolv. Security history: IQUERY buffer overflow in BIND before 8.1.2-T3B (1998); NXT buffer overflow in BIND before 8.2.2-P4 (1999); nslookupcomplain buffer overflow in BIND before 4.9.8 (2001); TSIG buffer overflow in BIND before 8.2.3 (2001); CNAME buffer overflow in libresolv before 4.9.9/8.2.6/8.3.3/9.2.2 (2002); SIG buffer overflow in BIND before 4.9.11/8.3.4 (2002); getnetbyname buffer overflow in libresolv before 4.9.11 (2002). All of these allowed attackers around the Internet to seize control of the program.
from http://cr.yp.to/djbdns/other.html