
Wednesday, 31 July 2019

DNS server software

Here is a list of DNS software that is open source, is currently (as of 2016) being maintained, and that has authoritative and recursive DNSSEC support:
  • BIND is the swiss army knife of DNS servers. It has a lot of features and can do pretty much everything. It's also a big binary and sometimes difficult to configure. CVE. BIND supports DNSSEC.
  • Unbound and NSD make up a suite of DNS servers; they are both from NLnet Labs. Basically, one (NSD) puts your web page on the Internet; the other (Unbound) looks for web pages on the Internet. NSD CVE (none of those entries appear to point to NSD; it appears to have no CVE entries). Unbound CVE. Both support DNSSEC.
  • Knot DNS and Knot Resolver are two new DNS servers for the 2010s (an authoritative and recursive component); the recursive resolver is from 2016. Both support modern DNS features, such as DNSSEC. Like NSD and Unbound, Knot DNS serves DNS records and Knot Resolver looks for DNS records on the Internet. So far, there do not appear to be any CVE reports for either server, but both packages are fairly new. There’s a good writeup at LWN by the implementer about Knot DNS.
  • PowerDNS (which like Unbound/NSD, is two separate programs) has a lot of flexibility with connecting to databases or what not to resolve a DNS name. Used by Wikimedia, among others. CVE.
Here are some other DNS servers:
  • DjbDNS. Great tiny two-program DNS suite that sadly hasn't been updated by DJB since 2001. Yes, it does have security problems (that's a CVE link). Note that there are at least two security issues with DjbDNS which do not have CVE numbers. For anyone who wants to use DjbDNS, use N-DjbDNS, which is (as of mid-2015) patched against all known security holes.
    There are patches to give the authoritative half DNSSEC support; there is no DNSSEC support for the recursor.
  • MaraDNS. It was once a single program, now two separate programs (like Unbound/NSD and PowerDNS). Easy to configure; tiny binary suitable for embedded systems. CVE. MaraDNS does not support DNSSEC or EDNS.
There are many, many other DNS servers, both open source and non-open source. Here is an incomplete list of the open source ones: DnsMasq, pdnsd, Posadis, MyDNS, MyDNS-ng, SDNS (public domain, local download link), DnsJAVA.

Other lists

from https://maradns.samiam.org/dns_software.html
---------------

DNS Server (and Related) Software for Unix

Here is a list of the real choices, comparing and contrasting BIND9 with all known alternative DNS server implementations for Unixes -- many that in particular deployments will prove superior:

Table of Contents

  • Maintained open source packages
  • Unmaintained open source packages (deprecated!)
  • Related Software
  • Proprietary Software (see list at page bottom)

Guide for the Perplexed

If like most people you are unclear on how a recursive nameserver, an authoritative nameserver, and a forwarding nameserver differ, please see my explanatory anecdote: 1, 2.


Maintained open source packages:


  • BIND9 (link) is a full-featured recursive, authoritative, and caching nameserver, bundled with a resolver client library. This is a from-scratch rewrite of the hopelessly spaghetti-coded legacy BIND8 codebase that Paul Vixie inherited from UC Berkeley: Vixie commissioned its creation by Nominum, Inc., who wrote it solely from the BIND8 specifications without reference to the old codebase.

    Coded in C.
    http://www.isc.org/software/bind/
    Licence: ISC Licence, a simple permissive licence with warranty disclaimer.
    Dovecot imapd author Timo Sirainen posted in 2007 some comments (warning: unmaintained page): Code relies on several ISC wrapper libraries for key functions, code has lots of asserts and sanity checks, "in general the code just feels heavy — functions have tons of variables, some functions are huge, locks for thread safety, lots of goto jumping to deinitialization parts if something went wrong".
    BIND9 is slow and large compared to many competitors, and the monolithic codebase seems overfeatured.
  • Bundy (link) is an authoritative server and DHCP daemon, initially (2010) developed as BIND10 at ISC, and then handed off (in 2014) to third-party developers when ISC decided to refocus on improving BIND9.

    Coded in C++ and Python.
    http://bundy-dns.de/
    Licence: ISC Licence, a simple permissive licence with warranty disclaimer.
  • CurveDNS (link) is a caching forwarder server capable of either forwarding regular (non-authenticated) DNS packets, or of boxing DNSCurve-authenticated queries and forwarding the resulting regular DNS packets and then boxing the resulting regular DNS responses to DNSCurve-authenticated responses. It supports both DNSCurve's streamlined and TXT formats, caching of shared secrets, both UDP and TCP, and both IPv4 and IPv6. Thus, you would normally deploy it as the DNSCurve-supporting front-end to a different authoritative nameserver.
    Coded in C by Harm van Tilborg, Jeroen Scheerder, and Lieuwe Jan Koning. Compilation requires Marc Lehmann's libev and the Computer Aided Cryptography Engineering project's NaCl (Networking and Cryptography library). Daniel J. Bernstein's daemontools are recommended but not required for management.
    http://curvedns.on2it.net/
    Licence: 2-clause BSD licence.
  • Deadwood (link) is a recursive server with several enhancements, for Unix and Win32, by Sam Trenholme, author of MaraDNS (for whose recursive component it's a compatible replacement). Deadwood is implemented as a non-threading daemon.
    At this writing (2010-10-05), Deadwood v. 3.0.01 is a feature-complete release. It's very small and fast: One 2.9 beta was the second smallest executable among recursive nameservers for Unix at 64,418 bytes as compiled for CentOS 5, versus zinq-djbdns's dnscache at 45,016 bytes, compiling using "-Os" optimisation and stripping the binary. (Unmodified dnscache v. 1.05, not recommended on account of unfixed bugs, weighs in at 43,644 bytes using the same options.)
    Comparing Win32 versions, the Deadwood beta's binary was 144,237 bytes (-O3 compiler optimisation and unstripped), PowerDNS recursor is 503,860 bytes (prebuilt binary), Unbound is 1,745,920 bytes (prebuilt binary), and BIND9 is 4,055,552 bytes (prebuilt binary).
    Enhancements over dnscache's basic recursive service:
    • "DNS wall" that filters any private IP addresses out of DNS responses to protect networks against DNS rebinding attacks.
    • Ability to read and write the cache to disk.
    • Optional ability to "resurrect" domains by serving expired data from cache if no data within TTL can be fetched.
    • Ability to filter out AAAA IPv6 responses (or to compile in full IPv6 support if desired).
    • Code that stops AR-injection spoof attacks.
    • Multiple inflight merging.
    • Flexible parser for server configuration files.
    • Support for DNS responses over TCP transport.
    • Caching of CNAME responses.
    • Caching of SOA responses.
    • Ability to countermand upstream NXDOMAIN redirections (ip_blacklist feature).
    Deadwood can be compiled for either Win32 or for Linux, and is available as source code. (Win32 binaries are available for download.) Linux functionality has been (thus far) author-tested on CentOS 5 only.
    Coded in C by Sam Trenholme.
    http://maradns.samiam.org/deadwood/
    Licence: Two-clause BSD licence.
  • djbdns (link) is a suite of specialised-role, related DNS server utilities (and two client pieces) by Daniel J. Bernstein, Research Professor, Department of Computer Science, University of Illinois at Chicago and author of the qmail MTA.
    (I'm being charitable in classifying djbdns as a "maintained offering", because, even though it was orphaned in 2001, its newly (a/o 2007) open-source (arguably) legal status permits third-party maintainers to put together an unofficial 1.06 release to bring it into the 21st century -- which may or may not happen but is worth hoping for.)
    • djbdns is an omnibus package of all of Bernstein's DNS server software.
    • tinydns is the authoritative-only DNS daemon.
    • dnscache is the caching recursive server. It is so far (2008) unique among *ix recursive nameservers in implementing this functionality without needing to use threading.
    • walldns is the specialised authoritative-only DNS daemon for reverse-zone data, designed to minimise public leakage of inside host data.
    • rbldns is the specialised authoritative-only DNS daemon for DNS blocklist data about blocks of IP addresses such as dial-up IP lists.
    • axfrdns is the TCP-based AXFR zone-transfer server. It also handles some other TCP-based queries, such as requests for SOA records and (rare) DNS replies exceeding the 512-byte maximum size of a (regular, non-EDNS0) UDP datagram. As a consequence of its ability to output RFC 1035 ("BIND") zonefiles for AXFR zone transfers, axfrdns is also usable as a format converter. (NOTE: Absent third-party patches, the various djbdns utilities omit support for IETF NOTIFY, IXFR, outgoing AXFR, DNSSEC, TSIG, A6, DNAME, bitstring labels, Dynamic DNS, negative TTLs (NCACHE), and other modern DNS features.) It is generally a good idea to set up axfrdns running on the same IP as tinydns, if you want support for large packets, or will offer zone transfers.
    • axfr-get is the AXFR zone-transfer client, pulling down other authoritative servers' data in RFC 1035 ("BIND") format and writing that data in tinydns's database format.
    • dns is the DNS client library.
    • pickdns was the DNS load-balancing utility, but its functions were merged into tinydns as of djbdns v. 1.04 and above.
    Through 2007, fans of djbdns (and components thereof) would often assert that it was "free software" or "open source". It was not. However, in late 2007, Bernstein asserted that djbdns (like qmail) would prospectively become public domain by his own fiat.
    Dovecot imapd author Timo Sirainen posted in 2005 some comments (warning: unmaintained page).
    Recommended patches: Codebase has been unmaintained since v. 1.05 in 2001, except for through third-party patches. In consequence, until someone collects, merges, and harmonises a reasonable set of those patches (2009-09-08 note: There are now four forks, as noted below), users must collect and apply the following fixes to the v. 1.05 source tree, and compile locally:
    • Do 'echo "gcc -O2 -include /usr/include/errno.h" > conf-cc' (conf-cc holds the compiler command line used for the whole build), to make the djbdns tools' source code compilable with modern Linux C libraries (updating the errno definitions in djbdns and tcpserver),
    • apply a dnscache patch to prevent it from dying if it is remotely DoSed by an attacker sending it the SIGPIPE signal and then closing the socket before the write finishes (i.e., the patch makes dnscache ignore SIGPIPE),
    • apply a tinydns patch to reduce mmap() overhead,
    • apply a dnscache patch to add support for negative TTLs (caching of unsuccessful lookup results),
    • apply a dnscache patch (1, 2) to prevent it erroneously returning SERVFAIL on some queries over TCP,
    • apply a dnscache patch to support oversized UDP packets up to 4096 bytes in length (while still correctly truncating responses over 512 bytes when sending them to stub resolvers over UDP),
    • apply two dnscache patches to make it become willing to cache SOA records, and to send only one response back to each flood of identical requests, thus greatly increasing the program's resistance to cache poisoning,
    • apply a tinydns patch (1, 2) to add native support for SRV RRs (not strictly necessary for creation of SRV records or other unsupported types such as AAAA, SPF, TXT, NAPTR, and DomainKeys, as you can always use the generic record format for arbitrary data types -- but nice to have as "syntactic sugar" -- and please note that proper native support for IPv6 has larger issues than just AAAA support),
    • apply a tinydns patch to fix a file-descriptor leak,
    • apply a tinydns patch making its error-handling on zonefile syntax errors more robust (obviously not an essential patch, but helpful),
    • apply a dnscache patch to make its logging less chatty,
    • apply two patches to fix dnscache's, tinydns's, and axfrdns's erroneous treatment of CNAMEs (1, 2),
    • apply (on Linux only) an epoll patch (to speed up various djbdns tools by using Linux 2.6.x's "epoll(4)" I/O event notification facility instead of "poll(2)"),
    • apply one of two patches (where one's usage model makes this useful) to make the various djbdns tools support binding to multiple IPs (1, 2) -- and, in fairness, the Bernstein-recommended alternative of running multiple daemon instances, one per IP, is usually fairly practical and has operational advantages,
    • apply a dnscache patch to update the (obsolete) root servers list,
    • apply a dnscache patch to its use of the Recursion Desired ("RD") bit, to make dnscache able to function correctly in a pure forwarding role (if you happen to need it in that role),
    • apply a "dns" (djbdns client library, if you happen to use that module) patch to correct a bad coding choice that makes it unable to correctly deal with the hostname of a recursive or forwarding server that maps to multiple IP addresses,
    • either tune dnscache's fixed-upper-bounded (but configurable) cache size to local requirements, or comment out dnscache's cache.c source line that limits the upper bound on cache size to 10^9 bytes by default ("if (cachesize > 1000000000) cachesize = 1000000000;"), to let it float, and
    • apply an axfrdns and tinydns patch to correct a security-damaging bug in large-packet TCP data handling that permits a limited form of cache poisoning.
    • Patch dnscache to add use of SipHash, a pseudo-random function useful for fixing a problem discovered in 2012 with dnscache's djb33 hash function that makes dnscache vulnerable to cache poisoning (by inducing collisions in the hash table).
    • You also might want manpages, which, unbelievably, are deliberately missing from most of Bernstein's software.
    (Caveat coder: I cannot vouch for the quality of those code snippets, nor guarantee that they won't cause other problems or be mutually incompatible. I know only that they were efforts to address real deficiencies in the base code.)
    Also tinydns.org and Jonathan de Boyne Pollard's page document other problems that might warrant patching before compilation. Some problems will remain, such as frequent failure to resolve Akamai and some other companies' DNS (on account of their use of admittedly ugly and baroque delegations without glue records), where other nameservers will have no problems.
    It should also be noted that, by default, djbdns requires ancillary package ucspi-tcp (Bernstein's idiosyncratic superserver, though there are ways to substitute xinetd/inetd, etc.) and also recommends daemontools (Bernstein's idiosyncratic toolset for managing system services, though there are workarounds (1, 2) to avoid most of that need). Daemontools, if used, enforces a non-standard filesystem hierarchy for its and djbdns's components.
    djbdns (specifically, dnscache) was the first recursive nameserver to randomise query source UDP ports as a security precaution, and to separate recursive and authoritative service, which is best practice.
    Critical claims to the contrary notwithstanding, it is indeed possible to run dnscache and tinydns on the same IP. See Felix von Leitner's djbdns FAQ for that and other common questions.
    Coded in C by Daniel J. Bernstein.
    http://cr.yp.to/djbdns.html
    Licence: Asserted to be "public domain".
    • zinq-djbdns: (link) Mark Johnson has created a maintained fork of djbdns as part of his umbrella project of adopting Dan Bernstein's unmaintained software. Thus the term "zinq", which is from Zinq Is Not Qmail. As of v. 0.05, it adds these changes to Bernstein's v. 1.05:
      Updated obsolete root-nameservers roster "dnsroots.global"
      Uses automake/autoconf, instead of Bernstein's build process, and got rid of spurious compiler warnings.
      Applied the patch to dnscache to make it ignore SIGPIPE, which can be used to DoS it.
      Patched dnscache to quadruple its upper bound on cache size from 10^9 bytes to 4x10^9 bytes.
      Patched dnscache to prevent it erroneously returning SERVFAIL on some queries over TCP.
      Patched dnscache to support oversized UDP packets up to 4096 bytes in length (while still correctly truncating responses over 512 bytes when sending them to stub resolvers over UDP).
      Patched tinydns to add native support for SRV and NAPTR records.
      Supplied manpages, from Gerrit Pape's set.
      Patched axfrdns and tinydns to correct a security-damaging bug in large-packet TCP data handling that permits a limited form of cache poisoning.
      Coded in C by Mark Johnson and Daniel J. Bernstein.
      Formerly at http://sourceforge.net/projects/zinq/ (which no longer exists); seems to have moved a/o 2010 to https://github.com/tenchman/TTLinux/tree/master/apps/dns/zinq-djbdns
      Last maintained in 2010.
      Licence: Asserted to be "public domain".
    • Debian djbdns/dbndns: (link) Debian developer Gerrit Pape maintains four Debian binary packages (dbndns, djbdns, dnscache-run, tinydns-run) based on one Debian source package (djbdns). Pape applies these changes to Bernstein's v. 1.05:
      In both binary packages "djbdns" and "dbndns":
      Supplied manpages (by Gerrit Pape).
      Patched to use glibc, system errno.h headers.
      Updated the /etc/dnsroots.global configuration file to replace obsolete root nameservers list.
      Patched to support parallel build through "make -j".
      Patched to install binaries into /usr/bin.
      Patched to make daemontools, ucspi-tcp "Recommends" rather than "Depends" packages.
      Patched axfrdns and tinydns to correct a security-damaging bug in large-packet TCP data handling that permits a limited form of cache poisoning.

      Applied to binary package "dbndns" only:
      Patched tinydns to add native IPV6 support.
      Patched to allow a maximum of 20 concurrent outgoing SOA queries to harden it against remote spoofers of DNS responses (but this patch may soon be backed out).
      I haven't worked through binary package dnscache-run's and tinydns-run's metadata to see what patches Pape applied to them, but it's whichever subset of his patches are applicable from those used to create binary package "djbdns".
      Coded in C by Gerrit Pape and Daniel J. Bernstein.
      http://packages.qa.debian.org/d/djbdns.html
      https://tracker.debian.org/pkg/djbdns
      Licence: Asserted to be "public domain".
    • N-DJBDNS: (link) Red Hat developer Prasad J. Pandit has created a djbdns fork and proposed it (2009-03) for inclusion in Fedora Project. Prasad's fork was named RH-djbdns until July 2011, when he renamed it njbdns (new djbdns), later modified to N-DJBDNS. As of v. 1.05.3 (2009-08-17), it adds these changes to Bernstein's v. 1.05:
      Uses automake/autoconf, instead of Bernstein's build process.
      Works with /sbin/service.
      No longer requires daemontools.
      tinydns now reads /etc/djbdns/tinydns.conf and logs to /var/log/tinydns.log. Default installation destination prefix is /usr/ (in the RPM .spec file).
      Changed dnscache conffile to /etc/djbdns/dnscache.conf
      Changed dnscache to log to /var/log/dnscache.log, write PID file to /var/run/dnscache.pid, and accept some command-line options.
      Patched axfrdns and tinydns to correct a security-damaging bug in large-packet TCP data handling that permits a limited form of cache poisoning.
      Patched dnscache to prevent it erroneously returning SERVFAIL on some queries over TCP.
      Patched dnscache to update obsolete root nameservers list.
      Applied the patch to dnscache to make it ignore SIGPIPE, which can be used to DoS it.
      Patched to use system errno.h headers.
      Renamed CHANGES to ChangeLog, added Pandit's entries.
      Changed various utils to use system header files.
      Some comments added, and a more-conventional coding style applied. All coding made portable to FreeBSD and probably other Unixes. New manuals for several commands. Commands now accept command-line options.
      As of 1.05.3, only the following djbdns tools are (thus far) compiled/installed: dnscache, dnsipq, dnsq, dnstracesort, tinydns, tinydns-data, tinydns-edit, tinydns-get, dnstrace, and a couple more. Pandit is proceeding to revamp the other pieces, gradually.
      Coded in C by Prasad J. Pandit and Daniel J. Bernstein.
      http://pjp.dgplug.org/djbdns/
      (.spec file, source, SRPM, bugzilla)
      Licence: GNU GPLv2 or later. (See .spec file.)
    • LolDNS: (link) Joshua Small created the LolDNS fork of djbdns 1.05 in February 2009, to "go beyond the many current forks of just perpetuating the product, and to actually do away with the things that djbdns used to get slammed for."
      Patched to use glibc, system errno.h headers.
      Patched to no longer require daemontools, ucspi-tcp.
      Patched to add an equivalent to BIND9's $GENERATE auto-generated entry directive.
      Patched to add support for SRV records.
      Patched to support binding to multiple IP addresses.
      Patched to call chroot() before dropping privilege.
      Adds new management and logging daemons.
      Coded in C by Joshua Small and Daniel J. Bernstein.
      https://lolware.net/2013/09/23/loldns.html
      http://lolware.net/loldns-STABLE5.tar.gz https://github.com/technion/loldns
      Note: Small recommends checking out the latest svn trunk snapshot, instead of using tarball code.
      Licence: Joshua Small has specified a licence of his own devising for his additions to Bernstein's code, the first two clauses of which grant a simple BSDish permissive licence (making code usable for any purpose; derivative works can be created and distributed by anyone), provided that there is no warranty (third clause) and that Small's small graphical "so much win" image remains included in some way (the fourth and final clause). Daniel Bernstein has asserted his v. 1.05 base code to be "public domain".
  • DNRD (Domain Name Relay Daemon) (link) is a small caching-only server for NAT / IPmasq networks.
    Coded in C by Natanael Copa, Brad Garcia, and Nathan Angelacos.
    https://github.com/benjaminpetrin/dnrd, formerly at
    http://dnrd.sourceforge.net/.
    Licence: GNU GPLv2 or later.
  • dnsjava (link) is an authoritative-only server, DDNS client, and related tools, written in Java by Brian Wellington. Patched only on Aug. 6, 2008 to randomise UDP source ports for recursive queries as a security precaution. http://www.dnsjava.org/
    Licence: Newer BSD licence.
  • Dnsmasq (link) is a small caching forwarder server (no recursive service -- iterative queries only) with local-only authoritative service for a group of NATted / IPmasqued machines (optionally pulling names from DHCP leases).
    This package is often embedded in firewall/gateway appliance boxes. Did not implement serious randomisation of source UDP ports on outgoing recursive queries as a security precaution until July 11, 2008 (v. 4.3), when the use of inadequate system-libc random number generators was junked and replaced with Dan Bernstein's SURF random number generator, borrowed from dnscache.
    Coded in C by Simon Kelley.
    http://www.thekelleys.org.uk/dnsmasq/
    Licence: GNU GPLv2 or later.
  • dnsproxy (link) is a proxy daemon that answers 53/tcp & 53/udp DNS queries, and forwards the recursive and authoritative queries separately so a pair of specialised daemons (e.g., NSD and Unbound, or tinydns and dnscache) can handle each, but still only use a single public-facing IP address. The two daemons accepting the forwards may be local or they might be elsewhere (as in a firewall situation). Requires libevent. Runs chrooted and unprivileged.
    Coded in C by Armin Wolfermann.
    http://wolfermann.org/dnsproxy.html
    Licence: MIT Licence.
  • dproxy (link) was/is a small caching forwarder server with a disk-based cache, suitable for small networks and workstations.
    Coded in C by Matthew Pratt. As of 2016, the legacy dproxy 1.x code has been unmaintained since 2005, but the dproxy-nexgen code at GitHub appears to be maintained (updated 2014).
    https://github.com/vicgarin/Actiontec-V1000H/tree/master/bcm963xx_V1000H-31-121L-11/userspace/gpl/apps/dproxy-nexgen
    https://sourceforge.net/projects/dproxy/
    Licence: GNU GPLv2 or later.
  • gdnsd (Geographic DNS Daemon) (link) is an authoritative-only non-caching server with native support for DNSCurve authentication of DNS contents. The "geographic" in its name refers to its plugin interface for geographic (or other sorts of) balancing, redirection, and service-state-conscious failover, which is an optional capability. Several example plugins are provided, including gdnsd-plugin-georeg, which uses MaxMind's commercial Region-format database to do geographic balancing and failover of a given hostname to a set of geographically dispersed IP addresses. A basic HTTP monitoring service for failover is included, as are hooks for implementing other failover methods. Compilation requires pthread support, Marc Lehmann's libev, and the Computer Aided Cryptography Engineering project's NaCl (Networking and Cryptography library).
    Coded in C by Brandon Black for Logitech, Inc.
    https://github.com/gdnsd/gdnsd, formerly at
    http://code.google.com/p/gdnsd/
    Licence: GNU GPLv3 or later.
  • Knot DNS (link) is an authoritative-only server developed by CZ.NIC, the .CZ domain registry, with particular emphasis on suitability for TLD operators. It is implemented as a threaded daemon using a number of programming techniques to make it very fast, notably read-copy-update. Code is mostly lock-free, scales well on SMP systems, and operates non-stop even when adding or removing zones. Supports DNSSEC and EDNS0 extensions including NSEC3. Does AXFR/IXFR. Supports dynamic updates, response rate limiting, automatic DNSSEC signing.

    Runtime depends on several libraries including userspace-rcu. Configuration files use simplified YAML format.
    Coded in C by the CZ.NIC team.
    https://www.knot-dns.cz
    Licence: GNU GPLv3 or later.
  • ldapdns (link) is an LDAP database-based authoritative and caching server (no recursive service -- iterative queries only). Despite use of a database, it's much faster than BIND9.
    Coded in C by "Mrs. Brisby".
    http://ldapdns.sourceforge.net/
    Licence: GNU GPLv2 or later.
  • MaraDNS (link) is a general-purpose, fast, lightweight, authoritative, caching forwarder, and recursive server, fully supporting zone transfers, which runs unprivileged, performs its own chroot, and includes its own buffer-overflow-resistant string library and random number generator. Module "zoneserver" does authoritative service only. Module "maradns" can do both recursive and authoritative DNS. Includes a converter Python script to convert zonefiles from RFC 1035 ("BIND") format to MaraDNS's similar "csv2" format. Code uses RAM-based caching. Daemon must currently be restarted if any zonefile records are changed, currently requires the OS have robust threading support for its recursive service, and currently doesn't support NOTIFY or IXFR.
    Starting with the 2.0 release, MaraDNS defaults to using the provided Deadwood recursive nameserver code (see separate entry) for its recursive functionality.
    As of June 21, 2015, there is no security or maintenance support for the obsolete 1.x branch, and it is strongly deprecated.
    Excellent security history. Among other things, MaraDNS's recursive module randomised source UDP ports on outgoing recursive queries using a strong RNG from the very beginning. Also, recursive server attempts to be careful about cache poisoning resulting from trusting glue records passed out-of-bailiwick.
    Code is written in C by Sam Trenholme.
    http://maradns.samiam.org
    Licence: Two-clause BSD licence, on v. 1.1 and later.
    Dovecot imapd author Timo Sirainen posted in 2007 some comments (warning: unmaintained page): "Should be secure. Code doesn't look too bad, but it's using a lot of gotos."
  • MyDNS-NG (link) is a MySQL or PostgreSQL-based authoritative and caching forwarder server (no recursive service -- iterative queries only) suitable for very large sites. In such roles, it's faster and more responsive than BIND9, even though the latter uses a RAM-based cache.
    Coded in C by Howard Wilkinson and Dan Moore.
    http://www.mydns-ng.com/
    Licence: GPLv2 or later.
  • NSD (link) is a high-performance, small, authoritative-only daemon, with DNSSEC support, and able to directly re-use RFC 1035 ("BIND") zonefiles (which it compiles to binary format for speed). Package includes the zonefile compiler ("zonec"), the core nsd daemon, the zoneserver, and a zone transfer program.
    Coded in C by a number of authors including Alexis Yushin and Erik Rozendaal.
    http://www.nlnetlabs.nl/nsd/
    Licence: Newer BSD licence.
  • pdnsd (link) is a small caching forwarder server, coded in C by Paul A. Rombouts and Thomas Moestl, with a disk-based cache, suitable for small networks and workstations. Has had some buffer-overflow and stability problems, in the past, but in general has sound design (e.g., always randomised source UDP ports for recursive queries). http://members.home.nl/p.a.rombouts/pdnsd/
    Licence: GNU GPLv3 or later.
  • PowerDNS: Was a combined authoritative and recursive nameserver package through v. 2.9.20. Starting with the next releases (April 21, 2007), those functions were split into new packages "PowerDNS Authoritative Server" and "PowerDNS Recursor", which please see.
    PowerDNS was originally proprietary software, open-sourced under GNU GPLv2 on 2002-11-25.
  • PowerDNS Authoritative Server (link) is an authoritative-only server with modular structure supporting various back-end information stores such as SQL databases (MySQL, PostgreSQL, Oracle 8i, Oracle 9i, IBM DB2, and others via ODBC), RFC 1035 ("BIND") zonefiles and other file formats, and LDAP directories. Supports AXFR zone transfers. Partial DNSSEC support. Fast but also a bit bloated. Compiling the package requires satisfying some convoluted dependencies, notably the need for Boost C++ class libraries. Default configuration assumes propagation of nameservers to related hosts via replication at the level of the back-end database store, but optionally the administrator can also enable RFC 1034 / RFC 1995 "zone transfers" (using NOTIFY/AXFR) as implemented in BIND9. Package can be configured to refer incoming recursive queries to a (any) separate recursive nameserver by a specified IP/port. Has internal chroot function. Does not support BIND9-style "views": One can emulate that mode by running multiple nameserver instances. (Copy /etc/init.d/pdns to /etc/init.d/pdns-[name]. The script automatically parses $0 for "name" and reads /etc/pdns/pdns-[name].conf as its configuration file.)
    Coded in C++ by Norbert Sendetzky and others.
    http://www.powerdns.com/en/products.aspx
    Licence: GNU GPLv2.
  • PowerDNS Recursor (link) is a recursive nameserver. Has a programming interface for scripting in the Lua programming language. Pleasantly small and fast. Did not meaningfully randomise UDP source ports on outgoing recursive queries until March 2008, after Dan Kaminsky's private warnings about DNS security problems, at which time the authors added a strong random-number generator.
    Coded in C++ by Norbert Sendetzky and others.
    http://www.powerdns.com/en/products.aspx
    Licence: GNU GPLv2.
    In January 2010, PowerDNS Recursor (through v. 3.1.7.1) was discovered to be vulnerable to being buffer-overflowed by deliberately bad public DNS data or queries being aimed at it, leading to possible full system compromise, cache poisoning, and redirection of users to IPs controlled by attackers. This horrific bug was fixed as of v. 3.1.7.2, but is not a reassuring sign about PowerDNS Recursor's code quality.
  • rbldnsd (link) is a small, fast authoritative-only server for DNS blocklist information (and can also serve other types of zone data).
    Coded in C by Michael Tokarev.
    http://www.corpit.ru/mjt/rbldnsd.html
    Licence: GNU GPLv2 or later.
  • Technitium DNS Server (link) is a specialised forwarder with filtering ("ad blocking") optionally supporting DNS-over-TLS and DNS-over-HTTPS transports. Includes DHCPd, SOCKS5 proxy support, local authoritative stub zones.
    Coded in C# using .NET Standard 2.0. Runs on Linux using Mono Framework or .NET Core.
    https://technitium.com/dns/
    Licence: GNU GPLv3.
  • Twisted Names (link) is an authoritative, caching forwarder, and recursive server, also functioning as a resolver library.
    Coded in Python by Twisted Matrix Laboratories (Jp Calderone and others).
    http://twistedmatrix.com/trac/wiki/TwistedNames
    Licence: MIT/X.
  • Unbound (link) is a fast, small, modular caching, recursive server, from the same people (NLnet Labs) who produced the excellent NSD authoritative-only nameserver, with additional help from VeriSign, Inc. and Kirei. Unbound does not itself do authoritative service, but does do "stub-zones" (local data or AS112 zones). It is claimed to be fully RFC-compliant, including DNSSEC validation.
    Also of possible interest is Dnssec-Trigger, an add-on for Unbound running on an end-host (laptop or desktop computer), signaling Unbound to use DHCP-obtained forwarders for DNSSEC-capable nameservice that has been probed and found accessible, or failing that to use Unbound's own AUTH queries, or failing that to notify the user and switch to unauthenticated DNS only. (As of 2016, this code is experimental.)
    Coded in C.
    http://unbound.net/
    Licence: BSD.
  • YADIFA (Yet Another DNS Implementation for All) (link) is an authoritative server developed by the operators of the .eu TLD. Supports EDNS0, DNSSEC with NSEC and NSEC3. Includes a SQL back-end alongside an RFC 1035 ("BIND") zonefile back-end, and dynamic zone updates. Future versions are planned to include recursive service, caching, validation of zone data, split horizon, dynamic provisioning of new domains without restart, forwarding, and a DNSSEC signing service.
    Coded in C by EURid coders.
    http://www.yadifa.eu/
    Licence: 3-clause BSD.


Unmaintained open source packages:


(The July 2008 DNS security blowup made starkly obvious that it's in general dangerous to run poorly maintained DNS nameserver software. Some of the below-cited, unmaintained or apparently neglected codebases may be of interest for other reasons, e.g., adoption for revival & update by sufficiently interested coders.)
  • BIND8 (link) should be scrupulously avoided, for reasons cited above. (Some BIND8 code still lives on, in the DNS resolver library libresolv, shipped as part of GNU libc = glibc in typical Linux and BSD distributions. This is regrettable, but the occasional security failures in that codebase should not be attributed to BIND9. Note that the BIND8-derived 'stub resolver' in glibc does not enable EDNS0 in its queries.)
    Licence: Simple permissive licence with warranty disclaimer.
    Note that it is possible via NSS calls (and /etc/nsswitch.conf configuration) to call the BIND9-derived lwresd lightweight recursive daemon (entry about which, please see, below), instead of the legacy BIND8-based code furnished with glibc.
  • CustomDNS (link) was/is an authoritative-only daemon, based on dnsjava, for both static addresses and its variant form of dynamic DNS. Java and Perl code by Eric Kidd, based in part on Brian Wellington's dnsjava package. Unmaintained since July 2000. http://customdns.sourceforge.net/
    Licence: LGPL and MIT/X.
  • dents (link) was an authoritative, caching forwarder, and recursive server, fully supporting zone transfers, but is perennially unfinished, and is almost certainly dead, at this point. Coded in C by Johannes Erdfelt. http://sourceforge.net/projects/dents/
    Licence: GNU GPLv2 or later.
  • Eddieware Enhanced DNS Server (aka "lbdns") (link) was/is a load-balancing authoritative DNS server. Coded in Erlang by the Eddie Team. Unmaintained since 2003. http://eddie.sourceforge.net/lbdns.html
    Licence: Erlang Public Licence, a Swedish variant of MPL 1.0.
  • GnuDIP (link) was/is an authoritative-only server for Dynamic DNS (supporting the RFC 2136/3147 DNS Dynamic Update protocol) coded in Perl by Mike Machado, but only "minimally maintained" and needing a new primary maintainer, a/o 2003. http://gnudip2.sourceforge.net/gnudip-www/
    Licence: GNU GPLv2 or later.
  • lbnamed (link) was/is an authoritative-only daemon for static and dynamic information, with a load-balancing multi-machine architecture, written in Perl by Roland Schemers. Unmaintained since 2005: See replacement "Stanford::DNSserver". http://www.stanford.edu/~riepel/lbnamed/
    Licence: Newer BSD licence.
  • lwresd (link) was/is a lightweight recursive[-resolver] daemon (thus the name) with caching, created by ISC (maintainers of BIND9) by stripping down the recursive and caching code in BIND9 and making it available separately (as a library). It is local-only, being capable only of listening for UDP-type port 921 DNS queries on IPv4 loopback address 127.0.0.1 (or one or more different address specified using "lwserver" lines in /etc/resolv.conf). It is also capable of handing off queries to separate nameservers listed via "nameserver" lines in /etc/resolv.conf, as forwarders, but, if there are none such, or if forwarding fails, falls back on its own internal recursive routines, starting with a built-in roster of root server hints. Configuration file, closely following BIND9's named.conf format, is /etc/lwresd.conf.
    Because lwresd returns queried values in its own format ("lightweight resolver protocol"), Linux systems will need to also install library nss_lwres, which unfortunately currently (2008) has been unmaintained since 2001 at upstream location ftp://sources.redhat.com/pub/glibc/old-releases/. That "glue" library being present, in turn, permits modifying /etc/nsswitch.conf to call a "lwres" routine (when available) in place of the legacy BIND8-based "dns" routine in glibc. Suggested format for /etc/nsswitch.conf is: "hosts: files lwres [NOTFOUND=return] dns"
    As of 2005, lwresd is said to be "stale code" that hasn't been touched in a year or two, doesn't respect DNS TTL, and has a few other issues. Upstream source code is available inside ISC's BIND9 package.
    http://www.isc.org/software/bind/
    Licence: Simple permissive licence with warranty disclaimer.
  • moodns (link) was meant to be an authoritative and recursive server, but never passed alpha state. Discontinued. Coded in C by Michael Wolf. http://sourceforge.net/projects/moodns/ and http://www.maradns.org/download/non-maradns/
    Licence: Newer BSD licence, GNU GPLv2 or later.
  • MyDNS (link) was/is a MySQL or PostgreSQL-based authoritative and caching forwarder server (no recursive service -- iterative queries only) suitable for very large sites. In such roles, it's faster and more responsive than BIND9, even though the latter uses a RAM-based cache. Unmaintained since 2006, so interested parties should probably look at MyDNS-NG or PowerDNS, instead. Coded in C by Dan Moore. http://mydns.bboy.net/
    Licence: GPLv2 or later.
  • Oak DNS Server (link) was/is an authoritative and recursive server, supporting dynamic DNS updates and AAAA records. Doesn't need to run privileged. Development release as of August 2008 is still being [re-]written to take advantage of the dnspython libraries, and still lacks recursive service or update support. Coded in Python by Ed Stoner. http://www.maradns.org/download/non-maradns/ (Gone from http://www.digitallumber.com/oak .)
    Licence: GNU LGPL.
  • Pliant DNS Server (link) was/is an authoritative and caching forwarder server (no recursive service -- iterative queries only). Written in the Pliant language by Hubert Tonneau. Seems to be unmaintained. http://fullpliant.org/pliant/protocol/dns/
    Licence: GNU GPLv2.
  • Posadis (link) was/is a fast authoritative, caching server, written in C++ by Meilof Veeningen. Sadly unmaintained since 2004. http://posadis.sourceforge.net/ http://www.posadis.org/
    Licence: GNU GPLv2 or later.
  • SDNS (Secure DNS) (link) was/is an authoritative-only server, created for the US Federal government (and thus genuinely public domain) by Anthony Carathimas, Eric Thomas, Fred Cohen, and Darrian Hale at Sandia Labs in the 1990s, with the specific aim of high security. Last maintained, 2001. http://www.maradns.org/download/non-maradns/sdns.tar.bz2
    Licence: Actual, real public domain.
  • Stanford::DNSserver (link) was/is lbnamed (see separate entry), reworked and packaged as a Perl module by Rob Riepel and others. Last maintained April 2006. http://www.stanford.edu/~riepel/lbnamed/Stanford-DNSserver/
    Licence: Newer BSD licence.
  • Trick or Treat Daemon (ToTD) (link) was/is a small caching forwarder server, suitable for small networks and workstations. Coded in C by Feike W. Dillema and members of the WIDE Project. http://www.vermicelli.pasta.cs.uit.no/software/totd.html Last maintained August 2006.
    Licence: Simple permissive licence (Dillema's code) and older BSD licence (WIDE Project code).
  • Yaku-NS (formerly ENS) (link) was/is a small, fast authoritative, caching forwarder, fully supporting zone transfers, aimed at embedded use. Does internal chroot, and attempts to prevent stack-smashing. Coded in C by Salvatore Sanfilippo. Appears to be unmaintained. https://github.com/antirez/yaku-ns
    Licence: GNU GPLv2 or later.


Related software:


  • GNU adns (link) is a resolver library for C (and C++) programs, and a collection of useful resolver utilities, coded in C by Ian Jackson. http://www.chiark.greenend.org.uk/~ian/adns/
    Licence: GNU GPLv2 or later.
  • Ares (link) is an asynchronous resolver library in C by Greg Hudson. ftp://athena-dist.mit.edu/pub/ATHENA/ares/
    Licence: MIT/X.
  • BIND DLZ (BIND Dynamically Loadable Zones) (link) is a set of patches for BIND9 to make it use your choice of numerous back-end databases instead of flatfile RFC 1035 ("BIND") zonefiles, and reduce memory usage (since BIND9 no longer needs to load everything into RAM at once). Coded in C by Rob Butler. http://bind-dlz.sourceforge.net/
    Licence: Simple permissive licence with warranty disclaimer.
  • Constrict (link) is a Python library for access to information parsed from the libbind library provided by BIND8. Coded in Python by Jason Smith. http://www.oes.co.th/projects/Constrict
    Licence: GNU GPLv2.
  • dnsbls (link) is a daemon offering Perl/CPAN code (notably the Mail::SpamCannibal anti-spam tool and dbtarpit) access to DNS blocklist data stored in a BerkeleyDB database. (It apparently doesn't serve up normal sorts of DNS information, which is why I put it in the "related" category.) It's coded in C by Michael Robinton.
    http://www.spamcannibal.org/docs/dnsbls.html
    Licence: GNU GPLv2 or later.
  • dnspython (link) is a Python toolkit for programmatic access to DNS functions, by Bob Halley. http://www.dnspython.org/
    Licence: Simple permissive licence with attribution requirement and warranty disclaimer.
  • FireDNS (link) is a resolver library with emphasis on speed and asynchronous processing. Has low-timeout blocking functions. Can be used to replace standard libc resolver library functions like getbyhostname with much faster equivalent code. Written in C by Ian Gulliver. http://firestuff.org/projects/firedns/
    Licence: GNU GPLv2.
  • LDAP sdb (link) is a patch to enable BIND9 to reach an LDAP back-end database instead of flatfile RFC 1035 ("BIND") zonefiles, using the simplified database interface "sdb". Coded in C by Stig Venaas. http://www.venaas.no/ldap/bind-sdb/
    Licence: Simple permissive licence with warranty disclaimer.
  • ldns (link) is a library for access to DNS/DNSSEC data, relying on CPAN's NET::DNS module. Written in C by NLnet Labs.
    http://www.nlnetlabs.nl/ldns/
    Licence: Newer BSD licence.
  • nscd (link), name service caching daemon, is a local cache with no other nameserver functionality, providing caching of host, passwd, and group database data. The hosts data caches both positive and negative results data, in separate caches. nscd is furnished as part of the glibc codebase, and is a reimplementation of an idea first provided in Sun Solaris. It is needed primarily on hosts using slow authentication services such as NIS, NIS+, and LDAP. The glibc/Linux implementation is notorious for being a bit buggy.
    Licence: GNU GPLv2.
  • Net::DNS (link) is a resolver library, coded in Perl by Michael Fuhr, Olaf Kolkman, and Chris Reinhardt. http://www.net-dns.org/
    Licence: GNU GPLv2 or later, or Artistic Licence.
  • Poslib (link) is a resolver library and authoritative-server library in C++ by Meilof Veeningen. http://posadis.sourceforge.net/poslib/
    Licence: GNU GPLv2 or later.
  • Resolvconf (link) is a client- (resolver-) side utility to mediate write access to the DNS client's /etc/resolv.conf file, keeping track of nameservers listed there and preventing multiple packages (DHCP clients, system-local nameservers, other) updating that file from interfering with each other. For it to work, software touching /etc/resolv.conf must be Resolvconf-aware. At this writing (2009-08), most but not all such software is Resolvconf-aware. There are two implementations: Original/Debian Resolvconf, http://packages.qa.debian.org/r/resolvconf.html coded in C by Thomas Hood; and Openresolv, http://roy.marples.name/projects/openresolv, coded in C by Ray Marples.
    Licence: GPLv2 (Hood's).
    Licence: BSD Licence (Marples's).
  • skadns (link) is a small, asynchronous resolver library, coded in C by Laurent Bercot. http://www.skarnet.org/software/skadns/
    Licence: Original BSD licence with advertising clause.
  • systemd-resolved (link), one of the constituent binaries in systemd, has included a caching stub resolver routine since August 2014.
    Licence: GNU LGPLv2.1 or later.
  • unscd (link), micro name service caching daemon, is a local cache with no other nameserver functionality, providing caching of host, passwd, and group database data. The hosts data caches both positive and negative results data, in separate caches. unscd is a from-scratch reimplementation by Denys Vlasenko of the design of glibc's nscd, with the aim of avoiding nscd's bugs and offering more crashproof operation by running a threaded process that offloads NSS lookups to child worker processes. It is needed primarily on hosts using slow authentication services such as NIS, NIS+, and LDAP.
    Licence: GNU GPLv2.
--
Cheers,                                Before enlightenment, caffeine.
Rick Moen                              After enlightenment, caffeine.
rick@linuxmafia.com


Proprietary software:


See also:
To do:
http://www.corpit.ru/mjt/udns.html

http://daniel.haxx.se/projects/c-ares/  c-ares by Daniel Stenberg and
others (derived from the ares library written by Greg Hudson at MIT).
Asynchronous.  See notes on http://www.corpit.ru/mjt/udns.html about it
and adns.

Notes about libresolv at https://lwn.net/Articles/665055/ .

ldns https://www.nlnetlabs.nl/projects/ldns/

systemd-resolved.service stub resolver, etc.

https://github.com/coredns/coredns

More at https://packages.gentoo.org/categories/net-dns 
from http://linuxmafia.com/faq/Network_Other/dns-servers.html
---------
djbdns

Other DNS software

Management tools

twa lets authorized browsers edit the tinydns data file. ldap2dns converts an LDAP DNS database to a tinydns data file. tinyadmin is a graphical interface to the LDAP DNS database used by ldap2dns.
mkdns converts a MySQL DNS database to a tinydns data file. It lets authorized browsers edit the MySQL DNS database.
sql2tinydns is similar to mkdns.
dhcp_dns watches dhcpd for new DHCP address assignments, and publishes those addresses through tinydns.
tinydyndns publishes dynamic IP addresses authenticated through POP connections.

Servers

ldapdns publishes DNS information from an LDAP database. MyDNS publishes DNS information from a MySQL database.
Posadis publishes DNS information from BIND-style zone files. Security history: Buffer overflow, allowing attackers around the Internet to take control of the server; fixed in m5pre2 (2002.03.30). Someone announced an exploitable buffer overflow in m5pre2 a few weeks later; the history here isn't clear from the Posadis web pages.
NSD publishes DNS information from BIND-style zone files. Security history: Unclear. The NSD documentation includes bugs like ``Very strange coredump in hash_destroy() that happens sometimes'' without any analysis of their security impact. Is that an exploitable buffer overflow?
PowerDNS publishes DNS information from MySQL databases, PostgreSQL databases, Oracle databases, IBM databases, LDAP databases, or BIND-style zone files. Security history: Unclear, like the NSD security history.
MaraDNS is a general-purpose DNS server.
lbnamed is a load-balancing DNS server.
lbdns is another load-balancing DNS server.
Oak DNS Server is a good example of why novices shouldn't try to write DNS software. The digitallumber.net domain, served by Oak DNS Server 1.0, is inaccessible to a huge number of clients that try AAAA lookups before A lookups: the server incorrectly returns NXDOMAIN for AAAA, effectively wiping out its own A record.

Caches

pdnsd is a DNS cache. Security history: Remotely exploitable buffer overflow; fixed in 1.1.7a (2002.01.18). MaraDNS can act as a cache.
I don't know why anyone would want to use these caches in place of dnscache.

DNS clients

adns is a DNS client library. ares is a DNS client library.
perldns is a DNS client library for Perl.

The Buggy Internet Name Daemon

BIND is a monolithic server/cache; it also includes a client library, libresolv. Security history: IQUERY buffer overflow in BIND before 8.1.2-T3B (1998); NXT buffer overflow in BIND before 8.2.2-P4 (1999); nslookupcomplain buffer overflow in BIND before 4.9.8 (2001); TSIG buffer overflow in BIND before 8.2.3 (2001); CNAME buffer overflow in libresolv before 4.9.9/8.2.6/8.3.3/9.2.2 (2002); SIG buffer overflow in BIND before 4.9.11/8.3.4 (2002); getnetbyname buffer overflow in libresolv before 4.9.11 (2002). All of these allowed attackers around the Internet to seize control of the program.

from http://cr.yp.to/djbdns/other.html 