Web Hosting Talk
DNS software other than Bind?


AtlantaWebhost.com
03-30-2001, 09:16 PM
Has anyone decided to show Bind the door and switch to another DNS program? I am considering changing our DNS software from Bind to Djb DNS (http://cr.yp.to/djbdns.html). Does anyone have any experience with this software or another package?

Best regards,
Frank Rietta

Tim Greer
03-31-2001, 04:35 AM
Originally posted by AtlantaWebhost.com
Has anyone decided to show Bind the door and switch to another DNS program? I am considering changing our DNS software from Bind to Djb DNS (http://cr.yp.to/djbdns.html). Does anyone have any experience with this software or another package?

Best regards,
Frank Rietta

Well, if it helps make your decision any easier, djbdns (DNScache) was developed by the same author as Qmail, which is comparable to Sendmail but with more security in mind. The same goes for djbdns in that aspect. As I understand it, it's a good tool and more secure than BIND. There's no realistic alternative to BIND as of yet for all its features, but djbdns is probably the best thing you can get otherwise and will likely suit your needs as well as BIND and result in better security.

However, if you ensure that BIND isn't running as root and you further chroot it with the -t command and do some other general configuration, BIND isn't as insecure as it would otherwise be, and just like Qmail to Sendmail, Sendmail can be configured to be just as secure; it's just more effort and knowledge that is required to have such a result. So, equally compatible and stable tools are a good idea when they improve security, if you're not much interested in scrutinizing code and hacking away at it just to get one of the most used services running on almost every web server to be secure like it ought to be with a common install -- I find it horrid that the developers of BIND are still leaving such obvious holes in their software, for such common and widely used software!

I say, go for it, let us all know how it works out for you. I know RIPE was supposed to give some presentation about an alternative to BIND, but I don't recall what it resulted in. Some other links of interest might be:

http://lwn.net/1999/features/dyndnsdents.html
http://www.neteka.com/
http://www.beopen.com/products/ossindex/entries/948379751.shtml

I'll be testing djbdns on some of my servers on my home network shortly (when I have time) and I'll let you know if I find any reason to give for why it might not be a good solution, other than the current differences between BIND and djbdns, of course. Good luck...

cperciva
03-31-2001, 04:49 AM
djbdns works quite well for me. DJB's software takes a bit of getting used to -- for example, djbdns is designed to be started by his daemontools -- but once it is set up is quite easy to manage. The largest difference between BIND and djbdns is the DNS data format: where BIND has different zone files djbdns works with a single database file.

DJB seems to have tried to make it easier to edit the data file (from which the database is made) by implementing instructions which create several DNS entries at once (eg, "&domain.tld:1.2.3.4:ns1.domain.tld" creates an NS entry for domain.tld and an A entry for ns1.domain.tld), but in most cases I've found it more intuitive to construct the different DNS entries one by one rather than using this confusing "feature".

But to summarize, djbdns will be a bit confusing at first if you're used to BIND, but I think it is worth switching.

pyng
03-31-2001, 05:19 AM
I'm using djbdns, but I just switched to it a few days ago.

It's looking pretty good so far. Easy to configure bind-style views (ie. resolving to different things depending on who's querying), tiny memory footprint.

The only problems I'm seeing, or anticipate seeing, are also djbdns' strengths - by not implementing bind-style axfr's, tsig, etc, it can produce a simpler implementation that is more likely to be bug-free. OTOH, it is also somewhat bind-incompatible, and there are a lot of tools out there that mostly work with bind.

My current problems with it involve getting dynamic dns to work (will probably have to involve adapting an existing package), and issues with being a slave or master nameserver for bind nameservers (doesn't seem to be any way currently to take account of serial numbers when being a slave, and the lack of support for authentication features for all axfr's).

As far as security goes, I'm happy with the fact that each program is designed to run chroot'ed under a different uid in a different directory - even if the authoritative nameserver (tinydns) were to get compromised, it wouldn't affect dns resolution of other domains. And there's really no need to make any effort to chroot them, copy files over, etc. The default installation style does it all. Log files tend to be spread out over multiple files in different directories, however :)

dents is still alpha software, I think, and therefore not something you'd probably like to try without testing extensively first.

callisia
03-31-2001, 05:16 PM
I highly recommend switching to djbdns. After working with it for about a year and 60 or so installations, it has yet to fail me. I have not found a situation that it could not handle instead of bind. It is much easier to manage than Bind and frees you from tedious jobs such as changing serial numbers, reloads and restarts to cure bad zone transfers and corrupted caches.

Migrating from bind will be the initial hell, but is made considerably easier with the zone transfer utils and a perl script. Start with your secondary and when you are sure everything works switch in your primary.

Working with tinydns is as easy as:

editing "data" with your changes
type make and walk away, you're done.

You can separate your data in a file per domain and simply do

cat zones/* > data ; make

Most important is the security factor. You will love not having to upgrade while everyone is getting rooted.
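
The tinydns data format comes up twice in this thread: cperciva's point that one "&" line expands into an NS record plus an A record (versus writing the entries one by one), and callisia's habit of keeping one fragment per domain and concatenating them into "data" before running make. The following is an added example written for this page, not code from djbdns or from any poster: a small expander that turns the shorthand lines a typical zone uses (".", "&", "=", "+", "@", "C", "'", "#", "-") into the resource records tinydns-data would produce, plus the check a practitioner usually wants after assembling several fragments, namely which NS/MX targets have no A record. The default TTLs (259200 s for NS/SOA lines, 86400 s otherwise) and the x.ns.fqdn / x.mx.fqdn naming rule are taken from the tinydns-data documentation; the sample data, the domain names and the function names are constructed for the example, and the rarer line types (^, Z, :, IPv6, locations, timestamps) are deliberately left out.

```python
"""Expand tinydns-data shorthand lines into the records they produce.

Added example, not djbdns code.  Covers ., &, =, +, @, C, ' lines plus
# comments and - (disabled) lines.  Record tuples are (name, type, rdata, ttl).
"""

NS_TTL = 259200   # tinydns-data default TTL for '.' and '&' lines
DEF_TTL = 86400   # default TTL for =, +, @, C and ' lines


def _name(x, suffix, fqdn, default):
    """Resolve the x field of a ., & or @ line.

    tinydns-data treats x as a host name if it contains a dot, otherwise
    as x.<suffix>.<fqdn>; an empty x means the documented default label.
    """
    x = x or default
    return x if "." in x else f"{x}.{suffix}.{fqdn}"


def _ttl(field, default):
    return int(field) if field else default


def expand_line(line):
    """Return the list of records a single data line creates."""
    line = line.rstrip("\n")
    if not line or line[0] in "#-":          # comment or disabled line
        return []
    kind, rest = line[0], line[1:]
    f = rest.split(":")
    f += [""] * (9 - len(f))                 # pad so optional fields can be indexed
    fqdn = f[0]
    recs = []

    if kind in ".&":                         # NS (+ A); '.' also adds an SOA
        host = _name(f[2], "ns", fqdn, "a")
        ttl = _ttl(f[3], NS_TTL)
        if kind == ".":
            recs.append((fqdn, "SOA", f"{host} hostmaster.{fqdn}", ttl))
        recs.append((fqdn, "NS", host, ttl))
        if f[1]:                             # empty ip: no A record is created
            recs.append((host, "A", f[1], ttl))
    elif kind in "=+":                       # A; '=' also adds the PTR
        ttl = _ttl(f[2], DEF_TTL)
        recs.append((fqdn, "A", f[1], ttl))
        if kind == "=":
            rev = ".".join(reversed(f[1].split("."))) + ".in-addr.arpa"
            recs.append((rev, "PTR", fqdn, ttl))
    elif kind == "@":                        # MX (+ A)
        host = _name(f[2], "mx", fqdn, "a")
        dist = int(f[3]) if f[3] else 0
        ttl = _ttl(f[4], DEF_TTL)
        recs.append((fqdn, "MX", f"{dist} {host}", ttl))
        if f[1]:
            recs.append((host, "A", f[1], ttl))
    elif kind == "C":
        recs.append((fqdn, "CNAME", f[1], _ttl(f[2], DEF_TTL)))
    elif kind == "'":
        recs.append((fqdn, "TXT", f[1], _ttl(f[2], DEF_TTL)))
    else:
        raise ValueError(f"unsupported line type {kind!r}: {line}")
    return recs


def expand(data):
    """Expand a whole data file (e.g. the result of cat zones/* > data)."""
    return [r for line in data.splitlines() for r in expand_line(line)]


def missing_glue(records):
    """NS/MX target names that have no A record anywhere in the data.

    In-zone targets without an A record are a real misconfiguration;
    out-of-zone targets are expected to show up here and can be ignored.
    """
    have_a = {name for name, typ, _, _ in records if typ == "A"}
    targets = set()
    for _, typ, rdata, _ in records:
        if typ == "NS":
            targets.add(rdata)
        elif typ == "MX":
            targets.add(rdata.split()[1])
    return sorted(t for t in targets if t not in have_a)


# Constructed sample data for domain.tld: the shorthand '&' line from the
# thread, the same two records written one at a time, and one NS that is
# deliberately missing its A record so the glue check has something to find.
SAMPLE_DATA = """\
# one line, two records: NS for domain.tld and A for ns1.domain.tld
&domain.tld:1.2.3.4:ns1.domain.tld
# the same thing one record at a time: NS only (empty ip), then the A
&domain.tld::ns2.domain.tld
+ns2.domain.tld:1.2.3.5
=www.domain.tld:1.2.3.6
@domain.tld:1.2.3.7:mail:10
Cftp.domain.tld:www.domain.tld
&domain.tld::ns3.domain.tld
-+old.domain.tld:1.2.3.99
"""

if __name__ == "__main__":
    records = expand(SAMPLE_DATA)
    for rec in records:
        print(rec)
    print("NS/MX targets without an A record:", missing_glue(records))
```

Running the file prints the ten records the sample expands to and reports ns3.domain.tld as the one name server without glue; feeding it the output of cat zones/* > data gives the same check across all per-domain fragments before make rebuilds data.cdb.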