BIND vs DJBDNS

Having problems getting connected to the internet or running a server? Wondering about securing your box? Ask here.
Post Reply
Advanced search
26 posts
  • 1
  • 2
  • Next
Author
Message
Yamakasi
Apprentice
Apprentice
Posts: 201
Joined: Sat Sep 28, 2002 1:51 pm

BIND vs DJBDNS

  • Quote

Post by Yamakasi » Thu May 08, 2003 2:36 am

Hello people,

What do you guys prefer between those two DNS servers?
I usually use BIND, but since it has a lot of security hole issues, I'm searching for something else.
I heard about djbdns.

Can you guys give your experiences?
I'm looking for EXTREME SECURITY and EXTREME PERFORMANCE.

Thanks

Post by vericgar » Thu May 08, 2003 2:44 am

I was using BIND, then it just got to be too much of a hassle with the DNS hosting I was doing (30+ domains) and it was easier to automate it using djbdns. It just depends what your needs are. If you have many, many domains where the only difference between their zones will be the name, then djbdns makes it easy to automate things. If you only have 2-3 domains that are complex and quite different, then BIND may be the easier way to go, as its method of zone files is much more verbose. If you want to see a comparison of configs between the two, then I can e-mail them or something.

As far as security, djbdns has this: http://cr.yp.to/djbdns/guarantee.html

As for performance, I didn't notice much of a difference between the two, but I didn't have much of a load.
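
To make concrete what vericgar means by automating many near-identical domains, here is an added example (not code from this thread and not part of the djbdns package) that generates tinydns `data` records for a list of hosted domains from one template. The domain names, addresses and host names are constructed; the record syntax ('.', '=', '+', '@' lines) is tinydns's own, and the `make` step in the comment assumes the usual /etc/tinydns/root layout with tinydns-data installed.

```shell
#!/bin/sh
# Added example: generate tinydns "data" records for many near-identical domains.
# Record syntax is tinydns's: '.' = SOA+NS, '=' = A+PTR, '+' = A only, '@' = MX.
# Names and addresses below are constructed for illustration (TEST-NET-1, RFC 5737).

# Shared infrastructure, assumed to be served by the same tinydns instance.
INFRA_NS1=ns1.example.net
INFRA_NS2=ns2.example.net
INFRA_MX=mail.example.net
DOMAINS="example.org example.com example.edu"

# tinydns_zone DOMAIN WEB_IP NS1 NS2 MX
# Emits the five lines every hosted domain needs. The name server and mail host
# names contain dots, so tinydns uses them as-is (no ".ns.DOMAIN"/".mx.DOMAIN"
# suffix); the empty ip field means no A record is generated here for them,
# because they get exactly one A+PTR pair in build_data below.
tinydns_zone() {
    domain=$1; ip=$2; ns1=$3; ns2=$4; mx=$5
    printf '.%s::%s:86400\n' "$domain" "$ns1"     # SOA (first '.' line) + NS
    printf '.%s::%s:86400\n' "$domain" "$ns2"     # second NS
    printf '+%s:%s:3600\n' "$domain" "$ip"        # A only: the IP is shared, so no PTR
    printf '+www.%s:%s:3600\n' "$domain" "$ip"
    printf '@%s::%s:10:3600\n' "$domain" "$mx"    # MX, preference 10
}

# build_data: the complete data file. Only the infrastructure hosts get '='
# (A+PTR) lines, so reverse lookups of the shared addresses stay unambiguous.
build_data() {
    printf '.example.net::%s:86400\n' "$INFRA_NS1"   # SOA+NS for the infra domain itself
    printf '.example.net::%s:86400\n' "$INFRA_NS2"
    printf '=%s:192.0.2.1:86400\n'  "$INFRA_NS1"
    printf '=%s:192.0.2.2:86400\n'  "$INFRA_NS2"
    printf '=%s:192.0.2.20:86400\n' "$INFRA_MX"
    for d in $DOMAINS; do
        tinydns_zone "$d" 192.0.2.10 "$INFRA_NS1" "$INFRA_NS2" "$INFRA_MX"
    done
}

# Typical use (assumes the standard tinydns-conf layout; run as root):
#   build_data > /etc/tinydns/root/data && ( cd /etc/tinydns/root && make )
# 'make' runs tinydns-data, which compiles data into data.cdb and replaces the
# old cdb atomically, so tinydns never serves a half-written file.
```

Adding a customer is then one word appended to DOMAINS and a rebuild; nothing per-domain is hand-edited, which is the point vericgar makes about 30+ zones.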

Post by Ethereal » Thu May 08, 2003 6:23 am

djbdns is much better than BIND. Look at their size, speed, stability etc. The difference is like between sendmail and qmail. I don't want to prove it, it's clear.

Post by Qubax » Thu May 08, 2003 11:05 am

I don't know much about BIND and djbdns, but in the end I was able to get BIND running and working, a thing I wasn't able to do with djbdns.
But after reading this I think I'll give djbdns a second try.

Post by dma » Thu May 08, 2003 4:30 pm

I'm thinking about installing djbdns but the ebuild for it is beyond wacky....

I recommend installing it manually for now I think.

BTW... I think bind and sendmail were made by the same group (Berkeley)... coincidence? :-)

Post by Xor » Thu May 08, 2003 7:55 pm

Well, it's true... BIND sometimes has its flaws.... but for that you can chroot it, so it won't do harm to the system... hopefully - anyway... it's not a good sign....

I can't talk much about djbdns, just that I saw that it violates an RFC - and the matter that it is made by the same guy who made this piece called qmail didn't do any good.

So to say: I stay with postfix + BIND... both chrooted. I don't have performance comparisons at hand - nor would I want to say that a BIND response is faster than a djbdns response... but at least I get a response....

Post by Vancouverite » Thu May 08, 2003 10:07 pm

Although djbdns is not completely RFC compliant I have never had a problem with it in a production environment. Bind is a patch whore that requires a chroot jail to keep anyone from rooting the box, or it can be exploited to run privileged code. Djbdns uses two programs; dnscache is a resolving caching proxy and tinydns is the authority server. It is managed using the daemontools package. Since security concerns you I'd go with djbdns. Sendmail is another dog. I like qmail or postfix much better.

Post by relyt » Fri May 09, 2003 3:36 am

Which would you guys run just as a caching name-server, only accessed by localhost?

Post by Vancouverite » Fri May 09, 2003 9:24 am

relyt wrote: Which would you guys run just as a caching name-server, only accessed by localhost?
I was running dnscache on localhost until I got a D-Link NAT router to share my broadband and it didn't work very well. It's a nice tweak to speed up name resolving. I also run squid on localhost, point my browsers at it and set their cache size to zero. Naturally I would rather use a PC for a firewall and run this stuff on it, but I couldn't spare a box for it and got the router for free.
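
For relyt's question about a cache that only localhost may use, here is an added example (not from this thread and not part of djbdns) showing what a localhost-only dnscache service directory looks like, together with a check that it has not drifted into an open resolver. The layout mirrors what dnscache-conf creates, written out by hand so it can be laid down under any directory and inspected offline; the binary path /usr/local/bin/dnscache, the dnscache user, and the root/servers/@ root-hints file (which dnscache-conf copies from /etc/dnsroots.global) are assumptions about a real install.

```shell
#!/bin/sh
# Added example: a dnscache instance that only answers localhost, plus an audit.
# dnscache answers a query only if env/IP is the address it listens on AND a file
# root/ip/<prefix> matches the client's address (root/ip/127.0.0.1 for loopback,
# root/ip/10.1 for 10.1.*.*). Both layers are checked below.

# mk_dnscache_localhost DIR: lay out the service directory the way dnscache-conf
# does, but bound to 127.0.0.1 and with an ACL that admits only loopback.
# Assumes djbdns is installed under /usr/local/bin and a "dnscache" user exists;
# root/servers/@ (root hints) must be supplied separately, e.g. from /etc/dnsroots.global.
mk_dnscache_localhost() {
    base=$1
    mkdir -p "$base/env" "$base/root/ip" "$base/root/servers" "$base/log/main"
    echo 127.0.0.1      > "$base/env/IP"         # bind loopback only
    echo 0.0.0.0        > "$base/env/IPSEND"     # source address for outbound queries
    echo 1000000        > "$base/env/CACHESIZE"
    echo 3000000        > "$base/env/DATALIMIT"  # softlimit memory cap used by run
    echo "$base/root"   > "$base/env/ROOT"       # dnscache chroots here
    : > "$base/root/ip/127.0.0.1"                # ACL entry: only 127.0.0.1 may query
    dd if=/dev/urandom of="$base/seed" bs=128 count=1 2>/dev/null
    cat > "$base/run" <<'EOF'
#!/bin/sh
exec 2>&1
exec <seed
exec envdir ./env sh -c '
  exec envuidgid dnscache softlimit -o250 -d "$DATALIMIT" /usr/local/bin/dnscache
'
EOF
    chmod 755 "$base/run"
}

# dnscache_localhost_only DIR: succeed only if this instance cannot serve
# anyone but localhost. An entry like root/ip/192.168 or root/ip/10 would let
# that whole network use (and abuse) the cache, so any non-loopback prefix fails,
# even if env/IP is still 127.0.0.1 today.
dnscache_localhost_only() {
    base=$1
    [ "$(cat "$base/env/IP" 2>/dev/null)" = 127.0.0.1 ] || return 1
    for f in "$base"/root/ip/*; do
        [ -e "$f" ] || continue                  # unmatched glob: empty ACL dir
        case ${f##*/} in
            127|127.*) ;;                        # loopback prefixes only
            *) echo "non-loopback ACL entry: ${f##*/}" >&2; return 1 ;;
        esac
    done
    return 0
}

# Typical use on a real box (as root, with daemontools supervising /service):
#   mk_dnscache_localhost /etc/dnscache
#   cp /etc/dnsroots.global /etc/dnscache/root/servers/@
#   ln -s /etc/dnscache /service/dnscache
#   echo nameserver 127.0.0.1 > /etc/resolv.conf
```

The audit is worth keeping around: the most common way a "localhost-only" dnscache becomes an open resolver is someone later touching root/ip/10 or changing env/IP to 0.0.0.0 "just to test" and never reverting it.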

Post by puke » Fri May 09, 2003 9:46 am

If you are concerned about performance, you will not want to run BIND. BIND is a resource hog.

If you are concerned about security, you will not want to run BIND. BIND is poorly written.

In fact, as we are in the security forum, we shouldn't be talking about BIND. :lol:

djbdns is small ("tinydns") and once you get your head around the simplicity of configuration (heh) you'll never look back.

I know ISPs that use it; I know home users that use it. No complaints. Just my 0.02.

let's hear it for lamarkism!

Post by kashani » Fri May 09, 2003 9:44 pm

Nice to see the science of hearsay is alive and kicking these days.

Around a year and some change ago the engineering department I was part of decided to find out which DNS server is actually the fastest for lookups.

The test machines
Sun 420, 4GB RAM, 4 proc, Solaris 7
Dell, 2GB RAM, 2 proc, Linux 2.4 Red Hat something

The setup
Mail system of 20 servers generates 800-1600 lookups/sec
DNS servers on the local network
All DNS logging is turned off for all servers

The servers
djbdns
Bind 8.x
Bind 9.x

The tests
Use each platform with each DNS server for a day. Compare numbers assuming nothing breaks.

The conclusion
If you really want to see more than 1000/sec lookups go with Bind 8.x. If you're fine with tapping out at 700-900/s, djbdns or Bind 9.x are about the same.

You could probably get more performance out of all of the servers by doing some serious tuning to the OS, i.e. tweaking UDP buffers and other wacky things, but for our tests we figured standard installs would be the most level playing field.

Security is another story and there have been some serious holes in Bind. Very few of those were cause for alarm if you tightly controlled zone transfers. That may or may not help you in your decision based on what kind of system you're building.
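
Following kashani's remark that tightly controlled zone transfers took the alarm out of most BIND advisories, here is an added example (not from this thread and not ISC's code) of a weak named.conf beside a hardened one, with a small check that fails when any zone is left transferable to the world. Both configs are constructed; the check assumes a flat named.conf (no views, one statement per line, closing braces on their own lines) and the TSIG secret is a placeholder to be replaced with tsig-keygen output.

```shell
#!/bin/sh
# Added example: weak vs. hardened BIND options for zone transfers, plus a check.
# Both configs are constructed. When allow-transfer is absent, BIND 8 and 9 of
# that era (and BIND 9 up to at least 9.18) allow AXFR to any host, which hands
# an attacker the full zone contents in one query.

WEAK_CONF='options {
    directory "/var/named";
    recursion yes;
};
zone "example.org" {
    type master;
    file "example.org.zone";
    allow-transfer { any; };
};'

# Hardened: default-deny in options, per-zone transfers only with a TSIG key,
# recursion limited to our own networks (an open recursive server is an
# amplification and cache-poisoning target). The secret is a placeholder;
# generate a real one with tsig-keygen and install it on the secondary too.
HARDENED_CONF='key "xfer-key" {
    algorithm hmac-sha256;
    secret "cGxhY2Vob2xkZXItcmVwbGFjZS1tZQ==";
};
options {
    directory "/var/named";
    allow-transfer { none; };       // default-deny; zones opt in below
    allow-recursion { 127.0.0.1; 10.0.0.0/8; };
    version "not disclosed";
};
zone "example.org" {
    type master;
    file "example.org.zone";
    allow-transfer { key xfer-key; };
};'

# bind_transfer_restricted FILE: 0 if options sets allow-transfer and no block
# (options or zone) permits transfers to "any"; 1 otherwise. Comments are
# stripped first so a commented-out "allow-transfer { any; }" is not misread.
bind_transfer_restricted() {
    out=$(sed -e 's://.*$::' -e 's:#.*$::' "$1" |
    awk '
        /^[ \t]*(options|zone)[ \t]/ {            # start of a block we care about
            blk = $1; if ($1 == "zone") blk = "zone " $2
            seen[blk] = 1; val[blk] = ""
        }
        blk != "" && /allow-transfer/ {
            sub(/.*allow-transfer[ \t]*[{]/, ""); sub(/[}].*/, "")
            val[blk] = $0
        }
        END { for (b in seen) printf "%s|%s\n", b, val[b] }
    ')
    rc=0
    oldifs=$IFS; IFS='
'
    for line in $out; do
        blk=${line%%|*}; acl=${line#*|}
        case $blk in
            options) [ -n "$acl" ] || { echo "options: no allow-transfer, BIND defaults to any" >&2; rc=1; } ;;
        esac
        case $acl in
            *any*) echo "$blk: allow-transfer { any; } exposes the whole zone" >&2; rc=1 ;;
        esac
    done
    IFS=$oldifs
    return $rc
}
```

Run it from a pre-commit hook or a nightly job against the live named.conf; a failing check is the cheapest possible warning that someone "temporarily" opened transfers on a zone.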

Re: let's hear it for lamarkism!

Post by Vancouverite » Fri May 09, 2003 9:59 pm

kashani wrote: The conclusion
If you really want to see more than 1000/sec lookups go with Bind 8.x. If you're fine with tapping out at 700-900/s djbdns or Bind 9.x are about the same.
Interesting. How high did Bind 8.x max out at?

Post by upnix » Sat May 10, 2003 5:02 am

puke wrote: I know ISPs that use it; I know home users that use it. No complaints. Just my 0.02.
Funny, I know root servers that run BIND. If I'm not mistaken, they do at least a couple of queries a day.

Post by puke » Mon May 12, 2003 10:42 pm

upnix wrote: Funny, I know root servers that run BIND. If I'm not mistaken, they do at least a couple of queries a day.
Funny, I wasn't saying that BIND doesn't serve queries. :roll:

The poster was probably asking the question in relation to usage on a Gentoo box, not virtual server farms serving hundreds of millions of hits a day. I'm saying that on a Gentoo system with limited resources, I'd have a more stable and secure Gentoo box using djbdns. Your mileage may vary etc.

Post by adammorley » Fri Jun 20, 2003 5:33 am

1st: dnscache and tinydns chroot by default. Read the code.

2nd: comparison testing dnscache & BIND is non-trivial. dnscache will beat BIND if you tweak it right, i.e. you'll need a few specific patches, browse the mailing list archives for djbdns, and you might want to look into disabling logging, which can be resource intensive.

3rd: I use djbdns to run a production network, a /24 through a T1. Not very large, but it's infinitely easier to maintain than a comparable BIND setup with zone files. Plus, this is on Solaris, so we're talking I could've just clicked a few buttons and used BIND, but I chose not to. In the end, pick the one you think is less crappy.

If you want to understand DNS use DJBDNS

Post by JoeCotellese » Fri Jun 20, 2003 12:32 pm

I maintain the servers at my office. About a year and a half ago I decided to update our servers from BSD, which no one here knew, to Linux. We needed a DNS server so we chose BIND. Never having set up a DNS server before, it took me about a week to understand the BIND syntax and get a properly configured DNS. Once it worked everything was fine, however on a couple of occasions we had problems that required me to mess with the BIND config files. That didn't go so well and caused problems that lasted for a day or two. After that experience I thought that DNS was just too difficult to understand.

I'm the type of personality that likes to understand how something works. That way if it breaks I can fix it. I recently decided to update our system and began to look for other DNS servers. My search led me to djbdns. I did some reading, installed it as a dnscache on our internal network. Everything worked great. I began to understand how DNS worked. After a week of a working cache server I decided to disconnect BIND completely and use djbdns as my domain server as well. Read a couple of well written articles and had things set up within a day.

Aside from the security guarantee I would have to say that the extremely simple syntax of the configuration files is the thing I like most about this server. It allows you to concentrate on understanding the concepts of DNS without also trying to learn an unintuitive software package.

Post by Koon » Fri Jun 20, 2003 1:32 pm

Drawback for BIND is the same as sendmail: security holes will always be found in it, so you have to stay alert and patch quickly. Use something else if maximum security is your goal.

Drawback for djbdns is D. J. Bernstein's really personal interpretation of the RFCs... Use something else if maximum compliance is your goal (that's why some root servers use BIND).

-K

Post by FTC » Fri Jun 20, 2003 2:02 pm

Hi,

I don't know about performance. I run a small hosting shop so, I don't have high traffic.

Regarding security, DJB is really paranoid about it. IIRC he even offers money to anyone that submits an exploitable bug in djbdns (no one has claimed the prize yet).

I'm using a mix of bind8/9 for LAN servers but I'm using djbdns for my hosting DNSs.

BTW, check out DNSadmin from Inter7. It lets you admin both djbdns and bind using a database (great if you want to try both bind and djbdns).

Just my $0.02.

Post by Slynix » Sun Jun 22, 2003 7:15 pm

I use BIND and it works ok so far, no problems at all. I'll keep it running until/if something goes wrong, so I get proof that BIND isn't the "right stuff".

Post by awev » Tue Oct 21, 2003 9:29 pm

A late reply, but still worth a moment.
Consider dnsmasq, from http://thekelleys.org.uk. It is included with a good number of firewall/proxy/gateway packages.
Mike (a.k.a. AWEV)

Other DNS server daemons

Post by sig » Wed Oct 22, 2003 4:03 am

Hi.

I was just wondering, has anyone tried out any other DNS servers than just BIND or djbdns? I mean in a production environment.

One I've found is PowerDNS http://www.powerdns.com/products/powerdns/index.php. Though I haven't run it in a production environment.

Any other experiences?

Post by UberLord » Wed Oct 22, 2003 9:11 am

I'm currently running PowerDNS for my LAN's DNS.
I like it as it supports BIND config files, or you can store stuff in MySQL databases. The only gripe I have is that the ebuild for it is a little behind the latest stable version.

Post by mmealman » Wed Oct 22, 2003 4:13 pm

The security "issues" with BIND are a little overstated in this thread. BIND8 was a security nightmare which is why BIND9 was a total re-write.

Considering 90% of the internet runs off of BIND, if it was truly as insecure as some of the people in this thread make it out to be the internet would've ground to a halt a long time ago.

Post by bone » Tue Apr 06, 2004 2:39 am

I would like some input on PowerDNS. I hear this more and more every week, and am wondering how it compares to BIND.

Anyone, Anywhere?

Post by UberLord » Tue Apr 06, 2004 7:57 am

I gave up with both BIND (hard to configure) and PowerDNS (no DHCP integration). I also ditched ISC's DHCP server as well.

I replaced the lot with dnsmasq! A very small and lightweight DNS and DHCP server. Easy to configure and perfect for my needs of a small LAN. It's not a "real" DNS server as such - as it needs a real DNS server for internet lookups.

But it provides everything for LAN needs :)