Thursday, August 30, 2007

There's more to DNS than BIND and DjbDNS

Back in early 2001, there were only two DNS servers available: BIND and DjbDNS. Both had problems: BIND had a steady stream of security holes that gave attackers remote root access to systems, while DjbDNS had a non-open-source license and a disregard for standards that made using it problematic.

The feeling was that a new DNS server needed to be made. So I started developing MaraDNS. It was a lot of work; DNS is a non-trivial protocol.

Six years have passed since then and a number of DNS servers have come and gone. The ones that are still being actively maintained are my own MaraDNS, NSD, and PowerDNS. [1]

However, whenever a discussion about DNS servers comes up, we get the same BIND-vs-DjbDNS flame war rehashed over and over again. The flame wars are based on the following outdated bits of information:
  • BIND has privilege escalation security holes coming out every month (not true since BIND9 became viable in 2002 or 2003)
  • DjbDNS has no security holes (not true: DjbDNS has an unpatched remote denial-of-service security hole)
  • There are no free DNS servers besides BIND and DjbDNS (not true: there are three other active open-source DNS servers)
Here is an example posting showing how people are still living in 2001 when it comes to DNS servers.

So, people, wake up and smell the coffee. There are no fewer than three other DNS servers being actively maintained. We are no longer in a BIND-and-DjbDNS world, and BIND is no longer a remote root exploit waiting to happen.

- Sam

[1] There are some other DNS servers that are no longer actively maintained or on life support: pdnsd (the last update is from a year ago) and posadis (last update three years ago). There's also MyDNS (last update almost two years ago), which is a "one trick pony" DNS server for people who want to use a database to manage DNS records.