Re: [OT] Dns servers

From: Craig Sanders (castaz.net.au)
Date: Fri Dec 31 2004 - 19:59:03 CST


On Fri, Dec 31, 2004 at 07:41:14PM +0000, Matt wrote:
> Completely off topic again, (not a first for me :), but does anyone
> have a recommendation as to a nice, basic and secure dns server. I
> don't need all the bloat of Bind, but I finally need to set up my own
> dns server, and would appreciate any comments/preferences.

if you want to serve domain(s) (either primary or secondary), then bind is
still your best choice(*). the so-called "bloat" is there for a reason, to meet
the requirements of the standards. bind can host domains and it can do
recursive lookups (i.e. act as a resolver for your local network). it is
relatively easy to set up and will basically Just Work, and cause you little
or no grief.

for extremely high-volume nameservers (e.g. root nameservers), there are
possibly better choices than bind, such as the authoritative-only NSD (note:
no recursion! useful as a server, but not as a resolver). for anything
smaller than that, though, bind is fine.

the main problem with bind is that it has had several security problems in the
past. there hasn't been one for quite a while now, but it is still a good
idea to keep up-to-date with security announcements and be ready to upgrade as
necessary.

if you only want a caching NS to speed up DNS lookups for your network, then
maradns makes an OK little recursive nameserver. maradns can do both
recursive lookups and hosting of domains, but i would never use it for the
latter (don't like the ugly zonefile format). i install this as a matter of
routine on all servers that need to do frequent dns lookups (mail servers, web
servers that run jdresolve on the logs for webalizer etc), and configure them
to use my main dns servers as parents.

the author of maradns has tried to make it easy to configure, but i find it
more complicated and hassle-prone than bind. YMMV, especially if you're not
already used to bind.

if you want to host an RBL domain, use Michael Tokarev's rbldnsd. it does the
job extremely well, and uses only a tiny fraction of the memory that bind
would for the equivalent zonefile. be careful not to confuse this with djb's
rbldns (note: no final "d" on the name), an easy mistake to make.

(*) i've wished this weren't true many times over the years. now i'm just
resigned to the fact that any alternative to bind will have its own annoyances
that are far worse than bind's annoyances. all DNS software sucks in one way
or another. bind sucks the least, or at least compensates for its suckiness
with good features, reasonable but not perfect reliability, and decent
configuration and zonefile formats.

craig

ps: some people may suggest djbdns. avoid it like the plague. his dns
software only implements those parts of the DNS standards that he likes. he
ignores (actually, REFUSES to implement) the rest, and doesn't care about any
problems that may cause... but that's par for the course with his stuff. djb
is always right. if you think he's wrong, that's because you're an idiot and
don't know what you're talking about. worship him for he is the One True
leader of us all and you're not fit to even grovel at his feet.

--
craig sanders <castaz.net.au> (part time cyborg)

my postfix scripts are at http://taz.net.au/postfix/scripts/
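As an added illustration of the two deployments the reply describes (bind hosting a domain while also acting as a resolver for the local network, and a caching-only server that uses the main nameservers as parents), here is a minimal named.conf for each. This is example configuration written for this page, not taken from the post or from any of the projects mentioned; the zone name, file paths and the 192.0.2.x addresses are placeholders.

```conf
// Deployment 1: authoritative for our own zone AND recursive resolver,
// but recursion is only offered to our own network. Leaving
// allow-recursion at its permissive default would turn this host into
// an open resolver that anyone on the Internet could use.
options {
    directory "/var/cache/bind";            // placeholder path
    recursion yes;
    allow-recursion { localhost; localnets; }; // only our LAN may resolve through us
    allow-query { any; };                   // anyone may ask about zones we host
    allow-transfer { none; };               // zone transfers off by default
    version "none";                         // do not advertise the bind version
};

zone "example.com" {                        // placeholder zone
    type master;
    file "/etc/bind/db.example.com";        // placeholder path
    allow-transfer { 192.0.2.2; };          // our secondary only
};

// Deployment 2: caching-only server on a mail or web host, forwarding
// every lookup to the main nameservers ("parents"). It hosts no zones,
// so nothing outside the local network has any business querying it.
options {
    directory "/var/cache/bind";            // placeholder path
    recursion yes;
    allow-query { localhost; localnets; };
    allow-recursion { localhost; localnets; };
    forwarders { 192.0.2.53; 192.0.2.54; }; // placeholder parent resolvers
    forward only;                           // never recurse on our own if parents fail
    version "none";
};
```

The two `options` blocks belong in two separate named.conf files, one per server role; they are shown together here only for comparison.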