[buug] DNS on OpenBSD

Rick Moen rick at linuxmafia.com
Thu Oct 31 18:45:09 PST 2002


Quoting N. Thomas (nthomas at cise.ufl.edu):

> So I'm shopping around for a DNS solution for our network here: an OpenBSD
> firewalling/nat box that feeds some other (mostly Unix) machines.

I'll just cross-post my list from a comment I made at
http://lwn.net/Articles/12928/ :



Free/open-source alternatives to BIND:

    * http://www.dents.org/: DENTS
    * http://www.maradns.org/ MaraDNS
    * http://mydns.bboy.net/: MyDNS
    * http://home.t-online.de/home/Moestl/: pdnsd
    * http://dnrd.nevalabs.org/: Domain Name Relay Daemon
    * http://posadis.sourceforge.net/: Posadis
    * http://pliant.cx/pliant/protocol/dns/: Pliant
    * http://www.linuks.mine.nu/helpers/yaku-ns/: Yaku-NS (official site at www.kyuzz.org/antirez/ens.html seems to be down)
    * http://customdns.sourceforge.net/: CustomDNS
    * http://www.thekelleys.org.uk/dnsmasq/: Dnsmasq
    * http://gnudip2.sourceforge.net/gnudip-www/: GnuDIP
    * http://www.stanford.edu/~riepel/lbnamed/: lbnamed
    * http://eddie.sourceforge.net/lbdns.html: lbdns

Taken from my list of such software in
http://linuxmafia.com/~rick/faq/#djb, which also includes all known
open-source Web and ftp daemons for *ix. (Some of the DNS daemons listed
are for specialised applications, but many are not.)



> Normally I would just use the vendor supplied program, but I was
> looking through a DNS book the other day (Langfeldt, Que) and it put
> the fear of God into me about using bind4.

I'm wary of BIND4, too -- but, in fairness, it seems a dead certainty
that the version OpenBSD ships is very heavily patched.  Very often, the
best bets for reasonable security over the long run are older versions
that have had fixes backported to them, rather than jumping at the
latest of everything.

> Bind9 is what the book recommended, and everywhere I turn I hear about
> djbdns.

Heh.  _That_ kettle of fish.  Quoting from
http://linuxmafia.com/~rick/faq/#djb :


[Coverage of proprietary licensing and extremely odd design of DJBware
snipped.  Listings of open-source alternatives in each category of
DJBware snipped.]

djbdns should not be assumed automatically to be an all-around-usage DNS
server, either. Some of the areas in which Bernstein has elected not to
follow IETF draft standards in djbdns's functioning are outlined in
Scott Morizot's letter to Linux Weekly News
[http://lwn.net/2001/0222/letters.php3] (seventh letter down). (Note
that there are third-party ways to fix djbdns to add support for the
IETF NOTIFY protocol, for sending [http://tinydns.org/dnsnotify] and 
receiving [http://marc.theaimsgroup.com/?l=djbdns&m=97563649813152&w=2] 
NOTIFYs, but the point is Bernstein decided not to implement that and
many other core DNS protocols: He recommends
[http://cr.yp.to/djbdns/run-server.html], for example, that you
eschew the standards-track NOTIFY and IXFR protocols, and use rsync
instead.) A comprehensive list of IETF DNS protocols omitted from djbdns
can be found in Paul Vixie's linuxsecurity.com interview
[http://www.linuxsecurity.com/feature_stories/conrad_vixie-4.html].

It can be argued that the omitted DNS protocols are merely
standards-track (proposed) IETF protocols as of Nov. 2001 -- whose
adoption Bernstein opposes on various grounds. (Relevant RFCs are 1995,
1996, 2136, 2535, 2536, 2537, 2538, 2539, 2845, 2930, 2931, 3007, 3008,
3090, and 3110.) But shunning common zone-transfer mechanisms (NOTIFY,
IXFR, outgoing AXFR) is just unreasonable if you want to
interoperate with the rest of the world.

> Would anyone like to share some information on the topic?

Try MaraDNS.

Me, I tend to use BIND9, but more because I'm used to the thing than 
for any better reason.

-- 
Cheers,      "On the face of it, Microsoft complaining about the source license 
Rick Moen    used by Linux is like the event horizon calling the kettle black."
rick at linuxmafia.com             -- Adam Barr, former Microsoft Corp. programmer
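The NOTIFY and AXFR messages the post argues over are short, fixed-layout DNS packets, so they are easy to build and inspect by hand. The following is an added example, not code from the post, from the linuxmafia.com FAQ, or from any of the servers named above: it assembles an RFC 1996 NOTIFY (opcode 4, AA set, QTYPE SOA) and a plain AXFR request (opcode 0, QTYPE 252) for a zone, decodes them back, and produces the minimal NOTIFY reply a compliant server returns (same header with QR set). The zone name example.com, the transaction IDs and the `probe()` helper are assumptions for illustration; nothing here touches the network unless `probe()` is called explicitly.

```python
"""Build and decode RFC 1996 NOTIFY and RFC 1035 AXFR request messages.

Added example; not code from the original post or from any DNS server it
names. All inputs are constructed inline, so the module runs offline.
Zone name, transaction IDs and the probe() helper are assumptions.
"""
import socket
import struct

OPCODE_QUERY = 0
OPCODE_NOTIFY = 4      # RFC 1996 section 3.1
QTYPE_SOA = 6
QTYPE_AXFR = 252       # RFC 1035 section 3.2.3
QCLASS_IN = 1


def encode_name(name: str) -> bytes:
    """Dotted name -> length-prefixed labels, terminated by a zero byte."""
    out = b""
    for label in name.rstrip(".").split("."):
        raw = label.encode("ascii")
        if not 1 <= len(raw) <= 63:
            raise ValueError("label length out of range: %r" % label)
        out += struct.pack("B", len(raw)) + raw
    return out + b"\x00"


def decode_name(msg: bytes, offset: int):
    """Decode an uncompressed name at offset; returns (name, next_offset)."""
    labels = []
    while True:
        length = msg[offset]
        offset += 1
        if length == 0:
            break
        if length & 0xC0:          # compression pointers never appear in a question
            raise ValueError("unexpected compression pointer at %d" % (offset - 1))
        labels.append(msg[offset:offset + length].decode("ascii"))
        offset += length
    return ".".join(labels) + ".", offset


def build_message(txid: int, opcode: int, zone: str, qtype: int, aa: bool = False) -> bytes:
    """12-byte header (RFC 1035 4.1.1) followed by one question entry."""
    flags = (opcode & 0xF) << 11
    if aa:
        flags |= 1 << 10           # AA is set on a NOTIFY from the zone's master
    header = struct.pack("!HHHHHH", txid, flags, 1, 0, 0, 0)
    question = encode_name(zone) + struct.pack("!HH", qtype, QCLASS_IN)
    return header + question


def build_notify(txid: int, zone: str) -> bytes:
    """NOTIFY: opcode 4, AA=1, question names the zone with QTYPE SOA."""
    return build_message(txid, OPCODE_NOTIFY, zone, QTYPE_SOA, aa=True)


def build_axfr(txid: int, zone: str) -> bytes:
    """Full zone transfer request: ordinary query with QTYPE AXFR."""
    return build_message(txid, OPCODE_QUERY, zone, QTYPE_AXFR)


def parse_message(msg: bytes) -> dict:
    """Decode header flags and the first question of a DNS message."""
    txid, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", msg[:12])
    zone, off = decode_name(msg, 12)
    qtype, qclass = struct.unpack("!HH", msg[off:off + 4])
    return {
        "id": txid,
        "qr": bool(flags & 0x8000),
        "opcode": (flags >> 11) & 0xF,
        "aa": bool(flags & 0x0400),
        "rcode": flags & 0xF,
        "qdcount": qd,
        "zone": zone,
        "qtype": qtype,
        "qclass": qclass,
    }


def notify_response(request: bytes) -> bytes:
    """Minimal reply from a NOTIFY-aware server: echo the question, set QR (RFC 1996 3.2)."""
    txid, flags, *_ = struct.unpack("!HHHHHH", request[:12])
    return struct.pack("!HHHHHH", txid, flags | 0x8000, 1, 0, 0, 0) + request[12:]


def probe(server: str, zone: str, timeout: float = 2.0):
    """Send a NOTIFY over UDP/53 and return the parsed reply, or None on timeout.

    Assumed helper for testing a secondary; not exercised by the offline tests.
    A server that ignores NOTIFY (as the post says stock tinydns does) simply
    times out here, while a NOTIFY-aware one answers with QR set and opcode 4.
    """
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        sock.sendto(build_notify(0x4242, zone), (server, 53))
        try:
            data, _ = sock.recvfrom(512)
        except socket.timeout:
            return None
    return parse_message(data)
```

`parse_message` is deliberately strict: it refuses compressed names in the question section, which is where a hand-built NOTIFY or AXFR request never needs them, so anything that trips that check is worth a closer look before trusting it.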


