Comparison of DNS server software

From Wikipedia, the free encyclopedia

This is an old revision of this page, as edited by 130.102.44.52 (talk) at 04:08, 25 May 2010. The present address (URL) is a permanent link to this revision, which may differ significantly from the current revision.

This article presents a comparison of the features, platform support, and packaging of independent implementations of Domain Name System (DNS) name server software.

Servers compared

Each of these DNS servers is an independent implementation of the DNS protocols, capable of resolving DNS names for other computers, publishing the DNS names of computers, or both. Excluded from consideration are single-feature DNS tools (such as proxies, filters, and firewalls) and redistributions of servers listed here (many products repackage BIND, for instance, with proprietary user interfaces).

DNS servers are grouped by the role they play in servicing Domain Name System queries. The two principal roles, which a given product may implement separately or combined, are:

  • Authoritative server: authoritative name servers publish DNS mappings for the domains under their control. Typically an organisation (e.g. "Acme Example Widgets") runs its own authoritative service to answer address queries, and queries for other DNS information, for names such as www.example.int. These servers are listed at the top of the authority chain for their respective domains and can give a definitive answer. Authoritative name servers can be primary (master) servers, which hold the original copy of the zone data, or secondary (slave) servers, which hold copies usually obtained by synchronising directly with the master, either through a DNS mechanism (zone transfer) or through some other data-store replication mechanism.
  • Recursive server: recursive servers (sometimes called "DNS caches" or "caching-only name servers") resolve names on behalf of client applications by relaying each request along the chain of authoritative name servers until the name is fully resolved, and usually cache the result so that later queries for the same name can be answered until its time-to-live (TTL) expires. Most Internet users rely on a recursive server provided by their Internet service provider to locate sites such as www.google.com.
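The two roles in operation, as an added example that is not part of the article or of any server it compares: an in-memory model of a root server, a TLD server and a zone's master, queried by a recursive server that follows referrals, refuses recursion to clients outside an access list, and caches answers until their TTL expires (the Recursion Access Control and Caching features defined under "Explanation of features" below). All names, addresses (taken from the 192.0.2.0/24 and 203.0.113.0/24 documentation ranges) and TTLs are constructed for the example; nothing is sent on the network.

```python
"""Constructed in-memory model of the two roles above: three authoritative
servers (the root, the "int" TLD and example.int) and a recursive server that
follows referrals, enforces a recursion ACL and caches answers until their TTL
expires. Every name, address and TTL here is made up for the example."""
import ipaddress

# Authoritative data keyed by server address: (zone apex, {(owner, type): (ttl, values)}).
# An NS record below the apex is a delegation (zone cut); A records for the
# delegated name servers are glue.
AUTHORITATIVE = {
    "192.0.2.4": (".", {                                   # root server
        ("int.", "NS"): (172800, ["a.nic.int."]),
        ("a.nic.int.", "A"): (172800, ["192.0.2.1"]),
    }),
    "192.0.2.1": ("int.", {                                # "int" TLD server
        ("example.int.", "NS"): (86400, ["ns1.example.int."]),
        ("ns1.example.int.", "A"): (86400, ["192.0.2.53"]),
    }),
    "192.0.2.53": ("example.int.", {                       # example.int master
        ("example.int.", "NS"): (86400, ["ns1.example.int."]),
        ("ns1.example.int.", "A"): (86400, ["192.0.2.53"]),
        ("www.example.int.", "A"): (300, ["192.0.2.80"]),
    }),
}
ROOT_SERVER = "192.0.2.4"


def in_zone(name, apex):
    return apex == "." or name == apex or name.endswith("." + apex)


def authoritative_answer(server, name, qtype):
    """What an authoritative server returns: a definitive answer, a referral
    to the closest delegation it knows about, a name error, or a refusal."""
    apex, zone = AUTHORITATIVE[server]
    if not in_zone(name, apex):
        return "refused", None                       # not authoritative for this name
    if (name, qtype) in zone:
        return "answer", zone[(name, qtype)]
    labels = name.split(".")
    for i in range(1, len(labels)):                  # walk up towards the apex
        cut = ".".join(labels[i:])
        if cut == apex:
            break                                    # nothing is delegated below the apex
        if (cut, "NS") in zone:
            ttl, ns_names = zone[(cut, "NS")]
            glue = {ns: zone.get((ns, "A"), (0, []))[1] for ns in ns_names}
            return "referral", (ttl, ns_names, glue)
    return "nxdomain", None


class RecursiveServer:
    def __init__(self, allow_recursion):
        self.allow = [ipaddress.ip_network(n) for n in allow_recursion]
        self.cache = {}                              # (name, type) -> (expires_at, values)
        self.upstream_queries = 0                    # authoritative queries sent so far

    def resolve(self, name, qtype, client, now):
        """Client entry point: the recursion ACL is checked before any work is done."""
        if not any(ipaddress.ip_address(client) in net for net in self.allow):
            return "REFUSED"
        return self._lookup(name, qtype, now)

    def _lookup(self, name, qtype, now):
        hit = self.cache.get((name, qtype))
        if hit and hit[0] > now:                     # cached and still within its TTL
            return hit[1]
        server = ROOT_SERVER
        for _ in range(8):                           # bound the chain: lame delegations can loop
            self.upstream_queries += 1
            kind, data = authoritative_answer(server, name, qtype)
            if kind == "answer":
                ttl, values = data
                self.cache[(name, qtype)] = (now + ttl, values)
                return values
            if kind != "referral":
                return None
            _ttl, ns_names, glue = data
            # Use glue when the referral carries it, otherwise resolve the NS name first.
            addresses = glue[ns_names[0]] or self._lookup(ns_names[0], "A", now)
            if not addresses:
                return None
            server = addresses[0]
        return None


def demo():
    """Walk the chain once, hit the cache, expire the cache, and get refused."""
    r = RecursiveServer(allow_recursion=["192.0.2.0/24"])
    first = r.resolve("www.example.int.", "A", "192.0.2.99", now=1000)
    q1 = r.upstream_queries                          # root -> int -> example.int: 3 queries
    second = r.resolve("www.example.int.", "A", "192.0.2.99", now=1100)
    q2 = r.upstream_queries                          # answered from cache: still 3
    third = r.resolve("www.example.int.", "A", "192.0.2.99", now=1400)
    q3 = r.upstream_queries                          # TTL 300 expired at 1300: 3 more queries
    return {"first": first, "second": second, "third": third, "queries": (q1, q2, q3),
            "refused": r.resolve("www.example.int.", "A", "203.0.113.7", now=1400),
            "missing": r.resolve("nope.example.int.", "A", "192.0.2.99", now=1400)}
```

The referral loop is deliberately bounded: a lame or circular delegation would otherwise keep the resolver querying forever, and the client outside 192.0.2.0/24 is refused before the server does any upstream work, which is the point of a recursion ACL.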

BIND is the de facto standard DNS server. It is a free software product and is distributed with most Unix and Linux platforms, where it is most often also referred to as named (name daemon). It is the most widely deployed DNS server. Historically, BIND underwent three major revisions, each with a significantly different architecture: BIND4, BIND8, and BIND9. BIND4 and BIND8 are now technically obsolete and are not considered in this article. BIND9 is a ground-up rewrite of BIND featuring complete DNSSEC support in addition to other features and enhancements.

Internet Systems Consortium has also started development of a new version, BIND 10. Its first release was in April 2010, and the project is expected to take five years to complete its feature set. It is not included in this comparison at this time.

Microsoft DNS is the DNS server provided with Windows Server, a key component of Microsoft's Active Directory.

Dnsmasq is a lightweight, easy to configure, DNS forwarder and local resolver (and DHCP server) and is usually integrated in home networking routers.

Djbdns is a collection of DNS applications, including tinydns, which was the second most popular free software DNS server in 2004.[1] It was designed by Daniel J. Bernstein, author of qmail, with an emphasis on security. In March 2009, Bernstein paid $1000 to the first person to find a security hole in djbdns.[2] Djbdns requires several uncommon installation and configuration methods. The source code is not centrally maintained; it was released into the public domain in 2007, and as of March 2009 there are three forks and more than a dozen patches addressing shortcomings in djbdns.[3]

Simple DNS Plus is a commercial DNS server product that runs under Microsoft Windows with an emphasis on a simple-to-use GUI.

NSD is a free software authoritative server provided by NLnet Labs. NSD is a test-bed server for DNSSEC; new DNSSEC protocol features are often prototyped using the NSD code base. NSD serves several top-level domains and is the software behind three of the root name servers.

PowerDNS is a free software DNS server with a variety of data storage back-ends and load balancing features. Authoritative and recursive server functions are implemented as separate applications. It is the DNS implementation relied upon by Wikipedia.

MaraDNS is a free software DNS server by Sam Trenholme that claims a good security history and ease of use.[4][5]

ANS is a commercial authoritative server from Nominum, a company founded by Paul Mockapetris, the inventor of the DNS. ANS was designed to meet the needs of top level domain servers, hosters and large enterprises.

Vantio is a commercial high-performance recursive caching server from Nominum, intended as a fast, secure alternative to BIND for service providers, enterprises, and government agencies.

Posadis is a free software DNS server, written in C++, featuring Dynamic DNS update support.

Secure64 is a commercial security-hardened DNS appliance, deployed on a proprietary 64-bit operating system running on Intel Itanium hardware.

Unbound is a validating, recursive and caching DNS server designed for high performance. Version 1.0.0 was released on May 20, 2008 as free software under the BSD license by NLnet Labs, Verisign Inc., Nominet, and Kirei.

CNR includes a commercial DNS server from Cisco Systems usually used in conjunction with the CNR DHCP (Dynamic Host Configuration Protocol) server. It supports high rates of dynamic update.

Features

Some DNS features are relevant only to recursive servers, or to authoritative servers. As a result, a feature matrix such as the one in this article cannot by itself represent the effectiveness or maturity of a given implementation.

Another important qualifier is the server architecture. Some DNS servers provide support for both server roles in a single, "monolithic" program. Others are divided into smaller programs, each implementing a subsystem of the server. As in the classic Computer Science microkernel debate, the importance and utility of this distinction is hotly debated. The feature matrix in this article does not discuss whether DNS features are provided in a single program or several, so long as those features are provided with the base server package and not with third-party add-on software.

Explanation of features

Authoritative
A major category of DNS server functionality, see above.
Recursive
A major category of DNS server functionality, see above.
Recursion Access Control
Servers with this feature let the administrator control which hosts are permitted to request recursive lookups. Restricting recursion to known clients keeps the server from acting as an "open resolver": it limits load, and it reduces the server's exposure to abuse from arbitrary sources (for example as a reflector for traffic aimed at third parties, or as a target for cache-poisoning attempts), while authoritative data can still be served to everyone.
Slave Mode
Authoritative servers can publish content that originates from primary data storage (such as zone files or databases connected to business administration processes)--such servers are also called 'master' servers--or can be slave or secondary servers, republishing content fetched from and synchronized with such master servers. Servers with a "slave mode" feature have a built-in capability to retrieve and republish content from other servers. This is typically, though not always, provided using the AXFR DNS protocol.
Caching
Servers with this feature provide recursive services for applications, and cache the results so that future requests for the same name can be answered quickly, without a full DNS lookup. This is an important performance feature, as it significantly reduces the latency of DNS requests.
DNSSEC
Servers with this feature implement some variant of the DNSSEC protocols. They may publish names with resource record signatures (providing a "secure authority service"), and may validate those signatures during recursive lookups (providing a "secure resolver"). DNSSEC is not widespread, and has not been adopted by the most popular sites on the Internet. Its value and feasibility have been the subject of debate. However, the presence of DNSSEC features is a notable characteristic of a DNS server.
TSIG
Servers with this feature support the TSIG protocol (RFC 2845), which authenticates individual DNS messages with a keyed hash (HMAC) computed over the message using a secret shared between the two parties. TSIG is typically used to authenticate Dynamic DNS updates from clients and zone transfers between master and slave servers. It is independent of DNSSEC: it does not provide DNSSEC's end-to-end authentication of published zone data, but it secures these point-to-point exchanges without the cost and complexity of full DNSSEC support.
IPv6
Servers with this feature can publish and handle DNS records that refer to IPv6 addresses (AAAA records). To be fully IPv6 capable they must also use IPv6 as a transport for queries, for zone transfers between master and slave, and for forwarding.
Wildcard
Servers with this feature can publish information for wildcard records, which provide data about DNS names in DNS zones that are not specifically listed in the zone.
Split horizon
Servers with the split-horizon DNS feature can give different answers depending on the source IP address of the query.
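The TSIG message authentication described under "TSIG" above, as an added example that is not part of the article or of any server it compares: a slave signs an AXFR request with a secret shared with its master, and the master verifies it. The key name, secret, message ID and timestamp are constructed for the example, and the code uses only the Python standard library (no DNS library, no network).

```python
"""Constructed TSIG (RFC 2845) signer and verifier using only the Python standard
library. The shared secret, key name and message below are made up for the
example; no real server is contacted."""
import hashlib
import hmac
import struct

TYPE_TSIG, TYPE_AXFR, CLASS_IN, CLASS_ANY = 250, 252, 1, 255
ALGORITHM = "hmac-sha256."   # algorithm identifier (RFC 4635), written as a domain name

def encode_name(name):
    """Uncompressed wire-format name, lower-cased (TSIG's canonical form)."""
    out = b""
    for label in name.lower().rstrip(".").split("."):
        if label:
            out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"

def read_name(buf, pos):
    """Read an uncompressed name (the TSIG RR and its algorithm name must not be compressed)."""
    labels = []
    while buf[pos]:
        n = buf[pos]
        labels.append(buf[pos + 1:pos + 1 + n].decode("ascii"))
        pos += 1 + n
    return ".".join(labels) + ".", pos + 1

def skip_name(buf, pos):
    """Skip a possibly compressed name in the message body."""
    while True:
        n = buf[pos]
        if n == 0:
            return pos + 1
        if n & 0xC0 == 0xC0:     # compression pointer: two bytes, ends the name
            return pos + 2
        pos += 1 + n

def build_query(msg_id, qname, qtype):
    """Header with one question and no flags set (as a slave sends to its master)."""
    return (struct.pack("!HHHHHH", msg_id, 0, 1, 0, 0, 0)
            + encode_name(qname) + struct.pack("!HH", qtype, CLASS_IN))

def tsig_variables(key_name, time_signed, fudge, error=0, other=b""):
    """TSIG fields covered by the MAC but not part of the message itself."""
    return (encode_name(key_name) + struct.pack("!HI", CLASS_ANY, 0) + encode_name(ALGORITHM)
            + struct.pack("!HI", time_signed >> 32, time_signed & 0xFFFFFFFF)
            + struct.pack("!HHH", fudge, error, len(other)) + other)

def sign(message, key_name, secret, time_signed, fudge=300):
    """Append a TSIG RR; the MAC covers the unsigned message plus the TSIG variables."""
    mac = hmac.new(secret, message + tsig_variables(key_name, time_signed, fudge),
                   hashlib.sha256).digest()
    original_id = struct.unpack("!H", message[:2])[0]
    rdata = (encode_name(ALGORITHM)
             + struct.pack("!HI", time_signed >> 32, time_signed & 0xFFFFFFFF)
             + struct.pack("!HH", fudge, len(mac)) + mac
             + struct.pack("!HHH", original_id, 0, 0))    # original ID, error, other len
    rr = encode_name(key_name) + struct.pack("!HHIH", TYPE_TSIG, CLASS_ANY, 0, len(rdata)) + rdata
    arcount = struct.unpack("!H", message[10:12])[0] + 1
    return message[:10] + struct.pack("!H", arcount) + message[12:] + rr

def verify(signed, key_name, secret, now):
    """Recompute the MAC over the message as it was before the TSIG RR was appended."""
    qd, an, ns, ar = struct.unpack("!HHHH", signed[4:12])
    if ar == 0:
        return False                                           # no TSIG RR at all
    pos = 12
    for _ in range(qd):
        pos = skip_name(signed, pos) + 4                       # qtype, qclass
    for _ in range(an + ns + ar - 1):                          # every RR except the last
        pos = skip_name(signed, pos)
        pos += 10 + struct.unpack("!H", signed[pos + 8:pos + 10])[0]
    name, p = read_name(signed, pos)                           # TSIG must be the last RR
    rtype, rclass, _ttl, _rdlen = struct.unpack("!HHIH", signed[p:p + 10])
    alg, p = read_name(signed, p + 10)
    hi, lo, fudge, mac_size = struct.unpack("!HIHH", signed[p:p + 10])
    mac = signed[p + 10:p + 10 + mac_size]
    p += 10 + mac_size
    original_id, error, other_len = struct.unpack("!HHH", signed[p:p + 6])
    other = signed[p + 6:p + 6 + other_len]
    time_signed = (hi << 32) | lo
    if rtype != TYPE_TSIG or rclass != CLASS_ANY or name != key_name.lower() or alg != ALGORITHM:
        return False
    if abs(now - time_signed) > fudge:                         # outside the replay window
        return False
    unsigned = (struct.pack("!H", original_id) + signed[2:10]
                + struct.pack("!H", ar - 1) + signed[12:pos])
    expected = hmac.new(secret, unsigned + tsig_variables(key_name, time_signed, fudge, error, other),
                        hashlib.sha256).digest()
    return hmac.compare_digest(mac, expected)                  # constant-time comparison

def demo(now=1_300_000_000):
    """Sign an AXFR request as the slave would, then check it as the master would.
    A real implementation uses the current time; a fixed value keeps this reproducible."""
    secret = b"constructed-example-secret-do-not-reuse"      # constructed shared key
    key_name = "xfer-key.example."                           # constructed key name
    signed = sign(build_query(0x1234, "example.", TYPE_AXFR), key_name, secret, now)
    tampered = signed[:13] + b"f" + signed[14:]              # flip one byte of the QNAME
    return {"genuine": verify(signed, key_name, secret, now),
            "tampered": verify(tampered, key_name, secret, now),
            "wrong_key": verify(signed, key_name, b"other-secret", now),
            "stale": verify(signed, key_name, secret, now + 3600)}
```

The MAC covers the message as it stood before the TSIG RR was appended (original ID and ARCOUNT restored) plus the key name, class, TTL, algorithm, timestamp, fudge, error and other-data fields, so a verifier has to strip the RR and recompute rather than hash the received bytes, and has to check the timestamp against the fudge window before trusting the message. The four results show a genuine request accepted and a tampered request, a wrong key and a stale timestamp each rejected.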

Feature matrix

"n/a" marks a feature that does not apply to the server's role (for example recursion access control on an authoritative-only server).

| Server | Authoritative | Recursive | Recursion ACL | Slave mode | Caching | DNSSEC | TSIG | IPv6 | Wildcard | Interface | Split horizon |
|---|---|---|---|---|---|---|---|---|---|---|---|
| BIND | Yes | Yes | Yes | Yes | Yes | Yes | Yes | Yes (since 9.x) | Yes (since 4.x) | Web[Note 1], command line | Yes |
| Microsoft DNS | Yes | Yes | No | Yes | Yes | Yes[Note 2] | Yes[Note 3] | Yes[Note 4] | Yes | GUI, command line, API[Note 5], WMI[Note 6], RPC[Note 7] | No |
| djbdns | Yes | Yes | Yes | Yes[Note 8] | Yes | No | No | No[1] | Partial[Note 9] | command line | Yes[Note 10] |
| Dnsmasq | Partial[Note 11] | No | No | No | Yes | No | No | Yes | Yes | command line | No |
| Simple DNS Plus | Yes | Yes | Yes | Yes | Yes | Yes | Yes | Yes | Yes | GUI, Web, command line | Yes[Note 12] |
| NSD | Yes | No | n/a | Yes | n/a | Yes | Yes | Yes | Yes | command line | No |
| PowerDNS | Yes | Yes | Yes | Yes[Note 13] | Yes | Partial[Note 14] | No | Partial[Note 13] | Yes | Web, command line | No[Note 15] |
| MaraDNS | Yes | Yes | Yes | Partial[Note 16] | Yes | No | No | Partial | Yes | command line | No |
| Nominum ANS | Yes | No | n/a | Yes | No | Yes | Yes | Yes | Yes | command line, API, SOAP interface, SNMP | Yes |
| Nominum Vantio | No | Yes | Yes | No | Yes | Yes | Yes | Yes | Yes | command line, API, SOAP interface, SNMP | Yes |
| Posadis | Yes | Yes | ? | Yes | Yes | No | No | Yes | Yes | command line, API | ? |
| Secure64 DNS | Yes | No | ? | Yes | No | Yes | Yes | Yes | Yes | command line | No |
| Unbound | Partial | Yes | Yes | No | Yes | Yes | No | Yes | Yes | command line, API | No |
Notes

  1. A BIND configuration module is available for Webmin in many Linux distributions.
  2. Windows Server 2008 R2 supports DNSSEC; however, dynamic DNS is not supported for DNSSEC-signed zones. For earlier versions, including Windows Server 2003, DNSSEC functionality must be manually activated in the registry. In these versions the DNSSEC support is sufficient to act as a slave/secondary server for a signed zone, but not sufficient to create a signed zone (there are no key generation and signing utilities).
  3. Microsoft DNS supports the GSS-TSIG algorithm for Secure Dynamic Update when integrated with Active Directory, using RFC 3645, an application of GSS-API (RFC 2743).
  4. IPv6 functionality in the Microsoft DNS server is only available on Windows Server 2003 and newer.
  5. Microsoft DNS Server API Reference.
  6. Microsoft DNS WMI Provider Specification.
  7. MS-DNSP DNS Server Management Protocol Specification (uses RPCs).
  8. djbdns provides facilities to transfer zones; after completing the zone transfer, djbdns can act as an authoritative server for that zone. Consult the axfr-get documentation for further information.
  9. djbdns supports wildcard DNS records, but not in a way that conforms with the RFCs.
  10. This is not the same as views in BIND, but it is a solution with comparable capabilities. See the relevant section of the tinydns-data documentation.
  11. Dnsmasq has limited authoritative support, intended for internal network use rather than public Internet use. A records are supported via /etc/hosts, and there is some MX record support via the command line.
  12. Simple DNS Plus does not have "views" in the same way as BIND, but has a "NAT IP Alias" feature which allows host records to resolve to different IP addresses depending on where the DNS request comes from.
  13. IPv6 support in PowerDNS is incomplete. Zone transfers in master/slave replication are only functional with IPv4 transport.
  14. DNSSEC support in PowerDNS is currently restricted to being able to serve DNSSEC-related RRs; better DNSSEC support is in development.
  15. It is possible to support the concept of views in PowerDNS either by running two copies of PowerDNS in parallel (on the same machine), or by writing a custom backend which serves different data based on the client that is querying. See the original answer on this topic by the author of PowerDNS.
  16. MaraDNS cannot directly provide slave support. Instead, a zone transfer is needed, after which MaraDNS will act as an authoritative server for that zone. See DNS Slave for further information.

Platforms

In this overview of operating system support for the discussed DNS server, the following terms indicate the level of support:

  • No indicates that it does not exist or was never released.
  • Partial indicates that while it works, the server lacks important functionality compared to versions for other OSs; it is still being developed however.
  • Beta indicates that while a version is fully functional and has been released, it is still in development (e.g. for stability).
  • Yes indicates that it has been officially released in a fully functional, stable version.
  • Included indicates that the server comes pre-packaged with or has been integrated into the operating system.

This compilation is not exhaustive, but rather reflects the most common platforms today.

| Server | BSD | Solaris | Linux | Mac OS X | Windows |
|---|---|---|---|---|---|
| BIND | Yes | Yes | Yes | Yes | Yes[Note 1] |
| Microsoft DNS | No | No | No | No | Included[Note 2] |
| djbdns | Yes | Yes | Yes | Yes | No |
| Dnsmasq | Yes | Yes | Yes | Yes | No |
| Simple DNS Plus | No | No | No | No | Yes |
| NSD | Yes | Yes | Yes | Yes | No |
| PowerDNS | Yes | Yes[2] | Yes | Beta | Yes |
| MaraDNS | Yes | Yes[3] | Yes | Yes | Partial |
| Nominum ANS | Yes | Yes | Yes | No | No |
| Nominum Vantio | Yes | Yes | Yes | No | No |
| Posadis | Yes | Yes | Yes | Yes | Yes[4] |
| Secure64 DNS[Note 3] | No | No | No | No | No |
| Unbound | Yes | Yes | Yes | Yes | Yes |
Notes

  1. BIND is available for Windows NT-based systems (including Windows 2000, XP, and Server 2003) in a port known as ntbind.
  2. The functionality available with the Microsoft DNS server depends on the version of the underlying operating system; like most Windows Server components, it is upgraded only together with the rest of the operating system. Certain functionality, such as DNSSEC and IPv6 support, is only available on Windows Server 2003 and newer. Windows 2000 Server includes TSIG support. The Microsoft DNS Server is not available on Windows client operating systems such as Windows XP.
  3. Secure64 DNS runs exclusively on SourceT, a micro operating system developed by Secure64, and is therefore not available on any of the platforms listed.

Packaging

| Server | Creator | Cost (USD) | Public source code | Software license |
|---|---|---|---|---|
| BIND | Internet Systems Consortium | Free | Yes | BSD |
| Microsoft DNS | Microsoft | Included with Windows Server | No | Clickwrap license |
| djbdns | Daniel J. Bernstein | Free | Yes | Public domain |
| Dnsmasq | Simon Kelley | Free | Yes | GPL |
| Simple DNS Plus | JH Software | $79 - $379 | No | Clickwrap license |
| NSD | NLnet Labs | Free | Yes | BSD variant |
| PowerDNS | PowerDNS.COM BV / Bert Hubert | Free | Yes | GPL |
| MaraDNS | Sam Trenholme | Free | Yes | BSD variant |
| Nominum ANS | Nominum | Unpublished price | No | Clickwrap license |
| Nominum Vantio | Nominum | Unpublished price | No | Clickwrap license |
| Secure64 DNS | Secure64 Software | Unpublished price | No | Clickwrap license |
| Posadis | Meilof Veeningen | Free | Yes | GPL |
| Unbound | NLnet Labs | Free | Yes | BSD |

References

  1. Moore, Don (2004). "DNS server survey". Retrieved 2005-01-06.
  2. "The djbdns prize claimed". Retrieved 2009-03-04.
  3. Moen, Rick. "Detailed overview of DNS server software". Retrieved 2009-07-13.
  4. Mens, Jan-Piet (2008). Alternative DNS Servers: Choice and Deployment, and Optional SQL/LDAP Back-Ends (Paperback). UIT Cambridge Ltd. ISBN 0954452992.
  5. Danchev, Dancho. "How OpenDNS, PowerDNS and MaraDNS remained unaffected by the DNS cache poisoning vulnerability". ZDNet. Retrieved 2009-10-10.