Comparison of DNS server software
From Wikipedia, the free encyclopedia
This article is a comparison of DNS server software, comparing the features, platform support, and packaging of independent implementations of DNS.
Servers compared
Each of these DNS servers is an independent implementation of the DNS protocols, capable of resolving DNS names for other computers, publishing the DNS names of computers, or both. Excluded from consideration are single-feature DNS tools (such as proxies, filters, and firewalls) and redistributions of servers listed here (many products repackage BIND, for instance, with proprietary user interfaces).
The term "DNS server" is ambiguous. DNS servers have two core roles, and a given DNS server may be intended to provide either or both of them:
- Recursive servers: recursive servers (sometimes called "caches" or "caching-only name servers") provide DNS name resolution for applications, by relaying the requests of the client application through the proper authoritative name server and caching the result to answer potential future queries. A recursive server provided by an Internet Service Provider is how Internet users typically locate sites such as www.google.com.
- Authoritative servers: authoritative name servers publish DNS mappings for domains under their control. Typically, a company (e.g. "Acme Widgets") would provide its own authority services to tell the world where to find www.acmewidgets.int. These servers are listed as being at the top of the authority chain for their respective domains, and are capable of providing either a direct answer to a query or of delegating that authority to another host.
BIND
The de facto standard open-source DNS server. BIND ships on most Unix platforms, and is the most widely deployed DNS server. There are three major versions of BIND, each with a significantly different architecture: BIND4, BIND8, and BIND9. This page refers to BIND9, a ground-up rewrite of BIND featuring full DNSSEC support.
Microsoft DNS
The DNS server provided with Windows Server, a key component of Microsoft's Active Directory, and therefore one of the most widely deployed implementations of the DNS.
djbdns
The second most popular open-source DNS server, and the first security-aware DNS server, by Daniel J. Bernstein, author of qmail. Designed as a response to BIND.
Dnsmasq
Dnsmasq is a lightweight, easy-to-configure DNS forwarder and DHCP server.
Simple DNS Plus
A popular Windows DNS server product with emphasis on a simple-to-use GUI.
NSD
A popular open-source authoritative-only server provided by NLNet Labs. NSD is a test-bed server for DNSSEC; new DNSSEC protocol features are often prototyped using the NSD code base. NSD hosts several top-level domains, and operates three of the root nameservers.[citation needed]
PowerDNS
An open-source DNS server with a variety of storage backends and load balancing features, notable as the DNS implementation relied on by Wikipedia.
MaraDNS
A security-aware full-featured open source DNS server by Sam Trenholme.
ANS
A high-end commercial authoritative-only server from Nominum, a company founded by Paul Mockapetris, the inventor of the DNS. ANS was designed to meet the needs of top-level domain servers.
CNS
A high-performance commercial recursive caching-only server from Nominum, intended as a secure alternative to BIND for enterprises.
Posadis
A full-featured open source DNS server, written in C++, featuring Dynamic DNS update support.
Secure64 DNS
A security-hardened commercial DNS appliance, deployed on a proprietary 64-bit operating system running on Intel Itanium hardware.
Unbound
Unbound is a validating, recursive and caching DNS server designed for high performance. Version 1.0.0 was released on May 20, 2008 as open-source software under the BSD license by NLnet Labs, Verisign Inc., Nominet, and Kirei.
Features
Some DNS features are relevant only to recursive servers, or only to authoritative servers. As a result, a feature matrix such as the one in this article cannot by itself represent the effectiveness or maturity of a given implementation.
Another important qualifier is the server architecture. Some DNS servers provide support for both server roles in a single, "monolithic" program. Others are divided into smaller programs, each implementing a subsystem of the server. As in the classic computer science microkernel debate, the importance and utility of this distinction are hotly debated. The feature matrix in this article does not discuss whether DNS features are provided in a single program or several, so long as those features are provided with the base server package and not with third-party add-on software.
Explanation of Features
- Authoritative: Servers with this feature can publish DNS names to the world.
- Recursive: Servers with this feature can perform lookups for arbitrary names in the DNS on behalf of applications.
- Recursion Access Control: Servers with this feature can limit the hosts they provide lookup services for. This may provide a level of defense against DNS cache poisoning.
- Slave Mode: Authoritative servers can publish content that originates from local storage (such as zone files or an SQL database), or can republish content fetched from other authoritative servers (this is sometimes called "secondary" service). Servers with a "slave mode" feature have a built-in capability to retrieve and republish content from other servers. This is typically, though not always, provided using the AXFR protocol.
- Caching: Servers with this feature provide recursive services for applications, and cache the results so that future requests for the same name can be answered quickly, without a full DNS lookup. This is an important performance feature, as it significantly reduces the latency of DNS requests.
- DNSSEC: Servers with this feature speak some variant of the DNSSEC protocols. They may publish names with resource record signatures (providing a "secure authority service"), and may validate those signatures during recursive lookups (providing a "secure resolver"). DNSSEC is not widespread, and has not been adopted by the most popular sites on the Internet. Its value and feasibility have been the subject of debate. However, the presence of DNSSEC features is a notable characteristic of a DNS server.
- TSIG: Servers with this feature typically provide DNSSEC services. In addition, they support the TSIG protocol, which allows DNS clients to establish a secure session with the server to publish Dynamic DNS records or to request secure DNS lookups without incurring the cost and complexity of full DNSSEC support.
- IPv6: Servers with this feature are capable of publishing or handling DNS records that refer to IPv6 addresses.
- LOC Record: Servers with this feature are capable of publishing or handling DNS LOC records, which contain geographic information about DNS names.
- Wildcard: Servers with this feature can publish information for wildcard records, which provide data about DNS names in DNS zones that are not specifically listed in the zone.
- Split horizon: Servers with the split-horizon DNS feature can give different answers depending on what IP address or subnet the query is coming from.
Feature Matrix
Server | Authoritative | Recursive | Recursion ACL | Slave mode | Caching | DNSSEC | TSIG | IPv6 | LOC record | Wildcard | Interface | Split horizon |
---|---|---|---|---|---|---|---|---|---|---|---|---|
BIND | Yes | Yes | Yes | Yes | Yes | Yes | Yes | Yes (since 9.x) | Yes | Yes (since 4.x) | Web†, command line | Yes |
Microsoft DNS | Yes | Yes | No | Yes | Yes | Partial† | Yes | Yes† | No | Yes | GUI, command line | No |
djbdns | Yes | Yes | Yes | Yes† | Yes | No | No | Yes [1] | Yes | Yes | command line | Yes† |
Dnsmasq | ? | ? | ? | ? | Yes | ? | ? | Yes | ? | ? | command line | ? |
Simple DNS Plus | Yes | Yes | Yes | Yes | Yes | No | Yes | Yes | Yes | Yes | GUI, Web, command line | Yes† |
NSD | Yes | No | No | Yes | No | Yes | Yes | Yes | Yes | Yes | command line | No |
PowerDNS | Yes | Yes | Yes | Yes | Yes | Yes (since 2.9.21) | No | Yes | Yes (since 2.9.21) | Yes | Web, command line | Yes† |
MaraDNS | Yes | Yes | Yes | Partial† | Yes | No | No | Partial | Yes | Yes | command line | No |
ANS | Yes | No | No | Yes | No | Yes | Yes | Yes | ? | Yes | command line, API, SOAP interface, SNMP | Yes |
CNS | No | Yes | Yes | N/A | Yes | Yes | Yes | Yes | N/A | N/A | command line, API, SNMP | Yes |
Posadis | Yes | Yes | ? | Yes | Yes | No | No | Yes | Yes | Yes | command line, API | ? |
Secure64 DNS | Yes | No | ? | Yes | No | Yes | Yes | Yes | Yes | Yes | command line | No |
Unbound | No | Yes | Yes | N/A | Yes | Yes | Yes | Yes | N/A | N/A | command line, API | No |
- ^ A BIND configuration module is available for Webmin in many Linux distributions.
- ^ djbdns provides facilities to transfer zones; after completing the zone transfer, djbdns can act as an authoritative server for that zone. Consult the axfr-get documentation for further information.
- ^ This is not the same as views in BIND, but it is a solution with comparable capabilities. See the tinydns-data documentation.
- ^ MaraDNS cannot directly provide slave support. Instead, a zone transfer is needed, after which MaraDNS will act as an authoritative server for that zone. See DNS Slave for further information.
- ^ DNSSEC functionality must be manually activated in the registry. It is not enabled by default, and is only available in Windows Server 2003. Additionally, the DNSSEC support is sufficient to act as a slave/secondary server for a signed zone, but not sufficient to create a signed zone (lack of key generation and signing utilities).
- ^ IPv6 functionality in the Microsoft DNS server is only available on Windows Server 2003, and only if enabled from the command line.
- ^ Simple DNS Plus does not have "views" in the same way as BIND, but has a "NAT IP Alias" feature which allows host records to resolve to different IP addresses depending on where the DNS request comes from.
- ^ It is possible to support the concept of views in PowerDNS either by running two copies of PowerDNS in parallel (on the same machine), or by writing a custom backend which serves different data based on the client who is querying. See the original answer on this topic by the author of PowerDNS.
Platforms
The operating systems or virtual machines the DNS servers are designed to run on without emulation; there are several possibilities:
- No indicates that it does not exist or was never released.
- Partial indicates that while it works, the server lacks important functionality compared to versions for other OSs; it is still being developed however.
- Beta indicates that while a version is fully functional and has been released, it is still in development (e.g. for stability).
- Yes indicates that it has been officially released in a fully functional, stable version.
- Included indicates that the server comes pre-packaged with or has been integrated into the operating system.
- Software Appliance indicates that the server has the operating system built in, as a just-enough operating system (JeOS).
Please note that the list is not exhaustive, but rather reflects the most common platforms today.
Server | BSD | Solaris | Linux | Mac OS X | Windows |
---|---|---|---|---|---|
BIND | Included | Included | Included† | Included | Yes† |
Microsoft DNS | No | No | No | No | Included† |
djbdns | Yes | Yes | Yes | Yes | No |
Dnsmasq | Yes | Yes | Yes | ? | No |
Simple DNS Plus | No | No | No | No | Yes |
NSD | Yes | Yes | Yes | Yes | No |
PowerDNS | Yes | Yes [2] | Yes | Beta | Yes |
MaraDNS | Yes | Yes [3] | Yes | Yes | Partial |
ANS | Yes | Yes | Yes | No | No |
CNS | Yes | Yes | Yes | No | No |
Posadis | Yes | Yes | Yes | Yes | Yes [4] |
Secure64 DNS † | N/A | N/A | N/A | N/A | N/A |
Unbound | Yes | Yes | Yes | Yes | No |
- ^ BIND is available for Windows NT-based systems (including Windows 2000, XP, and Server 2003) in a port known as ntbind.
- ^ The functionality available with the Microsoft DNS server varies depending on the version of the underlying operating system; like most Windows Server components, it is upgraded only with the rest of the operating system. Certain functionality, such as DNSSEC and IPv6 support, is only available in the Windows Server 2003 version. Windows 2000 Server includes TSIG support. The Microsoft DNS Server is not available on Windows client operating systems such as Windows XP.
- ^ Most well-known Linux distributions come with BIND either installed as default or with the option of only installing a caching-only configuration. Distributions installed as a typical server configuration will have the former and distributions installed as a desktop or workstation configuration will have the latter.
- ^ Secure64 DNS runs exclusively on SourceT, a micro operating system developed by Secure64.
Packaging
Server | Creator | Cost (USD) | Public source code | Software license |
---|---|---|---|---|
BIND | Internet Systems Consortium | Free | Yes | BSD |
Microsoft DNS | Microsoft | Included with Windows Server | No | Clickwrap license |
djbdns | Daniel J. Bernstein | Free | Yes | Public domain |
Dnsmasq | Simon Kelley | Free | Yes | GPL |
Simple DNS Plus | JH Software | $79 | No | Clickwrap license |
NSD | NLnet Labs | Free | Yes | BSD variant |
PowerDNS | PowerDNS.COM BV / Bert Hubert | Free | Yes | GPL |
MaraDNS | Sam Trenholme | Free | Yes | BSD variant |
ANS | Nominum | Unpublished price | No | Clickwrap license |
CNS | Nominum | Unpublished price | No | Clickwrap license |
Secure64 DNS | Secure64 Software | Unpublished price | No | Clickwrap license |
Posadis | Meilof Veeningen | Free | Yes | GPL |
Unbound | NLnet Labs | Free | Yes | BSD |