djbdns vs bind [closed]

domain-name-system bind nameserver djbdns

Solution 1:

I've worked with djbdns in the past and currently run a bunch of BIND servers.

The biggest problem with djbdns is best put the way my first grade teacher put it on my report card: "doesn't play well with others". It simply doesn't behave like anything else on a unix box in all sorts of very small ways that can bite you later. It uses a syntax for zone files you won't see anywhere else.

The biggest advantage of djbdns is that it was designed from the ground up with security as goal #1.

If you were going to set up a DNS server, expose it to the internet and then never maintain it, djbdns would be the way to go.

In the real world, most admins are better off using the BIND packages from the OS vendor, and patching it promptly when there's an update. But running it chrooted is a good idea, and keeping your authoritative DNS servers separate from your recursive resolver DNS servers is a good idea.

If you find docs for something with DNS, BIND will be included and djbdns is unlikely to be included. If you use dig, the format it returns can be pasted into a BIND zone file and work. It acts like any normal unix daemon instead of something from another planet.

We use some hardware load balancers and load balance our recursive resolver BIND servers; works great. Just make sure the users get the same source IP as they sent their requests to and any UDP and TCP capable load balancing setup should work. If you're doing authoritative DNS, load balancing is as simple as having more than one server and publishing all of them in the whois info; the other DNS servers will load balance intelligently.

Solution 2:

For an authoritative service, nsd.

For a recursive one, unbound.

Both are small (so probably have less security holes waiting to be discovered), actively maintained and support all the recent DNS things (DNSSEC, IPv6, etc).

Otherwise, BIND is good software.

djbdns is a one-man project, unmaintained for a long time, not more secure (the author just says it so), and the official Web site is full of mistakes. (Now, I'm sure I will get a lot of downvotes from djbboys, my rep. was too high for my taste :-)

Related

Identifying which MTA is running
How do I determine what version of Red Hat Enterprise Linux my server is running?
Highest value of max_connections in AWS RDS micro instance
Ubuntu uninstall elasticsearch
Fatal error: Can't open and lock privilege tables: Table storage engine for 'user' doesn't have this option
Count number of bytes piped from one process to another
Is there a downside to installing VNC?
How to remove access to a port using firewall on Centos7?
unknown directive "stream" in /etc/nginx/nginx.conf:86
What programmer things should every sysadmin know?
How to receive email using Amazon SES
Make ls print it all on one line (like in terminal)