[Message quoted below has been re-edited to update it.]
From: Rick Moen (rick@linuxmafia.com)
To: SlugLUG (sluglug@hermosa.cse.ucsc.edu)
Subject: Re: [SlugLUG] DNS links
User-Agent: Mutt/1.4i
Date: Sat, 23 Nov 2002 14:51:17 -0800
[...]
(Referring to Albitz and Liu's DNS and BIND.) This edition (4th) struck me as weak on new BIND 9.x features; frustrating, because there's not enough available on-line about that, either.
Anyhow, one limitation of both the Albitz book and troubleshooters.com's DNS page is that they concern BIND, solely. Even after the from-scratch 9.x rewrite, BIND is a slow, RAM-grabbing, overfeatured, monolithic daemon binary. Pity that most DNS information is BIND-specific; that's held us back.
Here is a list of the real choices, comparing and contrasting BIND9 with alternatives that in many deployments are superior:
Table of Contents
Maintained open source packages:
- BIND9: authoritative, recursive, AXFR, client
- djbdns: authoritative, recursive, AXFR, client, other (modular; needs patching)
- zinq-djbdns: authoritative, recursive, AXFR, client, other
- Debian djbdns: authoritative, recursive, AXFR, client, other
- RH djbdns: authoritative, recursive, AXFR, client, other
- LolDNS: authoritative, recursive, AXFR, client, other
- dnsjava: authoritative, AXFR (modular)
- Dnsmasq: forwarder
- ldapdns: authoritative, AXFR
- MaraDNS: authoritative, recursive, AXFR
- MyDNS-NG: authoritative, outgoing AXFR
- NSD: authoritative, AXFR
- pdnsd: forwarder
- PowerDNS Authoritative Server: authoritative, AXFR
- PowerDNS Recursor: recursive
- rbldnsd: authoritative
- Twisted Names: authoritative, forwarder, client
- Unbound: recursive
Unmaintained open source packages (deprecated!):
- BIND8: authoritative, recursive, AXFR
- CustomDNS: authoritative, AXFR (modular)
- dproxy: forwarder
- dents: authoritative, recursive
- DNRD: forwarder
- Eddieware Enhanced DNS Server (aka "lbdns"): authoritative
- GnuDIP: authoritative
- lbnamed: authoritative
- lwresd: recursive
- moodns: authoritative, recursive
- MyDNS: authoritative, outgoing AXFR
- Oak DNS Server: authoritative, recursive
- Pliant DNS Server: forwarder
- Posadis: authoritative, AXFR
- SDNS (Secure DNS): authoritative
- Stanford::DNSserver: authoritative
- Trick or Treat Daemon (ToTD): forwarder
- Yaku-NS: authoritative, forwarder, AXFR
Related Software:
- GNU adns: client
- Ares: client
- BIND DLZ: authoritative (patch)
- Constrict: client
- dnsibs: authoritative (non-standard data)
- dnspython: client, AXFR
- FireDNS: client
- LDAP sdb: authoritative (patch)
- ldns: client
- Net::DNS: client
- Poslib: authoritative, client
- Resolvconf: client-side utility
- skadns: client
Proprietary Software:
(See list at page bottom.)
Guide for the Perplexed
If like most people you are unclear on how a recursive nameserver, an authoritative nameserver, and a forwarding nameserver differ, please see my explanatory anecdote: 1, 2.
Maintained open source packages:
BIND9 (link) is a full-featured recursive, authoritative, and caching nameserver, bundled with a resolver client library. This is a from-scratch rewrite of the hopelessly spaghetti-coded legacy BIND8 codebase that Paul Vixie inherited from UC Berkeley: Vixie commissioned its creation by Nominum, Inc., who wrote it solely from the BIND8 specifications without reference to the old codebase.
http://www.isc.org/index.pl?/sw/bind/
Licence: Simple permissive licence with warranty disclaimer.
Dovecot imapd author Timo Sirainen has posted some comments (warning: unmaintained page): code relies on several ISC wrapper libraries for key functions, code has lots of asserts and sanity checks, "in general the code just feels heavy — functions have tons of variables, some functions are huge, locks for thread safety, lots of goto jumping to deinitialization parts if something went wrong".
BIND9 is slow and large compared to many competitors, and the monolithic codebase seems overfeatured.
djbdns (link) is a suite of specialised-role, related DNS server utilities (and two client pieces) by Daniel J. Bernstein, professor of mathematics at the University of Chicago and author of the qmail MTA.
(I'm being charitable in classifying djbdns as a "maintained offering", because, even though it was orphaned in 2001, its newly (a/o 2007) open-source (arguably) legal status permits third-party maintainers to put together an unofficial 1.06 release to bring it into the 21st century -- which may or may not happen but is worth hoping for.)
- djbdns is an omnibus package of all of Bernstein's DNS server software.
- tinydns is the authoritative-only DNS daemon.
- dnscache is the caching recursive server. It is so far (2008) unique among *ix recursive nameservers in implementing this functionality without needing to use threading.
- walldns is the specialised authoritative-only DNS daemon for reverse-zone data, designed to minimise public leakage of inside host data.
- rbldns is the specialised authoritative-only DNS daemon for DNS blocklist data about blocks of IP addresses such as dial-up IP lists.
- axfrdns is the TCP-based AXFR zone-transfer server. It also handles some other TCP-based queries, such as requests for SOA records and (rare) DNS replies exceeding the 512-byte maximum size of a (regular, non-EDNS0) UDP datagram. As a consequence of its ability to output RFC 1035 ("BIND") zonefiles for AXFR zone transfers, axfrdns is also usable as a format converter. (NOTE: Absent third-party patches, the various djbdns utilities omit support for IETF NOTIFY, IXFR, outgoing AXFR, DNSSEC, TSIG, A6, DNAME, bitstring labels, Dynamic DNS, negative TTLs (NCACHE), and other modern DNS features.) It is generally a good idea to set up axfrdns running on the same IP as tinydns, if you want support for large packets, or will offer zone transfers.
- axfr-get is the AXFR zone-transfer client, pulling down other authoritative servers' data in RFC 1035 ("BIND") format and writing that data in tinydns's database format.
- dns is the DNS client library.
- pickdns was the DNS load-balancing utility, but its functions were merged into tinydns as of djbdns v. 1.04 and above.
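The 512-byte UDP limit, EDNS0 buffer sizes and TC-bit truncation that the axfrdns entry above turns on, as an added Python illustration (not code from djbdns or any other package on this page); the query and response messages are constructed inline, and a client that receives a TC-flagged reply is expected to repeat the query over TCP:

```python
"""UDP size handling for DNS responses: the RFC 1035 512-byte limit, the EDNS0
buffer size a client may advertise, and TC-bit truncation (which tells a stub
resolver to retry over TCP, the case axfrdns exists to serve).

Added illustration for this page; not code from djbdns or any other package
discussed here.  All messages are constructed inline.
"""
import struct

CLASSIC_UDP_MAX = 512   # RFC 1035 maximum for a plain (non-EDNS0) UDP DNS message
QR_BIT, RD_BIT, RA_BIT, TC_BIT = 0x8000, 0x0100, 0x0080, 0x0200
TYPE_OPT = 41           # EDNS0 OPT pseudo-RR (its CLASS field carries the UDP payload size)
TYPE_TXT = 16


def encode_name(name):
    """'www.example.com' -> wire-format labels, terminated by the root label."""
    labels = name.rstrip(".").split(".")
    return b"".join(bytes([len(lbl)]) + lbl.encode() for lbl in labels) + b"\x00"


def skip_name(msg, off):
    """Offset just past the wire-format name at msg[off:]; a compression pointer
    (top two bits set) is two bytes and ends the name."""
    while True:
        length = msg[off]
        if length & 0xC0 == 0xC0:
            return off + 2
        off += 1
        if length == 0:
            return off
        off += length


def build_query(qname, qtype=1, edns_bufsize=None):
    """Recursive query for qname; with edns_bufsize, append an OPT RR advertising
    how large a UDP reply the sender can accept."""
    arcount = 1 if edns_bufsize else 0
    msg = struct.pack("!HHHHHH", 0x1234, RD_BIT, 1, 0, 0, arcount)
    msg += encode_name(qname) + struct.pack("!HH", qtype, 1)
    if edns_bufsize:
        # OPT RR: root name, TYPE=OPT, CLASS=payload size, TTL=0 (no ext. rcode/flags), RDLEN=0
        msg += b"\x00" + struct.pack("!HHIH", TYPE_OPT, edns_bufsize, 0, 0)
    return msg


def udp_payload_limit(query):
    """Largest UDP response this query permits: 512 unless an OPT RR in the
    additional section advertises more (RFC 6891 treats values below 512 as 512)."""
    qdcount, ancount, nscount, arcount = struct.unpack("!HHHH", query[4:12])
    off = 12
    for _ in range(qdcount):
        off = skip_name(query, off) + 4            # skip QTYPE + QCLASS
    for _ in range(ancount + nscount + arcount):
        off = skip_name(query, off)
        rtype, rclass, _ttl, rdlen = struct.unpack("!HHIH", query[off:off + 10])
        if rtype == TYPE_OPT:
            return max(CLASSIC_UDP_MAX, rclass)
        off += 10 + rdlen
    return CLASSIC_UDP_MAX


def fit_for_udp(response, limit):
    """Return response unchanged if it fits in limit bytes; otherwise the header
    with TC set and zeroed RR counts plus the question section only.  A client
    that sees TC must repeat the query over TCP to get the full answer."""
    if len(response) <= limit:
        return response
    ident, flags, qdcount = struct.unpack("!HHH", response[:6])
    off = 12
    for _ in range(qdcount):
        off = skip_name(response, off) + 4
    header = struct.pack("!HHHHHH", ident, flags | TC_BIT, qdcount, 0, 0, 0)
    return header + response[12:off]


def is_truncated(response):
    return bool(struct.unpack("!H", response[2:4])[0] & TC_BIT)


def build_response(query, n_txt):
    """Constructed authoritative answer to a single-question query: the question
    echoed back plus n_txt TXT records of 71 bytes each (owner name given as a
    compression pointer to offset 12, where the question name sits)."""
    ident, flags, qdcount = struct.unpack("!HHH", query[:6])
    qend = skip_name(query, 12) + 4
    header = struct.pack("!HHHHHH", ident, QR_BIT | RA_BIT | (flags & RD_BIT), qdcount, n_txt, 0, 0)
    rdata = bytes([58]) + b"x" * 58                 # one 58-character TXT string
    rr = b"\xc0\x0c" + struct.pack("!HHIH", TYPE_TXT, 1, 300, len(rdata)) + rdata
    return header + query[12:qend] + rr * n_txt


if __name__ == "__main__":
    plain = build_query("www.example.com")
    edns = build_query("www.example.com", edns_bufsize=4096)
    big = build_response(plain, 7)                   # 12 + 21 + 7*71 = 530 bytes
    for q in (plain, edns):
        limit = udp_payload_limit(q)
        sent = fit_for_udp(big, limit)
        print("limit %4d: %3d bytes on the wire, TC=%s" % (limit, len(sent), is_truncated(sent)))
```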
Through 2007, fans of djbdns (and components thereof) would often assert that it was "free software" or "open source". It was not. However, in late 2007, Bernstein asserted that djbdns (like qmail) would prospectively become public domain by his own fiat.
Dovecot imapd author Timo Sirainen has posted some comments (warning: unmaintained page).
Recommended patches: The codebase has been unmaintained since v. 1.05 in 2001, except through third-party patches. In consequence, until someone collects, merges, and harmonises a reasonable set of those patches (2009-09-08 note: there are now four forks, as noted below), users must collect and apply the following fixes to the v. 1.05 source tree, and compile locally:
- Do 'echo gcc -O2 -include /usr/include/errno.h > conf-cc' (overwriting conf-cc so that its first line, the compiler command, pulls in the system errno.h), to make the djbdns tools' source code compilable with modern Linux C libraries (updating the errno definitions in djbdns and tcpserver),
- apply a dnscache patch to prevent it from dying if it is remotely DoSed by an attacker sending it the SIGPIPE signal and then closing the socket before the write finishes (i.e., the patch makes dnscache ignore SIGPIPE),
- apply a tinydns patch to reduce mmap() overhead,
- apply a dnscache patch to add support for negative TTLs (caching of unsuccessful lookup results),
- apply a dnscache patch (1, 2) to prevent it erroneously returning SERVFAIL on some queries over TCP,
- apply a dnscache patch to support oversized UDP packets up to 4096 bytes in length (while still correctly truncating responses over 512 bytes when sending them to stub resolvers over UDP),
- apply two dnscache patches to make it willing to cache SOA records, and to send only one response back to each flood of identical requests, thus greatly reducing the program's exposure to cache poisoning,
- apply a tinydns patch (1, 2) to add native support for SRV RRs (not strictly necessary for creation of SRV records or other unsupported types such as AAAA, SPF, TXT, NAPTR, and DomainKeys, as you can always use the generic record format for arbitrary data types -- but nice to have as "syntactic sugar" -- and please note that proper native support for IPv6 has larger issues than just AAAA support),
- apply a tinydns patch to fix a file-descriptor leak,
- apply a tinydns patch making its error-handling on zonefile syntax errors more robust (obviously not an essential patch, but helpful),
- apply a dnscache patch to make its logging less chatty,
- apply two patches to fix dnscache's, tinydns's, and axfrdns's erroneous treatment of CNAMEs (1, 2),
- apply (on Linux only) an epoll patch (to speed up various djbdns tools by using Linux 2.6.x's "epoll(7)" I/O event notification facility instead of "poll(2)"),
- apply one of two patches (where one's usage model makes this useful) to make the various djbdns tools support binding to multiple IPs (1, 2) -- and, in fairness, the Bernstein-recommended alternative of running multiple daemon instances, one per IP, is usually fairly practical and has operational advantages,
- apply a dnscache patch to update the (obsolete) root servers list,
- apply a dnscache patch to its use of the Recursion Desired ("RD") bit, to make dnscache able to function correctly in a pure forwarding role (if you happen to need it in that role),
- apply a "dns" (djbdns client library, if you happen to use that module) patch to correct a bad coding choice that makes it unable to correctly deal with the hostname of a recursive or forwarding server that maps to multiple IP addresses,
- either tune dnscache's fixed-upper-bounded (but configurable) cache size to local requirements, or comment out dnscache's cache.c source line that limits the upper bound on cache size to 10^9 bytes by default ("if (cachesize > 1000000000) cachesize = 1000000000;"), to let it float, and
- apply an axfrdns and tinydns patch to correct a security-damaging bug in large-packet TCP data handling that permits a limited form of cache poisoning.
- You also might want manpages, which, unbelievably, are deliberately missing from most of Bernstein's software.
(Caveat coder: I cannot vouch for the quality of those code snippets, nor guarantee that they won't cause other problems or be mutually incompatible. I know only that they were efforts to address real deficiencies in the base code.)
Also tinydns.org and Jonathan de Boyne Pollard's page document other problems that might warrant patching before compilation. Some problems will remain, such as frequent failure to resolve Akamai and some other companies' DNS (on account of their use of admittedly ugly and baroque delegations without glue records), where other nameservers will have no problems.
It should also be noted that, by default, djbdns requires ancillary package ucspi-tcp (Bernstein's idiosyncratic superserver, though there are ways to substitute xinetd/inetd, etc.) and also recommends daemontools (Bernstein's idiosyncratic toolset for managing system services, though there are workarounds (1, 2) to avoid most of that need). Daemontools, if used, enforces a non-standard filesystem hierarchy for its and djbdns's components.
djbdns (specifically, dnscache) was the first recursive nameserver to randomise query source UDP ports as a security precaution, and to separate recursive and authoritative service, which is best practice.
Critical claims to the contrary notwithstanding, it is indeed possible to run dnscache and tinydns on the same IP. See Felix von Leitner's djbdns FAQ for that and other common questions.
Coded in C by Daniel J. Bernstein. http://cr.yp.to/djbdns.html
Licence: Asserted to be "public domain".
zinq-djbdns: (link) Mark Johnson has created a maintained fork of djbdns as part of his umbrella project of adopting Dan Bernstein's unmaintained software. Thus the term "zinq", which is from Zinq Is Not Qmail. As of v. 0.05, it adds these changes to Bernstein's v. 1.05:
- Updated obsolete root-nameservers roster "dnsroots.global".
- Uses automake/autoconf, instead of Bernstein's build process, and got rid of spurious compiler warnings.
- Applied the patch to dnscache to make it ignore SIGPIPE, which can be used to DoS it.
- Patched dnscache to quadruple its upper bound on cache size from 10^9 bytes to 4x10^9 bytes.
- Patched dnscache to prevent it erroneously returning SERVFAIL on some queries over TCP.
- Patched dnscache to support oversized UDP packets up to 4096 bytes in length (while still correctly truncating responses over 512 bytes when sending them to stub resolvers over UDP).
- Patched tinydns to add native support for SRV and NAPTR records.
- Supplied manpages, from Gerrit Pape's set.
- Patched axfrdns and tinydns to correct a security-damaging bug in large-packet TCP data handling that permits a limited form of cache poisoning.
Coded in C by Mark Johnson and Daniel J. Bernstein.
http://sourceforge.net/projects/zinq/
Licence: Asserted to be "public domain".
Debian djbdns/dbndns: (link) Debian developer Gerrit Pape maintains two Debian binary packages (dbndns, djbdns) based on one Debian source package (djbdns). Pape applies these changes to Bernstein's v. 1.05:
In both binary packages "djbdns" and "dbndns":
- Supplied manpages (by Gerrit Pape).
- Patched to use glibc, system errno.h headers.
- Patched dnscache to update obsolete root nameservers list.
- Patched to support parallel build through "make -j".
- Patched to install binaries into /usr/bin.
- Patched to no longer require daemontools, ucspi-tcp.
- Patched axfrdns and tinydns to correct a security-damaging bug in large-packet TCP data handling that permits a limited form of cache poisoning.
- Patched dnscache to set initial cache size to 1*10^9 bytes, and triple the upstream code's cache limit to 3*10^9 bytes.
Applied to binary package "dbndns" only:
- Patched tinydns to add native IPv6 support.
Coded in C by Gerrit Pape and Daniel J. Bernstein.
http://packages.qa.debian.org/d/djbdns.html
Licence: Asserted to be "public domain".
RH djbdns: (link) Red Hat developer Prasad J. Pandit has created a djbdns fork and proposed it (2009-03) for inclusion in the Fedora Project. As of v. 1.05.2 (2009-03-23), it adds these changes to Bernstein's v. 1.05:
- Uses automake/autoconf, instead of Bernstein's build process.
- Works with /sbin/service.
- No longer requires daemontools.
- Default installation destination prefix is /usr/ (in the RPM .spec file).
- Changed dnscache conffile to /etc/djbdns/dnscache.conf.
- Changed dnscache to log to /var/log/dnscache.log, write PID file to /var/run/dnscache.pid, and accept some command-line options.
- Patched axfrdns and tinydns to correct a security-damaging bug in large-packet TCP data handling that permits a limited form of cache poisoning.
- Patched dnscache to prevent it erroneously returning SERVFAIL on some queries over TCP.
- Patched dnscache to update obsolete root nameservers list.
- Applied the patch to dnscache to make it ignore SIGPIPE, which can be used to DoS it.
- Patched to use system errno.h headers.
- Renamed CHANGES to ChangeLog, added Pandit's entries.
- Changed various utils to use system header files.
- Some comments added, and a more-conventional coding style applied.
As of 1.05.2, only the following djbdns tools are (thus far) compiled/installed: dnscache, dnsipq, dnsq, dnstracesort. Pandit is proceeding to revamp the other pieces, gradually.
Coded in C by Prasad J. Pandit and Daniel J. Bernstein. http://pjp.dgplug.org/djbdns/
(.spec file, source, SRPM, bugzilla)
Licence: GNU GPLv2 or later. (See .spec file.)
LolDNS: (link) Joshua Small created the LolDNS fork of djbdns 1.05 in February 2009, to "go beyond the many current forks of just perpetuating the product, and to actually do away with the things that djbdns used to get slammed for."
- Patched to use glibc, system errno.h headers.
- Patched to no longer require daemontools, ucspi-tcp.
- Patched to add an equivalent to BIND9's $GENERATE auto-generated entry directive.
- Patched to add support for SRV records.
- Patched to support binding to multiple IP addresses.
- Patched to call chroot() before dropping privilege.
- Adds new management and logging daemons.
Coded in C by Joshua Small and Daniel J. Bernstein.
http://www.lolware.net/
http://www.lolware.net/loldns-STABLE5.tar.gz
Note: Small recommends checking out the latest svn trunk snapshot, instead of using tarball code.
Licence: Joshua Small has specified a licence of his own devising for his additions to Bernstein's code, the first two clauses of which grant a simple BSDish permissive licence (making code usable for any purpose; derivative works can be created and distributed by anyone), provided that there is no warranty (third clause) and that Small's small graphical "so much win" image remains included in some way (the fourth and final clause). Daniel Bernstein has asserted his v. 1.05 base code to be "public domain".
netdjbdns: Russ Nelson registered the "netdjbdns.org" domain to house a project to revamp the djbdns codebase independently, as netqmail briefly did for Bernstein's qmail MTA in 2005. Unfortunately, no project has ever appeared, and "netdjbdns.org" remains (2009-03) solely a redirect to the tinydns.org Web site.
dnsjava (link) is an authoritative-only server, DDNS client, and related tools, written in Java by Brian Wellington. Patched only on Aug. 6, 2008 to randomise UDP source ports for recursive queries as a security precaution.
http://www.dnsjava.org/
Licence: Newer BSD licence.
Dnsmasq (link) is a small caching forwarder server (no recursive service -- iterative queries only) with local-only authoritative service for a group of NATted / IPmasqued machines (optionally pulling names from DHCP leases). Coded in C by Simon Kelley. This package is often embedded in firewall/gateway appliance boxes. Did not implement serious randomisation of source UDP ports on outgoing recursive queries as a security precaution until July 11, 2008 (v. 4.3), when the use of inadequate system-libc random number generators was junked and replaced with Dan Bernstein's SURF random number generator, borrowed from dnscache.
http://www.thekelleys.org.uk/dnsmasq/
Licence: GNU GPLv2 or later.
ldapdns (link) is an LDAP database-based authoritative and caching server (no recursive service -- iterative queries only). Despite use of a database, it's much faster than BIND9. Coded in C by "Mrs. Brisby".
http://ldapdns.sourceforge.net/
Licence: GNU GPLv2 or later.
MaraDNS (link) is a general-purpose, fast, lightweight, authoritative, caching forwarder, and recursive server, fully supporting zone transfers, which runs unprivileged, performs its own chroot, and includes its own buffer-overflow-resistant string library and random number generator. Module "zoneserver" does authoritative service only. Module "maradns" can do both recursive and authoritative DNS. Includes a converter Python script to convert zonefiles from RFC 1035 ("BIND") format to MaraDNS's similar "csv2" format. Code uses RAM-based caching. Daemon must currently be restarted if any zonefile records are changed, currently requires the OS have robust threading support for its recursive service, and currently doesn't support NOTIFY or IXFR.
Excellent security history. Among other things, MaraDNS's recursive module randomised source UDP ports on outgoing recursive queries using a strong RNG from the very beginning. Also, recursive server attempts to be careful about cache poisoning resulting from trusting glue records passed out-of-bailiwick.
Code is written in C by Sam Trenholme.
http://www.maradns.org/
Licence: Two-clause BSD licence, on v. 1.1 and later.
Dovecot imapd author Timo Sirainen has posted some comments (warning: unmaintained page): "Should be secure. Code doesn't look too bad, but it's using a lot of gotos."
MyDNS-NG (link) is a MySQL or PostgreSQL-based authoritative and caching forwarder server (no recursive service -- iterative queries only) suitable for very large sites. In such roles, it's faster and more responsive than BIND9, even though the latter uses a RAM-based cache. Coded in C by Howard Wilkinson and Dan Moore.
http://www.mydns-ng.com/
Licence: GPLv2 or later.
NSD (link) is a high-performance, small, authoritative-only daemon, with DNSSEC support, and able to directly re-use RFC 1035 ("BIND") zonefiles (which it compiles to binary format for speed). Package includes the zonefile compiler ("zonec"), the core nsd daemon, the zoneserver, and a zone transfer program. Coded in C by a number of authors including Alexis Yushin and Erik Rozendaal.
http://www.nlnetlabs.nl/nsd/
Licence: Newer BSD licence.
pdnsd (link) is a small caching forwarder server, coded in C by Paul A. Rombouts and Thomas Moestl, with a disk-based cache, suitable for small networks and workstations. Has had some buffer-overflow and stability problems, in the past, but in general has sound design (e.g., always randomised source UDP ports for recursive queries).
http://www.phys.uu.nl/~rombouts/pdnsd.html
Licence: GNU GPLv3 or later.
PowerDNS: Was a combined authoritative and recursive nameserver package through v. 2.9.20. Starting with the next releases (April 21, 2007), those functions were split into new packages "PowerDNS Authoritative Server" and "PowerDNS Recursor", which please see.
PowerDNS was originally proprietary software, open-sourced under GNU GPLv2 on 2002-11-25.
PowerDNS Authoritative Server (link) is an authoritative-only server with modular structure supporting various back-end information stores such as SQL databases (MySQL, PostgreSQL, Oracle 8i, Oracle 9i, IBM DB2, and others via ODBC), RFC 1035 ("BIND") zonefiles and other file formats, and LDAP directories. Supports AXFR zone transfers. Partial DNSSEC support. Fast but also a bit bloated. Compiling the package requires satisfying some convoluted dependencies, notably the need for Boost C++ class libraries. Default configuration assumes propagation of nameservers to related hosts via replication at the level of the back-end database store, but optionally the administrator can also enable RFC 1034 / RFC 1995 "zone transfers" (using NOTIFY/AXFR) as implemented in BIND9. Package can be configured to refer incoming recursive queries to a (any) separate recursive nameserver by a specified IP/port. Has internal chroot function. Does not support BIND9-style "views": One can emulate that mode by running multiple nameserver instances. (Copy /etc/init.d/pdns to /etc/init.d/pdns-[name]. The script automatically parses $0 for "name" and reads /etc/pdns/pdns-[name].conf as its configuration file.) Coded in C++ by Norbert Sendetzky and others.
http://www.powerdns.com/en/products.aspx
Licence: GNU GPLv2.
PowerDNS Recursor (link) is a recursive nameserver. Coded in C++ by Norbert Sendetzky and others. Has a programming interface for scripting in the Lua programming language. Pleasantly small and fast. Did not meaningfully randomise UDP source ports on outgoing recursive queries until March 2008, after Dan Kaminsky's private warnings about DNS security problems, at which time the authors added a strong random-number generator.
http://www.powerdns.com/en/products.aspx
Licence: GNU GPLv2.
In January 2010, PowerDNS Recursor (through v. 3.1.7.1) was discovered to be vulnerable to being buffer-overflowed by deliberately bad public DNS data or queries being aimed at it, leading to possible full system compromise, cache poisoning, and redirection of users to IPs controlled by attackers. This horrific bug was fixed as of v. 3.1.7.2, but is not a reassuring sign about PowerDNS Recursor's code quality.
rbldnsd (link) is a small, fast authoritative-only server for DNS blocklist information (and can also serve other types of zone data). Coded in C by Michael Tokarev.
http://www.corpit.ru/mjt/rbldnsd.html
Licence: GNU GPLv2 or later.
Twisted Names (link) is an authoritative, caching forwarder, and recursive server, also functioning as a resolver library, written in Python by Twisted Matrix Laboratories (Jp Calderone and others).
http://twistedmatrix.com/trac/wiki/TwistedNames
Licence: MIT/X.
Unbound (link) is a fast, small, modular caching, recursive server, from the same people (NLnet Labs) who produced the excellent NSD authoritative-only nameserver, with additional help from VeriSign, Inc. and Kirei. Unbound does not itself do authoritative service, but does do "stub-zones" (local data or AS112 zones). It is claimed to be fully RFC-compliant, including DNSSEC validation. Coded in C.
http://unbound.net/
Licence: BSD.
Unmaintained open source packages:
(The July 2008 DNS security blowup made starkly obvious that it's in general dangerous to run poorly maintained DNS nameserver software. The below-cited, unmaintained or apparently neglected codebases may be of interest for other reasons, e.g., adoption by sufficiently interested coders.)
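Since so many entries on this page are dated by whether and when they randomised query source ports (the weakness behind the July 2008 episode), here is the check an operator can run against their own resolver's upstream traffic: an added Python example, not code from any package listed here, that scores the source ports found in tcpdump-style lines; the four "captures" it ships with are constructed, not real.

```python
"""Does a recursive resolver randomise the source ports of its upstream queries?
Scores ports parsed from tcpdump-style lines of the resolver's outgoing traffic.

Added illustration for this page; not code from any package listed here.  The
four "captures" at the bottom are constructed for this example, not real data.
"""
import hashlib
import math
import re
from collections import Counter

# "tcpdump -n" line shape:  HH:MM:SS.uuuuuu IP <src>.<sport> > <dst>.<dport>: ...
TCPDUMP_RE = re.compile(r"\bIP (\d+\.\d+\.\d+\.\d+)\.(\d+) > (\d+\.\d+\.\d+\.\d+)\.53: ")
EPHEMERAL_BITS = math.log2(65535 - 1024 + 1)   # ~15.98 bits if every port 1024-65535 is in play


def source_ports(lines, resolver_ip):
    """Source ports of queries to port 53 that originate from resolver_ip."""
    ports = []
    for line in lines:
        m = TCPDUMP_RE.search(line)
        if m and m.group(1) == resolver_ip:
            ports.append(int(m.group(2)))
    return ports


def shannon_bits(values):
    n = len(values)
    return -sum(c / n * math.log2(c / n) for c in Counter(values).values())


def dominant_step(ports):
    """Most common difference between consecutive ports (mod 2^16) and the share
    of all steps it accounts for: a sequential allocator scores (1, 1.0)."""
    steps = [(b - a) % 65536 for a, b in zip(ports, ports[1:])]
    if not steps:
        return 0, 0.0
    step, count = Counter(steps).most_common(1)[0]
    return step, count / len(steps)


def assess_source_ports(ports):
    """Classify one resolver's behaviour as 'fixed' (one port), 'fixed-stride'
    (sequential or constant-increment), 'low-entropy' or 'randomised'.  The
    entropy bar is 75% of what the sample could show at most, because n
    observations can never exhibit more than log2(n) bits."""
    if not ports:
        return {"samples": 0, "verdict": "no-data"}
    distinct = len(set(ports))
    entropy = shannon_bits(ports)
    step, share = dominant_step(ports)
    if distinct == 1:
        verdict = "fixed"
    elif share > 0.8:
        verdict = "fixed-stride"
    elif entropy < 0.75 * min(EPHEMERAL_BITS, math.log2(len(ports))):
        verdict = "low-entropy"
    else:
        verdict = "randomised"
    return {"samples": len(ports), "distinct": distinct, "entropy_bits": round(entropy, 2),
            "dominant_step": step, "step_share": round(share, 2), "verdict": verdict}


def constructed_capture(port_of, n=200, resolver_ip="192.0.2.53"):
    """Fabricated tcpdump-like lines for a resolver whose i-th query leaves from port_of(i)."""
    return ["00:%02d:%02d.%06d IP %s.%d > 198.51.100.1.53: %d+ A? host%d.example. (40)"
            % (i // 60, i % 60, (i * 1000) % 1000000, resolver_ip, port_of(i), 1000 + i, i)
            for i in range(n)]


def hashed_port(i):
    """Stand-in for a well-seeded RNG: deterministic here, but spread over the whole range."""
    return 1024 + int.from_bytes(hashlib.sha256(b"sample-%d" % i).digest()[:2], "big") % 64512


FIXED = constructed_capture(lambda i: 32768)                        # one source port for everything
SEQUENTIAL = constructed_capture(lambda i: 32768 + i)               # classic ascending allocator
LOW_ENTROPY = constructed_capture(lambda i: 32768 + (i % 4) * 17)   # cycles through four ports
RANDOMISED = constructed_capture(hashed_port)

if __name__ == "__main__":
    for name, cap in (("fixed", FIXED), ("sequential", SEQUENTIAL),
                      ("low-entropy", LOW_ENTROPY), ("randomised", RANDOMISED)):
        print(name, assess_source_ports(source_ports(cap, "192.0.2.53")))
```

Feed it `tcpdump -n -l udp dst port 53` output from the resolver host and restrict `resolver_ip` to the resolver's own address, so that stub clients' queries to the resolver are not counted.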
BIND8 (link) should be scrupulously avoided, for reasons cited above. (Some BIND8 code still lives on, in the DNS resolver library shipped with typical Linux and BSD distributions. This is regrettable, but the occasional security failures in that codebase should not be attributed to BIND9.)
Licence: Simple permissive licence with warranty disclaimer.
Note that it is possible via NSS calls (and /etc/nsswitch.conf configuration) to call the BIND9-derived lwresd lightweight recursive daemon (see its entry below), instead of the legacy BIND8-based code encased within glibc.
CustomDNS (link) is an authoritative-only daemon, based on dnsjava, for both static addresses and its variant form of dynamic DNS. Java and Perl code by Eric Kidd, based in part on Brian Wellington's dnsjava package. Unmaintained since July 2000.
http://customdns.sourceforge.net/
Licence: LGPL and MIT/X.
dproxy (link) was/is a small caching forwarder server with a disk-based cache, suitable for small networks and workstations. Coded in C by Matthew Pratt. As of 2008, unmaintained since 2003.
http://dproxy.sourceforge.net/
Licence: GNU GPLv2 or later.
dents (link) was an authoritative, caching forwarder, and recursive server, fully supporting zone transfers, but is perennially unfinished, and is almost certainly dead, at this point. Coded in C by Johannes Erdfelt.
http://sourceforge.net/projects/dents/
Licence: GNU GPLv2 or later.
DNRD (Domain Name Relay Daemon) (link) was/is a small caching-only server for NAT / IPmasq networks. Coded in C by Natanael Copa, Brad Garcia, and Nathan Angelacos. Nearly unmaintained since 2005.
http://dnrd.sourceforge.net/
Licence: GNU GPLv2 or later.
Eddieware Enhanced DNS Server (aka "lbdns") (link) was/is a load-balancing authoritative DNS server. Coded in Erlang by the Eddie Team. Unmaintained since 2003.
http://eddie.sourceforge.net/lbdns.html
Licence: Erlang Public Licence, a Swedish variant of MPL 1.0.
GnuDIP (link) was/is an authoritative-only server for Dynamic DNS (supporting the RFC 2136/3147 DNS Dynamic Update protocol) coded in Perl by Mike Machado, but only "minimally maintained" and needing a new primary maintainer, a/o 2003.
http://gnudip2.sourceforge.net/gnudip-www/
Licence: GNU GPLv2 or later.
lbnamed (link) was/is an authoritative-only daemon for static and dynamic information, with a load-balancing multi-machine architecture, written in Perl by Roland Schemers. Unmaintained since 2005: see replacement "Stanford::DNSserver".
http://www.stanford.edu/~riepel/lbnamed/
Licence: Newer BSD licence.
lwresd (link) was/is a lightweight recursive[-resolver] daemon (thus the name) with caching, created by ISC (maintainers of BIND9) by stripping down the recursive and caching code in BIND9 and making it available separately (as a library). It is local-only, being capable only of listening for UDP-type port 921 DNS queries on IPv4 loopback address 127.0.0.1 (or one or more different addresses specified using "lwserver" lines in /etc/resolv.conf). It is also capable of handing off queries to separate nameservers listed via "nameserver" lines in /etc/resolv.conf, as forwarders, but, if there are none such, or if forwarding fails, falls back on its own internal recursive routines, starting with a built-in roster of root server hints. Configuration file, closely following BIND9's named.conf format, is /etc/lwresd.conf.
Because lwresd returns queried values in its own format ("lightweight resolver protocol"), Linux systems will need to also install library nss_lwres, which unfortunately currently (2008) has been unmaintained since 2001 at upstream location ftp://sources.redhat.com/pub/glibc/old-releases/. That "glue" library being present, in turn, permits modifying /etc/nsswitch.conf to call a "lwres" routine (when available) in place of the legacy BIND8-based "dns" routine in glibc. Suggested format for /etc/nsswitch.conf is: "hosts: files lwres [NOTFOUND=return] dns"
As of 2005, lwresd is said to be "stale code" that hasn't been touched in a year or two, doesn't respect DNS TTL, and has a few other issues. Upstream source code is available inside ISC's BIND9 package.
http://www.isc.org/index.pl?/sw/bind/
Licence: Simple permissive licence with warranty disclaimer.
moodns (link) was meant to be an authoritative and recursive server, but never passed alpha state. Discontinued. Coded in C by Michael Wolf.
http://sourceforge.net/projects/moodns/
Licence: Newer BSD licence, GNU GPLv2 or later.
MyDNS (link) was/is a MySQL or PostgreSQL-based authoritative and caching forwarder server (no recursive service -- iterative queries only) suitable for very large sites. In such roles, it's faster and more responsive than BIND9, even though the latter uses a RAM-based cache. Unmaintained since 2006, so interested parties should probably look at MyDNS-NG or PowerDNS, instead. Coded in C by Dan Moore.
http://mydns.bboy.net/
Licence: GPLv2 or later.
Oak DNS Server (link) was/is an authoritative and recursive server, supporting dynamic DNS updates and AAAA records. Doesn't need to run privileged. Development release as of August 2008 is still being [re-]written to take advantage of the dnspython libraries, and still lacks recursive service or update support. Coded in Python by Ed Stoner.
http://www.digitallumber.com/oak
Licence: GNU LGPL.
Pliant DNS Server (link) was/is an authoritative and caching forwarder server (no recursive service -- iterative queries only). Written in the Pliant language by Hubert Tonneau. Seems to be unmaintained.
http://fullpliant.org/pliant/protocol/dns/
Licence: GNU GPLv2.
Posadis (link) was/is a fast authoritative, caching server, written in C++ by Meilof Veeningen. Sadly unmaintained since 2004.
http://posadis.sourceforge.net/
http://www.posadis.org/
Licence: GNU GPLv2 or later.
SDNS (Secure DNS) (link) was/is an authoritative-only server, created for the US Federal government (and thus genuinely public domain) by Anthony Carathimas, Eric Thomas, Fred Cohen, and Darrian Hale at Sandia Labs in the 1990s, with the specific aim of high security. Last maintained, 2001.
http://www.maradns.org/download/non-maradns/sdns.tar.bz2
Licence: Actual, real public domain.
Stanford::DNSserver (link) was/is lbnamed (see separate entry), reworked and packaged as a Perl module by Rob Riepel and others. Last maintained April 2006.
http://www.stanford.edu/~riepel/lbnamed/Stanford-DNSserver/
Licence: Newer BSD licence.
Trick or Treat Daemon (ToTD) (link) was/is a small caching forwarder server, suitable for small networks and workstations. Coded in C by Feike W. Dillema and members of the WIDE Project. Last maintained August 2006.
http://www.vermicelli.pasta.cs.uit.no/software/totd.html
Licence: Simple permissive licence (Dillema's code) and older BSD licence (WIDE Project code).
Yaku-NS (formerly ENS) (link) was/is a small, fast authoritative, caching forwarder, fully supporting zone transfers, aimed at embedded use. Does internal chroot, and attempts to prevent stack-smashing. Coded in C by Salvatore Sanfilippo. Appears to be unmaintained.
http://www.kyuzz.org/antirez/ens.html
Licence: GNU GPLv2 or later.
Related software:
GNU adns is a resolver library for C (and C++) programs, and a collection of useful resolver utilities, coded in C by Ian Jackson.
http://www.chiark.greenend.org.uk/~ian/adns/
Licence: GNU GPLv2 or later.
Ares is an asynchronous resolver library in C by Greg Hudson.
ftp://athena-dist.mit.edu/pub/ATHENA/ares/
Licence: MIT/X.
BIND DLZ (BIND Dynamically Loadable Zones) is a set of patches for BIND9 to make it use your choice of numerous back-end databases instead of flatfile RFC 1035 ("BIND") zonefiles, and to reduce memory usage (since BIND9 no longer needs to load everything into RAM at once). Coded in C by Rob Butler.
http://bind-dlz.sourceforge.net/
Licence: Simple permissive licence with warranty disclaimer.
Constrict is a Python library for access to information parsed from the libbind library provided by BIND8. Coded in Python by Jason Smith.
http://www.oes.co.th/projects/Constrict
Licence: GNU GPLv2.
dnsbls is a daemon offering Perl/CPAN code (notably the Mail::SpamCannibal anti-spam tool and dbtarpit) access to DNS blocklist data stored in a BerkeleyDB database. (It apparently doesn't serve up normal sorts of DNS information, which is why I put it in the "related" category.) It's coded in C by Michael Robinton.
http://www.spamcannibal.org/docs/dnsbls.html
Licence: GNU GPLv2 or later.
dnspython is a Python toolkit for programmatic access to DNS functions, by Bob Halley.
http://www.dnspython.org/
Licence: Simple permissive licence with attribution requirement and warranty disclaimer.
FireDNS is a resolver library with emphasis on speed and asynchronous processing. Has low-timeout blocking functions. Can be used to replace standard libc resolver library functions like gethostbyname with much faster equivalent code. Written in C by Ian Gulliver.
http://firestuff.org/projects/firedns/
Licence: GNU GPLv2.
LDAP sdb is a patch to enable BIND9 to reach an LDAP back-end database instead of flatfile RFC 1035 ("BIND") zonefiles, using the simplified database interface "sdb". Coded in C by Stig Venaas.
http://www.venaas.no/ldap/bind-sdb/
Licence: Simple permissive licence with warranty disclaimer.
ldns is a library for access to DNS/DNSSEC data, relying on CPAN's Net::DNS module. Written in C by NLnet Labs.
http://www.nlnetlabs.nl/ldns/
Licence: Newer BSD licence.
Net::DNS is a resolver library, coded in Perl by Michael Fuhr, Olaf Kolkman, and Chris Reinhardt.
http://www.net-dns.org/
Licence: GNU GPLv2 or later, or Artistic Licence.
Poslib is a resolver library and authoritative-server library in C++ by Meilof Veeningen.
http://posadis.sourceforge.net/poslib/
Licence: GNU GPLv2 or later.
Resolvconf is a client- (resolver-) side utility to mediate write access to the DNS client's /etc/resolv.conf file, keeping track of the nameservers listed there and preventing the multiple packages (DHCP clients, system-local nameservers, other) that update that file from interfering with each other. For it to work, software touching /etc/resolv.conf must be Resolvconf-aware. At this writing (2009-08), most but not all such software is Resolvconf-aware. There are two implementations:
Original/Debian Resolvconf, coded in C under GPLv2 by Thomas Hood.
http://packages.qa.debian.org/r/resolvconf.html
Openresolv, coded in C under a BSD licence by Ray Marples.
http://roy.marples.name/projects/openresolv
skadns is a small, asynchronous resolver library, coded in C by Laurent Bercot.
http://www.skarnet.org/software/skadns/
Licence: Original BSD licence with advertising clause.
--
Cheers,               Before enlightenment, caffeine.
Rick Moen             After enlightenment, caffeine.
rick@linuxmafia.com
Proprietary software:
- ANS: Authoritative Name Server (Nominum, Inc.) http://www.nominum.com/products/authoritative_name_server.php
- ATLAS (Verisign) - http://www.verisign.com/information-services/ATLAS/ Appears to be a Verisign-hosted service offering, only, not an externally available software product.
- BINDPlus (Information Network Eng. Group, Inc.) (appears to be defunct since the late 1990s; was promoted by Jeffrey A. Williams)
- Cisco Network Registrar (Cisco Systems, Inc.) - http://www.cisco.com/en/US/products/sw/netmgtsw/ps1982/
- CNS: Caching Name Server (Nominum, Inc.) https://partners.nominum.com/products.php?id=1
- Global Name Service (Nominum, Inc.): Was a hosted service only, and is now discontinued.
- IPControl (BT Global Services, formerly International Network Services, Inc.) - proprietary extensions to BIND9 http://www.globalservices.bt.com/LeafAction.do?RecNo=33: available lately only as "IPControl Sapphire Appliances" embedded appliance code, no longer just as software.
- NeDNS (Neteka, Inc.) - company's Web site has disappeared; product is apparently discontinued. Cited at http://directory.fsf.org/project/NeDNS/ (and was a patched version of BIND8 with support for "ACE-encoded" name records)
- Men & Mice Suite (formerly QuickDNS Pro, formerly QuickDNS; from Men&Mice) http://www.menandmice.com/
- Name Commander (formerly DNS Commander; from Incognito Software, Inc.) - http://www.incognito.com/products/name-commander/
- SheerDNS is an authoritative-only server with the unique distinction of having its zone records stored each in its own separate file, to facilitate atomic updates without restarting. The author probably intended to create open source but failed to specify a licence. (2009 update: I've talked about this problem, via e-mail, with author Paul Sheer. He is aware of not granting the right to independently maintain or redistribute this code, and has no intention to grant any additional rights to it.) Unmaintained since 2005. http://threading.2038bug.com/sheerdns/
- sqldjbdns/sqldns/pgsqldns http://untroubled.org/sqldjbdns/: a patched version of djbdns 1.02 that back-ends data into PostgreSQL. Author's patch code is under GPL v. 2 or later, but Daniel J. Bernstein has never purported to put djbdns 1.02 into "public domain", only v. 1.05.
- UltraDNS (UltraDNS Corporation) http://ultradns.com/: Appears to be a hosted service offering, only, not an externally available software product.
- Vantio Base Server (Nominum, Inc.) - http://www.nominum.com/products/vantio_base_server.php
- VitalQIP (Alcatel-Lucent, formerly Lucent Technologies, Inc.) - proprietary extensions to BIND9 to support names from DHCP and integrate with Microsoft Active Directory / Microsoft DNS http://enterprise.alcatel-lucent.com/?product=VitalQIP&page=overview
See also:
Stephane Bortzmeyer's article "The choices for a nameserver", comparing BIND9, NSD, and PowerDNS.
Brad Knowles's "Domain Name Server Comparison" presentations at LISA 2002 and RIPE 44.