Comparison of DNS server software

This article presents a comparison of the features, platform support, and packaging of independent implementations of Domain Name System (DNS) name server software.

Servers compared

Each of these DNS servers is an independent implementation of the DNS protocols, capable of resolving DNS names for other computers, publishing the DNS names of computers, or both. Excluded from consideration are single-feature DNS tools (such as proxies, filters, and firewalls) and redistributions of servers listed here (many products repackage BIND, for instance, with proprietary user interfaces).

DNS servers are grouped into several categories of specialization in servicing Domain Name System queries. The two principal roles, which may be implemented either separately or combined in a given product, are:

AnswerX

AnswerX is Akamai's recursive DNS resolver (rDNS). It evolved from the Xerocole acquisition. AnswerX is a modern resolver, supporting DNSSEC, IPv6, and full subscriber-aware policy controls. It can be used for DNS firewall functionality, extensive logging, and as a platform for service creation. AnswerX is sold as software running on common servers (no specialized hardware). The software is built to process millions of transactions per second on standard hardware.

BIND

BIND is the de facto standard DNS server. It is a free software product and is distributed with most Unix and Linux platforms, where it is most often also referred to as named (name daemon). It is the most widely deployed DNS server.[1] Historically, BIND underwent three major revisions, each with significantly different architectures: BIND4, BIND8, and BIND9. BIND4 and BIND8 are now technically obsolete and not considered in this article. BIND9 is a ground-up rewrite of BIND featuring complete DNSSEC support in addition to other features and enhancements.

Internet Systems Consortium started development of a new version, BIND 10. Its first release was in April 2010, but ISC involvement concluded with the release of BIND 10 version 1.2 in April 2014. ISC cited a lack of resources to continue development of BIND 10, and they reaffirmed their commitment to BIND9.[2]

The BIND 10 codebase continues on as an open source project at http://bundy-dns.de/ (ibid.) It is not included in this comparison at this time.

Cisco Network Registrar

CNR includes a commercial DNS server from Cisco Systems usually used in conjunction with the CNR DHCP (Dynamic Host Configuration Protocol) server. It supports high rates of dynamic update.

DNS Blast

DNS Blast is highly secure recursive DNS software from EfficientIP. It delivers carrier-grade DNS performance for ISPs and enterprises, enhancing security with deep analysis of transactions at the heart of the DNS recursor. Processing 17 million queries per second, it can eliminate dozens of DNS clusters and load balancers, dramatically decreasing the total cost of ownership and simplifying the DNS infrastructure.

Dnsmasq

Dnsmasq is a lightweight, easy to configure DNS forwarder, designed to provide DNS (and optionally DHCP and TFTP) services to a small-scale network. It can serve the names of local machines which are not in the global DNS.

Dnsmasq accepts DNS queries and either answers them from a small, local cache or forwards them to a real, recursive DNS server. It loads the contents of /etc/hosts, so that local host names which do not appear in the global DNS can be resolved.

djbdns

Djbdns is a collection of DNS applications, including tinydns, which was the second most used free software DNS server in 2004.[1] It was designed by Daniel J. Bernstein, author of qmail, with an emphasis on security considerations. In March 2009, Bernstein paid $1000 to the first person to find a security hole in djbdns.[3] The source code is not centrally maintained and was released into the public domain in 2007. As of March 2009, there are three forks and more than a dozen patches that add features to djbdns.

gdnsd

gdnsd is a GPL3-licensed authoritative DNS server written in C using libev and pthreads, with a focus on high-performance, low-latency service. It does not offer any form of caching or recursive service, and does not support DNSSEC. The initial "g" stands for Geographic, as gdnsd offers a plugin system for geographic (or other sorts of) balancing, redirection, and service-state-conscious failover. These plugins are optional; without them gdnsd still functions as a plain authoritative DNS server.

Knot DNS

Knot DNS is a free software authoritative DNS server by CZ.NIC. Knot DNS aims to be a fast, resilient DNS server usable for infrastructure (root and TLD) and DNS hosting services. Knot DNS supports DNSSEC signing and, among others, hosts the root zone (on the K and L root name servers) and several top-level domains.

MaraDNS

MaraDNS is a free software DNS server by Sam Trenholme that claims a good security history and ease of use.[4] [5] In order to change any DNS records, MaraDNS needs to be restarted. Like djbdns dnscache, the MaraDNS 2.0 stand-alone recursive resolver ("Deadwood") does not use threads.[6]

Microsoft DNS

Windows DNS Server[7] is the server component of Microsoft DNS. The same software can be configured to support authoritative, recursive and hybrid modes. The software is integrated with Active Directory, which makes it the default DNS software for many enterprise networks that are based on Active Directory. It also allows zones to be created from standard DNS zone files. The software comes packaged as a role in Windows Server. The server software ships with a command-line interface, dnscmd,[8] a DNS management GUI wizard, and a DNS PowerShell[9] package. In Windows Server 2012, Windows DNS added support for DNSSEC,[10] with full-fledged online signing, Dynamic DNS and NSEC3 support, and the RSASHA and ECDSA signing algorithms. It provides a built-in key storage provider and supports any third-party CNG-compliant key storage provider. User interface and PowerShell support for managing DNS and DNSSEC were improved as well. In the Windows Server 2016 Technical Preview, the DNS Server will support DNS policies, with which administrators can exert more control over the name resolution process.[11]

Nominum Authoritative Name Server (ANS)

ANS is a commercial authoritative server from Nominum, a company whose chief scientist and chairman is Paul Mockapetris, the inventor of the DNS. ANS was designed to meet the needs of top level domain servers, hosters and large enterprises.

Nominum Vantio

Vantio is a commercial high-performance recursive caching server from Nominum, intended as a fast, secure alternative to BIND for service providers, enterprises, and government agencies.

NSD

NSD is a free software authoritative server provided by NLNet Labs. NSD is a test-bed server for DNSSEC; new DNSSEC protocol features are often prototyped using the NSD code base. NSD hosts several top-level domains, and operates three of the root nameservers.

NxFilter

NxFilter is a free software caching DNS server provided by Jahastech. It provides DNS-based web filtering, is managed through a web browser, and runs on Windows.

pdnsd

Pdnsd is a caching DNS proxy server that stores cached DNS records on disk for long term retention. Pdnsd is designed to be highly adaptable to situations where net connectivity is slow, unreliable, unavailable, or highly dynamic, with limited capability of acting as an authoritative nameserver. It is licensed under the GPL.[12]

Posadis

Posadis is a free software DNS server, written in C++, featuring Dynamic DNS update support.

PowerDNS

PowerDNS is a free software DNS server with a variety of data storage back-ends and load balancing features. Authoritative and recursive server functions are implemented as separate applications.

Secure64 DNS Authority

DNS Authority is commercial authoritative name server software from Secure64, the company that built Genuinely Secure DNS applications and an operating system, and completely automated the deployment of DNSSEC.

Secure64 DNS Cache

DNS Cache is scalable, highly secure recursive DNS software from Secure64 which provides built-in protection against high-volume denial of service attacks, including Pseudo Random Sub Domain (PRSD) attacks.

Simple DNS Plus

Simple DNS Plus is a commercial DNS server product that runs under Microsoft Windows with an emphasis on a simple-to-use GUI. Maintenance of the software appears to have slackened in recent years.

Unbound

Unbound is a validating, recursive and caching DNS server designed for high performance. It was released on May 20, 2008 (version 1.0.0) as free software licensed under the BSD license by NLnet Labs, Verisign Inc., Nominet, and Kirei. It is installed as part of the base system in FreeBSD version 10.0 and beyond, and a version is also available in OpenBSD version 5.6 and beyond. (Previous versions of FreeBSD shipped with BIND.)

Domain Name Relay Daemon (dnrd)

Domain Name Relay Daemon is a caching, forwarding DNS proxy server. It is most useful on VPN or dial-up firewalls, but it also serves as a DNS cache for small networks and workstations. It is licensed under the GPL.

YADIFA

YADIFA is a BSD-licensed, memory-efficient DNS server written in C. The acronym YADIFA stands for Yet Another DNS Implementation For All. It was created by EURid, which operates the .eu top-level domain.[13]

Yaku-NS

Yaku-NS is a GPL-licensed authoritative DNS server written in C, with a small footprint and trivial configuration. Features include forwarding to multiple external DNS servers, built-in ACL rules, root privilege squashing, a chroot jail on Unix systems, and secure DNS IDs to prevent DNS forgery.

Features

Some DNS features are relevant only to recursive servers, or to authoritative servers. As a result, a feature matrix such as the one in this article cannot by itself represent the effectiveness or maturity of a given implementation.

Another important qualifier is the server architecture. Some DNS servers provide support for both server roles in a single, "monolithic" program. Others are divided into smaller programs, each implementing a subsystem of the server. As in the classic Computer Science microkernel debate, the importance and utility of this distinction is hotly debated. The feature matrix in this article does not discuss whether DNS features are provided in a single program or several, so long as those features are provided with the base server package and not with third-party add-on software.

Explanation of features

Authoritative
A major category of DNS server functionality, see above.
Recursive
A major category of DNS server functionality, see above.
Recursion Access Control
Servers with this feature provide control over which hosts are permitted DNS recursive lookups. This is useful for load balancing and service protection.
Slave Mode
Authoritative servers can publish content that originates from primary data storage (such as zone files or databases connected to business administration processes); such servers are also called "master" servers. Alternatively, they can be slave or secondary servers, republishing content fetched from and synchronized with such master servers. Servers with a "slave mode" feature have a built-in capability to retrieve and republish content from other servers. This is typically, though not always, provided using the AXFR DNS protocol.
Caching
Servers with this feature provide recursive services for applications, and cache the results so that future requests for the same name can be answered quickly, without a full DNS lookup. This is an important performance feature, as it significantly reduces the latency of DNS requests.
DNSSEC
Servers with this feature implement some variant of the DNSSEC protocols. They may publish names with resource record signatures (providing a "secure authority service"), and may validate those signatures during recursive lookups (providing a "secure resolver"). DNSSEC is becoming more widespread as the deployment of a DNSSEC root key has been done by ICANN. Deployment to individual sites is growing as top level domains start to deploy DNSSEC too. The presence of DNSSEC features is a notable characteristic of a DNS server.
TSIG
Servers with this feature typically provide DNSSEC services. In addition, they support the TSIG protocol, which allows DNS clients to establish a secure session with the server to publish Dynamic DNS records or to request secure DNS lookups without incurring the cost and complexity of full DNSSEC support.
IPv6
Servers with this feature are capable of publishing or handling DNS records that refer to IPv6 addresses. To be fully IPv6 capable, they must also implement IPv6 transport for queries, for zone transfers in slave/master relationships, and for forwarder functions.
Wildcard
Servers with this feature can publish information for wildcard records, which provide data about DNS names in DNS zones that are not specifically listed in the zone.
Split horizon
Servers with the split-horizon DNS feature can give different answers depending on the source IP address of the query.
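Several of the features explained above (recursion access control, slave mode over AXFR, TSIG, DNSSEC validation and split horizon) correspond to a handful of directives in a BIND 9 named.conf. The fragment below is an added example, not taken from the article or from the BIND project; the network ranges (192.0.2.0/24 and 2001:db8::/32 are documentation prefixes), the zone name, the key name, the file paths and the key secret are all assumed placeholders. It contrasts the open-resolver default (recursion for anyone, a common amplification vector) with recursion limited to an ACL, and shows a zone transfer that is only permitted to a TSIG-signed request:

```conf
// Example BIND 9 configuration (added illustration, not from the article).
// Networks, names and paths are placeholders.

acl "internal-nets" {
    localhost;
    192.0.2.0/24;        // documentation IPv4 prefix, stands in for the LAN
    2001:db8::/32;       // documentation IPv6 prefix
};

// TSIG key shared with the secondary server. The secret below is just
// base64("PLACEHOLDER"); generate a real one with tsig-keygen.
key "xfer-key" {
    algorithm hmac-sha256;
    secret "UExBQ0VIT0xERVI=";
};

options {
    directory "/var/named";

    // Weak setting: "recursion yes;" with no allow-recursion makes this an
    // open resolver for the whole Internet. The two ACL lines restrict
    // recursive lookups and cache access to internal-nets only.
    recursion yes;
    allow-recursion { internal-nets; };
    allow-query-cache { internal-nets; };

    // Validate DNSSEC signatures during recursion (trust anchor managed
    // automatically, BIND 9.8 and later).
    dnssec-validation auto;

    // Refuse zone transfers unless a zone explicitly allows them.
    allow-transfer { none; };
};

// Split horizon: the same zone name answers from different files depending
// on the source address of the query. Internal clients see internal records;
// everyone else only sees the public view and gets no recursion at all.
view "internal" {
    match-clients { internal-nets; };
    recursion yes;

    zone "example.com" {
        type master;
        file "internal/db.example.com";
        // Slave mode on the secondary side: only requests signed with
        // xfer-key may pull the zone via AXFR.
        allow-transfer { key "xfer-key"; };
    };
};

view "external" {
    match-clients { any; };
    recursion no;

    zone "example.com" {
        type master;
        file "external/db.example.com";
        allow-transfer { key "xfer-key"; };
    };
};
```

On the secondary, the matching zone is declared with `type slave;` and `masters { 192.0.2.1 key "xfer-key"; };` (again a placeholder address), so that its AXFR requests are signed with the same key; the master then accepts the transfer and rejects unsigned transfer attempts from any source. Verify the configuration with `named-checkconf` before reloading.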

Feature matrix

Server | Authoritative | Recursive | Recursion ACL | Slave mode | Caching | DNSSEC | TSIG | IPv6 | Wildcard | Free software | Interface | Split horizon
------ | ------------- | --------- | ------------- | ---------- | ------- | ------ | ---- | ---- | -------- | ------------- | --------- | -------------
AnswerX | No | Yes | Yes | No | Yes | Yes | Yes | Yes | No | No | API, command line | Yes
BIND | Yes | Yes | Yes | Yes | Yes | Yes | Yes | Yes (since 9.x) | Yes (since 4.x) | Yes | Web[Note 1], command line | Yes
PowerDNS | Yes | Yes | Yes | Yes[Note 2] | Yes | Yes (since 3.0)[Note 3] | Yes (since 3.0) | Yes[Note 2] | Yes | Yes | Web[Note 4], command line | Partial[Note 5]
djbdns | Yes | Yes | Yes | Yes[Note 6] | Yes | Partial[Note 7] | No | Partial via generic records | Partial[Note 8] | Yes | command line and web (VegaDNS & NicTool)[14] | Yes[Note 9]
dbndns | Yes | Yes | Yes | Yes | Yes | No | No | Yes | Partial | Yes | command line and web | Yes
pdnsd | Partial | Yes | Partial | Partial | Yes | No[15] | Partial | Yes | Yes | Yes | command line, pdnsd-ctl program | Partial
MaraDNS | Yes | Yes | Yes | Partial[Note 10] | Yes | No | No | Partial | Yes | Yes | command line | No
Posadis | Yes | Yes | Yes | Yes | Yes | No | No | Yes | Yes | Yes | command line, API | No
Unbound | Partial | Yes | Yes | N/A | Yes | Yes | No | Yes | N/A | Yes | command line, API | No
Dnsmasq | Partial[Note 11] | No | No | No | Yes | Yes (since 2.69)[Note 12] | No | Yes | Yes | Yes | command line | Partial[Note 13]
NSD | Yes | No | N/A | Yes | N/A | Yes | Yes | Yes | Yes | Yes | command line | No
Knot DNS | Yes | No | N/A | Yes | N/A | Yes | Yes | Yes | Yes | Yes | command line | No
dnrd | No | Yes | No | No | Yes | No | No | ? | ? | Yes | command line | No
gdnsd | Yes | No | No | No | No | No | No | Yes | Yes | Yes | command line | Yes
YADIFA | Yes | No | N/A | Yes | N/A | Yes | Yes | Yes | Yes | Yes | command line | No
yaku-ns | Yes | ? | ? | Yes | ? | No | No | No | Yes | Yes | command line | ?
Microsoft DNS | Yes | Yes | Yes[Note 14] | Yes | Yes | Yes[Note 15] | Yes[Note 16] | Yes[Note 17] | Yes | No | GUI, command line, API[Note 18], WMI[Note 19], RPC[Note 20] | Yes[Note 14]
Simple DNS Plus | Yes | Yes | Yes | Yes | Yes | Yes | Yes | Yes | Yes | No | GUI, Web, command line | Yes[Note 21]
Nominum ANS | Yes | No | N/A | Yes | No | Yes | Yes | Yes | Yes | No | command line, API, SOAP interface, SNMP | Yes
Nominum Vantio | No | Yes | Yes | No | Yes | Yes | Yes | Yes | Yes | No | command line, API, SOAP interface, SNMP | Yes
DNS Blast | No | Yes | Yes | No | Yes | Yes | Yes | Yes | Yes | No | CLI, SOAP, REST, SNMP, DNSTAP | Yes
Secure64 DNS Authority | Yes | No | No | Yes | No | Yes | Yes | Yes | Yes | No | command line or web GUI | Yes
Secure64 DNS Cache | No | Yes | Yes | No | Yes | Yes | No | Yes | Yes | No | command line or web GUI | Yes
  1. A BIND configuration module is available for Webmin in many Linux distributions.
  2. IPv6 master/slave support in PowerDNS is incomplete in versions <3.0. Zone transfers in master/slave replication over IPv6 are supported since 3.0.
  3. Full DNSSEC support in PowerDNS arrived in version 3.0. In lower versions, it is currently restricted to being able to serve DNSSEC-related RRs.
  4. Powerdns.com suggested enhancements at
  5. Use the geoip backend for a split-horizon configuration.
  6. djbdns provides facilities to transfer zones; after completing the zone transfer, djbdns can act as an authoritative server for that zone. Consult the axfr-get documentation for further information.
  7. A patch for publishing authoritative DNSSEC-protected data is available at .
  8. djbdns supports wildcard DNS records, but not in a way that conforms with the RFCs.
  9. This is not the same as views in BIND, but it is a solution with comparable capabilities. See: section of tinydns-data.
  10. MaraDNS cannot directly provide slave support. Instead, a zone transfer is needed, after which MaraDNS will act as an authoritative server for that zone. See DNS Slave for further information.
  11. dnsmasq has limited authoritative support, intended for internal network use rather than public Internet use. A records are supported via /etc/hosts, and there is some MX, TXT and SRV record support via the command line.
  12. DNSSEC validation was added in Dnsmasq version 2.69. Earlier versions could only pass through validation results from their own upstream nameservers.
  13. Dnsmasq can do basic split-horizon DNS based on the interface of the source request using the localise-queries configuration parameter.
  14. In Windows Server Technical Preview (2016), you can create DNS policies to control how a DNS server handles DNS queries based on different parameters. This supports recursion control, location-aware responses, split-brain deployment, filters, etc.
  15. Windows Server 2008 R2 supports DNSSEC, however dynamic DNS is not supported for DNSSEC-signed zones. It is fully supported in Windows Server 2012. For earlier versions, including Windows Server 2003, DNSSEC functionality must be manually activated in the registry. In these versions, the DNSSEC support is sufficient to act as a slave/secondary server for a signed zone, but not sufficient to create a signed zone (lack of key generation and signing utilities).
  16. Microsoft DNS supports the GSS-TSIG algorithm for Secure Dynamic Update when integrated with Active Directory, using RFC 3645, an application of GSS-API RFC 2743.
  17. IPv6 functionality in the Microsoft DNS server is only available on Windows Server 2003 and newer.
  18. "Microsoft DNS Server API Reference". Msdn.microsoft.com. Retrieved 2011-10-26.
  19. "Microsoft DNS WMI Provider Specification". Msdn.microsoft.com. Retrieved 2011-10-26.
  20. MS-DNSP DNS Server Management Protocol Specification (uses RPCs)
  21. Simple DNS Plus does not have "views" in the same way as BIND, but has a "NAT IP Alias" feature which allows host records to resolve to different IP addresses depending on where the DNS request comes from.

Platforms

In this overview of operating system support for the DNS servers discussed, the following terms indicate the level of support:

This compilation is not exhaustive, but rather reflects the most common platforms today.

Server | BSD | Solaris | Linux | Mac OS X | Windows
------ | --- | ------- | ----- | -------- | -------
AnswerX | Yes | Yes | Yes | No | No
BIND | Yes | Yes | Yes | Yes | Yes[Note 1]
Microsoft DNS | No | No | No | No | Included[Note 2]
djbdns | Yes | Yes | Yes | Yes | No
Dnsmasq | Yes | Yes | Yes | Yes | No
Simple DNS Plus | No | No | No | No | Yes
NSD | Yes | Yes | Yes | Yes | No
Knot DNS | Yes | No | Yes | Yes | No
PowerDNS | Yes | Yes | Yes | Beta | No
MaraDNS | Yes | Yes | Yes | Yes | Partial
pdnsd | Yes | Partial[16] | Yes | Yes | No
Nominum ANS | Yes | Yes | Yes | No | No
Nominum Vantio | Yes | Yes | Yes | No | No
Posadis | Yes | Yes | Yes | Yes | Yes
Unbound | Yes | Yes | Yes | Yes | Yes
Cisco Network Registrar | No | Yes | Yes | No | Yes
dnrd | Yes | No | Yes | No | No
gdnsd | Yes | Yes | Yes | Yes | No
YADIFA | Yes | Yes | Yes | Yes | No
yaku-ns | Yes | Yes | Yes | Yes | No
DNS Blast | Yes | No | No | No | No
Secure64 DNS Authority | No | No | Yes | No | No
Secure64 DNS Cache | No | No | Yes | No | No
  1. BIND is available for Windows NT-based systems (including Windows 2000, XP, and Server 2003) in a port known as ntbind.
  2. The functionality available with the Microsoft DNS server varies depending on the version of the underlying operating system; like most Windows Server components, it is upgraded only with the rest of the operating system. Certain functionality, such as DNSSEC and IPv6 support, is only available in the Windows Server 2000-2003 version. Windows 2000 Server includes TSIG support. The Microsoft DNS Server is not available on Windows client operating systems such as Windows XP.

Packaging

Server | Creator | Cost (USD) | Public source code | Software license
------ | ------- | ---------- | ------------------ | ----------------
AnswerX | Akamai | Unpublished price | No | Clickwrap license
BIND | Internet Systems Consortium | Free | Yes | BSD, MPL 2.0 for 9.11+
Microsoft DNS | Microsoft | Included with Windows Server | No | Clickwrap license
djbdns | Daniel J. Bernstein | Free | Yes | Public domain
Dnsmasq | Simon Kelley | Free | Yes | GPL
Simple DNS Plus | JH Software | $79 – $379 | No | Clickwrap license
NSD | NLnet Labs | Free | Yes | BSD variant
Knot DNS | CZ.NIC | Free | Yes | GPL
PowerDNS | PowerDNS.COM BV / Bert Hubert | Free | Yes | GPL
MaraDNS | Sam Trenholme | Free | Yes | BSD variant
Nominum ANS | Nominum | Unpublished price | No | Clickwrap license
Nominum Vantio | Nominum | Unpublished price | No | Clickwrap license
pdnsd | Thomas Moestl and Paul Rombouts | Free | Yes | GPL
Posadis | Meilof Veeningen | Free | Yes | GPL
Unbound | NLnet Labs | Free | Yes | BSD
gdnsd | Brandon Black | Free | Yes | GPL
YADIFA | EURid | Free | Yes | BSD
yaku-ns | Salvatore Sanfilippo | Free | Yes | GPL
DNS Blast | EfficientIP | Unpublished price | No | Clickwrap license
Secure64 DNS Authority | Secure64 | Unpublished price | No | Clickwrap license
Secure64 DNS Cache | Secure64 | Unpublished price | No | Clickwrap license

References

  1. Moore, Don (2004). "DNS server survey". Retrieved 2005-01-06.
  2. http://www.isc.org/blogs/isc-concludes-bind-10-development-with-release-1-2-project-renamed-bundy/
  3. "The djbdns prize claimed". Retrieved 2009-03-04.
  4. Mens, Jan-Piet (2008). Alternative DNS Servers: Choice and Deployment, and Optional SQL/LDAP Back-Ends (Paperback). UIT Cambridge Ltd. ISBN 0-9544529-9-2.
  5. Danchev, Dancho. "How OpenDNS, PowerDNS and MaraDNS remained unaffected by the DNS cache poisoning vulnerability". ZDNet. Retrieved 2009-10-10.
  6. "MaraDNS - A security-aware DNS server". MaraDNS. Retrieved 2010-12-15.
  7. http://www.microsoft.com/dns
  8. https://technet.microsoft.com/en-us/library/cc756116(v=ws.10).aspx
  9. https://technet.microsoft.com/library/jj649850.aspx
  10. https://technet.microsoft.com/library/dn593694
  11. https://technet.microsoft.com/en-us/library/dn765484.aspx
  12. "The pdnsd Homepage". Phys.uu.nl. Retrieved 2011-10-26.
  13. "About YADIFA". Retrieved 2013-04-11.
  14. "VegaDNS". Vegadns.sourceforge.net. 2009-09-28. Retrieved 2011-10-26.
  15. "pdns NEWS". Retrieved 2013-03-29. "no support for the DNSSEC protocol itself yet in pdnsd"
  16. "pdnsd homepage". Retrieved 2013-03-29. "pdnsd was started on Linux, and has since been ported to FreeBSD (and Cygwin and Darwin). 90% of the source code should be easily portable to POSIX- and BSD-compatible systems, provided that those systems support the POSIX threads (pthreads). The rest might need OS-specific rewrites."

This article is issued from Wikipedia - version of the 11/22/2016. The text is available under the Creative Commons Attribution/Share Alike but additional terms may apply for the media files.