djbdns - Continuous DNS service without continual software upgrades
This is tinydns.org
Please note that this website is tinydns.org. It used to be
accessible via djbdns.com or djbdns.org. The holder of those two
domain names registered them before I could. For a time, he served up
a frame linking to tinydns.org. He then let the registration lapse,
and now the usual search page idiots have it. Thanks, guy.
Mirrors:
USA (Alaska)
Argentina
Australia 1
Australia 2 (out-of-date)
Belgium (broken as of 2004-08-29)
Bosnia and Herzegovina
England
Germany
Ireland
Italy
Korea
Poland
Slovenia
Turkey
Wales (broken as of 2004-08-29)
Other languages:
Looking for a German-language page about djbdns?
Or a Japanese one?
Or a Turkish one?
Or a Brazilian Portuguese one?
This web site also has standard HTML 2.0 navigation facilities, which you can use by enabling the link bar support in your web browser, if you haven't already done so.
Introduction
djbdns is a replacement for BIND. It is secure, reliable, small,
fast, etc etc etc. Just like all of Dan Bernstein's tools. Dan has his own home page for djbdns. We've got this one
so we can distribute our enhancements to djbdns.
dnscache is a recursive resolver, intended to be listed in
/etc/resolv.conf's "nameserver" entry. It makes DNS queries via UDP
and TCP as needed. It imposes restrictions on what it will return;
that's why it was written. It will only provide data obtained from
authoritative servers. These servers are found via a chain of
delegations from authoritative servers starting from the configured-in
roots. That's part of its security model. If it were to do anything
less, it would be subject to the same cache-poisoning style attacks
that work on the current insecure DNS servers.
tinydns does authoritative nameserving via UDP only; it does not do
recursive nameserving, nor does it answer TCP queries (axfrdns does
that). The only hosts that should ask tinydns for a host are recursive
nameservers, such as those found in /etc/resolv.conf, like djbdns or
BIND. Tinydns should never be listed in /etc/resolv.conf. Tinydns
interoperates properly with every authoritative and recursive
nameserver I know of, and supports all the standards needed to do
so.
axfrdns does authoritative nameserving via TCP, and is also the zone
transfer server. The zone transfer client is axfr-get. Both of these use
Dan Bernstein's ucspi-tcp helpers. Why separate programs? To limit
security incursions, and because many sites do not need zone transfers.
As BIND has shown, excessive functionality is a route to
security disasters.
Testimonials: lycos. Any others?
News
- 2006-03: DNS amplification attacks are becoming more widespread.
Fortunately, the default installation of djbdns is immune to these kinds of
attacks. Tinydns doesn't do any recursive queries, so no amplification is
possible. Dnscache is not an open resolver by default. In order for your
dnscache installation to be open to queries from everyone, you would need to
create many files of the form "#." in /service/dnscache/root/ip/. Don't do that.
- 2003-10: "All your *.com and *.net are belong to us."
Verisign threatens to corrupt the Domain Name System again. Late in the
evening of 2003-09-15 they introduced wildcard *.com and *.net A records
into the top-level domain name servers. They resolved to 64.94.110.11.
They removed those records, but threaten to reinstate them. Russ Nelson
has written a patch to ignore this IP address. Turns out that about a
dozen registrars are doing this, so you can ignore multiple IP addresses.
Note that .name uses wildcard records legitimately, and so may some of
the other registrars, e.g. the contract for .museum specifies that
*.museum is expected. The trouble with Verisign is that their
contract does not.
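The open-resolver point in the 2006-03 item above comes down to what is in dnscache's root/ip directory. As an added example (not code from tinydns.org or from djbdns itself): dnscache answers a query from a.b.c.d only if one of the files root/ip/a.b.c.d, root/ip/a.b.c, root/ip/a.b or root/ip/a exists (the default install creates only 127.0.0.1). client_allowed() mirrors that lookup and audit() flags one-octet prefixes, each of which admits about 16 million addresses. The directory contents and the make_demo_dir helper are constructed for the example.

```python
"""Added example, not from tinydns.org or djbdns: check which clients a
dnscache instance will answer.  dnscache answers a query from a.b.c.d only if
one of the files root/ip/a.b.c.d, root/ip/a.b.c, root/ip/a.b or root/ip/a
exists (the default install creates only 127.0.0.1).  client_allowed() mirrors
that lookup; audit() flags one-octet prefixes, which admit 16 million
addresses each.  The directory contents below are constructed."""
import os
import tempfile


def allowed_prefixes(ip_dir):
    """Return (dotted-decimal prefixes, other names).  dnscache only probes
    dotted-decimal names, so anything else in the directory has no effect."""
    prefixes, ignored = set(), []
    for name in os.listdir(ip_dir):
        octets = name.split(".")
        if (1 <= len(octets) <= 4
                and all(o.isdigit() and int(o) <= 255 for o in octets)):
            prefixes.add(name)
        else:
            ignored.append(name)
    return prefixes, ignored


def client_allowed(prefixes, client_ip):
    """Same rule as dnscache: try the full address, then strip one trailing
    octet at a time until a matching file name is found."""
    octets = client_ip.split(".")
    return any(".".join(octets[:n]) in prefixes for n in range(4, 0, -1))


def addresses_covered(prefixes):
    """Distinct IPv4 addresses admitted; a prefix shadowed by a shorter one
    is not counted twice."""
    total = 0
    for p in prefixes:
        octets = p.split(".")
        if any(".".join(octets[:n]) in prefixes for n in range(1, len(octets))):
            continue
        total += 256 ** (4 - len(octets))
    return total


def audit(ip_dir):
    """Summary a practitioner wants: what is admitted, what is dead weight,
    and which entries are broad enough to make this an open resolver."""
    prefixes, ignored = allowed_prefixes(ip_dir)
    return {
        "prefixes": sorted(prefixes),
        "ignored": sorted(ignored),
        "addresses": addresses_covered(prefixes),
        "broad": sorted(p for p in prefixes if "." not in p),
    }


def make_demo_dir(names):
    """Build a throwaway root/ip directory with the given (constructed) entries."""
    d = tempfile.mkdtemp(prefix="dnscache-ip-")
    for n in names:
        open(os.path.join(d, n), "w").close()
    return d


if __name__ == "__main__":
    demo = make_demo_dir(["127.0.0.1", "192.168", "10", "README"])
    report = audit(demo)
    print(report)
    for ip in ("127.0.0.1", "192.168.7.7", "10.9.9.9", "8.8.8.8"):
        print(ip, "allowed" if client_allowed(report["prefixes"], ip) else "refused")
```

Run audit() against the real /service/dnscache/root/ip to see what a running instance admits; a non-empty "broad" list is the condition the news item warns against.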
Articles
- LWN - A look at djbdns
- Kuro5hin - Preventative DNS
- Security Focus - BIND is insecure.
Commercial support
Commercial support for djbdns is available:
- LIGHTWERK
provides support for djbdns, qmail and most other Bernstein
software. Support is mainly provided for Germany and nearby countries.
- LinuxIS
Consulting, LLC supports qmail, djbdns, and many other software
packages. Remote admin work, as well as e-mail and phone support is
available. They accept Visa, M/C, Amex and Paypal as forms of
payment.
- Quist Consulting provides
support for djbdns.
- MNIS
does support for djbdns in France.
- AiDA Systems provides
djbdns support, by phone, online (remote via ssh), and on-site. Also,
preconfigured/custom built djbdns and/or qmail servers. Load
balancing, Replication, virtual hosting and mysql support at
affordable prices. It's time to give up buggy/insecure BIND. Call Now:
(888)466-8171
- Flavio
Curti provides commercial support for djbdns in Switzerland.
- IDEALX
offers support for djbdns in France and nearby countries.
They also provide support for qmail, and other djbware.
- Martin
Paljak creates DNS solutions using djbdns.
- RWM
Consultants sells support for Debian GNU/Linux, IDS/Firewall,
djbdns and qmail in Brasil.
- Protectix,
Inc. provides remote and onsite commercial support for djbdns.
Other services include outsourced DNS hosting and training on djbdns
installation and maintenance. Call Toll Free (866) 776-9255.
- Oeko.neT supports
qmail, djbdns, and many other software packages, preferably in the
OpenSource area. Remote admin work, as well as e-mail and phone
support and custom programming is available.
- Enigma Consulting
Limited sells support for qmail, djbdns, and other open source
network infrastructure software. Remote and on-site management and
installation, email and phone support is available. We operate mostly
in Ireland and the UK.
- IT ZONE
does support for djbdns mostly in Poland and other European
countries. They also provide remote (by telephone, internet) help for
almost all GPL un*ix server tools and do remote administration.
- Integricity Corporation
provides djbdns consulting services in Asia and Europe
(UK/France). Customised djbdns solutions for platforms such as FreeBSD,
Linux and Solaris.
- EUROTUX
Informatica, SA is a company which focuses on offering consulting
services; we support qmail (content and virus-scanning), djbdns,
ezmlm, publicfile, apache, etc in various configurations. We operate
mostly in Portugal, but provide remote access installations/support in
Europe.
- Linugen provides professional
support and integration services for djbdns and ldap integration in
Europe.
- Sekosystems is a German company
specialized in consulting, integration, administration and security
services for open source based systems. We provide commercial support
for a wide range of open source software, including qmail and djbdns
within Germany, Cameroon and nearby countries.
- Linux4biz
provide commercial support for qmail and djbdns. We also provide
solutions and support for all email servers and internet security.
- Optima
Technologies provides consulting services (qmail, djbdns, Linux, content
and virus scanning) in Spain. Our focus is reliability and security.
Remote and on-site management and installation, email and phone support
is available.
- PoderNet, S.A. de
C.V. provides professional support and consulting for djbdns, qmail,
vpopmail and many other OpenSource software packages in Mexico.
- Saffron Solutions is a
customer-focused IT services company offering computer system, network,
and security consulting and systems integration. Based in Boston, MA,
Saffron Solutions provides qmail, djbdns, and other open source
software support to customers in the US and Canada.
- Tegtmeier
Internet Solutions provides commercial support for djbdns in
Germany. Focused on internet security, high availability and
performance optimization.
- Emuadmin
is a company specialized in the development of Internet solutions. We
offer djbDNS services, from installation to performance optimization.
- DeepRoot Linux provides
support for djbdns, qmail, other DJB / DJB-like software, gnu/Linux
and Debian in India.
- RIEGER - Consulting &
Management offers consulting, installation and administrative
services for qmail, djbdns and other software including help with
general server tasks to customers located in Germany and nearby
countries.
- Alpha-Tech Soluções provides
support for djbdns and open source software in general, as well as website
development.
Documentation
- Switching to djbdns because of BIND's bugs, or simple misfeatures
like the format of the zone files?
- Dan Bernstein has a web page for people switching from BIND.
- So has Adam McKenna.
- Felix von Leitner has a FAQ.
- Luis Toro Teijeiro has
translated the djbdns documentation into Spanish.
- Gerrit Pape has created
man pages
from Dan's documentation, augmenting it with a page for tinydns-edit
which Dan doesn't document.
- Jonathan de Boyne Pollard has both
debunked several myths about djbdns and
documented (and provided solutions for) some of its actual problems.
- Jonathan de Boyne Pollard has created a (very primitive)
djbdns "big picture".
- Luca Morettoni wrote a djbdns
HOW-TO in Italian.
- MAENO Toshinori has translated the djbdns documentation into Japanese.
- Henning Brauer has written Life with djbdns.
- Jack Howard has written a set of
commands which can be cut-n-pasted to fetch, compile, and install
djbdns. Configuration is still up to you, of course.
- Johan Struijk has some web-based DNS query tools.
Discussion
Please read
the djbdns section of FAQTS before asking for help on
discussion fora.
- Dan has a mailing list for djbdns.
There's a searchable
archive and
a newsgroup.
- Luca Morettoni and ZioBudda's staff have an Italian mailing list, with
searchable archives.
- Please use
tinydns-showctl and dnscache-showctl, which are analogous to qmail's
qmail-showctl, when you want to provide information
about your djbdns configuration.
Contributions
A few people have contributed enhancements:
Packages
- Mate Wierdl has an RPM of djbdns. So
does Andy Dustman.
- Gerrit Pape has Debian packages.
Convenience tools for various resource record types
djbdns supports all possible resource record types with a generic syntax.
- Rob Mayoff provides
a tool for generating SRV records and RP records
in the djbdns generic record syntax.
- Michael Handler wrote a SRV patch, which
lets tinydns-data and axfr-get work natively with SRV records. This
patch also has a work-around for BIND's improper compression of PTR
records.
- Interested in DNS-LOC (inserting your location into your DNS)?
djbdns supports DNS-LOC.
- Dan Peterson needed to set a SOA
contact address other than what tinydns-data sets, so he wrote a
new data file record type, 'D'. It defines the contact address to be used for all
subsequent records. An empty contact address means that tinydns-data
should resume manufacturing a contact address.
Note, should you
happen to care about such things: This record creates a
context that prevents you from re-ordering the 'data' file.
Also note that Dan now recommends simply using a pre-processor to generate 'Z' lines instead.
- Guilherme Balena Versiani has added support for SRV+NAPTR.
- Anders Brownworth wants SRV and NAPTR records without patching
djbdns, so he wrote a web page that builds
generic SRV/NAPTR records.
- Luca Morettoni created an IPv6 (AAAA) record generator.
Log management and analysis
djbdns server logs are formatted to be easily machine-readable, not
human-readable.
- Faried Nawaz has a DNScache logfile
formatter, and Kenji Rikitake modified it to be a TinyDNS
logfile formatter.
- Rob Mayoff has some notes on the tinydns
log file format and the dnscache
log file format.
- Greg Ward wrote parse_djbdns_log,
which parses both types of logfiles.
- Ask Bjørn Hansen wrote Tinydns-RRD. It
generates realtime graphs from your tinydns logs by using rrdtool. It
works well with high traffic DNS servers.
- Nate Campi has DNS traffic-graphing
scripts.
- James Raftery has a patch to include more cache
stats.
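The machine-readable format the paragraph above refers to is one line per query, "@tai64n ip:port:id code qtype name", with the address, port, id and query type in hex and the TAI64N stamp added by multilog. As an added example (not code from tinydns.org or from any of the tools listed), here is a parser for that layout together with the per-client and per-type counts that a traffic-monitoring script builds on. The response-code meanings are my reading of djbdns's server.c and should be confirmed against your copy; the log lines are constructed.

```python
"""Added example, not from tinydns.org or the log tools listed above: parse
tinydns log lines and summarise query volume per client, code and type.
Line layout (after multilog's TAI64N stamp):
    @tai64n ip:port:id code qtype name
where ip, port, id and qtype are hex.  The sample lines are constructed."""
from collections import Counter

QTYPES = {1: "A", 2: "NS", 5: "CNAME", 6: "SOA", 12: "PTR", 15: "MX",
          16: "TXT", 28: "AAAA", 33: "SRV", 252: "AXFR", 255: "ANY"}

# Response codes as I read them from djbdns's server.c (assumption; confirm
# against your own source tree).
CODES = {"+": "answered", "-": "dropped, not authoritative for the name",
         "/": "dropped, not a valid query", "I": "not implemented",
         "C": "class not IN"}

TAI64_EPOCH = 1 << 62  # TAI64 labels count seconds from 2^62


def parse_line(line):
    """Return a dict for one log line, or None if it is not a query line."""
    fields = line.split()
    if len(fields) < 4 or not fields[0].startswith("@") or len(fields[0]) != 25:
        return None
    stamp, addr, code, qtype = fields[:4]
    name = fields[4] if len(fields) > 4 else ""
    try:
        ip_hex, port_hex, id_hex = addr.split(":")
        return {
            # TAI seconds, a few tens of seconds ahead of UTC (leap seconds)
            "tai_seconds": int(stamp[1:17], 16) - TAI64_EPOCH,
            "nanoseconds": int(stamp[17:25], 16),
            "client": ".".join(str(int(ip_hex[i:i + 2], 16)) for i in range(0, 8, 2)),
            "port": int(port_hex, 16),
            "id": int(id_hex, 16),
            "code": code,
            "qtype": int(qtype, 16),
            "name": name,
        }
    except ValueError:
        return None


def parse_log(text):
    return [r for r in (parse_line(ln) for ln in text.splitlines()) if r]


def summarize(records):
    """Counts by client address, by response code and by query type name."""
    return {
        "clients": Counter(r["client"] for r in records),
        "codes": Counter(r["code"] for r in records),
        "types": Counter(QTYPES.get(r["qtype"], str(r["qtype"])) for r in records),
    }


def noisy_clients(records, min_queries=3):
    """Clients that sent at least min_queries queries, busiest first."""
    counts = Counter(r["client"] for r in records)
    return [ip for ip, n in counts.most_common() if n >= min_queries]


# Constructed sample: two ordinary lookups, a burst of ANY queries from one
# client, a query for a name this server is not authoritative for, and an
# AXFR attempt over UDP (not implemented by tinydns).
SAMPLE = """\
@4000000044a9cf3a1b2c3d4e c0a80105:0400:1a2b + 0001 www.example.com
@4000000044a9cf3a1b2c3d50 c0a80105:0400:1a2c + 000f example.com
@4000000044a9cf3b0a0b0c0d 0a000007:d431:0001 + 00ff example.com
@4000000044a9cf3b0a0b0c0e 0a000007:d432:0002 + 00ff example.com
@4000000044a9cf3b0a0b0c0f 0a000007:d433:0003 + 00ff example.com
@4000000044a9cf3c00000001 7f000001:0035:beef - 0001 notours.example.net
@4000000044a9cf3c00000002 0a000007:d434:0004 I 00fc example.com
"""

if __name__ == "__main__":
    recs = parse_log(SAMPLE)
    s = summarize(recs)
    for ip, n in s["clients"].most_common():
        print("%-16s %d queries" % (ip, n))
    for code, n in s["codes"].items():
        print("%s %-40s %d" % (code, CODES.get(code, "unknown"), n))
    print("types:", dict(s["types"]))
    print("noisy:", noisy_clients(recs))
```

Feed it the output of multilog's current file; the per-client counts and the share of ANY and AXFR queries are the first thing to look at when a server's traffic changes shape.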
Database management
- Web-based data editors:
- Adam McKenna has written twa (tinydns web admin).
- Inter7's dnsadmin
- suaveDNS
- VegaDNS
- NicTool
- OSU OSL's Maintain
- Sauron, DNS & DHCP
- Magnus Bodin has written valtz, a simple validation
tool for tinydns-data zonefiles. It can also filter lines with
errors, disallowed zones and disallowed record types out of the file(s).
- Jonathan de Boyne Pollard has written
a patch to tinydns-data to diagnose a greater range of data file errors
including some particularly common ones such as putting some values in the wrong fields.
- Balázs Nagy has a modification to tinydns-data which causes it to
accept
multiple filenames on the command line. Each file's timestamp is
the default for all zones defined in that file.
Data generation and conversion
- Bennett Todd has a set of programs to work with BIND zone
files.
- tinydns-data-pull copies over a set of BIND files using ssh.
- tinydns-data-compactor consolidates forward and reverse records.
- tinydns-data-beautify sorts and combines like-records together.
Andrew Pam has some patches
to it.
- Henning Brauer has published his method for exporting DNS records from a mysql database
into tinydns's data file.
- Dennis Fleurbaaij exports DNS records from PostgreSQL.
- Kirill Miazine has his own tool to generate the
tinydns data file.
- Ward Vandewege has a pre-processor to create a whole zone using a
simple one-line syntax.
- Daniel Erat has written a small program to convert BIND zone files
to tinydns-data format (for cases where AXFR isn't available). It's
available from his homepage.
- Michael K. Stella has written a program to copy
dhcp information into djbdns.
- ldap2dns is designed to write binary data.cdb files used by
tinydns from data retrieved from an LDAP database. Lynn Winebarger
has a patch for
ldap2dns (along with a script to translate named.conf and zone
files to ldif) to support slave zones with autoaxfr. It also adds the
ability to output a tcprules set to support axfrdns. It collates
prefixes with more specific ip addresses so you don't get weird
exclusions.
DNS data publication
- Bruce Guenter has sqldjbdns, a SQL DNS server
based on djbdns.
- John Levine has a patch to rbldns which lets you have A and TXT
records in the root of the zone. This lets people access
korea.services.net even though korea.services.net is the root of
his DNSBL zone.
- John M. Simpson has a patch to rbldns to return per-record
IP/TXT information.
- Jonathan de Boyne Pollard has written
a patch to make tinydns and axfrdns publish complete CNAME answers,
in the way that other DNS server software does and that RFC 1034 describes.
- "Mrs. Brisby" has written ldapdns. ldapdns is a tool that
gateways dns requests (which used to use a djbdns backend but no
longer does) to a nearby ldap server. It requires djbdns and openldap.
Note this is not ldap2dns, or even similar (except in name).
ldap2dns works in tandem with tinydns, whereas with ldapdns, queries are
answered based on LIVE information in the ldap server.
Neither is it tinyldap (which is an LDAP server, not a DNS server).
DNS lookup
- Uwe Ohse has a patch to allow
any client to access DNScache. He also has a patch to make dnsfilter
replace the IP address by the hostname. He also has a patch to
cause tinydns to bind to
multiple IP addresses.
- Dan Peterson has a patch for dnscache so it can bind to
multiple IP addresses and serve queries on those IP addresses from
the same cache.
- Matthias Andree has instructions on how to force dnscache to
time out if you have a transient
(aka dialup) Internet connection.
- Florent Guillaume has a patch to dnscache which lets you save and
load the cache.
- Thomas Mangin has a round-robin
patch for dnscache.
Note that this is for dnscache, not tinydns.
Jonathan de Boyne Pollard has written
an explanation of why this almost certainly won't do what you really want.
- Laurent G. Bercot has a patch to
djbdns to allow dnscache to resolve a name or forward it depending
on the zone of the query.
- Russ Nelson has written a patch to convert given A responses into
NXDOMAIN. This helps with registrars that improperly insert
wildcard records (*cough* Verisign *cough*).
- The list of ICANN's root servers that comes with djbdns
is out of date. Jonathan de Boyne Pollard has written
instructions on how to bring this list up to date.
- The Open Root Server Confederation has a page on configuring
djbdns to work with its root servers and thus to enable use of the augmented
root.
- Jonathan de Boyne Pollard has written
a patch to prevent dnscache encountering loops in ${FORWARDONLY} mode.
- Jonathan de Boyne Pollard has written
a patch to allow a more useful separator character in the ${DNSCACHEIP} environment variable
that the dns library in djbdns uses.
- Jonathan de Boyne Pollard has written
dnsqrx, which performs the task of dnsqr but allows one to explicitly specify the target server
to be queried, like dnsq.
- Jonathan de Boyne Pollard has written
a patch to add a dnsnamex command to djbdns, which prints all of the names that an
IP address maps to, instead of just the first one like dnsname does.
- Jonathan de Boyne Pollard has written
a patch to dnscache that improves its handling of CNAME resource records.
- djbdns is more than just a dnscache and a tinydns authoritative
server. It also has a dns client library. Luca Morettoni has written
qmail-rblchk,
which uses the DJB library for DNS query. It's a good example for
using the dns client library.
Database replication via the "Zone transfer" mechanism
- Jos Backus wrote a dnsnotify program to send out BIND notify
messages. James Raftery
modified it to notify all
servers, and set the AA bit. It takes a zone and a list of slave
addresses, builds a NOTIFY request and sends it to each of the slaves,
printing the result. This in turn will cause each slave to do a SOA
lookup and serial number comparison, followed by a zone transfer if
the serial number has changed. Further, Andrew Pam modified it to
create tinydns-notify, in
order to be able to send "NOTIFY" messages only to his slaves that are
running BIND, and only when their zones have changed.
- If you don't have perl or NET::DNS, you may want to use Joseph
Tam's dns-notify
program, written in C.
- Luca Morettoni wrote zonenotify,
which is a notify sender written in C.
- Matt Armstrong wrote autoaxfr. It wraps
axfr-get to read a control file.
- Russ Nelson wrote axfr. Axfr builds tinydns's
data file from a combination of single-zone files beginning with
primary, and subdirectories of secondaried files beginning with axfr.
The name of the subdirectory is the IP address of the primary. Chris
K. Young wrote a man page.
Sean Hunter suggests add-* scripts of the following form:
#!/bin/sh
[ -f primary.$1 ] || touch primary.$1
exec /usr/local/bin/tinydns-edit primary.$1 temp/primary.$1.new add alias ${1+"$@"}
- Russ Nelson also wrote update-domains, which
works with the axfr program to allow a DNS peer to publish their list
of secondary domains on a web page. He uses it in a crontab owned by tinydns like this:
20 4 * * * cd root/217.160.170.133; http@ www.fte.to crynwr.txt | /usr/local/bin/update-domains
- John R Levine wrote dnsrefresh, a perl script
that provides BIND style zone updates by looking at the refresh time
and zone serials. It's useful when your primary insists on running
BIND.
- Luc Pardon has instructions to make axfrdns work
with BIND9 slaves who use IXFR.
Miscellaneous contributions
- Felix von Leitner has three packages
- An ipv6 patch for djbdns.
- An ipv6 patch for ucspi-tcp (for axfr).
- His libdjb packages up Dan's libraries.
- Jul has written a configuration tool.
- Lennert Buytenhek wrote a patch that causes tinydns to keep its
mmap() of the data.cdb file open for at most one second, instead of the default
one hundred queries.
Other (not djbdns-specific) DNS-related sites
- DNS Frequently Given Answers
- DNS Resources Directory
- RFC 1035
Recommended patches
- The definitions of errno in djbdns (and tcpserver)
do not work with the newest glibc (2.3.1). Debian and redhat are
updating to this glibc. Executables compiled with older glibc's (2.3)
abort on startup, and recompilation with 2.3.1 is not possible. Mate
Wierdl has patches for some
of djb's software. The specific patch for djbdns is also
here.
Erwin Hoffmann points out that
a one-line sed script
will fix most of DJB's software.
- TCP queries have the potential to cause dnscache to catch a
SIGPIPE if the remote side closes the socket before the write
finishes. This causes dnscache to exit. There is a trivial patch
[local]
which causes djbdns to ignore SIGPIPE.
Russell Nelson
Many improvements by Jonathan de Boyne Pollard
Last modified: Tue May 30 19:37:43 EDT 2006