By on December 4, 2004

I’ve been setting up a new server lately, and in the process I’ve been reevaluating a lot of the software I use on my servers. One of the things I’ve been dreading more than anything else is moving over DNS services. My old server runs BIND, and has 40+ domain files,not counting reverse lookups.

So I started poking around and found djbdns. So far, I’ve been very impressed with it. It’s built from a number of small, lightweight programs (vs BIND’s monolithic ‘named’), the config file format is less verbose and (slightly) less arcane, it’s reportedly more scalable, and there’s apparently never been a known exploit. It can even automatically version new DNS records and maintain reverse lookups.

Am I missing something here? If djbdns is as great as it appears to be, why is most of the Internet’s DNS traffic still handled by BIND? UNIX admins have a pretty good history of snagging better tools when they come along (sendmail is an increasingly rarer bird, and telnet’s on the way out), so what’s the catch with DNS alternatives?

If you swear by djbdns or another BIND alternative, or have run screaming from one, I’d love to hear from you. Leave a comment.

(Incidentally, the Wikipedia article on DNS that I linked to is by far the clearest explanation of DNS that I’ve ever read. If you’ve always wondered how your PC finds its way around the Internet, have a read).



  1. I ran screaming from djbdns some time ago when, examining BIND alternatives, I gave it a whirl and had some issue with it (can’t remember now; probably some compile-time setting or something). When I asked for help on the mailing list I was told bluntly that I didn’t know what I was doing, and that I should re-read an RFC before asking for help. I reinstalled BIND and haven’t looked back.

    It’s not that I’m ignorant or stupid; it’s that when asking a question I was immediately marked as a idiot, for “not reading the source”, and frankly I can do without that kind of abuse from a software developer. Dan can keep his DNS alternative; I’ll stick with BIND.

  2. djbdns is moderately widely used. The domain registrar Dotster uses it, for example. Something like “nmap -P0 -p U:53 -sV -sU -n”, with a recent version of nmap, will tell you what DNS is being used.

    There are some barriers to its adoption: the fact that most OSes come pre-installed with BIND; the bitter rivalry between Dan Bernstein and the BIND people; and the separation of functions that means you have to run your DNS server and DNS cache on separate IP addresses.

    You forgot to mention djbdns’ best attribute: it runs in a chroot sandbox automatically (it MUST run in a chroot sandbox). To get BIND running in a sandbox is quite a hassle.

    Personally I like it a lot and find BIND to be a complicated mess by comparison.

Comments are closed. If you have something you really want to say, email and we‘ll get it added for you.