djbdns - Continuous DNS service without continual software upgrades
This is tinydns.org
Please note that this website is tinydns.org. It used to be
accessible via djbdns.com or djbdns.org. The holder of those two
domain names registered them before I could. For a time, he served up
a frame linking to tinydns.org. He then let the registration lapse,
and now the usual search page idiots have it. Thanks, guy.
Note that djbdns is not subject to the DNS vulnerability announced July 8. From the CERT Advisory: "Daniel J. Bernstein is credited with the original idea and
implementation of randomized source ports in the DNS resolver."
djbdns is a replacement for BIND. It is secure, reliable, small,
fast, etc etc etc. Just like all of Dan Bernstein's tools. Dan has his own home page for djbdns. We've got this one
so we can distribute our enhancements to djbdns.
dnscache is a recursive resolver, intended to be listed in
/etc/resolv.conf's "nameserver" entry. It makes DNS queries via UDP
and TCP as needed. It imposes restrictions on what it will return;
that's why it was written. It will only provide data obtained from
authoritative servers. These servers are found via a chain of
delegations from authoritative servers starting from the configured-in
roots. That's part of its security model. If it were to do anything
less, it would be subject to the same cache-poisoning style attacks
that work on the current insecure DNS servers.
tinydns does authoritative nameserving via UDP only; it does not do
recursive nameserving, nor does it answer TCP queries (axfrdns does
that). The only hosts that should send queries to tinydns are recursive
nameservers, such as those found in /etc/resolv.conf, like djbdns or
BIND. Tinydns should never be listed in /etc/resolv.conf. Tinydns
interoperates properly with every authoritative and recursive
nameserver I know of, and supporting all the standards needed to do
axfrdns does authoritative nameserving via TCP, and is also the zone
transfer server. The zone transfer client is axfr-get. Both of these use
Dan Bernstein's ucspi-tcp helpers. Why separate programs? To limit
security incursions, and because many sites do not need zone transfers.
As BIND has shown, excessive functionality is a root to
Testimonials: lycos. Any others?
amplification attacks are becoming more widespread. Fortunately,
the default installation of djbdns is immune to these kinds of
attacks. Tinydns doesn't do any recursive queries, so no
amplification is possible. Dnscache is not an open resolver by
default. In order for your dnscache installation to be open to
queries from everyone, you would need to create many files of the form
"#." in /service/dnscache/root/ip/. Don't do that.
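The allow list described above is the set of file names in dnscache's root/ip directory: a file named "10" admits clients in 10.*.*.*, "192.168" admits 192.168.*.*, and only a bare file for every first octet 0..255 makes the cache answer the whole Internet. The following audit script is an added example, not part of djbdns or of this page; it takes the root/ip directory as a parameter (the path is an assumption) and reports how close an installation is to the open-resolver case.

```shell
#!/bin/sh
# Added example (not part of djbdns): audit which clients a dnscache
# instance will answer.  dnscache accepts a query only if root/ip/ holds a
# file whose NAME is a prefix of the client's IPv4 address; file contents
# are ignored.  The directory to inspect is passed in (assumed path).

# Print the number of whole-/8 allow entries (bare first-octet names).
dnscache_open_octets() {
    dir=$1
    n=0
    for f in "$dir"/*; do
        [ -e "$f" ] || continue            # empty directory: glob stays literal
        case ${f##*/} in
            *.*) ;;                        # more specific prefix, not a whole /8
            *)   n=$((n + 1)) ;;
        esac
    done
    echo "$n"
}

# Return 0 if every first octet 0..255 has a bare allow file, i.e. the
# cache answers anyone on the Internet (the "Don't do that" case).
dnscache_is_open() {
    dir=$1
    i=0
    while [ "$i" -le 255 ]; do
        [ -e "$dir/$i" ] || return 1
        i=$((i + 1))
    done
    return 0
}

# Return 0 if CLIENT_IP would be accepted, 1 otherwise, by trying each
# prefix from most to least specific, as dnscache does.
dnscache_allows_client() {
    dir=$1
    ip=$2
    while :; do
        [ -e "$dir/$ip" ] && return 0
        case $ip in
            *.*) ip=${ip%.*} ;;            # strip the last octet and retry
            *)   return 1 ;;
        esac
    done
}

# Demonstration on a constructed directory, not a real installation.
demo=$(mktemp -d)
touch "$demo/127" "$demo/10" "$demo/192.168"
echo "whole-/8 entries: $(dnscache_open_octets "$demo")"
dnscache_allows_client "$demo" 192.168.1.5 && echo "192.168.1.5: allowed"
dnscache_allows_client "$demo" 203.0.113.9 || echo "203.0.113.9: refused"
dnscache_is_open "$demo" && echo "OPEN RESOLVER" || echo "restricted to listed prefixes"
rm -rf "$demo"
```

Run it against a real installation with `dnscache_is_open /service/dnscache/root/ip` (or wherever your ROOT points); a non-zero exit is the expected, safe state.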
"All your *.com and *.net are belong to us."
Verisign threatens to corrupt the Domain Name System
again. Late in the evening of 2003-09-15 they introduced wildcard *.com and
*.net A records into the top-level domain name servers. They resolved
to 220.127.116.11. They removed those records, but threaten to
reinstate them. Russ Nelson has written a patch to ignore this IP
address. Turns out that about a dozen registrars are doing this,
so you can ignore multiple IP addresses.
Note that .name uses wildcard records legitimately, and so may some of
the other registrars, e.g. the contract for .museum specifies that
*.museum is expected. The trouble with Verisign is that their
contract does not.
AiDA Systems provides
djbdns support, by phone, online (remote via ssh), and on-site. Also,
preconfigured/custom built djbdns and/or qmail servers. Load
balancing, Replication, virtual hosting and mysql support at
affordable prices. It's time to give up buggy/insecure BIND. Call Now:
Curti provides commercial support for djbdns in Switzerland.
offers support for djbdns in France and nearby countries.
They also provide support for qmail, and other djbware.
Consultants sells support for Debian GNU/Linux, IDS/Firewall,
djbdns and qmail in Brasil.
Inc. provides remote and onsite commercial support for djbdns.
Other services include outsourced DNS hosting and training on djbdns
installation and maintenance. Call us at (408) 877-2544.
qmail, djbdns, and many other software packages, preferably in the
OpenSource area. Remote admin work, as well as e-mail and phone
support and custom programming is available.
Limited sells support for qmail, djbdns, and other open source
network infrastructure software. Remote and on-site management and
installation, email and phone support is available. We operate mostly
in Ireland and the UK.
does support for djbdns mostly in Poland and other European
countries. They also provide remote (by telephone, internet) help for
almost all GPL un*ix server tools and do remote administration.
provides djbdns consulting services in Asia and Europe
(UK/France). Customised djbdns solutions for platforms such as FreeBSD,
Linux and Solaris.
Informatica, SA is a company which focuses on offering consulting
services; we support qmail (content and virus-scanning), djbdns,
ezmlm, publicfile, apache, etc in various configurations. We operate
mostly in Portugal, but provide remote access installations/support in
Linugen provides professional
support and integration services for djbdns and ldap integration in
Sekosystems is a German company
specialized in consulting, integration, administration and security
services for open source based systems. We provide commercial support
for a wide range of open source software, including qmail and djbdns
within Germany, Cameroon and nearby countries.
provide commercial support for qmail and djbdns. We also provide
solutions and support for all email servers and internet security.
Technologies provides consulting services (qmail, djbdns, Linux, content
and virus scanning) in Spain. Our focus is reliability and security.
Remote and on-site management and installation, email and phone support
PoderNet, S.A. de
C.V. provides professional support and consulting for djbdns, qmail,
vpopmail and many other OpenSource software packages in Mexico.
Saffron Solutions is a
customer-focused IT services company offering computer system, network,
and security consulting and systems integration. Based in Boston, MA,
Saffron Solutions provides qmail, djbdns, and other open source
software support to customers in the US and Canada.
Internet Solutions provides commercial support for djbdns in
Germany. Focused on internet security, high availability and
is a company specialized in the development of Internet solutions. We
offer djbDNS services, from installation to performance optimization.
DeepRoot Linux provides
support for djbdns, qmail, other DJB / DJB-like software, gnu/Linux
and Debian in India.
RIEGER - Consulting &
Management offers consulting, installation and administrative
services for qmail, djbdns and other software including help with
general server tasks to customers located in Germany and nearby
Alpha-Tech Soluções provides
support for djbdns and open source software in general, as well as website
Switching to djbdns because of BIND's bugs, or simple misfeatures
like the format of the zone files?
Michael Handler wrote a SRV patch, which
lets tinydns-data and axfr-get work natively with SRV records. This
patch also has a work-around for BIND's improper compression of PTR
Interested in DNS-LOC (inserting your location into your DNS)?
djbdns supports DNS-LOC.
Dan Peterson needed to set a SOA
contact address other than what tinydns-data sets, so he wrote a
new data file record type, 'D'. It defines the contact address to be used for all
subsequent records. An empty contact address means that tinydns-data
should resume manufacturing a contact address.
Note, should you
happen to care about such things: This record creates a
context that prevents you from re-ordering the 'data' file.
Also note that Dan now recommends simply using a pre-processor to generate 'Z' lines instead.
Guilherme Balena Versiani has added support for SRV+NAPTR.
Anders Brownworth wants SRV and NAPTR records without patching
djbdns, so he wrote a web page that builds
generic SRV/NAPTR records.
ldap2dns is designed to write binary data.cdb files used by
tinydns from data retrieved from an LDAP database. Lynn Winebarger
has a patch for
ldap2dns (along with a script to translate named.conf and zone
files to ldif) to support slave zones with autoaxfr. It also adds the
ability to output a tcprules set to support axfrdns. It collates
prefixes with more specific ip addresses so you don't get weird
DNS data publication
Bruce Guenter has sqldjbdns, a SQL DNS server
based on djbdns.
John Levine has a patch to rbldns which lets you have A and TXT
records in the root of the zone. This lets people access
http://korea.services.net even though korea.services.net is the root of
his DNSBL zone.
"Mrs. Brisby" has written ldapdns. ldapdns is a tool that
gateways dns requests (which used to use a djbdns backend but no
longer does) to a nearby ldap server. It requires djbdns and openldap.
Note this is not ldap2dns, or even similar (except in name).
ldap2dns works in tandem with tinydns, whereas with ldapdns, queries are
answered based on LIVE information in the ldap server.
Neither is it tinyldap (which is an LDAP server, not a DNS server).
Gerrit Pape has a simply updated dynamic DNS solution, called tinydyndns, which updates a
DNS name whenever you check mail in a POP3 mailbox.
Bob Vincent wrote tinyddns, which
uses a client and server architecture for updating tinydns dynamically.
The list of ICANN's root servers that comes with djbdns
is out of date. This command will fetch a new version:
wget http://www.internic.net/zones/named.root -O - | grep ' A ' | tr -s ' ' | cut -d ' ' -f4 > /etc/dnscache/root/servers/\@
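One caveat with the one-liner above: the shell truncates the servers/@ file before wget runs, so a failed download leaves dnscache with no root servers at all. The script below is an added example (not from this page or from djbdns) that parses the named.root layout into dnscache's one-IPv4-per-line format, skipping comments, NS and AAAA lines and anything that is not a valid dotted quad, and only replaces the existing file when the new list is non-empty. The sample hints embedded in it are constructed documentation values, not the real root servers, and the file paths are assumptions.

```shell
#!/bin/sh
# Added example (not from this page or djbdns): turn a root hints file in
# the InterNIC named.root layout into the one-IPv4-per-line form dnscache
# reads from root/servers/@, and install it only if the result is usable.

# stdin: named.root text.  stdout: IPv4 addresses of A records, in file
# order, duplicates removed.  Comment lines (';'), NS and AAAA records are
# skipped; the servers file takes IPv4 addresses only.
root_hints_to_servers() {
    awk '
        function is_ipv4(s,    p, i) {
            if (split(s, p, ".") != 4) return 0
            for (i = 1; i <= 4; i++)
                if (p[i] !~ /^[0-9]+$/ || p[i] + 0 > 255) return 0
            return 1
        }
        /^;/ { next }
        $3 == "A" && is_ipv4($4) && !($4 in seen) { seen[$4] = 1; print $4 }
    '
}

# install_servers_file SRC DST: parse SRC, refuse to replace DST with an
# empty list, otherwise move the new list into place in one step.
install_servers_file() {
    src=$1
    dst=$2
    tmp=$(mktemp) || return 1
    root_hints_to_servers < "$src" > "$tmp"
    if [ ! -s "$tmp" ]; then
        rm -f "$tmp"
        echo "no A records found in $src; keeping $dst" >&2
        return 1
    fi
    chmod 644 "$tmp"          # mktemp gives 0600; dnscache runs unprivileged
    mv "$tmp" "$dst"
}

# Constructed sample in the named.root layout (names and addresses are
# documentation values, not the real root servers).
SAMPLE_HINTS='; root hints, constructed for this example
.                        3600000      NS    a.root.example.
.                        3600000      NS    b.root.example.
a.root.example.          3600000      A     192.0.2.1
a.root.example.          3600000      AAAA  2001:db8::1
b.root.example.          3600000      A     192.0.2.2
b.root.example.          3600000      A     192.0.2.2
c.root.example.          3600000      A     999.0.2.3'

# Prints 192.0.2.1 and 192.0.2.2; the AAAA, duplicate and malformed lines drop out.
printf '%s\n' "$SAMPLE_HINTS" | root_hints_to_servers
```

In practice you would download named.root to a temporary file, call `install_servers_file named.root /etc/dnscache/root/servers/@` (adjust to your ROOT), and restart dnscache only on success; dnscache reads the servers file at startup, so a failed update leaves the running instance untouched.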
The Open Root Server Confederation has a page on configuring
djbdns to work with its root servers and thus to enable use of the augmented
djbdns is more than just a dnscache and a tinydns authoritative
server. It also has a dns client library. Luca Morettoni has written
which uses the DJB library for DNS query. It's a good example for
using the dns client library.
Database replication via the "Zone transfer" mechanism
Jos Backus wrote a dnsnotify program to send out BIND notify
messages. James Raftery
modified it to notify all
servers, and set the AA bit. It takes a zone and a list of slave
addresses, builds a NOTIFY request and sends it to each of the slaves,
printing the result. This in turn will cause each slave to do a SOA
lookup and serial number comparison, followed by a zone transfer if
the serial number has changed. Further, Andrew Pam modified it to
create tinydns-notify, in
order to be able to send "NOTIFY" messages only to his slaves that are
running BIND, and only when their zones have changed. Brad Peczka has further modified it for machines with multiple IP addresses.
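What all of the notify senders above put on the wire is the same small message: a DNS header with opcode 4 (NOTIFY) and the AA bit set, carrying one question for the zone name, type SOA, class IN. The script below is an added example, not code from dnsnotify, tinydns-notify or this page; it builds that message as hex so it can be compared against a packet capture from one of those tools, and checks the flags of a captured message. The message ID is a constructed constant, and example.com is used only as a sample zone name.

```shell
#!/bin/sh
# Added example (not from this page or the notify tools it lists): build
# the DNS NOTIFY request those tools send (RFC 1996) and show it as hex.
# A NOTIFY is an ordinary DNS header with opcode 4 and the AA bit set,
# plus one question: the zone name, QTYPE SOA (6), QCLASS IN (1).

# hex of one label: length byte followed by the label bytes.
label_hex() {
    printf '%02x' "${#1}"
    printf '%s' "$1" | od -An -tx1 -v | tr -d ' \n'
}

# hex of an uncompressed wire-format name, e.g. example.com -> 07...03...00
name_hex() {
    name=${1%.}                           # drop a trailing dot if present
    rest=$name
    while [ -n "$rest" ]; do
        case $rest in
            *.*) label_hex "${rest%%.*}"; rest=${rest#*.} ;;
            *)   label_hex "$rest"; rest= ;;
        esac
    done
    printf '00'                           # root label terminates the name
}

# dns_notify_hex ZONE [ID]: hex of a complete NOTIFY query.  The ID is a
# constructed 4-hex-digit value; real senders pick one at random.
# Header: ID | flags 0x2400 (QR=0, opcode=4, AA=1) | QDCOUNT=1 | AN/NS/AR=0
dns_notify_hex() {
    zone=$1
    id=${2:-1234}
    printf '%s' "$id"
    printf '24000001000000000000'
    name_hex "$zone"
    printf '00060001'                     # QTYPE SOA, QCLASS IN
    printf '\n'
}

# dns_notify_flags_ok HEX: return 0 if the message's flags say opcode 4
# with AA set, i.e. it is shaped like a NOTIFY rather than a query.
dns_notify_flags_ok() {
    flags=$(printf '%s' "$1" | cut -c5-6)
    [ $(( (0x$flags >> 3) & 15 )) -eq 4 ] && [ $(( 0x$flags & 4 )) -ne 0 ]
}

# Demonstration: print the message for a sample zone, one byte per column.
dns_notify_hex example.com 1234 | sed 's/../& /g'
```

The slave answers with the same header, QR set and the same ID, and then performs the SOA check and transfer described above; a sender that ignores the reply, as the simple tools do, cannot tell a slave that refused the NOTIFY from one that never received it.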
If you don't have perl or NET::DNS, you may want to use Joseph
program, written in C.
Luca Morettoni wrote zonenotify,
which is a notify sender written in C.
Matt Armstrong wrote autoaxfr. It wraps
axfr-get to read a control file.
Russ Nelson wrote axfr. Axfr builds tinydns's
data file from a combination of single-zone files beginning with
primary, and subdirectories of secondaried files beginning with axfr.
The name of the subdirectory is the IP address of the primary. Chris
K. Young wrote a man page.
Sean Hunter suggests add-* scripts of the following form:
Russ Nelson also wrote update-domains, which
works with the axfr program to allow a DNS peer to publish their list
of secondary domains on a web page. He uses it in a crontab owned by tinydns like this:
The definitions of errno in djbdns (and tcpserver)
do not work with the newest glibc (2.3.1). Debian and redhat are
updating to this glibc. Executables compiled with older glibc's (2.3)
abort on startup, and recompilation with 2.3.1 is not possible. Mate
Wierdl has patches for some
of djb's software. The specific patch for djbdns is also
Erwin Hoffmann points out that
a one-line sed script
will fix most of DJB's software.
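The declaration at the root of this problem is the line "extern int errno;" in djbdns's error.h, and the fix that is generally applied is to replace it with the system header. The script below is an added example, not Erwin Hoffmann's script (which this page only links to) or anything shipped with djbdns; it applies that replacement to a file given as a parameter and is safe to run more than once. The error.h it demonstrates on is a constructed fragment, not the full file.

```shell
#!/bin/sh
# Added example (not Erwin Hoffmann's script): replace the "extern int
# errno;" declaration in a djbdns-style error.h with #include <errno.h>,
# the change normally applied so the package builds and runs against
# glibc 2.3.1, where errno is no longer a plain variable.

# fix_errno_header FILE: rewrite FILE in place; return 0 if the
# declaration was found and replaced, 1 if there was nothing to do
# (already fixed, or not a file that has the declaration).
fix_errno_header() {
    f=$1
    grep -q '^extern int errno;' "$f" || return 1
    sed 's/^extern int errno;$/#include <errno.h>/' "$f" > "$f.tmp" && mv "$f.tmp" "$f"
}

# Demonstration on a constructed fragment of error.h (not the real file).
demo=$(mktemp -d)
printf '%s\n' '#ifndef ERROR_H' '#define ERROR_H' 'extern int errno;' \
    'extern int error_intr;' '#endif' > "$demo/error.h"
fix_errno_header "$demo/error.h" && echo "patched:" && cat "$demo/error.h"
fix_errno_header "$demo/error.h" || echo "already patched, nothing to do"
rm -rf "$demo"
```

Run it as `fix_errno_header error.h` in the unpacked source directory before `make`; the same declaration appears in other DJB packages, which is why the page says a one-line script fixes most of them.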
TCP queries have the potential to cause dnscache to catch a
SIGPIPE if the remote side closes the socket before the write
finishes. This causes dnscache to exit. There is a trivial patch
which causes djbdns to ignore SIGPIPE.