Buck DNS Monoculture with BIND Alternatives
Painless DNS, part 1
July 31, 2008
by Carla Schroder
Out of several good choices, we're going to look at MaraDNS and Dnsmasq. MaraDNS is great for both caching and authoritative name serving, and claims to be highly secure. Dnsmasq is a great program for name services on the LAN: DNS caching, local name resolution, and DHCP.
Honorable mentions go to PowerDNS and NSD, which I'll get to at some future date. PowerDNS, like MaraDNS and BIND, is both an authoritative name server and a caching resolver. NSD is a robust, fairly simple-to-use authoritative-only server. How robust? At least one of the root nameservers, k.root, switched from BIND to NSD.
Other DNS Servers
The most reliable way to future-proof software is to give it the right license. MaraDNS is released under a BSD-type license, and Dnsmasq uses the GPL. There are no guarantees, of course, but if they ever do become abandonware, or turn closed-source like Nessus, it will be legal for someone else to pick them up and carry on.
This is why I started looking for alternatives to my personal favorite DNS server suite, djbdns. Professor D. J. Bernstein, its creator and maintainer, does not allow the distribution of modified binaries. You may distribute patches, and you may modify it for personal use to your heart's content. Which is nice, but there is no way to build a community of developers and users to monitor and improve it, or to keep it alive. The future of djbdns is entirely dependent on Professor Bernstein. [note: Since this was originally published, djbdns has been released into the public domain.]
Being Your Own Hostmaster
Other considerations are security and uptime — can you keep your DNS server running and available, and keep the bad persons out? No DNS means visitors cannot reach your sites, unless they are canny and motivated enough to dig up and use your IP addresses. Cracked DNS means cracked everything on your network, including encrypted sessions.
To let the world know about your authoritative server you must register it. Your domain name registrar should provide this service. They usually require two IP addresses. It's not a bad idea to have a second DNS server hosted remotely, instead of having both of them on the same network. Ask a friend to host your secondary in exchange for you returning the favor, or use a commercial service.
Different registrars have slightly different requirements for the information they need from you. MaraDNS comes with the askmara command to help with this. After you set up your zone files, query them like this:
The main MaraDNS configuration file is /etc/maradns/mararc. Start with a nice clean fresh one and save the old one as a reference. (You'll also find example configuration files in the source tarball.) Suppose your domain is alrac.com, with the IP address of 22.214.171.124:
The first line is the IP address the DNS server listens on. The second line tells MaraDNS to run in a chroot jail and gives the location of the chroot directory. The third line tells MaraDNS to run in authoritative mode; this line must come before any lines defining the zone files. The fourth line configures /etc/maradns/db.alrac.com as the zone file for alrac.com. Don't forget the trailing dot on alrac.com.
Now we can create the zone file, /etc/maradns/db.alrac.com. Zone files contain the following fields:
You may order your entries however you like. MaraDNS contains a nifty shortcut for PTR records — the FQDN4 field, or "Fully-qualified domain name, IPv4", which automatically creates the PTRs. Be careful to not create duplicates — you just want one per IP address. If you prefer to write them out the long way, they look like this:
What if you have additional sub-domains, like forums.alrac.com and support.alrac.com? No problem, just add more A records:
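To catch the duplicate-PTR mistake warned about above, here is an added example (not part of the original article or of MaraDNS itself) that parses a csv2 zone and reports any IP address that would end up with more than one PTR, whether from FQDN4 shortcuts or from PTR records written out the long way. The csv2 layout it assumes (a `~` ends each record, `#` starts a comment, a record with no type field is an A record) follows the MaraDNS documentation as I understand it; the zone text and hostnames are constructed for the example.

```python
import ipaddress
from collections import defaultdict

# Constructed sample csv2 zone for alrac.com. Assumed csv2 layout:
# whitespace-separated fields, '~' ends a record, '#' starts a comment,
# and a record with no type field is an A record. The second FQDN4 for
# 22.214.171.125 (mail.alrac.com.) is the deliberate mistake to catch.
SAMPLE_ZONE = """
# db.alrac.com (constructed example, not the article's zone file)
alrac.com.         FQDN4 22.214.171.124 ~
www.alrac.com.     A     22.214.171.124 ~
forums.alrac.com.  FQDN4 22.214.171.125 ~
support.alrac.com. A     22.214.171.126 ~
126.171.214.22.in-addr.arpa. PTR support.alrac.com. ~
mail.alrac.com.    FQDN4 22.214.171.125 ~
"""

def parse_csv2(text):
    """Yield (name, rtype, data_fields) for each record in csv2 text."""
    # Drop comments first, then split on the record terminator.
    body = "\n".join(line.split("#", 1)[0] for line in text.splitlines())
    for raw in body.split("~"):
        fields = raw.split()
        if not fields:
            continue
        name = fields[0]
        if len(fields) == 2:            # "host. 1.2.3.4" shorthand: an A record
            yield name, "A", fields[1:]
        else:
            yield name, fields[1].upper(), fields[2:]

def reverse_name(ip):
    """22.214.171.124 -> 124.171.214.22.in-addr.arpa. (owner of its PTR)."""
    return ipaddress.ip_address(ip).reverse_pointer + "."

def find_duplicate_ptrs(text):
    """Return {reverse_name: [targets]} for every IP that would get more
    than one PTR, counting FQDN4 shortcuts and explicit PTR records."""
    ptr_targets = defaultdict(list)
    for name, rtype, data in parse_csv2(text):
        if rtype == "FQDN4":            # FQDN4 creates an A plus a PTR
            ptr_targets[reverse_name(data[0])].append(name)
        elif rtype == "PTR":            # explicit PTR, owner is the arpa name
            ptr_targets[name].append(data[0])
    return {rev: t for rev, t in ptr_targets.items() if len(t) > 1}

if __name__ == "__main__":
    for rev, targets in find_duplicate_ptrs(SAMPLE_ZONE).items():
        print(f"{rev} would get {len(targets)} PTRs: {', '.join(targets)}")
```

Run it against a real db.* file by reading the file into `find_duplicate_ptrs` before reloading MaraDNS; an empty result means every address has at most one reverse mapping.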
Simple Load Balancing
Come back next week for more MaraDNS and Dnsmasq fun, and don't forget to read MaraDNS' exceptionally good documentation and man pages.
Article courtesy of Enterprise Networking Planet, originally published October 24, 2006