June 5, 2019
Trying to imagine a world of IT without Domain Name Servers (DNS) can be very intimidating and prohibitive, to say the least. With all of the websites and servers accessed via the web around the world, who would dare imagine keeping a database of all of those IP addresses in case you wished to access a given resource? With such a question posed, the power and beauty of DNS immediately comes to the fore, and I believe no one can refuse to embrace the simplicity, convenience and sweetness that these systems have afforded the world wide web and the people across the globe as a whole.
With that food for thought in mind, an important part of setting up infrastructure is having an easy way of looking up your resources: a DNS system gives the workforce the luxury of typing an FQDN instead of an IP address.
FQDN – A fully qualified domain name (FQDN) is the complete domain name for a specific computer, or host, on the internet or in your local area network. An example is mail.sxi.io
This article looks at the four most used DNS applications. It explores their features and their various use cases. By virtue of the attributes shared, we believe you will be able to choose the one that fits your current use case, should you wish to implement one to better manage your infrastructure. Here we go.
“The things you do for yourself are gone when you are gone, but the things you do for others remain as your legacy.”
― Kalu Ndukwe Kalu
BIND, which stands for “Berkeley Internet Name Domain”, is free and open source software that is widely used on Linux servers for translating domain names to IP addresses. BIND performs both of the main DNS server roles – acting as an authoritative name server for one or more specific domains, and acting as a recursive resolver for the DNS system generally. The current version of BIND is BIND 9.
Features of BIND
In BIND, different information can be presented to a client depending on the network a request comes from (the views feature). This is primarily used to withhold sensitive DNS entries from clients outside of the local network, while allowing queries from clients inside the local network.
Transaction SIGnatures (TSIG)
This feature ensures that a shared secret key exists on both the primary and the secondary nameserver before a transfer is allowed. What this basically means is that the standard IP address-based method of transfer authorization is strengthened: attackers would not only need to have access to the IP address to transfer the zone, they would also need to know the secret key.
DNS Security Extensions (DNSSEC)
This feature primarily provides origin authentication of DNS data, authenticated denial of existence, and data integrity.
Supports Internet Protocol version 6 (IPv6)
Uses RNDC: Remote Name Daemon Control (rndc) is a name server control utility that allows secure command-line administration of the named service, both locally and remotely.
Response Rate Limiting (RRL) Feature
This feature, used in authoritative name servers only, is an enhancement to the DNS protocol that serves as a mitigation for DNS amplification attacks. It substantially reduces the effects of DNS Distributed Denial of Service (DDoS) attacks on client machines.
BIND can act as an authoritative and recursive name server.
This feature makes it possible for master DNS servers to notify slave servers of changes to zone data.
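The following named.conf fragment is an added example, not taken from the article or from the BIND project, that ties together the views, TSIG, zone-transfer, notify and RRL features described above. The ACL ranges, the secondary's address, the zone and file names are placeholders chosen for illustration.

```conf
acl "internal-nets" { 10.0.0.0/8; 192.168.0.0/16; localhost; };

# TSIG key shared with the secondary; generate the secret with tsig-keygen
# (ddns-confgen on older releases) and keep this file readable by named only.
key "xfer-key" {
    algorithm hmac-sha256;
    secret "<base64 secret from tsig-keygen>";
};

# The secondary (placeholder address) must sign its requests with the key.
server 192.0.2.2 { keys { "xfer-key"; }; };

options {
    directory "/var/named";
    allow-transfer { none; };      # deny transfers by default; zones opt in below
    rate-limit {                   # RRL: cap identical answers per client /24 per second
        responses-per-second 5;
        window 5;
        slip 2;                    # every 2nd dropped answer becomes a TC reply so real clients retry over TCP
    };
};

# Internal clients see the full zone, including private hosts, and may recurse.
view "internal" {
    match-clients { internal-nets; };
    recursion yes;
    zone "example.com" {
        type master;
        file "internal/example.com.zone";
        allow-transfer { key "xfer-key"; };   # only TSIG-signed AXFR/IXFR succeeds
        also-notify { 192.0.2.2; };           # NOTIFY the secondary on zone changes
    };
};

# Everyone else sees a trimmed zone and cannot use this server as a resolver.
view "external" {
    match-clients { any; };
    recursion no;
    zone "example.com" {
        type master;
        file "external/example.com.zone";
        allow-transfer { key "xfer-key"; };
    };
};
```

Validate the result with named-checkconf before reloading; TSIG also requires both servers' clocks to agree within the signature's fudge window, so keep them NTP-synchronised.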
Dnsmasq is a lightweight DNS, TFTP, PXE, router advertisement and DHCP server. It is intended to provide coupled DNS and DHCP service to a LAN. Dnsmasq accepts DNS queries and either answers them from a small local cache or forwards them to a real recursive DNS server. It loads the contents of /etc/hosts so that local hostnames which do not appear in the global DNS can be resolved, and it also answers DNS queries for DHCP-configured hosts.
Features of Dnsmasq. Source: http://thekelleys.org.uk/dnsmasq/doc.html
- Dnsmasq provides full IPv6 support.
- Supported platforms include Linux (with glibc and uclibc), Android, *BSD, and Mac OS X
- It is designed to be lightweight and have a small footprint, suitable for resource constrained routers and firewalls.
- Resolves local DNS names: Local DNS names can be defined by reading /etc/hosts, by importing names from the DHCP subsystem, or by configuration of a wide range of useful record types.
- Can forward all query types to upstream recursive DNS: upstream servers can be configured in a variety of convenient ways, including dynamic configuration as they change when moving between upstream networks.
- Can cache common record types (A, AAAA, CNAME and PTR, also DNSKEY and DS when DNSSEC is enabled).
- Authoritative DNS mode allows local DNS names to be exported to a zone in the global DNS. Dnsmasq acts as the authoritative server for this zone and also provides zone transfers to secondaries for the zone, if required.
- DNSSEC validation may be performed on DNS replies from upstream nameservers, providing security against spoofing and cache poisoning.
- Specified sub-domains can be directed to their own upstream DNS servers, making VPN configuration easy.
- Internationalised domain names are supported.
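A dnsmasq.conf for a small LAN, added here as an example (not from the article or the Dnsmasq project), that exercises the local-name, upstream-forwarding, per-subdomain VPN forwarding, DNSSEC validation and DHCP-to-DNS features listed above. The interface name, addresses, the corp.example VPN domain and the trust-anchor file path are assumptions.

```conf
interface=eth0              # listen only on the LAN side, never on the WAN
bind-interfaces
domain-needed               # never forward plain names (no dots) upstream
bogus-priv                  # never forward reverse lookups for RFC 1918 space
no-resolv                   # ignore /etc/resolv.conf; use only the servers below
local=/lan/                 # .lan names are answered locally, never forwarded
domain=lan
expand-hosts                # append .lan to /etc/hosts and DHCP-learned names
cache-size=1000

# Upstream recursive resolvers (placeholders) for everything not handled locally.
server=192.0.2.53
server=192.0.2.54
# Send only the VPN's internal domain and its reverse zone to the VPN resolver.
server=/corp.example/10.8.0.1
server=/8.10.in-addr.arpa/10.8.0.1

# DNSSEC validation of upstream replies; the root trust anchors ship with
# dnsmasq, and the file path below is distribution dependent (assumed).
dnssec
conf-file=/usr/share/dnsmasq/trust-anchors.conf
dnssec-check-unsigned       # reject unsigned answers for zones that should be signed

# DHCP: each lease also creates forward and reverse DNS entries automatically.
dhcp-range=10.0.0.100,10.0.0.200,12h
dhcp-host=aa:bb:cc:dd:ee:ff,printer,10.0.0.20
```

Run dnsmasq --test to check the syntax before restarting the service.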
You may also be interested in: How to Install and Configure Dnsmasq on Ubuntu LTS
PowerDNS, founded in the late 1990s, is a premier supplier of open source DNS software, services, and support. According to PowerDNS, there are two PowerDNS nameserver products: the Authoritative Server and the Recursor. While most other nameservers fully combine these functions, PowerDNS offers them separately but can mix both authoritative and recursive usage seamlessly. What this means is that you download different packages depending on your need: if you wish to run an authoritative DNS, get the authoritative package, and the same goes for the recursive counterpart.
Features of PowerDNS. Source: powerdns.com
- PowerDNS is free and open source software
- Can serve both small and large needs: From the description, it can be deduced that PowerDNS has been designed to serve both the needs of small installations by being easy to setup, as well as for serving very large query volumes on large numbers of domains.
- Supports IPv4 and IPv6, UDP/TCP
- Through use of clever programming techniques, PowerDNS offers very high domain resolution performance.
- Security: library features have been used to mitigate the risks of buffer overflows.
- Remotely pollable statistics for real-time graphing: PowerDNS is able to give a lot of statistics on its operation which is both helpful in determining the scalability of an installation as well as for spotting problems.
- PowerDNS supports a variety of database backends such as MySQL, PostgreSQL, Microsoft SQL Server, Oracle, and Sybase database.
- Splits recursive name server and Authoritative name server functions.
- Support for high-end features such as parental control, malware filtering, automated attack mitigation, subscriber communications and long-term query logging and searching.
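The split design described above, with the Authoritative Server and the Recursor on one host, as an added example that is not part of the article or of the PowerDNS documentation: the Recursor answers LAN clients, validates DNSSEC for the Internet, and forwards only the local zone to the Authoritative Server listening on a non-standard port. Addresses, the corp.example zone, file paths and the API keys are placeholders.

```conf
# /etc/powerdns/pdns.conf  (Authoritative Server)
launch=gsqlite3
gsqlite3-database=/var/lib/powerdns/pdns.sqlite3
local-address=127.0.0.1
local-port=5300             # not reachable from the LAN; only the Recursor asks it
allow-axfr-ips=192.0.2.2    # secondaries allowed to transfer zones (placeholder)
api=yes                     # statistics and zone API for monitoring and automation
api-key=<strong-random-api-key>
webserver=yes
webserver-address=127.0.0.1 # keep the API/metrics endpoint off the LAN

# /etc/powerdns/recursor.conf  (Recursor)
local-address=10.0.0.53
allow-from=10.0.0.0/8,127.0.0.1     # refuse recursion for anyone else
forward-zones=corp.example=127.0.0.1:5300,0.0.10.in-addr.arpa=127.0.0.1:5300
dnssec=validate                     # validate everything from the Internet
lua-config-file=/etc/powerdns/recursor.lua
webserver=yes
webserver-address=127.0.0.1
api-key=<another-random-api-key>

# /etc/powerdns/recursor.lua
# The internal zone is unsigned and absent from the public DNS, so validation
# would otherwise prove it does not exist; a negative trust anchor exempts it.
addNTA("corp.example", "unsigned internal zone")
```

Query 127.0.0.1 port 5300 directly only when debugging the authoritative data; clients should see just the Recursor on 10.0.0.53.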
Unbound is a free, open source validating, recursive, caching DNS resolver software under the BSD license. It is a recently developed DNS System that came into the DNS space to bring a fast and lean system that incorporates modern features based on open standards. Let us look at the features that Unbound has to offer.
Features of Unbound. Source: nlnetlabs.nl/projects/unbound/about/
- Security and privacy: Unbound supports DNS-over-TLS which allows clients to encrypt their communication. Moreover, it supports various modern standards that limit the amount of data exchanged with authoritative servers. These modern standards include Query Name Minimization, the Aggressive Use of DNSSEC-Validated Cache and support for authority zones, which can be used to load a copy of the root zone.
- Multiplatform: Unbound runs on FreeBSD, OpenBSD, NetBSD, MacOS, Linux and Microsoft Windows, with packages available for most platforms.
- As mentioned, Unbound is free, open source software under the BSD license.
- Support for recursive functionality only: Unbound can only be used as a recursive name server, hence it cannot be implemented in scenarios where an authoritative name server is needed. This makes Unbound great for caching and resolving hosts on your own Local Area Network.
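An unbound.conf for a LAN resolver, added as an example (not from the article or from NLnet Labs), that turns on the privacy and security features listed above: DNS-over-TLS for clients, DNSSEC validation, Query Name Minimisation, Aggressive Use of DNSSEC-Validated Cache and a local authority copy of the root zone. The listen address, access ranges and file paths are assumptions.

```conf
server:
    interface: 10.0.0.53                  # plain DNS on port 53
    interface: 10.0.0.53@853              # DNS-over-TLS for clients that support it
    tls-service-key: "/etc/unbound/dot.key"
    tls-service-pem: "/etc/unbound/dot.pem"
    access-control: 10.0.0.0/8 allow      # recursion for the LAN only
    access-control: 0.0.0.0/0 refuse

    # DNSSEC validation with an auto-updating root trust anchor (RFC 5011);
    # the key file path is distribution dependent.
    auto-trust-anchor-file: "/var/lib/unbound/root.key"
    aggressive-nsec: yes                  # answer NXDOMAIN from validated NSEC/NSEC3 already in cache
    qname-minimisation: yes               # send each authority only the labels it needs
    harden-dnssec-stripped: yes           # treat missing DNSSEC data as bogus for signed zones
    hide-identity: yes
    hide-version: yes

# Keep a local copy of the root zone so root lookups never leave the host;
# fall back to asking the root servers if the copy cannot be fetched.
auth-zone:
    name: "."
    url: "https://www.internic.net/domain/root.zone"
    fallback-enabled: yes
    for-downstream: no
    for-upstream: yes
    zonefile: "root.zone"
```

Check the file with unbound-checkconf and create the anchor file with unbound-anchor before the first start.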