I had a play with DJBDNS after using BIND for years. Here's why I switched back:
- No AXFR support
It supports this.
No IXFR, no automatic notification of bind slaves (you get to run a separate notify script) ...
But yes, it is far easier to use, consumes very low amounts of memory and makes an excellent local resolver cache.
e&oe
no roundrobin DNS without a patch (as in it returns all the A records in the same order every time, whereas bind does this in a different order ...)
A contrary view from the trenches:
Around a year ago we tested DJB dnscache as the recursive DNS server in a high-volume ISP environment - mostly because we were not happy with BIND 9 performance at the time. Our conclusions were:
- dnscache used *more* CPU than BIND 9 in our environment, effectively ruling it out
- Not possible to get dnscache to listen to more than one IP address unless you introduce hacks/patches
- Weird failures reported from users
- Annoying installation process with lots of small programs that we don't want or need
We then used BIND 8 for a while, due to its better performance than BIND 9. Earlier this year we finally found a BIND 9 configuration and version that worked well for us (but still too low performance). We finally switched to Nominum CNS (two servers) and one BIND 9 server as backup. We really like Nominum CNS, and we're happy.
Steinar Haug, Nethelp consulting, sthaug@nethelp.no
On Saturday 09 Apr 2005 8:29 am, sthaug@nethelp.no wrote:
At the risk of prolonging a thread that should have died Saturday.
- dnscache used *more* CPU than BIND 9 in our environment, effectively ruling it out
dnscache opens a separate port for each request, thus making DNS spoofing harder (unless you can sniff the packets, then you don't care); BIND doesn't do this, relying solely on query id to prevent spoofing (till DNSSEC or similar is deployed). Overly paranoid, perhaps, but I think it is important to understand that performance isn't everything. If you want the best performing DNS server, last time Rick looked Microsoft DNS was well ahead of BIND; good luck to anyone trying to use it for a big recursive DNS.
- Weird failures reported from users
I've used dnscache in an operational, if not terribly busy, role, and found that like most of DJB's software it does what it says on the tin. It may do a lot less than its competitors but it does it and keeps doing it. Even if you have to patch it to get it to compile <sigh>.
- Annoying installation process with lots of small programs that we don't want or need
Agreed.
sthaug@nethelp.no wrote:
A contrary view from the trenches:
Around a year ago we tested DJB dnscache as the recursive DNS server in a high-volume ISP environment - mostly because we were not happy with BIND 9 performance at the time. Our conclusions were:
- dnscache used *more* CPU than BIND 9 in our environment, effectively ruling it out
It'd be interesting to find the actual causes for this. Did you by chance consult the djbdns mailing list for hints?
- Not possible to get dnscache to listen to more than one IP address unless you introduce hacks/patches
It's easy enough to set up as many instances of dnscache as you have IP addresses and point them all at one central dnscache (typically on a loopback address). Assuming you've already set up the central dnscache, you need to execute the following commands:
# dnscache-conf Gdnscache Ddnslog /etc/dnscacheX a.b.c.d
# echo 127.0.0.1 > /etc/dnscacheX/root/servers/\@
# echo 1 > /etc/dnscacheX/env/FORWARDONLY
# touch /etc/dnscacheX/root/ip/a.b.c
# ln -s /etc/dnscacheX /service
While I agree that it's more work than simply adding one line to a config file, in effect you've got no more than two variables: IP address, netmask (which I happily assumed to be 255.255.255.0 above). It's trivial to write a script to handle this situation in a one-liner. Personally, I also like the added flexibility that this approach gives you.
- Weird failures reported from users
Did you actually investigate any of these?
- Annoying installation process with lots of small programs that we don't want or need
I found the installation process to be relatively straightforward, if a little awkward (as some of DJB's habits are). As for the 'lots of small programs' you don't want or need, I don't see the point. If you install BIND, you get a monolithic binary whereas djbdns splits the functionality into separate programs. Most people only use a fraction of the code in BIND; would you argue that its binary is too large? [snip]
version that worked well for us (but still too low performance). We finally switched to Nominum CNS (two servers) and one BIND 9 server as backup. We really like Nominum CNS, and we're happy.
I've read that Nominum CNS provides good performance. Unfortunately (in my book), it's not Open Source, though. Cheers, Tobias
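The one-liner alluded to above, as an added example that is not part of the original thread or of djbdns itself: a POSIX shell script that wraps the five commands from the post into a single function. It assumes that djbdns's `dnscache-conf` is on the PATH, that the central dnscache already listens on 127.0.0.1, and it keeps the `Gdnscache`/`Ddnslog` account names and the `/service` directory from the post. The per-instance directory name `/etc/dnscache-<ip>`, the netmask-to-prefix helper (which goes beyond the post by accepting /8, /16 and /32 as well as the /24 the post assumes, since dnscache's `root/ip/` files only work at octet boundaries) and the overridable `CONF_ROOT`, `SERVICE_DIR` and `DNSCACHE_CONF` variables are my own additions so the script can be dry-run in a scratch directory.

```shell
#!/bin/sh
# Added example (not from the thread or from djbdns): set up one forward-only
# dnscache instance per IP address, relaying to a central cache on 127.0.0.1.
# Assumes dnscache-conf is installed and the central cache is already running.
set -eu

# Map an IP address plus an octet-aligned netmask onto the file name dnscache
# expects under root/ip/ (e.g. 10.1.2.3 + 255.255.255.0 -> "10.1.2").
# dnscache's ip/ directory only understands octet boundaries, so any other
# mask is rejected instead of being silently widened or narrowed.
prefix_from_mask() {
    ip=$1 mask=$2
    case $mask in
        255.0.0.0)       n=1 ;;
        255.255.0.0)     n=2 ;;
        255.255.255.0)   n=3 ;;
        255.255.255.255) n=4 ;;
        *) echo "unsupported netmask: $mask (root/ip/ only takes octet boundaries)" >&2
           return 1 ;;
    esac
    echo "$ip" | cut -d. -f1-"$n"
}

# Create a forward-only dnscache bound to $1 that answers clients from the
# $1/$2 network. Netmask defaults to the /24 the post assumed.
# CONF_ROOT (default /etc), SERVICE_DIR (default /service) and DNSCACHE_CONF
# (default dnscache-conf) are hypothetical knobs added here for testability;
# the instance directory name /etc/dnscache-<ip> is likewise my assumption.
add_dnscache_instance() {
    ip=$1
    mask=${2:-255.255.255.0}
    conf_root=${CONF_ROOT:-/etc}
    service_dir=${SERVICE_DIR:-/service}
    inst="$conf_root/dnscache-$ip"

    prefix=$(prefix_from_mask "$ip" "$mask") || return 1

    # dnscache-conf creates the service tree (env/, root/servers/, root/ip/, log/).
    # Account names Gdnscache and Ddnslog are taken from the post.
    ${DNSCACHE_CONF:-dnscache-conf} Gdnscache Ddnslog "$inst" "$ip"
    echo 127.0.0.1 > "$inst/root/servers/@"   # send every query to the central cache
    echo 1 > "$inst/env/FORWARDONLY"           # never walk the root servers ourselves
    touch "$inst/root/ip/$prefix"              # accept clients from this network only
    ln -s "$inst" "$service_dir/"              # let svscan start the instance
    echo "$inst"
}

# Usage: ./dnscache-instance.sh a.b.c.d [netmask]
if [ "$#" -gt 0 ]; then
    add_dnscache_instance "$@"
fi
```

Run once per public address; each instance gets its own `root/ip/` entry, so a client network that should not be served by a given address is simply left out of that instance.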
participants (3)
- Simon Waters
- sthaug@nethelp.no
- Tobias Reckhard