DNS management software

DNS management software is computer software that controls Domain Name System (DNS) server clusters. DNS data is typically deployed on multiple physical servers. The main purposes of DNS management software are:

Background

In 1995 there were only 70,000 domains in existence. [1] Domains were registered by email [2] and published with BIND. By mid-1997 the domain count was 1.3 million. [3] As the number of domains and internet hosts skyrocketed, so did the quantity of DNS data and the time required to manage it. Sysadmins responded by writing Perl or shell scripts that helped automate DNS changes. These scripts were mostly in-house tools. The closest thing to widely available DNS management software was the BIND module in Webmin, which provided web tools for editing BIND zone files.

During the late 1990s, the sheer quantity of DNS data was overwhelming the tools available to manage it. The cost of managing the data instigated the birth of DNS management software. The costs can best be explained by illustration. In 1998, three of the largest web hosting companies (HostPro, Interland, and Vservers) each hosted about 100,000 DNS zones. DNS changes were made by telnetting to a BIND master and editing zone files with a text editor. A staff of several DNS admins performed this task all day, every day. Their changes would only take effect after a BIND reload. Because disks were slow, it took several hours for BIND to do a full reload. If a DNS admin made a typo in a zone file, BIND would fail to parse that file and die, often after hours of processing. Whoever noticed BIND wasn't running would have to read the logs, find the zone file with the error, manually review the file, fix the error, and then try starting BIND back up. Once it was up, the changes could propagate to the DNS slaves via zone transfers. Changes often took more than 24 hours to fully propagate.

DNS and databases

While struggling with the challenges of editing zone files, more than a few sysadmins noticed that SQL is a terrific place to store DNS data. By moving the Single Source of Truth from text files into SQL, DNS data could be validated and constrained before acceptance into the database. Export scripts could convert the SQL to zone files. Rsync could replace named-xfer for distribution, increasing security and reducing propagation time. Among large hosting providers, it became fashionable to store DNS data in SQL and build a custom interface for managing it. mysqlBind is one such DNS manager. It provides a web interface for data input and exports the data to BIND zone files.
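The validate-then-export workflow described above, as an added example; this is not code from the article or from mysqlBind, NicTool or any other tool named on this page. It uses only Python's standard library. The schema, the zone name (example.com), the addresses, the SOA timers and the serial number are assumptions constructed for illustration.

```python
import ipaddress
import re
import sqlite3

# Added example, not code from the article or from any tool it names: DNS data
# kept in SQLite as the single source of truth, validated before it is accepted,
# then exported in RFC 1035 master-file format. Zone name, addresses and serial
# are constructed for illustration.

LABEL = r"[a-z0-9_](?:[a-z0-9_-]{0,61}[a-z0-9_])?"
OWNER_RE = re.compile(rf"^(?:@|{LABEL}(?:\.{LABEL})*)$", re.IGNORECASE)  # relative owner name
FQDN_RE = re.compile(rf"^(?:{LABEL}\.)+$", re.IGNORECASE)                # absolute, trailing dot

SCHEMA = """
PRAGMA foreign_keys = ON;
CREATE TABLE zone (
    name       TEXT PRIMARY KEY,
    serial     INTEGER NOT NULL CHECK (serial > 0),
    ttl        INTEGER NOT NULL CHECK (ttl BETWEEN 60 AND 604800),
    primary_ns TEXT NOT NULL,
    contact    TEXT NOT NULL
);
CREATE TABLE record (
    zone  TEXT NOT NULL REFERENCES zone(name),
    name  TEXT NOT NULL,
    type  TEXT NOT NULL CHECK (type IN ('A', 'AAAA', 'NS', 'MX', 'CNAME', 'TXT')),
    ttl   INTEGER NOT NULL CHECK (ttl BETWEEN 60 AND 604800),
    rdata TEXT NOT NULL,
    UNIQUE (zone, name, type, rdata)
);
"""


def validate_record(name, rtype, rdata):
    """Refuse data that BIND would choke on when loading the exported zone file."""
    if not OWNER_RE.match(name):
        raise ValueError(f"bad owner name {name!r}")
    if rtype in ("A", "AAAA"):
        want = 4 if rtype == "A" else 6
        if ipaddress.ip_address(rdata).version != want:  # ValueError on garbage like 192.0.2.300
            raise ValueError(f"{rtype} needs an IPv{want} address, got {rdata!r}")
    elif rtype in ("NS", "CNAME"):
        if not FQDN_RE.match(rdata):
            raise ValueError(f"{rtype} target must be absolute (trailing dot): {rdata!r}")
    elif rtype == "MX":
        pref, _, target = rdata.partition(" ")
        if not (pref.isdigit() and int(pref) <= 65535 and FQDN_RE.match(target)):
            raise ValueError(f"MX needs '<preference> <absolute host>', got {rdata!r}")
    elif rtype == "TXT":
        if '"' in rdata or len(rdata) > 255:
            raise ValueError("TXT data must be at most 255 characters with no double quotes")
    else:
        raise ValueError(f"unsupported record type {rtype!r}")


def add_record(conn, zone, name, rtype, ttl, rdata):
    """Validate, then insert; the CHECK and UNIQUE constraints are a second line of defence."""
    validate_record(name, rtype, rdata)
    conn.execute("INSERT INTO record VALUES (?, ?, ?, ?, ?)", (zone, name, rtype, ttl, rdata))


def would_reject(conn, zone, name, rtype, ttl, rdata):
    """Dry run: True if the record would be refused; the database is left unchanged either way."""
    conn.execute("SAVEPOINT trial")
    try:
        add_record(conn, zone, name, rtype, ttl, rdata)
        return False
    except (ValueError, sqlite3.IntegrityError):
        return True
    finally:
        conn.execute("ROLLBACK TO trial")
        conn.execute("RELEASE trial")


def export_zone(conn, zone):
    """Render one zone in BIND master-file format (the export step described above)."""
    row = conn.execute("SELECT serial, ttl, primary_ns, contact FROM zone WHERE name = ?", (zone,)).fetchone()
    if row is None:
        raise KeyError(zone)
    serial, ttl, primary_ns, contact = row
    lines = [
        f"$ORIGIN {zone}",
        f"$TTL {ttl}",
        # refresh/retry/expire/minimum are fixed here; a real exporter would store them per zone
        f"@\t{ttl}\tIN\tSOA\t{primary_ns} {contact} ( {serial} 7200 900 1209600 {ttl} )",
    ]
    rows = conn.execute(
        "SELECT name, type, ttl, rdata FROM record WHERE zone = ? ORDER BY name, type, rdata", (zone,)
    )
    for name, rtype, rttl, rdata in rows:
        if rtype == "TXT":
            rdata = f'"{rdata}"'
        lines.append(f"{name}\t{rttl}\tIN\t{rtype}\t{rdata}")
    return "\n".join(lines) + "\n"


def load_sample_zone():
    """Constructed sample data (not a real zone). Autocommit mode keeps the savepoint logic simple."""
    conn = sqlite3.connect(":memory:", isolation_level=None)
    conn.executescript(SCHEMA)
    conn.execute("INSERT INTO zone VALUES (?, ?, ?, ?, ?)",
                 ("example.com.", 2024010101, 3600, "ns1.example.com.", "hostmaster.example.com."))
    for name, rtype, ttl, rdata in [
        ("@", "NS", 3600, "ns1.example.com."),
        ("@", "MX", 3600, "10 mail.example.com."),
        ("@", "TXT", 3600, "v=spf1 mx -all"),
        ("ns1", "A", 3600, "192.0.2.1"),
        ("mail", "A", 3600, "192.0.2.25"),
        ("www", "A", 300, "192.0.2.10"),
        ("www", "AAAA", 300, "2001:db8::10"),
    ]:
        add_record(conn, "example.com.", name, rtype, ttl, rdata)
    return conn


if __name__ == "__main__":
    print(export_zone(load_sample_zone(), "example.com."), end="")
```

Running the script prints the zone file that an export job would write and hand to rsync. `would_reject` is the dry-run check a web front end would call before accepting a form submission, and it makes the point of this section concrete: a malformed address, an MX target without its trailing dot, a 5-second TTL and a duplicate record are all refused at input time instead of surfacing hours later as a BIND parse failure.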

In 2000, Daniel J. Bernstein released djbdns. One of its novel features was that tinydns, the included authoritative DNS server, served DNS directly from a CDB database file. The CDB file had to be compiled from a plain text file whose format was designed to be edited by scripts. tinydns quickly became the second most popular DNS server, and a number of DNS managers were released for it, including VegaDNS, SuaveDNS, and NicTool.

In 2005, PowerDNS was released. One of its features was the ability to serve DNS data directly out of the SQL database, bypassing the export step entirely. PowerDNS also spawned a number of DNS managers that provide web interfaces to its SQL data store.

DDNS

Using the RFC 2136 DDNS update protocol, it is possible to change DNS zones without accessing the zone files. Management tools known to work this way are Admin4 and NicTool, via its nsupdate export mechanism. [4]
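The nsupdate-based approach just described, as an added example; this is not NicTool's or Admin4's code. The script computes the difference between the records a manager last pushed and the records it now holds, and renders the difference as an nsupdate batch (the text that nsupdate reads on standard input), signed with a TSIG key and sent as one RFC 2136 update. The server address, zone, key name and key secret are constructed placeholders.

```python
from collections import namedtuple

# Added example for the DDNS section; not NicTool's or Admin4's code. Server
# address, zone, key name and the key secret are constructed placeholders.

Record = namedtuple("Record", "name ttl type rdata")  # name is relative to the zone; "@" is the apex


def diff_records(published, desired):
    """Return (to_delete, to_add). A TTL or rdata change appears as one delete plus one add."""
    published, desired = set(published), set(desired)
    return sorted(published - desired), sorted(desired - published)


def fqdn(name, zone):
    """Expand a relative owner name to the absolute form an update message needs."""
    return zone if name == "@" else f"{name}.{zone}"


def render_nsupdate(server, zone, key_name, key_secret, published, desired, algorithm="hmac-sha256"):
    """Build an nsupdate batch. Everything precedes a single 'send', so the server applies
    all of the changes or none of them (RFC 2136 updates are atomic per message)."""
    if not zone.endswith("."):
        raise ValueError("zone must be absolute (trailing dot)")
    deletions, additions = diff_records(published, desired)
    if not deletions and not additions:
        return ""  # nothing changed; do not send an empty update
    lines = [f"server {server}", f"zone {zone}", f"key {algorithm}:{key_name} {key_secret}"]
    # Prerequisites: every RRset we are about to delete from must still look exactly as
    # the manager last published it (all of its records, not only the one being removed).
    # If the zone changed behind the manager's back the server answers NXRRSET and
    # applies nothing, rather than silently overwriting someone else's change.
    touched = {(r.name, r.type) for r in deletions}
    for r in sorted(published):
        if (r.name, r.type) in touched:
            lines.append(f"prereq yxrrset {fqdn(r.name, zone)} {r.type} {r.rdata}")
    for r in deletions:
        lines.append(f"update delete {fqdn(r.name, zone)} {r.type} {r.rdata}")
    for r in additions:
        lines.append(f"update add {fqdn(r.name, zone)} {r.ttl} IN {r.type} {r.rdata}")
    lines.append("send")
    return "\n".join(lines) + "\n"


def sample_batch():
    """Constructed data: www moves to a new address and an AAAA record for api is added."""
    published = [
        Record("@", 3600, "NS", "ns1.example.com."),
        Record("www", 300, "A", "192.0.2.10"),
    ]
    desired = [
        Record("@", 3600, "NS", "ns1.example.com."),
        Record("www", 300, "A", "192.0.2.11"),
        Record("api", 300, "AAAA", "2001:db8::20"),
    ]
    return render_nsupdate("192.0.2.1", "example.com.", "ddns-key",
                           "TSIG_SECRET_PLACEHOLDER", published, desired)


if __name__ == "__main__":
    print(sample_batch(), end="")  # pipe the output into: nsupdate
```

Piping the output into nsupdate sends the update to the primary, which applies it in memory and journals it; no zone file is edited and no reload is needed, which is the advantage over the file-editing workflow in the Background section. The `prereq` lines are the part worth copying: they turn a stale view in the management database into a refused update instead of a lost change.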

Service providers

DNS service providers often deploy several different DNS server implementations in their networks. In addition, different answers may be returned to DNS clients depending on the clients' geographic location, as determined from their IP address (GeoIP). The most practical way to manage such critical Internet infrastructure has been to rely on databases and complex DNS management software to keep the published data consistent across servers and to avoid single points of deployment error.

DNS management software comparison

Tool          | Language   | Database                       | Delegated permissions | Open source | Latest release
NicTool       | Perl & JS  | MySQL                          | Yes                   | Yes [5]     | 2017
VegaDNS       | PHP        | MySQL                          | 3 groups              | Yes         | 2016
mysqlBind     | C          | MySQL                          | Yes                   | Yes         | 2016
Webmin        | Perl       | flat files                     | No                    | Yes         | 2017
Admin4        | Python     | -                              | No                    | Yes         | 2016
Microsoft DNS | C          | flat files or Active Directory | No                    | No          | 2012
SuaveDNS      | PHP & Perl | MySQL                          | No                    | No          | 2003
Xname         | PHP & Perl | MySQL                          | No                    | No          | 2005
dnsadmin      | C          | MySQL                          | No                    | No          | 2003
fmDNS         | PHP & JS   | MySQL                          | Yes                   | Yes         | 2021
Micetro       | C++        | SQLite, MS SQL, PostgreSQL     | Yes                   | No          | 2021

DNS server support

Name                 | NicTool | EfficientIP | VegaDNS | mysqlBind | Webmin | Admin4 | Microsoft DNS Manager | fmDNS | Infoblox | Micetro
BIND                 | Yes     | Yes         | No      | Yes       | Yes    | Yes    | No                    | Yes   | No       |
tinydns              | Yes     | No          | Yes     | No        | No     | No     | No                    | No    | No       |
PowerDNS             | Yes     | No          | No      | No        | No     | ?      | No                    | No    | No       |
MaraDNS              | Yes     | No          | No      | No        | No     | ?      | No                    | No    | No       |
NSD                  | Yes     | Yes         | No      | No        | No     | ?      | No                    | No    | No       |
Microsoft DNS Server | No      | Yes         | No      | No        | No     | No     | Yes                   | No    | No       |
Infoblox             | No      | No          | No      | No        | No     | No     | No                    | No    | Yes      |
EfficientIP          | No      | Yes         | No      | No        | No     | No     | Yes                   | No    | Yes      |

BIND zone file format

The BIND zone file format is a widely used industry standard documented in RFC 1035. Several other DNS servers, including PowerDNS, NSD, Knot DNS, Microsoft DNS Server, and Micetro by Men&Mice, are able to read BIND zone files and serve from them.

Resource record types supported

Name            | NicTool | VegaDNS | mysqlBind | Webmin | Admin4 | Microsoft DNS Manager | ProBIND | fmDNS | Micetro
A, NS, SOA, PTR | Yes     | Yes     | Yes       | Yes    | Yes    | Yes                   | Yes     | Yes   | Yes
MX, TXT, CNAME  | Yes     | Yes     | Yes       | Yes    | Yes    | Yes                   | Yes     | Yes   | Yes
KEY             | No      | No      | No        | Yes    | Yes    | Yes                   | No      | Yes   | Yes
AAAA            | Yes     | Yes     | Yes       | Yes    | Yes    | Yes                   | No      | Yes   | Yes
LOC             | Yes     | No      | No        | Yes    | Yes    | No                    | No      | No    | Yes
SRV             | Yes     | Yes     | Yes       | Yes    | Yes    | Yes                   | Yes     | Yes   | Yes
NAPTR           | Yes     | No      | Yes       | No     | Yes    | Yes                   | No      | Yes   | Yes
SSHFP           | Yes     | No      | No        | No     | Yes    | No                    | No      | Yes   | Yes
RRSIG           | Yes     | No      | No        | No     | Yes    | Yes                   | No      | No    | Yes
NSEC            | Yes     | No      | No        | No     | Yes    | Yes                   | No      | No    | Yes
DNSKEY          | Yes     | No      | No        | No     | Yes    | Yes                   | No      | Yes   | Yes
DS              | Yes     | No      | No        | No     | Yes    | Yes                   | No      | Yes   | Yes
NSEC3           | Yes     | No      | No        | No     | Yes    | Yes                   | No      | No    | Yes
NSEC3PARAM      | Yes     | No      | No        | No     | Yes    | Yes                   | No      | No    | Yes
IPSECKEY        | Yes     | No      | No        | ?      | Yes    | ?                     | ?       | No    | Yes
DNAME           | Yes     | No      | No        | ?      | Yes    | Yes                   | ?       | Yes   | Yes
SPF             | Yes     | No      | No        | Yes    | Yes    | No                    | No      | Yes   | Yes

DNS software homogeneity

The primary reasons for DNS providers (especially root operators) to run different DNS server implementations are code diversity and application performance. Code diversity makes it less likely that a performance or security bug in one DNS server could be exploited to inflict a denial-of-service attack on the whole organization, since the other implementations keep answering. It is for this reason that NSD and Knot DNS are frequently used by root and TLD operators. DNS management software can greatly simplify publishing the same DNS data to these differing DNS servers. [citation needed]

References

1. "Internet Domain Survey, 1995". ISC. Retrieved April 30, 2013.
2. Simerson, Matt. "Domain Registration in 1996". Archived from the original on June 5, 2015. Retrieved April 30, 2013.
3. "Internet Domain Survey, July 1997". ISC.
4. Beeson, A. "NicTool Export BIND nsupdate". GitHub.
5. Simerson, Matt. "NicTool Source Repository". GitHub. Retrieved September 25, 2013.