Djbdns
The djbdns software package is a DNS implementation created by Daniel J. Bernstein due to his frustrations with repeated BIND security holes. A $1000 prize for the first person to find a privilege escalation security hole in djbdns was awarded in March 2009 to Matthew Dempsky.

, djbdns's tinydns component was the second most popular DNS server (number of served domain).

djbdns has never been vulnerable to the cache poisoning vulnerability reported in July 2008, but it has been discovered that it is vulnerable to a related attack.

The source code has not been centrally managed since 1991 and was released into the public domain in 2007. As of March 2009, there are three forks, one of which is dbndns, the fork of the Debian Project, and more than a dozen patches to address shortcomings exist.

The main djbdns components

The djbdns software consists of server, client, and some miscellaneous configuration tools.

Servers

  • dnscache — the DNS resolver and cache.
  • tinydns — a database-driven DNS server.
  • walldns — a "reverse DNS wall", providing IP to domain name lookup only.
  • rbldns — a server designed for DNS blacklisting service.
  • pickdns — a database-driven server that chooses from matching records depending on the requester's location. (This feature is now a standard part of tinydns.)
  • axfrdns — a zone-transfer server.

Client tools

  • axfr-get — a zone-transfer client.
  • dnsip — simple address from name lookup.
  • dnsipq — address from name lookup with rewriting rules.
  • dnsname — simple name from address lookup.
  • dnstxt — simple text record from name lookup.
  • dnsmx — mail exchanger lookup.
  • dnsfilter — looks up names for addresses read from stdin, in parallel.
  • dnsqr — recursive general record lookup.
  • dnsq — non-recursive general record lookup, useful for debugging.
  • dnstrace (and dnstracesort) — comprehensive testing of the chains of authority over DNS servers and their names.

Design

In djbdns, different features and services, such as AXFR zone transfers, are split off into separate programs. Zone file parsing, DNS caching, and recursive resolving are also implemented as separate programs. The result of these design decisions is a dramatic reduction in code size and complexity of the daemon program that answers lookup requests. Daniel J. Bernstein (and many others) feel that this is true to the spirit of the Unix operating system, and makes security verification much simpler.

Copyright status

On December 28, 2007, Bernstein released djbdns into the public domain. Until that day, the package was distributed as license-free software, which prevented the distribution of modified versions of djbdns. This conflicted with the principles of open source software and made inclusion in many Linux distributions infeasible if not impossible.

The source of this article is wikipedia, the free encyclopedia.  The text of this article is licensed under the GFDL.
 