Exploring the new Bind 10 name server
Performance
The response time of a DNS server can prove critical for the behavior of many other services, from the perceived responsiveness of a website through setting up calls in VoIP. With the Bind 10 installation for this article running on a virtual machine, the Linux Magazine test team conducted several comparative tests between Bind versions 9.9.2 and 10.
Figure 4 shows the results. Our choice of benchmarking tool was Dnsperf 2.0 by Nominum, a manufacturer of DNS appliances [4]. The tool uses a text file with records and types to query the A-record for host.local
. The benchmark can then run the text file several times; for the auth server in this article, four records were inspected 10,000 times.
We also tested the various storage options that Bind 10 offers (text file, SQLite DB, with and without memory cache). We had to use the default configuration for version 9.
In comparison, Bind 9 (at 3,400 queries per second) running on the same VM was just ahead of the quite obviously immature Bind 10. Dnsperf includes a second tool named Resperf for testing recursive resolvers; it first goes through a preheat phase, in which it fills the cache, before measuring the resolver throughput. Here, the test went even more obviously in favor of Bind 9, which managed about 3,000 queries per second compared with 1,600 for Bind 10.
Many Pitfalls
During the tests, yet more problems occurred. For example, after activating the cache for the zones that Bind 10 stored up in SQLite, we were only able to query the zones that were entered in the list of cache zones. We even had to enter the secondary zone that existed in the same SQLite database before we could query it. The fact that the auth server allows zone transfers by default is a 180-degree U-turn compared with the behavior of previous versions. Careless administrators are certainly at risk.
Gentoo users need to ensure that they build Python 3.2 with the sqlite
useflag; otherwise, the components that use Python do not work because they cannot access their configurations without this flag.
What is also currently missing is a way of listing the configured zones. An inquiry on the mailing list resulted in constructive suggestions on how to resolve this in certain configurations. A representative of the ISC confirmed both the absence of the feature, as well as the ongoing efforts to add it.
If you use ACLs for primary or secondary zones in your existing installation of Bind, or if you use views in Bind 9, you need to be aware that these features are not possible with the standard Bind 10 tools. Again, the authors of the Linux Magazine test received a negative response on the Bind mailing list. This may change once Bind 10 becomes more widespread outside of provider environments. Right now, these missing features might already be criteria that prevent migration.
Radical Cure Without Benefits
Bind 10 means radical change, without the administrator being rewarded with benefits that justify the effort. Although its newly acquired modularity makes Bind more easily customizable and more versatile, which might also be useful for an Internet provider who offers many primary zones, the functional limitations, such as the lack of views, and especially the lack of an option for running the authoritative and recursive name servers on one machine, might limit the use of Bind 10, at least for many administrators of corporate networks.
The DHCP component is, at most, recommended for experiments only and lives up to the warnings on the website. It would also have made more sense to use the command-line utility for managing zone content; however, this option is completely ruled out, and as long as Bind 9 still outperforms Bind 10, as the benchmark in this short article suggests, corporate admins really have little incentive to upgrade to the new version.
Problem Case: Open Recursive Name Servers
In recent months, misconfigured name servers have caused numerous distributed denial-of-service (DDoS) attacks. For example, the anti-spam organization "Spamhaus" experienced a DDoS attack around Easter that achieved an incredible bandwidth of 300Gbps.
A DNS DDoS attack typically involves the attacker using UDP to send many DNS requests with the spoofed source IP of the victim to tens of thousands of servers on the Internet. Open recursive name servers allow and respond to these requests for any IP address – and, as a consequence, send their responses to the victim, where data packets arrive simultaneously from all over the world. The attacker only needs to send very small queries, querying specific DNS records, to generate large responses of several kilobytes. This attack is often called the "DNS Amplification Attack."
Recursive name servers, then, always need an ACL to specify the IP network areas for which they are responsible. Only in the rarest cases will this actually be a global 0.0.0.0/0
; instead, the range should be restricted to a DMZ, intranet, or dialup areas. External laptops that need to access a corporate DNS should also originate from a clearly defined address range – a precaution that is possible thanks to VPN tunnels.
For Bind 10, Listing 7 shows the necessary query_acl
using the 10.1.0.0/16
network as an example. The entry
options { [...] allow-recursion { 10.1.0.0/16; 127.0.0.0/8; ::1; }; [...] }
produces an allow-recursion
ACL in the options block for the still-widespread Bind 9. (Peer Heinlein)
Infos
- Bind 10 sources: ftp://ftp.isc.org/isc/bind10/1.0.0/bind10-1.0.0.tar.gz
- Bind 10 in OBS: http://software.opensuse.org/package/bind10
- Bind 10 Admin Guide: http://bind10.isc.org/docs/bind10-guide.html
- Dnsperf: http://www.nominum.com/support/measurement-tools/
« Previous 1 2 3
Buy this article as PDF
(incl. VAT)
Buy Linux Magazine
Subscribe to our Linux Newsletters
Find Linux and Open Source Jobs
Subscribe to our ADMIN Newsletters
Support Our Work
Linux Magazine content is made possible with support from readers like you. Please consider contributing when you’ve found an article to be beneficial.
News
-
NVIDIA Released Driver for Upcoming NVIDIA 560 GPU for Linux
Not only has NVIDIA released the driver for its upcoming CPU series, it's the first release that defaults to using open-source GPU kernel modules.
-
OpenMandriva Lx 24.07 Released
If you’re into rolling release Linux distributions, OpenMandriva ROME has a new snapshot with a new kernel.
-
Kernel 6.10 Available for General Usage
Linus Torvalds has released the 6.10 kernel and it includes significant performance increases for Intel Core hybrid systems and more.
-
TUXEDO Computers Releases InfinityBook Pro 14 Gen9 Laptop
Sporting either AMD or Intel CPUs, the TUXEDO InfinityBook Pro 14 is an extremely compact, lightweight, sturdy powerhouse.
-
Google Extends Support for Linux Kernels Used for Android
Because the LTS Linux kernel releases are so important to Android, Google has decided to extend the support period beyond that offered by the kernel development team.
-
Linux Mint 22 Stable Delayed
If you're anxious about getting your hands on the stable release of Linux Mint 22, it looks as if you're going to have to wait a bit longer.
-
Nitrux 3.5.1 Available for Install
The latest version of the immutable, systemd-free distribution includes an updated kernel and NVIDIA driver.
-
Debian 12.6 Released with Plenty of Bug Fixes and Updates
The sixth update to Debian "Bookworm" is all about security mitigations and making adjustments for some "serious problems."
-
Canonical Offers 12-Year LTS for Open Source Docker Images
Canonical is expanding its LTS offering to reach beyond the DEB packages with a new distro-less Docker image.
-
Plasma Desktop 6.1 Released with Several Enhancements
If you're a fan of Plasma Desktop, you should be excited about this new point release.