Monday March 26, 2007 at 16:59
Subject: Interesting Package review: PowerDNS
Keywords:
Fedora, Package reviews, PDNS, Tech
Posted by: Kevin Fenzi
I thought I would try and do some blogging about interesting packages that I use here that perhaps not too many people know about. Today I am going to look at the (PowerDNS) pdns packages. If you think that bind is the only DNS server out there, you might want to look into pdns. Read on for a review
When people think of DNS software for Linux at least, pretty much everyone knows and uses ISC Bind. It's been around for a really long time and thus has amazing market share, simply due to it having been the only software available for a long time.
There are now several alternatives however. The one that I have had good luck with is PowerDNS. It comes in several sub packages in Fedora. First there OS a pdns-recursor package. This is the one you want if you simply want a caching only nameserver. I use this package on my laptop so I don't need to mess with changing nameservers or have odd hangs from applications (like firefox) when moving from site to site with different DNS servers. It's simple: 'yum install pdns-recursor; chkconfig pdns-recursor on; service pdns-recursor start'. Now you can set your /etc/resolv.conf to use 'nameserver 127.0.0.1' and away you go.
If you need to serve authoritative domain information (ie, DNS information for domains that you run a authoritative server for), you can install the main 'pdns' package. Along with the main package you can select what back end you would like to use to store your DNS information. Available in Fedora are:
- pdns-backend-geo
- pdns-backend-ldap
- pdns-backend-mysql
- pdns-backend-pipe
- pdns-backend-postgresql
Included in the pdns package is a 'zone2sql' command to convert your old bind named.conf and zone files over to pdns database entries. The main config in the /etc/pdns/pdns.conf is well commented and uses a simple directive=value scheme. You can have the pdns server run a local webserver to allow you to monitor it, and the directives will let you do most anything that can be done with a bind named.conf.
So, why use this package instead of bind?
- Security. pdns has a pretty good security record, and bind has sure had some issues in the past
- Security. Since so many folks use bind, it's good to use something else simply to avoid monoculture.
- For a caching nameserver, the pdns-recursor is a small and simple application, no need to install the entire package like bind requires
- Choice of backends. If you have a lot of DNS data a database backend would be most useful
- Extra features like monitoring, geo look up (return result based on the geo location)
- Simpler config file syntax. How many of us out there have missed a }; in a bind config file?
- Written from the ground up instead of added to over the years
It's pretty easy to start out using pdns-recursor in places where you don't need a full DNS server. Hopefully this has let some folks know about pdns. It's really quite a nice little package. Take a look today.
(Post Reply)
| Comment |
anon Subject: Not convinced! |
Excellent point. <If you have a lot of DNS data a database backend would be most useful
Useful for what? <Written from the ground up instead of added to over the years
Incremental improvement + deprecation is not better?
| Comment |
trodgers Subject: Re: Not convinced! |
>.Useful for what? Useful for avoiding BIND's evil and picky zone file syntax...
| Comment |
d3vi1 Subject: RE: Not Conviced |
>Useful for what? Having integration with LDAP makes your life a lot better. Imagine having a web-site in which you could edit the DNS entries. Usually when a human-readable file is modified by an application and then opened for modification by a human, you start swearing because it looks like hell. Same goes for BIND. If I have Dynamic updates, the zone file starts to look like hell after bind finishes. Another reason would be because you could have replication of servers done at another level (no more notify and xfers). Fedora Directory Server supports multi-master replication, and having a DNS server in Romania and another one in the US means that you are depending on standard means for zone transfers, and if your master server dies (completely), you have to pick up the pieces. On the other hand having two DNS servers that don't know of each other and using a backend such as SQL or LDAP, that does the replication for you for DNS and other services is a relief. Third, bind journal files suck. If you want to change something in a dynamic zone, you have to stop your BIND server, change the file and start the BIND server after. It could be only 2 minutes, but it means that you are without a DNS server for that amount of time. >>Written from the ground up instead of added to over the years
>Incremental improvement + deprecation is not better? Not always. As time passes a program needs to be rewritten to allow for the easiest integration of the newest technologies. BIND wasn't designed to allow multiple backends, and has support for that now, but I doubt that it's that clean. Also BIND has views for zones, but you can't have a "view" only for 2 or 3 entries in the zone instead of all of it. GeoIP integration is also helpful (not saying that BIND doesn't have that).
| Comment |
Author:
Kevin Fenzi Subject: Re: not convinced |
>Useful for what? Anything a database can get you: Easy backups. Easy rollback to previous data. Easier querying of data. Integration with other systems that might read the database. Better structure to prevent problems with syntax in updates, etc. >>Written from the ground up instead of added to over the years
>Incremental improvement + deprecation is not better? I suppose it varies, but packages like ISC Bind and Sendmail continue to show security problems year after year. They were just not designed with security in mind. Sometimes the only way you can get massive structural changes in a software package is to re-write it.
| Comment |
Steve Webb Subject: Stay away from nscd too |
| Comment |
Author:
Sean Reifschneider Subject: Don't know about PowerDNS for heavy load, but... |