13.5 djbdns

   

BIND can be very secure, with the proper precautions. Unfortunately, as BIND has grown, the number of supported features has grown as well. Consequently, most implementations of BIND ship with very few security precautions in place. If a DNS administrator is not familiar with the steps required to secure a DNS server, BIND can be an easy target for an attacker.

One solution is to use an alternative to BIND. The most commonly used alternative is djbdns. Named for its creator, Dan Bernstein, djbdns is a minimal DNS server. It was designed to be small and secure.

Djbdns improves security in several ways. Most of these security enhancements can also be applied to BIND, but there they are not enabled by default. One of the primary enhancements is that djbdns runs in its own chrooted jail by default. This separates djbdns from the rest of the operating system and prevents the djbdns user from accessing files in other parts of the system. Djbdns also separates caching functions from authoritative functions. If a server is acting only as an authoritative name server, it will not be able to perform any recursive queries. Djbdns also uses various security enhancements to secure zone transfers.

NOTE

There are many additional security enhancements to djbdns. For more information about djbdns and its security enhancements, consult the djbdns website: cr.yp.to/djbdns/
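One way to check the caching/authoritative separation described above on a server you administer is to send a query with the RD (recursion desired) bit set and inspect the RA (recursion available) flag in the reply. This is an added example, not code from the book or from djbdns; the function names, the `www.example.com` name and the sample replies are constructed for illustration.

```python
import socket
import struct

# DNS header flag masks (RFC 1035, section 4.1.1)
QR, AA, RD, RA = 0x8000, 0x0400, 0x0100, 0x0080

def build_query(name, qid=0x1234, qtype=1):
    """Build a query for `name` (type A by default) with RD (recursion desired) set."""
    labels = name.rstrip(".").split(".")
    qname = b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"
    return struct.pack("!HHHHHH", qid, RD, 1, 0, 0, 0) + qname + struct.pack("!HH", qtype, 1)

def classify_response(query, response):
    """Classify how a server treated a recursive query, using only the header."""
    if len(response) < 12:
        raise ValueError("truncated DNS header")
    rid, flags, _qd, ancount, _ns, _ar = struct.unpack("!HHHHHH", response[:12])
    if rid != struct.unpack("!H", query[:2])[0] or not flags & QR:
        raise ValueError("not a response to this query")
    if flags & RA:
        return "recursion-offered"        # server is acting as a cache/resolver
    if flags & AA and (flags & 0x000F) == 0 and ancount > 0:
        return "authoritative-only"       # answered from its own zone data, RA clear
    return "recursion-not-available"      # e.g. REFUSED or a referral, RA clear

def probe(server, name, timeout=3.0):
    """Send the query over UDP to a server you administer and classify the reply."""
    query = build_query(name)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(query, (server, 53))
        try:
            reply, _ = s.recvfrom(512)
        except socket.timeout:
            return "no-response"
    return classify_response(query, reply)

def sample_reply(flags, with_answer):
    """Constructed reply to build_query('www.example.com'); not captured traffic."""
    question = build_query("www.example.com")[12:]
    answer = b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, 300, 4) + bytes([192, 0, 2, 1])
    header = struct.pack("!HHHHHH", 0x1234, flags, 1, int(with_answer), 0, 0)
    return header + question + (answer if with_answer else b"")
```

A server meant to be authoritative only should never yield `recursion-offered`, whichever name is queried.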


There are some downsides to djbdns. The primary concern is that it does not handle zone transfers in the same manner other DNS servers do. This means that while it is possible to set up a BIND server and Windows DNS server as primary and secondary servers, it is not as easy to set up a BIND server and djbdns server as primary and secondary servers.

   


The Practice of Network Security. Deployment Strategies for Production Environments
ISBN: 0130462233
EAN: 2147483647
Year: 2002
Pages: 131
Authors: Allan Liska
