DJBDNS is a DNS implementation by Prof. Daniel J. Bernstein, designed to be small and secure; he wrote it because he considers BIND's security history to be very poor.

DJBDNS consists of 6 parts:

  • dnscache - the local DNS cache and recursive resolver.
  • tinydns - the authoritative DNS server.
  • walldns - a "reverse DNS wall": a server that answers reverse (PTR) queries with generic names so that internal host names are not exposed.
  • rbldns - a server for IP-address blacklists (RBLs), used for DNS blackholing.
  • axfrdns - a zone-transfer (AXFR) server.
  • axfr-get - a zone-transfer (AXFR) client.

DJBDNS' main program, tinydns, does not implement all the features of BIND; in particular it does not do zone transfers. DJB's position is that it is better to re-use existing tools (such as rsync and ssh) to copy the compiled data file to secondary servers than to implement a separate zone-transfer protocol, as was done with BIND. For compatibility, however, DJBDNS includes the tools axfrdns and axfr-get, which provide zone transfers "the BIND way".

DJBDNS also implements parsing of host data as a separate program (tinydns-data, which compiles the text data file into a constant database, data.cdb, that tinydns then reads). DNS caching and recursive resolving are likewise implemented as a separate program. The result of these design decisions is a dramatic reduction in the code size and complexity of the daemon that answers lookup requests, and that daemon never has to parse the administrator's text file at all. Prof. Bernstein (and many others) consider this true to the spirit of the Unix operating system, and hold that it makes security verification much simpler.
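As an added illustration (example code written for this page, not part of djbdns), the following Python parser handles the common line types of the text file that tinydns-data compiles into data.cdb. The field layouts and TTL defaults are those documented for tinydns-data; the treatment of an omitted name-server or mail-exchanger token as "a", and the sample data file itself, are this example's own assumptions and constructions. It makes the point above concrete: all of this parsing belongs to a separate, offline program, so a malformed or hostile data file fails at compile time on the administrator's side, and the network-facing daemon only ever reads the compiled database.

```python
"""Parser for the tinydns-data text format (added example, not djbdns code).

Covers the common line types . & = + @ ' ^ C, plus '#' comments and lines
disabled with '-'. Field layouts and TTL defaults follow the tinydns-data
documentation; treating an omitted server token as 'a' is an assumption here.
"""
from typing import List, Tuple

Record = Tuple[str, str, str, int]   # (owner name, RR type, rdata, ttl)

DEFAULT_TTL = 86400            # tinydns-data default for most record types
DEFAULT_NS_SOA_TTL = 259200    # tinydns-data default for NS and SOA records


def reverse_name(ip: str) -> str:
    """Map a dotted-quad IPv4 address to its in-addr.arpa PTR owner name."""
    octets = ip.split(".")
    if len(octets) != 4 or not all(o.isdigit() and int(o) <= 255 for o in octets):
        raise ValueError("bad IPv4 address %r" % ip)
    return ".".join(reversed(octets)) + ".in-addr.arpa"


def _ttl(field: str, default: int) -> int:
    return int(field) if field else default


def _server_name(x: str, fqdn: str, infix: str) -> str:
    """tinydns-data rule: a token containing a dot is a full host name,
    otherwise it is expanded to x.ns.fqdn (NS) or x.mx.fqdn (MX).
    An empty token is taken as 'a' (assumption of this example)."""
    x = x or "a"
    return x if "." in x else "%s.%s.%s" % (x, infix, fqdn)


def parse_line(line: str) -> List[Record]:
    """Translate one tinydns-data line into the resource records it implies."""
    line = line.rstrip("\r\n")
    if not line or line[0] in "#-":        # comment, or a record disabled with '-'
        return []
    kind, fields = line[0], line[1:].split(":")
    fields += [""] * (8 - len(fields))     # optional trailing fields may be absent
    fqdn = fields[0].lower()
    if not fqdn:
        raise ValueError("missing name in %r" % line)
    recs: List[Record] = []
    if kind in ".&":                       # NS (+A); '.' additionally emits an SOA
        ip, ttl = fields[1], _ttl(fields[3], DEFAULT_NS_SOA_TTL)
        ns = _server_name(fields[2], fqdn, "ns")
        recs.append((fqdn, "NS", ns, ttl))
        if ip:
            recs.append((ns, "A", ip, ttl))
        if kind == ".":                    # SOA: ns as MNAME, hostmaster@fqdn as RNAME
            recs.append((fqdn, "SOA", "%s hostmaster.%s" % (ns, fqdn), ttl))
    elif kind in "=+":                     # A; '=' additionally emits the matching PTR
        ip, ttl = fields[1], _ttl(fields[2], DEFAULT_TTL)
        if not ip:
            raise ValueError("missing address in %r" % line)
        recs.append((fqdn, "A", ip, ttl))
        if kind == "=":
            recs.append((reverse_name(ip), "PTR", fqdn, ttl))
    elif kind == "@":                      # MX (+A); distance defaults to 0
        ip, dist, ttl = fields[1], int(fields[3] or "0"), _ttl(fields[4], DEFAULT_TTL)
        mx = _server_name(fields[2], fqdn, "mx")
        recs.append((fqdn, "MX", "%d %s" % (dist, mx), ttl))
        if ip:
            recs.append((mx, "A", ip, ttl))
    elif kind == "'":                      # TXT (a colon inside the text is written \072)
        recs.append((fqdn, "TXT", fields[1], _ttl(fields[2], DEFAULT_TTL)))
    elif kind == "^":
        recs.append((fqdn, "PTR", fields[1].lower(), _ttl(fields[2], DEFAULT_TTL)))
    elif kind == "C":
        recs.append((fqdn, "CNAME", fields[1].lower(), _ttl(fields[2], DEFAULT_TTL)))
    else:
        raise ValueError("unsupported line type %r in %r" % (kind, line))
    return recs


def parse_data(text: str) -> List[Record]:
    """Parse a whole data file, failing loudly with the offending line number."""
    recs: List[Record] = []
    for num, line in enumerate(text.splitlines(), 1):
        try:
            recs.extend(parse_line(line))
        except ValueError as err:
            raise ValueError("line %d: %s" % (num, err)) from None
    return recs


# Constructed sample data file for this example (not a real zone).
SAMPLE_DATA = """\
# primary and secondary name servers for example.com
.example.com:192.0.2.1:a
&example.com:192.0.2.2:b
=www.example.com:192.0.2.10
+ftp.example.com:192.0.2.10
@example.com:192.0.2.20:a
'example.com:v=spf1 mx -all
Cmail.example.com:www.example.com:3600
-old.example.com:192.0.2.99
"""

if __name__ == "__main__":
    for owner, rtype, rdata, ttl in parse_data(SAMPLE_DATA):
        print("%-28s %6d IN %-5s %s" % (owner, ttl, rtype, rdata))
```

Running the module prints the twelve records implied by the sample file. Note the difference between "=" and "+": the first creates both the A record and its PTR, the second only the A record, which is why the second host sharing 192.0.2.10 uses "+" so that the reverse lookup stays unambiguous. A generic record type (the ":" line), SOA overrides ("Z") and the timestamp/location fields are not handled here.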

DJBDNS is licensed to permit free redistribution and use, and the source code is publicly available, but the license does not permit distribution of modified versions, so it is neither open source nor free software by the usual definitions. (Bernstein later placed djbdns in the public domain, in December 2007.)
