Comparison of DNS server software
This article presents a comparison of the features, platform support, and packaging of many independent implementations of Domain Name System name server software.
Servers compared
Each of these DNS servers is an independent implementation of the DNS protocols, capable of resolving DNS names for other computers, publishing the DNS names of computers, or both. Excluded from consideration are single-feature DNS tools and redistributions of servers listed here.DNS servers are grouped into several categories of specialization of servicing domain name system queries. The two principal roles, which may be implemented either uniquely or combined in a given product are:
- Authoritative server: authoritative name servers publish DNS mappings for domains under their authoritative control. Typically, a company would provide its own authority services to respond to address queries, or for other DNS information, for www.example.int. These servers are listed as being at the top of the authority chain for their respective domains, and are capable of providing a definitive answer. Authoritative name servers can be primary name servers, also known as master servers, i.e. they contain the original set of data, or they can be secondary or slave name servers, containing data copies usually obtained from synchronization directly with the primary server, either via a DNS mechanism, or by other data store synchronization mechanisms.
- Recursive server: recursive servers provide DNS name resolution for applications, by relaying the requests of the client application to the chain of authoritative name servers to fully resolve a network name. They also cache the result to answer potential future queries within a certain expiration period. Most Internet users access a recursive server provided by their internet service provider to locate internet hosts such as www.example.com.
BIG-IP DNS
[BIND]
BIND is the de facto standard DNS server. It is a free software product and is distributed with most Unix and Linux platforms, where it is most often also referred to as named. It is the most widely deployed DNS server. Historically, BIND underwent three major revisions, each with significantly different architectures: BIND4, BIND8, and BIND9. BIND4 and BIND8 are now technically obsolete and not considered in this article. BIND9 is a ground-up rewrite of BIND featuring complete DNSSEC support in addition to other features and enhancements.Internet Systems Consortium started development of a new version, BIND 10. Its first release was in April 2010, but ISC involvement concluded with the release of BIND 10 version 1.2 in April 2014. ISC cited a lack of resources to continue development of BIND 10, and they reaffirmed their commitment to BIND9.
The BIND 10 codebase continues on as an open source project at http://bundy-dns.de/ It is not included in this comparison at this time.
[Cisco Network Registrar]
CNR includes a commercial DNS server from Cisco Systems usually used in conjunction with the CNR DHCP server. It supports high rates of dynamic update.[Dnsmasq]
Dnsmasq is a lightweight, easy to configure DNS forwarder, designed to provide DNS services to a small-scale network. It can serve the names of local machines which are not in the global DNS.Dnsmasq accepts DNS queries and either answers them from a small, local cache or forwards them to a real, recursive DNS server. It loads the contents of /etc/hosts, so that local host names which do not appear in the global DNS can be resolved.
[djbdns]
Djbdns is a collection of DNS applications, including tinydns, which was the second most used free software DNS server in 2004. It was designed by Daniel J. Bernstein, author of qmail, with an emphasis on security considerations. In March 2009, Bernstein paid $1000 to the first person finding a security hole in djbdns. The Source code is not centrally maintained and was released into the public domain in 2007. As of March 2009, there are three forks and more than a dozen patches to add additional features to djbdns.[Knot DNS]
Knot DNS is a free software authoritative DNS server by CZ.NIC. Knot DNS aims to be a fast, resilient DNS server usable for infrastructure and DNS hosting services. Knot DNS supports DNSSEC signing and among others hosts root zone, several top-level domains.[Knot Resolver]
Knot Resolver is a caching full DNS resolver from CZ.NIC, written in C and Lua and is available as free software. Knot Resolver is a sibling project of Knot DNS, each of them is independent and serves a different purpose. Knot Resolver is used by Cloudflare for 1.1.1.1, its free DNS service.[MaraDNS]
MaraDNS is a free software DNS server by Sam Trenholme that claims a good security history and ease of use.In order to change any DNS records, MaraDNS needs to be restarted. Like djbdns dnscache, the MaraDNS 2.0 stand-alone recursive resolver does not use threads.
[Microsoft DNS]
Windows DNS Server component of Microsoft DNS. The same software can be configured to support authoritative, recursive and hybrid mode. The software is integrated with Active Directory which makes it the default DNS software for many enterprise networks that are based on Active Directory. It also allows creating zones by the standard DNS zone file. The software comes packaged as a role in Windows Server. The server software is shipped with a command line application dnscmd, a DNS management GUI wizard, and a DNS PowerShell package. In Windows Server 2012, the Windows DNS added support for DNSSEC, with full-fledged online signing, with Dynamic DNS and NSEC3 support, along with RSASHA and ECDSA signing algorithms. It provides an inbuilt key storage provider and support for any third party CNG compliant key storage provider. User interface and PowerShell support for managing DNS and DNSSEC were improved as well.In the Windows Server 2016, the DNS Server supports DNS policies using which the admins can have more control over the name resolution process.
[NSD]
NSD is a free software authoritative server provided by NLNet Labs. NSD is a test-bed server for DNSSEC; new DNSSEC protocol features are often prototyped using the NSD code base. NSD hosts several top-level domains, and operates three of the root nameservers.[pdnsd]
Pdnsd is a caching DNS proxy server that stores cached DNS records on disk for long term retention. Pdnsd is designed to be highly adaptable to situations where net connectivity is slow, unreliable, unavailable, or highly dynamic, with limited capability of acting as an authoritative nameserver. It is licensed under the GPL.[Posadis]
Posadis is a free software DNS server, written in C++, featuring Dynamic DNS update support.[PowerDNS]
PowerDNS is a free software DNS server with a variety of data storage back-ends and load balancing features. Authoritative and recursive server functions are implemented as separate applications.[Secure64 DNS]
DNS Authority is commercial authoritative name server software from Secure64, the company that built Genuinely Secure DNS applications and operating system and completely automated the deployment of DNSSEC.DNS Cache is scalable, highly secure recursive DNS software from Secure64 which provides built-in protection against high-volume denial of service attacks, including Pseudo Random Sub Domain attacks.
[Simple DNS Plus]
Simple DNS Plus is a commercial DNS server product that runs under Microsoft Windows with an emphasis on a simple-to-use GUI. Maintenance of the software appears to have slackened in recent years.Unbound">Unbound (DNS Server)">Unbound
Unbound is a validating, recursive and caching DNS server designed for high performance. It was released on May 20, 2008 as free software licensed under the BSD license by NLnet Labs. It is installed as part of the base system in FreeBSD starting with version 10.0, and in NetBSD with version 8.0. A version is also available in OpenBSD version 5.6 and beyond.[YADIFA]
YADIFA is a BSD-licensed, memory-efficient DNS server written in C. The acronym YADIFA stands for Yet Another DNS Implementation For All. It was created by EURid, which operates the.eu top-level domain.Features
Some DNS features are relevant only to recursive servers, or to authoritative servers. As a result, a feature matrix such as the one in this article cannot by itself represent the effectiveness or maturity of a given implementation.Another important qualifier is the server architecture. Some DNS servers provide support for both server roles in a single, "monolithic" program. Others are divided into smaller programs, each implementing a subsystem of the server. As in the classic Computer Science microkernel debate, the importance and utility of this distinction is hotly debated. The feature matrix in this article does not discuss whether DNS features are provided in a single program or several, so long as those features are provided with the base server package and not with third-party add-on software.
Explanation of features
; Authoritative; Recursive
; Recursion Access Control
; Secondary Mode
; Caching
; DNSSEC
; TSIG
; IPv6
; Wildcard
; Split horizon
Feature matrix
Platforms
In this overview of operating system support for the discussed DNS server, the following terms indicate the level of support:- No indicates that it does not exist or was never released.
- Partial indicates that while it works, the server lacks important functionality compared to versions for other OSs; it is still being developed however.
- Beta indicates that while a version is fully functional and has been released, it is still in development.
- Yes indicates that it has been officially released in a fully functional, stable version.
- Included indicates that the server comes pre-packaged with or has been integrated into the operating system.
| Server | BSD | Solaris | Linux | Mac OS X | Windows |
| BIND | |||||
| Microsoft DNS | |||||
| djbdns | |||||
| Dnsmasq | |||||
| Simple DNS Plus | |||||
| NSD | |||||
| Knot DNS | |||||
| Knot Resolver | |||||
| PowerDNS | |||||
| MaraDNS | |||||
| pdnsd | |||||
| Posadis | |||||
| Unbound | |||||
| Cisco Network Registrar | |||||
| YADIFA | |||||
| Secure64 DNS Authority | |||||
| Secure64 DNS Cache |