BIND: A Short History
BIND (Berkeley Internet Name Domain) is a software collection of tools including the world’s most widely used DNS (Domain Name System) server software. This feature-full implementation of DNS service and tools aims to be 100% standards-compliant and is; intended to serve as a reference architecture for DNS software.
Originally written in the 1980s at the University of California’s Berkeley campus, BIND is a free and open-source software package. The most recent major version, BIND 9, was initially released in 2000 and is regularly maintained by the Internet Systems Consortium.
For small or uncomplicated networks, BIND by itself is well suited to provide all DNS-related service functions. With BIND, you can run caching DNS servers, authoritative servers, or even both together.
Who Uses BIND?
BIND is the most commonly used DNS server software on the Internet. Typically, the people who manage BIND DNS servers day to day are network administrators or system administrators who are comfortable in Linux/UNIX. While BIND can also run on Windows hosts, doing so still requires in-depth knowledge of running open-source services on the system.
Many administrators prefer using BIND over, for example, Microsoft DNS, because it is open-source software that closely follows IETF standards (RFCs). With BIND, you can build your own custom tools to address specific DNS use cases and operational requirements. Note, though, that BIND only manages DNS, and not its closely related DHCP and IP address management counterpart services.
Why is BIND Valuable to Understand?
Knowing how to configure a BIND DNS server is valuable for a number of reasons. Network and development teams frequently use it, so knowing how to configure and use BIND will prove a necessary skill in either job. BIND also gives you very granular control over a DNS server. With it, you can very quickly start to understand the inner workings of providing core network services. Finally, if you happen upon a network that doesn’t use BIND, or is transitioning off it, the fundamental skills you pick up through the use of BIND will serve you well. Most of the other tools in the BIND software package other than the DNS server itself can be used with other DNS servers because they use the standard DNS messaging protocol.
Features & Capabilities of BIND
This isn’t an exhaustive list, but it should serve as a taste of what is possible to do with BIND DNS (especially for those who already know at least a little about DNS).
- Authoritative DNS: Publish DNS zones and records under the server’s authoritative control as a primary server or secondary server.
- Split DNS: Publish multiple views of the DNS namespace, such as providing different sets of data to internal users and the Internet at large. While each view is typically treated as a separate virtual server, in recent years BIND has added features to make it easier to share data between views.
- Recursive DNS (caching resolver): Fetch data from other DNS servers on behalf of client systems, including mobile devices, desktop workstations, and other servers.
- Dynamic update (DDNS): add or delete records in a primary server with a specific kind of DNS message (defined in RFC 2136).
- Efficient data replication: Copy data from the primary to secondary servers in a timely and efficient manner, including change notification from primary to secondary and incremental zone transfer requests from secondary to primary.
- DNS Security Extensions (DNSSEC): Cryptographically sign authoritative data, and cryptographically verify received data on a caching server. BIND supports the most recent iterations of DNSSEC standards, including elliptic curve cryptography.
- Transaction Signatures (TSIG) and Keys (TKEY): Cryptographically sign messages using either a pre-shared key or a dynamically negotiated key, and validate such signatures. BIND supports the latest standard signing algorithms, including those used by Microsoft Active Directory.
- DDOS mitigation: manage the impact of DDOS attacks with a number of different special response capabilities.
- IPv6: Support IPv6 both by publishing IPv6 addresses for names and by participating directly in IPv6 networking
Benefits of Using BIND
- BIND is customizable. If you can code in Perl, Python, BASH, or Powershell, you can build any custom tool you need for yourself and your network.
- BIND is free up-front. Unlike commercial DNS solutions (like BlueCat, Microsoft, or Infoblox), BIND costs nothing to start using. Most Linux/UNIX distributions have a BIND package prebuilt in their repositories.
- BIND has a large support community. The knowledge base and community for the use and troubleshooting of BIND is vast and global.
- BIND is an amazing tool to get started with. Most commercial implementations of DNS that you’ll run into in your career are based on BIND. Having the foundational knowledge needed to configure a BIND server will come in handy.
Why Are There Alternatives to BIND?
Alternatives to using BIND by itself come in two flavors: Competing open-source packages and commercial DNS offerings.
Open-source competitors exist primarily to provide diversity in the overall DNS ecosystems. Their developers make different choices about what to prioritize, such as raw caching DNS performance or DNSSEC performance, or they use a different data replication mechanism than the standard zone transfer formats.
On the other hand, large or more complicated networks tend to require a more complete solution for DNS, and DHCP, and IPAM in order to operate reliably. On a large scale, having to forcibly stitch an IPAM solution onto BIND DNS servers can create an unacceptable amount of unnecessary risk and work.
The problem with BIND at scale is that it contributes to what large organizations have a lot of already: network complexity. All the moving parts required to keep a network running – and running fast – are difficult to update and move in lockstep. BIND doesn’t make it easier and is often an antagonist in scenarios like this.
For example, what you might really like about BIND when you start using it – like the fact that you can instantly tinker with every little thing – becomes a major risk factor when a network is managed by tens or hundreds of disparate people and teams all at once. Providing meaningful entry points for self-service or API-based automation along with reasonable role-based access control requires a lot of effort which, again, is better spent driving the technical needs of the business.
To clarify, managing a handful of BIND servers is relatively easy. Managing a large number of them via manual configuration or homegrown tools requires human resources and technical knowledge that is better spent driving the technology needs of the business. Creating a new zone file, or adding a new DNS server, is straightforward when you only have a few, to begin with. Otherwise, network management becomes convoluted and burdensome.
Disadvantages of Using BIND
The BIND DNS server scales nicely. However, as noted above, managing BIND at scale requires extra tools, either commercially available, open-source, or homegrown. In addition:
- BIND only provides DNS services and tools. That means that managing closely related services like DHCP and IPAM in lockstep with BIND requires a broader management platform. This protects the data from diverging and conflicting, leading to outages.
- By itself, BIND doesn’t enable full-network visibility. Each DNS server is an island in terms of DNS traffic, and BIND does not offer any high-level view of DNS traffic across your network.
- BIND is easy to break. Its breadth and complexity of configuration options make it easy to make a syntax mistake that can take your network down. This is further exacerbated by occasional configuration syntax differences between versions of BIND.
Alternatives to BIND: A Case Study
One alternative to managing BIND by itself, for organizations that choose to invest, is a unified DNS, DHCP, and IPAM solution. Why? Because unifying these three services, so they can be managed in a common and coherent way, is the start to solving many of the problems that overextended BIND networks suffer from. This doesn’t mean losing the capabilities of the BIND software package; many such unified solutions include the BIND name server under the hood, giving you all the power and flexibility you need while encapsulating the management and de-risking your operations.
For example, if IP addresses are managed in the same system as DNS records, you run a lower risk of IP conflicts/outages. In fact, you can automate provisioning workflows between DNS, DHCP, and IPAM, just how you like them. This will not only protect a network from everyday errors but speed up IT operations significantly.
The unifying goal among technology leaders is to move toward comprehensive digital transformation. With this transformation comes the ability to reduce an organization’s reliance on specialists or esoteric experts (who inevitably go on vacation, change jobs, and otherwise leave their roles). It’s also about reducing the need for smart, capable people to have to do manual, repetitive work. Alternatives to BIND reduce the risk of catastrophic typos, streamline IT operations, and enable the digital transformation initiatives that require machine-speed network changes. Altogether giving tech-savvy people more stimulating projects than configuring servers one by one by one.
Learn BIND. Really, it’s good for you. Learn it to build your company’s network. Get a taste of how complex DNS and its related services can get, for those managing them at scale. Use your new knowledge to make networking better.
Ready to dive into everything BIND has to offer? Sharpen your skills and try this course today!
About the Author:
Chris Buxton is Manager of Tools and Tactics at BlueCat.
The post All About BIND DNS: Who, How, & Why appeared first on Linux Academy.