BIND

The most widely used Name Server Software

BIND is open source software that implements the Domain Name System (DNS) protocols for the Internet. It is a reference implementation of those protocols, but it is also production-grade software, suitable for use in high-volume and high-reliability applications.  The name BIND stands for “Berkeley Internet Name Domain”, because the software originated in the early 1980s at the University of California at Berkeley.

BIND is by far the most widely used DNS software on the Internet, providing a robust and stable platform on top of which organizations can build distributed computing systems with the knowledge that those systems are fully compliant with published DNS standards.

BIND and DNS

The DNS protocols are part of the core Internet standards. They specify the process by which one computer can find another computer on the basis of its name. The BIND software distribution contains all of the software necessary for asking and answering name service questions.

The BIND software distribution has three parts:

1. Domain Name Resolver

A resolver is a program that resolves questions about names by sending those questions to the appropriate servers and acting on the servers’ replies. In the most common application, a web browser uses a local stub resolver library on the same computer to look up names in the DNS. That stub resolver is part of the operating system (many operating system distributions use the BIND resolver library). The stub resolver usually forwards queries to a caching (recursive) resolver, a server or group of servers on the network dedicated to DNS service. Those resolvers in turn query one or more authoritative servers to find the IP address for the name.

2. Domain Name Authority server

An authoritative DNS server answers requests from resolvers, using information about the domain names it is authoritative for.  You can provide DNS services on the Internet by installing this software on a server and giving it information about your domain names.

3. Tools

We include a number of diagnostic and operational tools. Some of them, such as the popular dig tool, are not specific to BIND and can be used with any DNS server.

Why Use BIND?

BIND is transparent open source. If your organization needs some functionality that is not in BIND, you can modify it and contribute the new feature back to the community by sending us your source.

BIND has evolved to be a very flexible, full-featured DNS system. There are three typical applications for DNS services and BIND has the features needed for each of them.

As the first, oldest and most commonly deployed solution, there are more network engineers who are already familiar with BIND than any other system.

Internet Service Provider – Public Recursive and Authoritative service

The ISP normally provides DNS resolver services for the networks it connects to the Internet, including both homes and businesses. Businesses using the ISP for transport may want to list their own internal resolvers first and the ISP’s resolvers as a fallback for when the enterprise’s internal systems are busy. Many ISPs also offer authoritative DNS hosting services for their enterprise customers.

We recommend that ISPs close their resolvers: limit recursion to clients on their own network. An open resolver answers anyone, so an attacker can send it small queries with a forged source address and have the much larger answers delivered to a victim, using the ISP’s resolver as a reflector and amplifier in a DDoS attack on others.
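
As an added example of the recommendation above (written for this page, not code from the BIND distribution), here is a named.conf fragment for a closed recursive resolver. The network prefixes are documentation ranges (RFC 5737 and RFC 3849) standing in for the ISP’s customer networks, and the directory path is assumed:

```conf
# Added example: a closed (non-open) recursive resolver.
# The prefixes are documentation ranges; substitute the networks you serve.
acl "customers" {
    localhost;
    localnets;
    192.0.2.0/24;          # customer IPv4 range (placeholder)
    2001:db8::/32;         # customer IPv6 range (placeholder)
};

options {
    directory "/var/named";            # assumed path
    recursion yes;

    # Only our own clients may ask us to recurse...
    allow-recursion { customers; };

    # ...and only they may read the cache. Without this, outsiders can
    # still pull already-cached answers, which leaks data and gives a
    # reflection attack something to bounce off.
    allow-query-cache { customers; };

    # Queries for zones this server is authoritative for can stay open;
    # if it serves no zones at all, make this "customers" as well.
    allow-query { any; };
};
```

Check the syntax with named-checkconf, reload, and then confirm from an address outside the ACL that a query for a name you are not authoritative for (for example dig @server www.isc.org) comes back REFUSED, while the same query from a customer address is answered.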

Key BIND features of interest to ISPs include:

Response Policy Zones – Use RPZ to selectively block access to infected sites hosting malware, or block access to domains you may have a legal requirement to exclude.
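
An added example of an RPZ configuration (not from the page or the BIND distribution): a named.conf fragment that enables one policy zone, followed by the zone file itself. The zone name rpz.example, the file path and the blocked domains are all made up for illustration; RPZ applies only to answers the server resolves recursively.

```conf
# Added example: Response Policy Zone.
# --- named.conf fragment ---
options {
    # Consult the policy zone before returning each recursive answer;
    # when several zones are listed, the first one that matches wins.
    response-policy { zone "rpz.example"; };
};

zone "rpz.example" {
    type master;
    file "/var/named/rpz.example.db";    # assumed path
    allow-query { localhost; };          # policy data is never served to clients
};

; --- /var/named/rpz.example.db (zone file, constructed for this example) ---
$TTL 300
@       IN  SOA  ns.rpz.example. hostmaster.rpz.example. (
                 2015032001  ; serial, bump on every edit
                 3600 600 86400 300 )
        IN  NS   ns.rpz.example.
ns      IN  A    127.0.0.1
; Owner names are the domains to act on, written relative to the policy zone.
;   CNAME .              -> answer NXDOMAIN
;   CNAME *.             -> answer NODATA
;   A / AAAA             -> answer with that address (walled garden)
;   CNAME rpz-passthru.  -> exempt this name from the policy
malware.example         IN  CNAME  .
*.malware.example       IN  CNAME  .
tracker.example         IN  CNAME  *.
phish.example           IN  A      192.0.2.10
*.phish.example         IN  A      192.0.2.10
allowed.example         IN  CNAME  rpz-passthru.
```

After named-checkzone rpz.example on the file and a reload, dig @127.0.0.1 malware.example should return NXDOMAIN and phish.example the walled-garden address; rewrites are recorded in the rpz logging category. Note that a rewritten answer cannot carry a valid signature, so by default BIND does not rewrite DNSSEC-signed answers for clients that set the DO bit unless break-dnssec yes is configured.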

NXDOMAIN redirection – When a customer looks up a name that does not exist (an NXDOMAIN response), you can substitute a response that sends the user to another web page instead. ISPs use this to serve search pages or advertising. Using wildcards, you can serve a different zone depending on what the person was looking for; for example, you can send all users looking up non-existent names under *.fr to a search site in French. BIND supports this through Dynamically Loadable Zones (DLZ). Note that a substituted answer cannot carry a valid DNSSEC signature, so for names in signed zones, clients that validate DNSSEC themselves will reject the redirect.

DDoS mitigation – Anyone can be the target of a DDoS attack, but in practice this is a bigger problem for service providers than for enterprises. Attacks can aim at either recursive or authoritative service, and BIND has features to mitigate both. Response Rate Limiting (RRL) has proven very helpful in mitigating amplification attacks against authoritative servers, in which the attacker sends queries with the victim’s forged source address so that the server’s larger answers flood the victim. Some experimental new features in BIND also help mitigate resolver exhaustion due to DDoS. These new rate limits for recursive servers are currently available only in our premium service provider release.
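
An added example of Response Rate Limiting on an authoritative server (constructed for this page, not code from the BIND distribution). The values are a reasonable starting point rather than recommendations from the page, and the exempt range is a documentation prefix standing in for your own secondaries and monitoring hosts:

```conf
# Added example: RRL on an authoritative-only server.
options {
    recursion no;              # authoritative only; RRL is not a resolver defence

    rate-limit {
        # Identical responses (same name, type and rcode) to one IPv4 /24
        # or IPv6 /56 are limited to this many per second...
        responses-per-second 10;
        # ...averaged over this many seconds, so short legitimate bursts pass.
        window 5;

        # Tighter budgets for the cheap answers attackers like to reflect.
        errors-per-second 5;
        nxdomains-per-second 5;
        referrals-per-second 5;
        nodata-per-second 5;

        # Of every "slip" responses that would be dropped, send one truncated
        # (TC=1) reply instead of nothing: a real client retries over TCP,
        # while a spoofed victim receives only a tiny packet.
        slip 2;

        # Never limit our own secondaries and monitoring (placeholder range).
        exempt-clients { 192.0.2.0/24; };

        # Start with "yes" to see what would be dropped before enforcing.
        log-only no;
    };
};
```

Deploy with log-only yes first and watch the rate-limit logging category for a few days; if legitimate resolvers for large populations are being limited, raise responses-per-second or widen exempt-clients before switching enforcement on.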

Cache management – ISPs provide better response time by keeping popular information available in their cache. BIND 9.10 includes a new feature, DNS prefetch, that refreshes popular entries in the cache before they expire. BIND also gives operators flexible options for removing entries from the cache: rndc can flush a single name (rndc flushname), an entire subtree (rndc flushtree) or the whole cache (rndc flush). This is useful for quickly eliminating stale or incorrect data, including records injected by a cache-poisoning attempt.

DNSSEC negative trust anchors – ISPs providing DNSSEC validation service for their users need the flexibility to disable validation selectively for domains that are temporarily ‘broken’. The negative trust anchor provides that flexibility. This is a new feature, available to ISPs in the premium ‘subscription’ version of BIND.

Enterprise – Private Recursive, Private and Public Authoritative service

Enterprises typically provide recursive resolvers for their internal clients, as well as authoritative services, to publish their own enterprise.com domains.

Key features of interest to Enterprise users include:

Operational familiarity – BIND is a single software system that supports both authoritative and recursive functions. It is recommended to run the two functions on separate servers, so that a poisoned cache can never affect authoritative answers and each role can have its own access policy, but you can use the same software for both. In an enterprise that might not need many DNS servers, it simplifies operations to have only one system to learn. Few other DNS implementations can act as either an authoritative server or a full recursive resolver.

Views – Often the enterprise would like some authoritative domains to be for internal users only. For example, Widgets.com might have one web site for customers and the general public, but a different site just for employees. The employee web site could carry confidential internal information, such as HR policies. This can be done in either of two ways. BIND views can give different responses to internal and external clients, selected by the client’s source address. With the release of BIND 9.10, multiple views can share zones, so zones that are valid both internally and externally no longer need to be duplicated.

Split DNS – Alternatively, an enterprise can run separate authoritative servers for internal and external clients and simply publish some zones on the internal servers only. Both the internal and external zones can still be managed from a single ‘master’ BIND system that feeds the two sets of servers.
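
An added example for the two approaches above (constructed for this page, not code from the BIND distribution): one named.conf with an internal and an external view, where the public zone is loaded once and shared with the BIND 9.10 in-view option while an internal-only zone exists only in the internal view. The zone names, ACL prefixes and file paths are placeholders. The same two zone files could equally be split across separate internal and external servers fed from one master.

```conf
# Added example: internal and external views sharing the public zone.
acl "internal" { localhost; 10.0.0.0/8; 172.16.0.0/12; 192.168.0.0/16; };

# Views are tried in order and the first match-clients hit wins,
# so the internal view must come first.
view "internal" {
    match-clients { internal; };
    recursion yes;                 # employees may use this server as a resolver

    # Public zone, loaded once here...
    zone "widgets.example" {
        type master;
        file "/var/named/db.widgets.example";         # assumed path
    };

    # ...and an internal-only zone that never leaves this view.
    zone "corp.widgets.example" {
        type master;
        file "/var/named/db.corp.widgets.example";    # assumed path
    };
};

view "external" {
    match-clients { any; };
    recursion no;                  # never recurse for the Internet

    # BIND 9.10: reuse the zone already loaded in "internal" instead of
    # duplicating it (and its file, journal and signing state).
    zone "widgets.example" {
        in-view "internal";
    };

    # corp.widgets.example is deliberately absent: external clients asking
    # for those names are answered from the public zone only, which
    # returns NXDOMAIN unless it delegates the name.
};
```

Because match-clients is decided by the query’s source address, this keeps internal names away from hosts that are genuinely outside the network; it is not a substitute for keeping truly sensitive data out of DNS altogether.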

DNSSEC – BIND supports both DNSSEC validation in resolver mode and DNSSEC signing, that is publication of signed zones, in authoritative mode. Enterprises can easily enable DNSSEC validation in their resolver for their internal users, protecting those users from forged answers for any domain that is signed. With BIND, the enterprise can sign the zones it publishes externally but may elect to leave internal-only zones unsigned.

Top-level Domain – Public Authoritative DNS

Top-level domain publishers include the publishers of generic TLDs, such as .com, .org and .edu, and country-code domains such as .ca (Canada) and .uk (United Kingdom), also known as ‘ccTLDs’. Domain publishers are only concerned with BIND authoritative service features.

Provisioning and DNSSEC operations are two key technical challenges for a TLD operator. Top-level domain publishers have the challenge of maintaining a large number of zones, with frequent additions and changes.

Scalable Provisioning – BIND supports a hierarchical system for large-scale provisioning, using the roles of master and slave with standardized DNS mechanisms that propagate changes from a single master to many slaves. The operator updates a BIND master server with new information. The master server sends a NOTIFY message to the slaves, which then request a zone transfer as needed. BIND supports standard IXFR (incremental) and AXFR (full) zone transfers, authenticated with TSIG transaction signatures so that only authorized servers can pull the zone and transfers cannot be tampered with in transit. Over the years we have added many tuning options for making this system perform well at large scale. (A catalog of these options is at zytrax.com.)
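
An added example of the master/slave provisioning described above (constructed for this page, not code from the BIND distribution), showing the relevant parts of two separate named.conf files, one for the master at 192.0.2.1 and one for a slave at 192.0.2.2. The addresses are documentation ranges, the paths are assumed, and the TSIG secret is a placeholder: generate a real one with tsig-keygen (or ddns-confgen -k) and keep it private.

```conf
# Added example: master/slave provisioning with NOTIFY, IXFR and TSIG.

# --- master (192.0.2.1) ---
key "xfer-key" {
    algorithm hmac-sha256;
    secret "c2VjcmV0LWtleS1mb3ItZXhhbXBsZS1vbmx5";   # placeholder, not a real key
};

zone "example.net" {
    type master;
    file "/var/named/db.example.net";        # assumed path
    # Keep a journal of edits so slaves can pull incremental (IXFR)
    # changes instead of the whole zone after every update.
    ixfr-from-differences yes;
    # Notify only the listed slaves, not every NS record in the zone.
    notify explicit;
    also-notify { 192.0.2.2; 2001:db8::2; };
    # Only a transfer request signed with the key is honoured.
    allow-transfer { key "xfer-key"; };
};

# --- slave (192.0.2.2) ---
key "xfer-key" {
    algorithm hmac-sha256;
    secret "c2VjcmV0LWtleS1mb3ItZXhhbXBsZS1vbmx5";   # same key on both sides
};

# Sign everything sent to the master with the key.
server 192.0.2.1 { keys { "xfer-key"; }; };

zone "example.net" {
    type slave;
    file "/var/named/db.example.net.slave";  # local copy, assumed path
    masters { 192.0.2.1 key "xfer-key"; };
    # Accept NOTIFY from the master only.
    allow-notify { 192.0.2.1; };
    # A slave should not itself be an open transfer source.
    allow-transfer { none; };
};
```

Test from the slave with dig @192.0.2.1 example.net AXFR -y hmac-sha256:xfer-key:SECRET; the same request without -y must come back REFUSED. Newer BIND releases (9.16 and later) also accept the keywords primary, secondary and primaries in place of master, slave and masters.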

In-line DNSSEC Signing – TLD operators are also under significant mandates to DNSSEC-sign their zones. In-line signing, in which named signs a zone itself and keeps the signatures current while the operator continues to edit the unsigned zone data, is an extremely helpful BIND feature for this purpose. With in-line signing it is possible to maintain a very large number of signed zones (e.g. over 1 million).

Quantum Signing – A generic top-level domain is more likely to have a very large zone file than a large number of zone files. For this case, BIND’s quantum signing is helpful. The DNSSEC cryptographic operations can take several minutes to sign a very large zone. Quantum signing breaks the work into small batches between which the server keeps answering queries, so you can ‘serve while signing’ and re-signing does not cause a service interruption. Some gTLD operators using BIND have zone files that are hundreds of thousands of lines long.
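
An added example that covers the DNSSEC points made for enterprises and for TLD operators above (constructed for this page, not code from the BIND distribution): one named.conf fragment that turns on validation for the resolver side, in-line signs one authoritative zone with the signing work divided into quanta, and leaves an internal-only zone unsigned. Zone names, paths and the batch sizes are placeholders.

```conf
# Added example: DNSSEC validation plus in-line signing with signing quanta.
options {
    # Resolver side: validate answers against the built-in root trust
    # anchor, which named keeps up to date automatically (RFC 5011).
    dnssec-validation auto;
};

# Authoritative side: the operator keeps editing the plain, unsigned zone
# file; named maintains a separate signed copy and re-signs it in the
# background as records change and signatures approach expiry.
zone "example.net" {
    type master;
    file "/var/named/db.example.net";       # unsigned source, assumed path
    key-directory "/var/named/keys";        # ZSK and KSK made with dnssec-keygen
    inline-signing yes;
    auto-dnssec maintain;                   # use and roll the keys found in key-directory
    # Signing runs in quanta: after each batch named goes back to
    # answering queries, so a large zone is served while it is signed.
    sig-signing-nodes 100;                  # names examined per quantum
    sig-signing-signatures 10;              # signatures generated per quantum
    # Signatures are valid for 30 days and refreshed when 7 days remain.
    sig-validity-interval 30 7;
};

# Internal-only zone, deliberately left unsigned.
zone "corp.example.net" {
    type master;
    file "/var/named/db.corp.example.net";  # assumed path
};
```

Generate the keys into key-directory first (for example dnssec-keygen -K /var/named/keys -a ECDSAP256SHA256 example.net, and the same command with -f KSK), run rndc loadkeys example.net, and confirm with dig +dnssec example.net SOA that RRSIG records are returned; then publish the KSK’s DS record in the parent zone. BIND 9.16 and later replace auto-dnssec and inline-signing with a dnssec-policy statement that also generates the keys.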

Hardware Security Module (HSM) integration – HSMs are sometimes required for the strongest protection of signing key material: the private keys never leave the device, and BIND asks the HSM to produce each signature. With the release of BIND 9.10.0, BIND supports native PKCS#11 for outsourcing cryptography to an HSM. With prior versions, an HSM is reached through OpenSSL’s PKCS#11 engine support instead, and SoftHSM can stand in for a hardware device for testing.

Last modified: March 20, 2015 at 3:50 pm