BIND vs ncsd

Jim Holland mailscanner at MANGO.ZW
Sun Jul 17 10:52:30 IST 2005


On Sat, 16 Jul 2005, Drew Marshall wrote:

> It does become more complex as my DNS servers are also authoritative for 
> various domains as well as caching and Bind does make that easier, only 
> needing one IP address (I know there is a patch but I have never quite 
> got there). Who knows? Only thing that is certain is I am more confused 
> (Which doesn't take much) as to a preference.

I personally use Dan Bernstein's dnscache for local caching name service
and have found its performance to be excellent.  I also sympathise with
most of his arguments against BIND - especially the concept of keeping it
all simple, with separate executables for separate functions, simpler
configuration file formats, and for his greater attention to security
(default chroot installation for example).  It comes with many useful
utility programs that are very handy for use in batch files, producing
output in much more processable format than "dig".  I have never had any
problems with dnscache whatsoever, and it needs virtually no attention or
management.  I have only the following gripes against it:

	A "dig ... any" will only return NS records even if other records
	are cached for the domain.  But then "dig" is not part of the
	djbdns package . . .

	Dan Bernstein disparages anything that is not UNIX, so will
	not support an RPM version of dnscache, although I believe there
	are some out there.  This means that Linux-oriented people like
	me have more difficulty in understanding its logic (e.g. use of a
	/command directory and the unusual way the service is managed -
	see appended extract from pstree -ap for example).

I have not used djbdns for authoritative nameservice, so cannot comment
from experience. I use BIND named for traditional reasons (mainly so that
I am familiar enough with it to be able to support it for other people),
but follow Dan Bernstein's advice to keep authoritative nameservice and
caching nameservice quite separate, so operate them on different IP
addresses.  The BIND named service is configured to respond only to
queries on domains for which the server is authoritative and to reject any
other queries.  The caching nameservice is in fact on a private IP
address, so therefore totally inaccessible to external queries.  I plan to
drop BIND completely from the next server I set up and use only djbdns in
spite of its idiosyncrasies as it seems to be inherently better designed,
more flexible, more reliable and more secure than BIND.


Jim Holland
System Administrator
MANGO - Zimbabwe's non-profit e-mail service

 |-svscanboot(761) /command/svscanboot
 |  |-readproctitle(764) service errors: ...
 |  `-svscan(763) /service
 |     |-supervise(765) dnscache
 |     |  `-dnscache(768)
 |     |-supervise(766) log
 |     |  `-multilog(769) t ./main
 |     `-supervise(767) archive
 |        `-(supervise,2894)
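The split Jim describes (BIND answering only for its own zones on the public address, recursion refused, caching on a private address) can be expressed in a named.conf like the one below. This is an added illustration, not configuration from Jim's post or from the MailScanner project; 192.0.2.53, 10.0.0.53 and example.org are placeholder values, and the directory and zone file names are assumptions.

```conf
// Added example, not from the post above. Authoritative-only BIND named:
// listens on the public address alone, refuses recursion for everyone,
// and answers queries only for zones it is master (or slave) for.
options {
    directory "/var/named";                 // assumed path
    listen-on { 192.0.2.53; };              // public address only (placeholder)
    recursion no;                           // never resolve on a client's behalf
    allow-recursion { none; };              // belt and braces with recursion no
    allow-query { none; };                  // global default: refuse every query ...
};

zone "example.org" {                        // placeholder zone
    type master;
    file "example.org.zone";                // assumed file name
    allow-query { any; };                   // ... except for zones we are authoritative for
};

// The caching resolver (dnscache) runs as a separate process bound to a
// private address such as 10.0.0.53, which is never exposed externally,
// so the two services share no listening socket and no configuration.
```

A quick check from the outside of whether the separation holds: `dig @192.0.2.53 example.org SOA` should come back with the `aa` (authoritative answer) flag set, while `dig @192.0.2.53 www.example.com` (a name the server is not authoritative for) should be answered with status REFUSED rather than resolved. On the djbdns side, a stock `dnscache-conf` install keeps the listening address in `/service/dnscache/env/IP` and grants resolver access per client prefix through files under `/service/dnscache/root/ip/`, so pointing `env/IP` at the private address and listing only the internal prefixes there gives the same effect for the caching half.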
