Network orchestration with Micetro: open-source DNS

A look at open-source DNS options supported by Micetro by Men&Mice.

Jul 29th, 2021

Do you BIND your network to tradition? Or have you let it be free and Unbound? Or perhaps you harnessed the PowerDNS? (This does not indicate the characteristics of these open-source DNS implementations, I just wanted to write this joke.)

Technology, including network technology, is science. And as such, it’s born in open standards and expert collaboration, whether we’re talking about the computer scientists at Berkeley Labs in the 70s and 80s or the work the IETF has been doing for decades to ensure the internet (the biggest network of all) exists reliably and answers the challenges of our new, ever more connected world.

Enterprise networks aren’t the internet, but the technology that powers them comes from the peer-reviewed, openly managed sources of DNS and DHCP. Open-source software can exist not only because of talented and passionate developers but also the open standards that set the path for them.

DNS, in particular, is an inherently open technology. It has to be: its one-and-only job is to be available to anyone asking for information about a domain. Of course, in enterprise settings, that ‘anyone’ is a limited number of people, but the fact remains. And open-source DNS is a popular choice for enterprise networks, too. It carries all the benefits of open-source: reliability, security, highly scalable development. And, more often than not, it’s free. (Not counting any professional support and maintenance that you might buy.)

In this series about looking around the platforms and services Micetro supports, we thought we’d start with open-source DNS. You can use Micetro with:

  • BIND (natively)
  • Unbound
  • PowerDNS (the authoritative component, through a connector script)

There is more open-source DNS software available, and in the right hands the Men&Mice Generic DNS Server Controller is a highly capable orchestrator. But as enterprise businesses tend to gravitate toward these “big three,” we’ll limit our examination to them. (Additionally, official Men&Mice support only extends to these.)

BIND

BIND is the ‘grandaddy’ of DNS software. The fact that it’s short for “Berkeley Internet Name Domain” almost tells everything you need to know about its history and purpose.

BIND is the de facto DNS server on Unix-like systems (and the most widely used DNS software, period, as of 2015) and was developed initially by internet (née ARPANET) pioneers in California in the 1980s. That’s almost 40 years of history! We’ve talked about DNS not moving as fast as other technologies since it needs to remain stable and functional for mission-critical applications (in addition to cat pictures; whether that’s mission-critical or not, we’ll leave up to you) – BIND follows that pattern as well. The latest version of BIND is 9, released in 2000. That averages out to less than one major version every five years over its history, even though of course BIND has been continuously patched since 9 was released.

Of course, frequent releases don’t mean better quality or more features, just as fewer (major) releases don’t signal stale development. BIND is actively developed and maintained by ISC, patched for vulnerabilities and the like. (And we, running BIND on our own virtual appliances, are patching our software along with them.)

All this comes down to the fact that you’d be hard-pressed to find more feature-rich DNS software than BIND. (The BIND toolset also includes nslookup and dig. And remember: friends don’t let friends use nslookup.) It supports, to name just a few, multiple views, IPv6, RRL (Response Rate Limiting), DNSSEC, and TSIG keys. BIND can be used as either an authoritative or a recursive name server, depending on what you need. There’s a treasure trove of features and functionality in BIND. There are literally books (plural) that have been written on it. But if you’re coming from Microsoft DNS, a better introduction to BIND (and DNS in general) would be the DNS&BIND training courses we offer. Jumpstart your BIND chops or Leap Ahead with us. (Puns intended.)
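As an added illustration (not configuration from this article or from Men&Mice), here is a minimal BIND 9 named.conf fragment that exercises the features just listed: a TSIG key guarding zone transfers, RRL, DNSSEC validation, and two views that answer the same zone differently for internal and external clients. All names, addresses and the key secret are constructed placeholders; `type primary` is the BIND 9.16+ spelling (older releases use `type master`).

```conf
// Constructed example, not from the article. Generate a real key with:
//   tsig-keygen xfer-key
key "xfer-key" {
    algorithm hmac-sha256;
    // placeholder secret (base64 of "sample-key-not-for-production")
    secret "c2FtcGxlLWtleS1ub3QtZm9yLXByb2R1Y3Rpb24=";
};

// Address ranges treated as "inside" the enterprise (placeholders).
acl "internal" { 10.0.0.0/8; 192.168.0.0/16; localhost; };

options {
    directory "/var/named";
    recursion no;               // authoritative-only unless a view says otherwise
    allow-transfer { none; };   // no zone transfers unless a zone opts in
    dnssec-validation auto;     // validate answers using the built-in root trust anchor
    rate-limit {                // RRL: limit identical responses per client netblock
        responses-per-second 10;
        window 5;
    };
};

// Internal clients get recursion and the full internal view of the zone.
view "internal" {
    match-clients { internal; };
    recursion yes;
    zone "example.test" {
        type primary;
        file "example.test.internal.db";
        // secondaries must sign the AXFR/IXFR request with the TSIG key
        allow-transfer { key xfer-key; };
    };
};

// Everyone else sees a separate, authoritative-only copy of the zone.
view "external" {
    match-clients { any; };
    recursion no;
    zone "example.test" {
        type primary;
        file "example.test.external.db";
    };
};
```

Check the syntax with `named-checkconf` before reloading; with views in use, every zone (including any root hints) must live inside a view.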

Micetro handles BIND natively, with a DNS Server Controller (a tiny daemon running alongside BIND on your DNS server) that translates between BIND and Micetro. In the user interface and through the API, you get to control BIND as if you interfaced with it directly – but with the added benefit of having access to all the other environments (plus rich DHCP and IPAM data) at the same time.

Unbound

The Unbound DNS server was developed in the early 2000s by our friends at NLnet Labs, following the design from two developers at Kirei and Nominet. Originally written in Java, it was later re-written in C for better performance. (The folks at the University of Amsterdam wrote a paper in 2015 on the performance analysis of DNS software: read it here.)

While it doesn’t have BIND’s illustrious history, Unbound was born from the ‘Age of the Internet’ and thus built around a modular framework (something BIND is also pivoting toward, with version 10) with support for all that a modern network can ask for: DNSSEC, IPv6, DoT and DoH, among others. In fact, thanks to its performance and security, it was made the default name server in FreeBSD and OpenBSD.

We’ve long been a fan of Unbound and wrote some blogs over the years about the benefits of using it. Our caching virtual appliance comes with Unbound, should you want to use it. Its support for authoritative DNS is partial, though. (You can use forward and reverse resolution of A records, but perhaps best limit it to smaller networks.)

Unbound is an excellent choice for recursive and caching, and we’re always for a diverse configuration of environments for redundancy and performance tweaking. Micetro excels in orchestrating diverse networks, so why wouldn’t you take advantage of it?

PowerDNS

PowerDNS, being from the 1990s, falls between BIND and Unbound historically. Not quite the history of the ARPANET days but not yet the rapidly shifting landscape of the internet as we know it. Originally proprietary, the company released the code under the GPL in 2002.

PowerDNS is different from BIND and Unbound in that while it also can be used as either an authoritative or recursive DNS server, it supplies separate packages for each. Depending on which one you need, you download the appropriate package – from that point, though, both can work together in happy unison.

Due to its scalability, PowerDNS can be a good choice for large enterprise networks. It also supports all the standard functionality you’d expect from DNS software, such as DNSSEC and IPv6.

Micetro supports PowerDNS (with MySQL backend) with the Generic DNS Server Controller and a connector script. Whether you inherited a PowerDNS setup from a merger or recent acquisition or want to deploy it on your own: Micetro has your back.

More open-source DNS than you can shake a stick at

The nature of the open-source software world is that everything has almost as many variants as there are developers. It’s almost like the Loki TV show, except there’s no TVA to prune your options for an open-source DNS server.

Men&Mice cannot possibly keep up with all of them, at least not if we want to keep our developers sane. (And we do. We ❤️ our developers.) But if you’re so inclined, use the Generic Server Controller and the PowerDNS connector script as a guide and experiment! After all, that’s how open-source works. Just be sure to let us know your findings: we’re happy to work with the community in making better options available for everyone.

This concludes our adventure into the land of open-source DNS. Next time we’ll visit the neighboring kingdom of open-source DHCP and see what we find.