What is BIND?

Berkeley Internet Name Domain (BIND) is the most popular Domain Name System (DNS) server in use today. It was developed in the 1980s at the University of Berkley and is currently in version 9. BIND is an open source system free to download and use , offered under the Mozilla Public License.

BIND can be used to run a caching DNS server or an authoritative name server, and provides features like load balancing, notify, dynamic update, split DNS, DNSSEC, IPv6, and more.

History of BIND

BIND was written by four graduate students at the University of California, Berkeley — Douglas Terry, Mark Painter, David Riggle and Songnian Zhou, as part of the DARPA project (the predecessor of the modern Internet). In the mid-1980s, development was taken over by Paul Vixie of Digital Equipment Corporation, and in 2012 the project because the ownership of the Internet Systems Consortium (ISC).

The latest version of BIND, , was released in 2000 and offered support for DNSSEC, TSIG, nsupdate, IPv6, and remote name daemon control with encryption via shared secret. A newer version,

BIND 10, was released in 2014, but the ISC concluded its work on the project due to cost considerations, renamed it and delegated its development to the community.

BIND Components

BIND has the following main components:

Name Server

Maintains a DNS zone file and responds to DNS requests, acting either as a Caching-Only Name Server, for use by clients internal to an organization, or an Authoritative-Only Name Server, for use by external clients.

Lightweight Resolver

BIND provides a combination of a lightweight resolver library that can be run on DNS clients, such as host operating systems or routers, and a resolver daemon process which can run on a local host. Both communicate using a UDP-based Lightweight Resolver Protocol.

Name Server Tools

BIND provides tools that help manage a DNS system, including:

  • dig — allows users to run DNS queries and view server output.
  • host — converts hostnames to IP addresses.
  • nslookup — queries DNS servers for information about hosts and domains.
  • Remote Name Daemon Control (rndc) — allows administrators to control all operations of the name server via an encrypted channel.

Common BIND Operations and Features

BIND provides the following main features and capabilities:

  • Authoritative DNS — publishes DNS records under the server’s authoritative control
  • Cache-Only DNS — provides DNS name resolution for applications by relaying requests to an authoritative server, or acting as a slave DNS server that holds a read-only copy of the authoritative zone file
  • Basic DNS load balancing — can be achieved using multiple A records for one name
  • DNS notify — allows master DNS servers to notify slave servers of changes to zone data
  • Dynamic update — a method for adding, replacing or deleting records in a master server by sending a special type of DNS message (defined in RFC 2136)
  • Incremental zone transfer (IXFR) — allows slave servers to transfer only modified data, instead of the entire DNS zone (defined in RFC 1995)
  • Split DNS — allows different views of the DNS space to internal and external resolvers — for example to hide internal DNS data from external clients
  • Transaction Signatures (TSIG) — makes it possible to authenticate DNS messages by cryptographically signing them with a shared secret (defined in RFC 2845)
  • Transaction Key (TKEY) — makes it possible to negotiate a shared secret between two hosts (defined in RFC 2930)
  • DNSSEC — the latest version of BIND supports cyptographic authentication of DNS information through DNSSEC extensions (defined in RFC 4033, 4034, 4035)
  • IPv6 — BIND enables the use of AAAA records to translate hostnames to new IPv6 IP addresses

For more information on these features and their usage, refer to BIND 9 Administration Reference Manual .

Advantages of BIND

BIND enjoys several important advantages, which make it by far the most popular DNS server on the Internet:

  • Broad usage and strong community — BIND is a de facto standard for DNS in Linux systems, and is actively supported by a large open source community.
  • Stable — BIND is used in millions of production DNS servers and is known for stable and predictable operation.
  • Good platform support — BIND supports Linux, NetBSD, FreeBSD, OpenBSD, macOS and Windows.
  • Comprehensive feature set — BIND is one of the only DNS servers that covers all basic DNS functionality — see Wikipedia’s of BIND with other DNS servers. detailed comparison

Disadvantages of BIND

  • Security and vulnerabilities — BIND 4 and BIND 8 suffered from major significant issues; BIND version 9 was a complete rewrite that resolved those issues. BIND 9 also suffered from over 50 known vulnerabilities, which are on the ISC website and have been patched in latest versions. The huge popularity of BIND means it is a major target for attackers and users must keep informed of security issues and upgrade regularly. clearly disclosed
  • Limited replication capabilities — BIND does not enable replicating the DNS backend database. It only allows replication via traditional master/slave configuration.
  • Changes require restart — in BIND, any change to DNS zone files requires a restart. This can be an issue for large DNS servers that maintain multiple zone files.
  • No caching for individual packets or queries — BIND cannot cache specific packets or queries requested previously by DNS clients, which can have performance benefits. It can only cache the entire DNS zone, when acting as a caching or forwarding server.

The following are disadvantages common to BIND and other first-generation DNS servers like PowerDNS and Microsoft DNS:

  • Slow propagation — global propagation of DNS changes commonly take 1–2 days
  • Lacks traffic management features — cannot route traffic to the most appropriate server using parameters like user location, server load, server capabilities, etc.

Managed DNS Services

It is quite complex to independently setup a DNS server, whether using BIND or other software. Many organizations prefer to use DNS as a service, provided by their hosting company or specialized DNS service providers. Using DNS as a managed service has several advantages:

  • Instant setup — no need to install and configure DNS
  • Less overhead — no need to monitor and maintain DNS systems
  • Guaranteed uptime — most DNS providers guarantee uptime of 99.9% or higher, with backup and recovery built in, which is difficult to achieve with your own server
  • Improved capabilities — some DNS services provide enhanced features, such as DNS load balancing with external monitoring of server uptime

The downsides of using a managed DNS service is a monthly subscription cost, reduced configuration flexibility, and a reliance on the DNS provider in terms of performance, uptime and security.

Next-Generation DNS Solutions: Beyond BIND

DNS technology has advanced beyond first-generation solutions like BIND. Modern DNS servers can help you achieve things you never thought you could do with DNS.

NS1 provides a next-generation DNS server with several unique capabilities, made possible by an improved DNS implementation and an API that lets resources communicate their status and important meta data to the DNS server:

  • Instant propagation — NS1’s managed DNS service provides a global network that can propagate DNS changes in milliseconds.
  • Location aware — NS1 obtains geographical metadata about every DNS resource, determines user location via geo-IP, and performs proximity-based routing for every user request.
  • Bandwidth and connectivity aware — NS1 performs regular health checks on resources to check availability, bandwidth and network latency, and uses this data to route users to the most responsive available resource.
  • Load, capacity and cost aware — NS1 determines internal traffic parameters for each resource such as load, capacity and number of current connections, or even the cost of the resource (e.g. for CDNs) — and makes an optimal routing decision.

NS1 is available both as a managed service, and as a server you can deploy in your network, just like BIND:

  • NS1 Managed DNS Service — based on a global anycasted network with 24 PoPs connected to Tier 1 Internet Service Providers, with hundreds of Gbps of capacity at all times. Guaranteed 100% uptime and very high performance compared to traditional DNS solutions, as well as next-gen DNS features.
  • NS1 Private DNS — a next-gen DNS server you can deploy in your data center, to dramatically improve performance and enjoy next-gen DNS features that BIND and similar products do not have.

Other resources







Did you find this article valuable?

Support Cyber Security by becoming a sponsor. Any amount is appreciated!