Replace dnsmasq with BIND9

Just a thought, I realised that Nethserver is using dnsmasq as the DNS services, but could future versions have BIND9 services instead.

I only ask because Bind is more flexible and more suited to larger network infrastructures then dnsmasq, which would allow the server administrators more configuration possibilities.

I realise that this would involve some extra work, but would allow more of a industry standard within Nethserver (also this would allow for a separation between DNS and DHCP services, which in turn would reduce fallover issues – eg. if DHCP services fail then this setup would still allow DNS to function independently).

3 Likes

@medworthy, why do we need monsters :slight_smile:

As for DHCP server we can split DNSMASq and ISC-DHCP

2 Likes

Ok, I submit that DNSMasq is a viable alternative to Bind, but the Nethserver module / interface that controls this service could do with some work / more features (such as being able to define primary and secondary servers, reverse DNS etc. – I am thinking of similar functions that is incorporated within SUSEs YAST module.)

If NethServer will be a business product, with BIND9 as integrated module (of course with GUI), you can have your own Authoritative Server not only DNS forwarder as with DNSMASQ.
For NethServer as a Home User Product, DNSMASQ it’s enough.

A good comparison between BIND9 and DNSMASQ is here: https://en.wikipedia.org/wiki/Comparison_of_DNS_server_software

Assuming that you trust your upstream server isn’t spying on you or subverting your requests. :scream:

Cheers.

2 Likes

Hi Eddie,

You are right!
Sincerely, I wrote that sentence because many of community members still want NethServer as Home User Product and not NethServer as Business Product.
I want to use NS as Business Product. This option, BIND9, will be a step forward for a Business Product. IMO.

Take also a look to unbound which can directly query root DNS.

Before adding unbound, I evaluated and used bind (that I know well having managed a local ISP last century) on NethServer.
I’d select unbound to replace/complement dnsmasq.
I think it will not be hard to switch to unbound even today, with a few hours work.

Why do you have preferred unbound rather than bind?

I needed a recursive caching dns not an authoritative one.

1 Like

Just adding my two cents here. I would like a full featured DNS solution. I am currently frustrated with the lack of CNAME functionality in the current implementation. I am sure I will run into other limitations as well.

In order to use nethserver as a domain controller integrated with another microsoft domain controller will be unbounnd a reliable solution ? All articles read used bind 9

We have no idea since it hasn’t been tested. For now, we are using internal Samba 4 DNS.

I heard someone is currently testing it

Reversing the scenario: is supported by Microsoft the use of mixed AD Domain controllers with Windows and Linux?

Attach a NethServer installation via LDAP to AD is useful, replace the current DC with another one made by NethServer has been tested (if i remember correctly) as a viable path for an existing environment.

But use a dual DC configuration like this seems to set a little timebomb hoping that the timer will be broken.

See
Configure DHCP to update DNS records with BIND9
and
BIND9 DLZ DNS Back End
to interface Samba4, ISC-DHCPd and BIND9 with each other in order to get a professional Active Directory Controller including DHCP.

Zentyal works that way.

This allows to use BIND9 as a hidden primary nameserver with Let’s encrypt wildcard certificates, too.

1 Like

Hi

There should be both options:

Unbound for Home and some SME users/clients,
BIND for those who need a (the) standard DNS Server.

The Webinterface should allow creating domains, but also the diverse stuff like CNAME, TXT, PTR. At the moment the reverse will take whatever last entry you make pointing to that ip, as all are “A” records, only CNAMES possible are server aliases…

Issues users are having like with DKIM and other stuff would be MUCH less with such options.
The NethServer should come with a reasonable set of defaults, like mail, imap, smtp aliases when adding a mailserver, but also the correct MX and other options like DKIM and TXT.
Nowadays, these are needed for a well working mail service.

I’m an old hand with BIND, i was running that for more than 10 years on OpenBSD - you can’t get a more secure DNS server than that!
But i do like the options Unbound offers, OPNsense (My choice of separate firewall box/os) has that on board. That makes it extremly easy to “localhost” say *.facebook.com or *.youtube.com (and all country extensions like .de)…
:slight_smile:

The DHCP should also offer the option of setting the DNS FQDN when “fixing” an IP.
This is easily possible with both options.

That would open up a lot more possibilities for all kinds of use cases, home and business.

My 2 cents
Andy

2 Likes

Hi @paolo Thanks for mentioning this again… There have been several discussions about multi DC solutions. Although I disagree, the devs (represented by @davidep and @giacomo) have stated multiple times that multi DC will not be implemented. Their reasoning is: if you want multiDC, you better use MS Windows Server.
My personal reasoning is: in a serious environment you don’t allow single point of failure so dual DC is a MUST.
Again, I disagree on the view of the devs, but have to let this go and concentrate on adding modules that can be used for several different environments. In my case I concentrate on educational applications.

1 Like

@davidep @giacomo

In my opinion limiting the focus only to MS Windows Active Directory servers is careless. One Higher Regional Court, two universities, three city administrations and multiple companies went down for weeks within the last year in Germany - mostly because of attacks on the MS Windows Active Directory servers.

Linux distributions are much more robust against attacks and viruses (e.g Emotet). I suggest to reconsider multiple Active Directory controllers.

See Joining a Samba DC to an Existing Active Directory

1 Like

We already reconsidered it multiple times and I have to state again that such feature is currently out of our target for NethServer.
But since the project is open source, any contribution is welcome! :wink:

1 Like