The "big four". The "CVE" links point to the National Vulnerability
Database's list of security issues for the program in question;
I also have a comparison of
DNS servers' security history
- BIND is
the swiss army knife of DNS servers. It has a lot of
features and can do pretty much everything. It's also
a big binary and sometimes difficult to configure. CVE
- Unbound and NSD make up a suite of
DNS servers; they are both from NLnet Labs.
one (NSD) puts your web page on
the Internet; the other (Unbound) looks for web pages on the Internet. NSD
CVE (None of those entries look to point to NSD; it
appears to have no CVE entries) Unbound
- PowerDNS (which
like Unbound/NSD, is two separate programs) has a lot of
flexibility with connecting to databases or what not to
resolve a DNS name. Used by Wikimedia, among others. CVE.
- MaraDNS. I think it's the
best one, but my opinion
is a little biased. It was once a single program,
now two separate programs (like Unbound/BSD and PowerDNS)
Easy-to-configure; tiny binary suitable for embedded systems. CVE
There are many many other DNS servers, both open source and non-open
Some other DNS servers:
Freely downloadable DNS servers
Caching DNS servers
Non-recursive DNS servers
- DjbDNS. Great
tiny two-program DNS suite that sadly hasn't been updated since 2001. Yes,
it does have security problems (That's a CVE link). Note that
there are still
people on the Internet who pretend DjbDNS 1.05 is magically perfectly
secure. Stagnant; there doesn't appear to be a currently maintained
unofficial fork, where "currently maintained" is defined as being able to
compile on modern Linux systems out of the box and being patched against all
CVE security holes.
is a non-recursive caching DNS server.
- pdnsd is a
recursive caching DNS server. Paul Rombouts is (was?) the current
maintainer of this program.
- Posadis is another DNS
server project, similar to MaraDNS. This server is now both
a resolving and an authoritative DNS server. Hasn't been updated in
Abandoned DNS server projects
- Knot DNS has DNSSEC support.
- MyDNS is an authoritative-only
DNS server which uses MySQL as a database back end. The most currently
updated version appears to be MyDNS-ng, the "next generation" version of MyDNS.
- SDNS is a project
written in the late 1990s by Sandia Labs. Like MaraDNS, this project
was written with security in mind. Since this is a government
project, the code is public domain. The program does not seem to be
downloadable anywhere, so I am mirroring it here. I would like to thank
Fred Cohen for informing me about this package.
- The Pliant language/package
comes with a
DNS server. This DNS server can not recursively process DNS queries
given a list of root servers.
- Twisted includes a
non-recursive DNS server.
- DnsJAVA is an authoritative-only
DNS server written in Java.
- The Eddit project includes a
- SheerDNS is a
simple non-caching DNS server that stores all records as their
These are DNS server projects which have not released any files for a
significant period of time, and are not fully functioning DNS servers
(either because the program did not have basic DNS functionality when
abandoned, the program was not documented before being abandoned, or
because the program was abandoned so long ago that it is not fully
functional on today's internet).
Proprietary DNS solutions
No, I have not listed every single DNS server that exists here.