BIND 9

An authoritative DNS server answers requests from resolvers, using information about the domain names it is authoritative for. You can provide DNS services on the Internet by installing this software on a server and giving it information about your domain names. The BIND 9 documentation includes a description of the Primary/Secondary/Stealth Secondary roles for authoritative servers.

RRL

Response Rate Limiting (RRL) is an enhancement to named to reduce the problem of "amplification attacks" by rate-limiting DNS responses. This feature is on by default because it has proven to be so effective; it’s now even more effective with DNS Cookies, which focus rate-limiting on unknown clients. DNS cookies, per RFC 7873, are exchanged between client and server to provide IP address identity, helping to prevent attacks using forged IP addresses. Servers enforcing cookies are less susceptible to being used as an effective attack vector for DNS DDOS attacks.

Minimal ANY Responses

Queries for ANY records are a possible abuse mechanism because they typically extract a response much larger than the query. The minimal-any option reduces the size of answers to UDP queries for type ANY by implementing one of the strategies in "draft-ietf-dnsop-refuse-any": returning a single arbitrarily-selected RRset that matches the query name rather than returning all of the matching RRsets.

DLZ

Dynamically Loadable Zones (DLZ) enable BIND 9 to retrieve zone data directly from an external database. Not recommended for high-query rate authoritative environments.

Minimum Re-load Time

Update your BIND 9 server zone files with the remote name daemon control (rndc) utility, without restarting BIND 9. For those times when you do have to restart, the ‘map’ zone file format can dramatically speed up reloading a large zone file into BIND 9, such as on restart.

HSM Support

HSMs are used to store key material outside of BIND 9 for security reasons. BIND 9 supports the use of Hardware Security Modules through the OpenSSL PKCS#11 provider, which ISC has helped to improve.

DNSSEC with Inline Signing

BIND 9 fully supports DNSSEC and has a mature, full-featured, easy-to-use implementation. Once you have initially signed your zones, BIND 9 can automatically re-sign dynamically updated records with inline signing. BIND’s Key and Signing Policy utility will help you maintain your DNSSEC implementation, periodically updating keys and signatures according to the policy you establish.

Catalog Zones

Catalog zones facilitate the provisioning of zone information across a nameserver constellation. Catalog zones are particularly useful when there is a large number of secondary servers. This feature will automatically propagate new zones added to the primary to the secondary servers, or remove zones deleted from the primary, eliminating the need for separate scripts to do this.

dnstap

Dnstap is a fast, flexible method for capturing and logging DNS traffic, developed by Robert Edmonds at Farsight Security, Inc. Dnstap is supported by several open-source DNS servers, including BIND. Using dnstap enables capturing both query and response logs, with a reduced impact on the overall throughput of the BIND server than native BIND logging. Messages may be logged to a file or to a UNIX socket. Support for log-file rotation will depend on which option you choose. A utility ‘dnstap-read’ has been added to allow dnstap data to be presented in a human-readable format.

Scaleable Primary-Secondary Hierarchy

A DNS authoritative system is composed of a primary with one or more secondary servers. Zone files are established and updated on a primary server. Secondaries maintain copies of the zone files and answer queries. This configuration allows scaling the answer capacity by adding more secondaries, while zone information is maintained in only one place. The primary signals that updated information is available with a NOTIFY message to the secondaries, and the secondaries then initiate a zone transfer from the primary. BIND 9 fully supports both the AXFR (complete transfer) and IXFR (incremental transfer) methods, using the standard TSIG security mechanism between servers. There are a number of configuration options for controlling the zone updating process.

A resolver is a program that resolves questions about names by sending those questions to appropriate servers and responding to the servers’ replies. In the most common application, a web browser uses a local stub resolver library on the same computer to look up names in the DNS. That stub resolver is part of the operating system. The stub resolver usually will forward queries to a caching resolver, a server or group of servers on the network dedicated to DNS services. Those resolvers will send queries to one or multiple authoritative servers in order to find the IP address for that DNS name.

NX Domain re-direct

When a customer searches for a non-existent domain (NXDOMAIN response), you can redirect the user to another web page. This is done using the BIND 9 DLZ feature.

EDNS Client Subnet Identifier

The EDNS Client Subnet feature passes a subnet address along with the DNS request, for use in selecting a customized answer. This feature is designed to help locate cached content geographically close to the client for faster response time. ISC’s ECS implementation is deployed at Quad9, among other access providers. This feature is available in the BIND 9 Subscription Edition, a premium version of BIND offered to support subscribers.

Prefetch

Prefetch popular records before they expire from the cache. This will improve the performance delivered to end users for resolving names that have short expiration times.

Flexible Cache Controls

From time to time you may get incorrect or outdated records in the resolver cache. BIND 9 gives you the ability to remove them selectively or as a group.

Views - Split DNS

BIND 9 is unique in providing the ability to configure different views in a single BIND server. This allows you to give internal (on-network) and external (from the Internet) users different views of your DNS data, keeping some DNS information private.

Resolver Rate-limiting

BIND 9 offers two configuration parameters, fetches-per-zone and fetches-per-server. These features enable rate-limiting queries to authoritative systems that appear to be under attack. These features have been successful in mitigating the impact of a DDoS attack on resolvers in the path of the attack.

DNSSEC Validation

Protect your clients from imposter sites by validating DNSSEC. In BIND 9, this is enabled with a single command. BIND 9 also has a Negative Trust Anchor feature, which temporarily disables DNSSEC validation when there is a problem with the authoritative server’s DNSSEC support. BIND 9 offers support for RFC 5011 maintenance of root key trust anchors.

Response Policy Zones - RPZ

A Response Policy Zone or RPZ is a specially constructed zone that specifies a policy rule set. The primary application is for blocking access to domains that are believed to be published for abusive or illegal purposes. There are companies that specialize in identifying abusive sites on the Internet, which market these lists in the form of RPZ feeds. For more information on RPZ, including a list of DNS reputation feed providers, see https://dnsrpz.info.

DNS Privacy

BIND supports QNAME minimization by default. This feature minimizes leakage of excessive detail about the query to systems that need those details. BIND will be supporting two different encryption mechanisms, DNS over HTTPS (DoH) and DNS over TLS (DoT), in BIND 9.18. These implementations are available in the development branch today.