CrossNodes Briefing: BIND
The Berkeley Internet Name Domain (BIND) implements the Domain Name System (DNS) for a large share of Internet servers. The basic job of the software is deceptively simple. When a name server receives a query for a name such as www.crossnodes.com, it checks the zones it holds and its cache for the matching IP address. If it does not have the answer, it either forwards the query to another resolver or works down from the root servers, following each referral to the next server, until it reaches a server that is authoritative for the name and can return the address to the client.
Although the basic job seems simple, BIND remains a large and complex program. Several major versions are in use, and security holes have been reported in the various versions; patched releases are available from ISC.
The software is distributed as open source by the Internet Software Consortium (ISC, since renamed the Internet Systems Consortium) and was written for Unix systems. Some estimates credit BIND with up to 90 percent of all Internet name resolution, and ISC reports that users run it on AIX, HP-UX, Linux, Solaris, and Windows NT and 2000, among other systems.
A Problem of Versions
Graduate students at the University of California, Berkeley, wrote the first version, and ISC has released several major versions in the years since. Because the software is open source, users have customized it in the field, and some sites still run earlier versions to preserve that customized code. This makes it difficult to think about BIND as a single product. The most widely used versions are:
- Version 4.x: an early version, BIND 4 supports primary, secondary, and caching-only servers. It does not support dynamic updates to zone data, and it has no mechanism for receiving change notices (NOTIFY) from other BIND servers, so a secondary learns of changes only when its SOA refresh timer expires. It also issues a single query each time it forwards a request. ISC recommends using the latest version of BIND and warns that some exchanges between Version 9.x and Version 4.x servers are unpredictable.
- Version 8.x: based on the BIND 4 code base, this version supports dynamic updates to zone data and accepts change notifications (NOTIFY) from other servers running BIND 8.x. It also extends logging and access control, and it improves performance. Version 8.x uses a master-slave model in which one server holds the authoritative copy of a zone while the other servers for that zone load copies of it through zone transfers. Version 8.x also makes more efficient use of communications links by bundling requests to other servers, and it adds support for Internet Protocol version 6 address records.
- Version 9.x: written from scratch, Version 9.x is a more robust implementation of BIND. It supports Internet Protocol version 6, a configurable cache, improved performance, and enhanced auditing. It adds a layer of security with DNSSEC, which signs zone data so that resolvers can verify that records were not altered in transit, and TSIG, which uses a shared secret to authenticate queries, responses, dynamic updates, and zone transfers between servers. Version 9.x also takes advantage of multiprocessor servers.
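The zone-transfer model of Version 8.x and the TSIG support of Version 9.x, as an added configuration example that is not from the article or from ISC: a BIND 9 named.conf fragment for a master and a slave of the constructed zone crossnodes.com on the constructed addresses 192.0.2.1 and 192.0.2.2, with transfers and dynamic updates restricted to a TSIG key. The key name, secret, directory and file names are assumptions. The weak setting a practitioner should look for is shown beside the corrected one.

```conf
// --- named.conf on the master, 192.0.2.1 (constructed example) ---
// Shared secret: generate a real one with tsig-keygen on a current BIND 9.
// Early BIND 9 releases accept only hmac-md5; use hmac-sha256 wherever it is supported.
key "xfer-key" {
    algorithm hmac-sha256;
    secret "c2hhcmVkLXNlY3JldC1mb3ItdGhlLWV4YW1wbGU=";   // placeholder, not a real key
};

options {
    directory "/var/named";
    allow-transfer { none; };   // global default: no zone may be copied unless the zone says so
    recursion no;               // an authoritative server should not resolve names for the world
};

zone "crossnodes.com" {
    type master;
    file "db.crossnodes.com";
    // Weak setting to remove: allow-transfer { any; };  (anyone can download the whole zone)
    allow-transfer { key "xfer-key"; };   // only AXFR/IXFR requests signed with the key
    allow-update { none; };               // dynamic update stays disabled on this zone
    notify yes;
    also-notify { 192.0.2.2; };
};

// --- named.conf on the slave, 192.0.2.2 (constructed example) ---
key "xfer-key" {
    algorithm hmac-sha256;
    secret "c2hhcmVkLXNlY3JldC1mb3ItdGhlLWV4YW1wbGU=";
};

server 192.0.2.1 {
    keys { "xfer-key"; };   // sign every request sent to the master with this key
};

zone "crossnodes.com" {
    type slave;
    masters { 192.0.2.1; };
    file "sec/db.crossnodes.com";
    allow-transfer { none; };   // the copy is not re-served to third parties
};
```

Run named-checkconf before reloading either server. Once this is in place, a transfer request from any host that does not sign with the key is refused, which is the check to perform after installation: attempt an unsigned transfer from an unlisted machine and confirm that it is denied.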
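To show what the TSIG signature in Version 9.x actually covers, here is an added example, not BIND's code and not from the article, in Python that signs a DNS query with a TSIG record and verifies it on the receiving side, following RFC 2845 as updated by RFC 8945. The key name xfer-key, the secret, the query for www.crossnodes.com and the timestamps are constructed; hmac-sha256 is assumed as the algorithm, which early BIND 9 did not yet support (it used hmac-md5). The verifier returns the TSIG error name a server would send back, so it also shows the failure modes: unknown key, altered message, and a timestamp outside the fudge window.

```python
# Added example: TSIG signing and verification per RFC 2845 / RFC 8945. Not BIND's code.
import hashlib
import hmac
import struct

TYPE_TSIG = 250
CLASS_ANY = 255
# RFC 4635 algorithm name; early BIND 9 releases supported only hmac-md5 (assumption here).
ALGORITHMS = {"hmac-sha256.": hashlib.sha256}

def canonical(name: str) -> str:
    """Lowercase with a single trailing dot; TSIG key and algorithm names are case-insensitive."""
    return name.lower().rstrip(".") + "."

def encode_name(name: str) -> bytes:
    """Uncompressed wire form of a domain name, which is the form TSIG hashes."""
    labels = [l for l in canonical(name).rstrip(".").split(".") if l]
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"

def decode_name(msg: bytes, off: int):
    """Read a (possibly compressed) name at off; return (name, offset just past it)."""
    labels = []
    while True:
        n = msg[off]
        if n & 0xC0 == 0xC0:  # compression pointer to an earlier name
            ptr = struct.unpack("!H", msg[off:off + 2])[0] & 0x3FFF
            labels.append(decode_name(msg, ptr)[0].rstrip("."))
            return canonical(".".join(labels)), off + 2
        off += 1
        if n == 0:
            return canonical(".".join(labels)), off
        labels.append(msg[off:off + n].decode("ascii"))
        off += n

def build_query(qname: str, qtype: int = 1, msg_id: int = 0x1234) -> bytes:
    """Minimal DNS query (constructed): header with RD set and one question."""
    header = struct.pack("!HHHHHH", msg_id, 0x0100, 1, 0, 0, 0)
    return header + encode_name(qname) + struct.pack("!HH", qtype, 1)

def tsig_variables(key_name, alg, time_signed, fudge, error=0, other=b"") -> bytes:
    """TSIG fields covered by the MAC (RFC 8945 section 4.3.3): key name, class ANY, TTL 0, ..."""
    return (encode_name(key_name) + struct.pack("!HI", CLASS_ANY, 0)
            + encode_name(alg) + struct.pack("!Q", time_signed)[2:]  # 48-bit time signed
            + struct.pack("!HHH", fudge, error, len(other)) + other)

def tsig_sign(msg, key_name, secret, time_signed, fudge=300, request_mac=b"", alg="hmac-sha256."):
    """Append a TSIG RR to msg. A response passes the request's MAC so the two are chained."""
    data = struct.pack("!H", len(request_mac)) + request_mac if request_mac else b""
    data += msg + tsig_variables(key_name, alg, time_signed, fudge)
    mac = hmac.new(secret, data, ALGORITHMS[alg]).digest()
    original_id = struct.unpack("!H", msg[:2])[0]
    rdata = (encode_name(alg) + struct.pack("!Q", time_signed)[2:]
             + struct.pack("!HH", fudge, len(mac)) + mac
             + struct.pack("!HHH", original_id, 0, 0))  # error 0, no other data
    rr = encode_name(key_name) + struct.pack("!HHIH", TYPE_TSIG, CLASS_ANY, 0, len(rdata)) + rdata
    arcount = struct.unpack("!H", msg[10:12])[0] + 1  # the TSIG RR counts in the additional section
    return msg[:10] + struct.pack("!H", arcount) + msg[12:] + rr

def tsig_verify(signed, keys, now, request_mac=b""):
    """Check the TSIG RR; keys maps key name -> secret. Returns (ok, TSIG error name),
    testing key, MAC and time in the order RFC 8945 section 5.2 prescribes."""
    keys = {canonical(k): v for k, v in keys.items()}
    _id, _flags, qd, an, ns, ar = struct.unpack("!HHHHHH", signed[:12])
    if ar == 0:
        return False, "BADKEY"  # unsigned message: treated like an unknown key
    off = 12
    for _ in range(qd):
        off = decode_name(signed, off)[1] + 4  # skip QTYPE and QCLASS
    for _ in range(an + ns + ar - 1):  # TSIG must be the last RR in the message
        off = decode_name(signed, off)[1]
        off += 10 + struct.unpack("!H", signed[off + 8:off + 10])[0]
    tsig_start = off
    key_name, off = decode_name(signed, off)
    rtype, rclass, _ttl, _rdlen = struct.unpack("!HHIH", signed[off:off + 10])
    alg, off = decode_name(signed, off + 10)
    time_signed = int.from_bytes(signed[off:off + 6], "big")
    fudge, mac_size = struct.unpack("!HH", signed[off + 6:off + 10])
    mac = signed[off + 10:off + 10 + mac_size]
    off += 10 + mac_size
    original_id, error, other_len = struct.unpack("!HHH", signed[off:off + 6])
    other = signed[off + 6:off + 6 + other_len]
    if rtype != TYPE_TSIG or rclass != CLASS_ANY or key_name not in keys or alg not in ALGORITHMS:
        return False, "BADKEY"
    # Rebuild the message exactly as it was hashed: original ID, ARCOUNT - 1, TSIG RR removed.
    unsigned = (struct.pack("!H", original_id) + signed[2:10]
                + struct.pack("!H", ar - 1) + signed[12:tsig_start])
    data = struct.pack("!H", len(request_mac)) + request_mac if request_mac else b""
    data += unsigned + tsig_variables(key_name, alg, time_signed, fudge, error, other)
    if not hmac.compare_digest(mac, hmac.new(keys[key_name], data, ALGORITHMS[alg]).digest()):
        return False, "BADSIG"
    if abs(now - time_signed) > fudge:
        return False, "BADTIME"
    return True, "NOERROR"
```

The MAC covers the whole message, not just the answer, so flipping one bit of the question fails with BADSIG, and a response signed with the request's MAC chained in is tied to the specific query it answers. The time check comes last so that a message with a bad signature is rejected before its timestamp is considered.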
Global Load Balancers (GLB)
Communications managers also use BIND, alone or with an add-on product, to balance requests among servers. A global load balancer (GLB) steers clients to preferred servers, or to servers with a lighter workload, by controlling the addresses the DNS returns. Vendors take three approaches. BIND can hand the query to the GLB, which answers it. Alternatively, the GLB monitors traffic and changes the addresses BIND serves as conditions change. In other products, the GLB is integrated into the DNS server itself.
Some ISPs block or filter traffic as a security measure, and this can disrupt a GLB. Communications managers should therefore confer with their ISP and verify that their firewall permits the readdressing before they install a GLB.
Communications managers who want to run an Internet server need to consider BIND. It is best to run the latest version and to monitor the ISC web site for upgrades after the program is installed. Managers also need to ensure that their ISP, firewall, and other security components support BIND, especially if they plan to use a GLB with it. They should also remember that BIND is open source software: with a little searching, managers may find a customized implementation that spares them the work of making the software behave as they need. The trade-off is that a customized or older build can be hard to patch when ISC issues a security fix, so any such version needs a plan for tracking those fixes. Taking the time now to investigate BIND can save time and money later.
Gerald Williams serves as Director of Quality Assurance for Dolphin Inc., a software development company. Williams has extensive background in technology and testing, previously serving as Editorial Director with National Software Testing Labs (NSTL), Executive Editor with Datapro Research, and Managing Editor of Datapro's PC Communications reference service.