Saturday, August 15, 2009

I replaced BIND 9 with djbdns on FreeBSD

BIND 9 has been bugging me for a while now. We have an anti-spam email system which performs a ton of DNS lookups (we're talking 4.2 million queries a day) and works primarily as a caching name server.

In the past year or so I've been upgrading the system from FreeBSD 6.2 to FreeBSD 7.2. Everything has gone well except for BIND, which has suffered from general instability along the way as well as security issues. The biggest pain is that it crashes on occasion. It crashes rarely, but you'd expect software to get more stable as it goes along. It's frustrating when you upgrade something and things get worse; it makes you question why you upgraded in the first place and, in extreme cases, drives you to look for alternatives.

This whitepaper, which compares BIND to djbdns, led me to try out djbdns.

One thing which bothered me is that BIND takes up a crap load of memory... We're talking 600Mb+, and on a system with 4Gb of RAM that's significant. I never bothered looking up how to decrease the memory usage.

Below are my instructions (mostly from here) for installing djbdns on FreeBSD. You'll notice that at the end I increase the cache size to 100Mb. This is necessary because djbdns (dnscache) allocates its cache in RAM at start-up and by default uses only around 5Mb of RAM.

All in all, things look promising for my djbdns testing. In summary, BIND is a memory hog, has security issues from time to time and can sometimes crash. That is annoying.

Install djbdns on FreeBSD
Install the port:
sudo portinstall djbdns

Stop BIND:
sudo /etc/rc.d/named stop

Disable BIND and enable djbdns:
sudo vi /etc/rc.conf
--> Remove: named_enable="YES"
--> Add:    svscan_enable="YES"

Add relevant users:
sudo pw groupadd nofiles -g 800
sudo pw useradd dnslog   -g nofiles -u 810 -d /nonexistent -s /sbin/nologin
sudo pw useradd dnscache -g nofiles -u 811 -d /nonexistent -s /sbin/nologin

Add local DNS caching:
sudo dnscache-conf dnscache dnslog /data/dnscache

Tell svscan about the new service:
sudo mkdir /var/service
sudo ln -s /data/dnscache /var/service

Start up svscan:
sudo /usr/local/etc/rc.d/svscan start

Increase the cache size to 100Mb:
sudo sh -c "echo 100000000 > /var/service/dnscache/env/CACHESIZE"
sudo sh -c "echo 104857600 > /var/service/dnscache/env/DATALIMIT"
sudo svc -t /var/service/dnscache
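The last step is the one that is easy to get wrong: dnscache reads CACHESIZE (bytes of cache) and DATALIMIT (the data-segment limit the run script applies with softlimit) from its env directory, and DATALIMIT has to leave headroom above CACHESIZE for dnscache's other allocations, or the process refuses to start after the restart. The script below is an added example, not part of the original post or of djbdns itself: it wraps the env edits in POSIX sh functions that check the two numbers against each other before writing them, and only signals supervise when the service directory is actually under svscan. The function names, the MIN_HEADROOM constant (2 MB, an assumption; the post's own numbers leave about 4.6 MB) and the scratch-directory usage are mine, so the logic can be exercised without root before it is pointed at /var/service/dnscache.

```shell
#!/bin/sh
# Added example: set dnscache memory limits with a sanity check.
# Not code from the original post or from the djbdns package.

# Headroom dnscache needs above CACHESIZE inside DATALIMIT (assumed value).
MIN_HEADROOM=${MIN_HEADROOM:-2000000}

# check_limits CACHESIZE DATALIMIT
# Returns 0 if both are plain integers and DATALIMIT > CACHESIZE + headroom,
# 2 if either value is not a non-negative integer, 1 otherwise.
check_limits() {
    for n in "$1" "$2"; do
        case "$n" in ""|*[!0-9]*) return 2 ;; esac
    done
    [ "$2" -gt "$(($1 + MIN_HEADROOM))" ]
}

# set_dnscache_limits SERVICE_DIR CACHESIZE DATALIMIT
# Writes env/CACHESIZE and env/DATALIMIT, mirroring the post's
#   echo 100000000 > /var/service/dnscache/env/CACHESIZE
# but refusing combinations that would make dnscache fail at start-up.
set_dnscache_limits() {
    svcdir=$1; cachesize=$2; datalimit=$3
    check_limits "$cachesize" "$datalimit" || return 1
    mkdir -p "$svcdir/env" || return 1
    printf '%s\n' "$cachesize" > "$svcdir/env/CACHESIZE" || return 1
    printf '%s\n' "$datalimit" > "$svcdir/env/DATALIMIT" || return 1
}

# read_limit SERVICE_DIR NAME  -> prints the stored value
read_limit() {
    cat "$1/env/$2"
}

# restart_dnscache SERVICE_DIR
# supervise keeps its state in SERVICE_DIR/supervise once svscan has picked
# the service up; only then does 'svc -t' (send TERM, let supervise restart
# with the new env) make sense. Otherwise the env is read on first start.
restart_dnscache() {
    svcdir=$1
    if [ -d "$svcdir/supervise" ] && command -v svc >/dev/null 2>&1; then
        svc -t "$svcdir"
    else
        echo "$svcdir not supervised yet; env will be read on first start" >&2
        return 0
    fi
}

# Stand-alone usage: reproduce the post's values against a scratch directory.
if [ "${1:-}" = "--demo" ]; then
    demo=$(mktemp -d)
    set_dnscache_limits "$demo" 100000000 104857600 && echo "wrote limits to $demo/env"
    restart_dnscache "$demo"
    rm -rf "$demo"
fi
```

For the real service directory the calls are `set_dnscache_limits /var/service/dnscache 100000000 104857600` followed by `restart_dnscache /var/service/dnscache`, run as root. One point worth knowing while you are in that directory: dnscache-conf as used in the post binds dnscache to 127.0.0.1 and creates root/ip/127.0.0.1, so the cache answers only the local host and is not an open resolver; any other client subnet has to be added explicitly under root/ip/.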