djbdns - Continuous DNS service without continual software upgrades

This is

Please note that this website is It used to be accessible via or The holder of those two domain names registered them before I could. For a time, he served up a frame linking to He then let the registration lapse, and now the usual search page idiots have it. Thanks, guy.

Note that djbdns is not subject to the DNS vulnerability announced July 8. From the CERT Advisory: "Daniel J. Bernstein is credited with the original idea and implementation of randomized source ports in the DNS resolver."

Mirrors: USA (Alaska) Argentina Australia 1 Australia 2 (out-of-date) Belgium (broken as of 2004-08-29) Bosnia and Herzegovina England Ireland Italy Korea Poland Slovenia Turkey Wales (broken as of 2004-08-29)

Other languages: Or a Japanese one? Or a Turkish one? Or a Brazilian Portugese one ?

This web site also has standard HTML 2.0 navigation facilities, which you can use by enabling the link bar support in your web browser, if you haven't already done so.


djbdns is a replacement for BIND. It is secure, reliable, small, fast, etc etc etc. Just like all of Dan Bernstein's tools. Dan has his own home page for djbdns. We've got this one so we can distribute our enhancements to djbdns.

dnscache is a recursive resolver, intended to be listed in /etc/resolv.conf's "nameserver" entry. It makes DNS queries via UDP and TCP as needed. It imposes restrictions on what it will return; that's why it was written. It will only provide data obtained from authoritative servers. These servers are found via a chain of delegations from authoritative servers starting from the configured-in roots. That's part of its security model. If it were to do anything less, it would be subject to the same cache-poisoning style attacks that work on the current insecure DNS servers.

tinydns does authoritative nameserving via UDP only; it does not do recursive nameserving, nor does it answer TCP queries (axfrdns does that). The only hosts that should ask tinydns for a host are recursive nameservers, such as those found in /etc/resolv.conf, like djbdns or BIND. Tinydns should never be listed in /etc/resolv.conf. Tinydns interoperates properly with every authoritative and recursive nameserver I know of, and supporting all the standards needed to do so.

axfrdns does authoritative nameserving via TCP, and is also the zone transfer server. The zone transfer client is axfr-get. Both of these use Dan Bernstein's ucspi-tcp helpers. Why separate programs? To limit security incursions, and because many sites do not need zone transfers. As BIND has shown, excessive functionality is a root to security disasters.

Testimonials: lycos. Any others?



Commercial support

Commercial support for djbdns is available:




A few people have contributed enhancements:


Convenience tools for various resource record types

djbdns supports all possible resource record types with a generic syntax.

Log management and analysis

djbdns server logs are formatted to be easily machine-readable, not human-readable.

Database management

Data generation and conversion

DNS data publication

DNS lookup

Database replication via the "Zone transfer" mechanism

Miscellaneous contributions

Other (not djbdns-specific) DNS-related sites

Recommended patches

Russell Nelson
Many improvements by Jonathan de Boyne Pollard
Last modified: Sun Jan 16 12:27:30 EST 2011

Powered by djbdns