Knot DNS: A high-performance, authoritative DNS server


There was a time when BIND was the only open-source DNS server, but those times have changed and there are now several alternatives. If you are looking for more speed, lower memory use, better security, or simply more diversity in your DNS infrastructure, you might want to check out Knot DNS. It has just reached version 1.5.0, which brings memory and performance improvements along with dynamic processing modules that can help with IPv6 network management. Knot DNS is now able to process more than half a million queries per second while keeping its memory usage below that of BIND 9.

What is Knot DNS?

Knot DNS started out as an open-source project licensed under the GNU GPLv3 at CZ.NIC, the Czech Republic's national domain registry. When CZ.NIC started to run its own name servers for the .CZ top-level domain (TLD), there were only two usable open-source DNS servers with full standards coverage and the ability to run a TLD: BIND and NSD. In due course, CZ.NIC Labs, an R&D department, was formed and the decision was made to create a fast, modern, and open DNS server. The reasoning was that DNS is one of the most important protocols of the Internet, so its stability, security, and reliability would benefit from another implementation written from scratch with full standards compliance in mind; a second independent implementation also makes it less likely that a single bug takes down every server at once.

The first public release of Knot DNS (0.8) was published in 2011 and the project has come a long way since then. New features have been implemented, performance has improved further, and the code has been refactored with memory requirements in mind. Knot DNS is now able to cater to the needs of TLD and root zone operators, and it has also been successfully deployed in DNS-hosting scenarios. For a full list of features and configuration options, see the documentation; here we focus on the most notable features and improvements.

Features

Knot DNS is written in pure C as a threaded daemon. Because the zone data is shared among the server threads, updates to a zone, which can arrive from various sources (manual edits, incoming AXFR and IXFR transfers, dynamic DNS updates, or DNSSEC signing), must never leave the zone in an inconsistent state: a whole update, such as an incoming AXFR, has to be applied atomically. Knot DNS uses a technique you might know from the Linux kernel, Read-Copy-Update (RCU), via the userspace RCU library (liburcu): readers keep answering from the old copy of the zone while a new copy is prepared and then switched in with a single pointer update, so response speed is maintained even while zone contents change. This can, of course, be expensive memory-wise. Even though Knot DNS mitigates it by using shallow copies wherever possible, an incoming zone transfer can still temporarily double the zone's memory footprint.

Knot DNS is fully standards-compliant and interoperable with other DNS servers. The server speaks IPv4 and IPv6 over both UDP and TCP. Zone contents can be updated by editing the zone files, by incoming and outgoing full (AXFR) and incremental (IXFR) zone transfers, or by Dynamic DNS. Who may transfer or update a zone is controlled by IP access lists or by TSIG, the HMAC-based transaction signature; since a UDP source address is trivially spoofed, TSIG is the mechanism to rely on for anything that changes zone data. Support for the Name Server Identifier (NSID) option, which matters for anyone running DNS in anycast mode because it tells you which instance answered, is also included. New releases track and implement new DNS standards, and because the server also implements RFC 3597 it can handle unknown (future) resource record types.
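Because TSIG is what actually authenticates a zone transfer or dynamic update, it is worth seeing what the signature covers. The following Python is an added example written for this article, not code from Knot DNS: it builds a minimal UPDATE request for example.com., appends an RFC 2845 TSIG record computed with HMAC-SHA256 over a constructed sample key, and then verifies it the way a server would, checking the key name, recomputing the MAC over the original message plus the TSIG variables, and only then checking that the timestamp lies within the fudge window. The key name, secret and zone name are made up, and label compression is not handled.

```python
import hashlib
import hmac
import struct
import time

# Constructed sample key for this example (not a deployment key); real secrets come from a CSPRNG.
KEY_NAME = "update-key.example.com."
KEY_SECRET = bytes.fromhex("000102030405060708090a0b0c0d0e0f101112131415161718191a1b1c1d1e1f")
ALGORITHM = "hmac-sha256."  # algorithm name as sent on the wire (RFC 4635)
TSIG_TYPE, CLASS_ANY = 250, 255

def wire_name(name):
    """Dotted name -> uncompressed wire format, lowercased (TSIG canonical form)."""
    labels = [lab for lab in name.lower().rstrip(".").split(".") if lab]
    return b"".join(bytes([len(lab)]) + lab.encode("ascii") for lab in labels) + b"\x00"

def read_name(msg, pos):
    """Uncompressed wire name -> (dotted name, next position); no pointers assumed."""
    labels = []
    while msg[pos]:
        if msg[pos] & 0xC0:
            raise ValueError("compression pointers are not handled in this example")
        labels.append(msg[pos + 1:pos + 1 + msg[pos]].decode("ascii"))
        pos += 1 + msg[pos]
    return ".".join(labels) + ".", pos + 1

def build_update(msg_id, zone):
    """Minimal DNS UPDATE (opcode 5): header plus a zone section naming the SOA."""
    header = struct.pack("!HHHHHH", msg_id, 5 << 11, 1, 0, 0, 0)
    return header + wire_name(zone) + struct.pack("!HH", 6, 1)  # SOA, IN

def tsig_variables(key_name, time_signed, fudge, error=0, other=b""):
    """TSIG RR fields covered by the MAC (RFC 2845 section 3.4.2)."""
    return (wire_name(key_name) + struct.pack("!HI", CLASS_ANY, 0)
            + wire_name(ALGORITHM) + time_signed.to_bytes(6, "big")
            + struct.pack("!HHH", fudge, error, len(other)) + other)

def tsig_sign(message, key_name, secret, time_signed=None, fudge=300):
    """Append a TSIG RR to an unsigned request and bump ARCOUNT."""
    time_signed = int(time.time()) if time_signed is None else time_signed
    mac = hmac.new(secret, message + tsig_variables(key_name, time_signed, fudge),
                   hashlib.sha256).digest()
    rdata = (wire_name(ALGORITHM) + time_signed.to_bytes(6, "big")
             + struct.pack("!HH", fudge, len(mac)) + mac
             + message[:2] + struct.pack("!HH", 0, 0))  # original ID, error, other len
    rr = wire_name(key_name) + struct.pack("!HHIH", TSIG_TYPE, CLASS_ANY, 0, len(rdata)) + rdata
    arcount = struct.unpack("!H", message[10:12])[0] + 1
    return message[:10] + struct.pack("!H", arcount) + message[12:] + rr

def tsig_verify(signed, keys, now=None):
    """Validate the trailing TSIG RR; keys maps lowercase key name -> secret.
    Returns (ok, reason); reasons correspond to RFC 2845 BADKEY/BADSIG/BADTIME."""
    now = int(time.time()) if now is None else now
    counts = struct.unpack("!HHHH", signed[4:12])
    pos, last = 12, None
    for section, count in enumerate(counts):  # walk every record to find the last one
        for _ in range(count):
            start = pos
            name, pos = read_name(signed, pos)
            if section == 0:
                pos += 4  # QTYPE, QCLASS (the zone section of an UPDATE)
                continue
            rtype, _, _, rdlen = struct.unpack("!HHIH", signed[pos:pos + 10])
            pos += 10 + rdlen
            last = (start, name, rtype, pos - rdlen)
    if last is None or last[2] != TSIG_TYPE or pos != len(signed):
        return False, "no TSIG RR at end of message"
    start, key_name, _, p = last
    secret = keys.get(key_name.lower())
    if secret is None:
        return False, "unknown key"  # BADKEY
    algorithm, p = read_name(signed, p)
    if algorithm.lower() != ALGORITHM:
        return False, "unsupported algorithm"  # also BADKEY
    time_signed = int.from_bytes(signed[p:p + 6], "big")
    fudge, mac_size = struct.unpack("!HH", signed[p + 6:p + 10])
    mac = signed[p + 10:p + 10 + mac_size]
    p += 10 + mac_size
    original_id, error, other_len = struct.unpack("!HHH", signed[p:p + 6])
    other = signed[p + 6:p + 6 + other_len]
    # Rebuild what the signer hashed: original ID, ARCOUNT without the TSIG RR, body up to it.
    unsigned = (struct.pack("!H", original_id) + signed[2:10]
                + struct.pack("!H", counts[3] - 1) + signed[12:start])
    variables = tsig_variables(key_name, time_signed, fudge, error, other)
    expected = hmac.new(secret, unsigned + variables, hashlib.sha256).digest()
    if not hmac.compare_digest(mac, expected):
        return False, "bad signature"  # BADSIG; the MAC is checked before the clock
    if abs(now - time_signed) > fudge:
        return False, "time outside fudge window"  # BADTIME
    return True, "ok"

def demo():
    signed = tsig_sign(build_update(0x1234, "example.com."), KEY_NAME,
                       KEY_SECRET, time_signed=1700000000)
    tampered = bytearray(signed); tampered[14] ^= 1  # flip one bit in the zone name after signing
    keys = {KEY_NAME: KEY_SECRET}
    return [tsig_verify(signed, keys, now=1700000100)[1],
            tsig_verify(bytes(tampered), keys, now=1700000100)[1],
            tsig_verify(signed, {KEY_NAME: b"wrong"}, now=1700000100)[1],
            tsig_verify(signed, keys, now=1700001000)[1]]
```

The order of the checks matters: a bad MAC is reported before a bad time, otherwise someone without the key could still probe the server's clock. knsupdate, like nsupdate, signs its requests with TSIG, so a key configured in Knot can be exercised against a test zone in exactly this way.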

Dynamic processing modules are code hooks that can plug into the query-response processing chain and alter the incoming and outgoing DNS messages according to a configured rule. This feature, introduced in version 1.5.0, makes Knot DNS into more than just a simple DNS server. Right now, there are two modules: synth_record and dnstap, and the team plans to add more to support geolocation and high-availability.

The dnstap module implements a flexible, structured binary log format for DNS software. It uses Protocol Buffers to encode events that occur inside DNS software in an implementation-neutral format.

Managing IPv6 reverse (PTR) and forward (AAAA) zones can be a troublesome task, especially for ISPs with lots of residential customers. The IPv6 address space is vast and it is simply not possible to generate and hold a reverse record for every address in memory. The synth_record module was developed as an answer to this: it generates missing reverse (PTR) and forward (A, AAAA) records on the fly for a configured prefix while still serving real data wherever it exists.

The only drawback of the current implementation is that the generated records cannot be covered by DNSSEC, since the signatures would have to be computed on the fly together with the records; a zone relying on synth_record therefore has to stay unsigned for now. This will be addressed in the next release.
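To make the mechanism concrete, here is an added Python example, written for this article rather than taken from Knot's module, that synthesizes both directions for one customer prefix. It assumes a hostname scheme of prefix, then the address with its separators replaced by dashes, then the origin (so 2001:db8::1 becomes dynamic-2001-db8--1.example.com.), rejects malformed ip6.arpa names and addresses outside the configured prefix, and always prefers a real record when the zone has one. The network, prefix, origin and the one hand-maintained PTR are constructed sample data. It goes slightly beyond the text in also handling IPv4 (in-addr.arpa and A), which the module covers as well.

```python
import ipaddress

def reverse_owner(address):
    """Owner name for the PTR of an address, e.g. 1.0...0.8.b.d.0.1.0.0.2.ip6.arpa."""
    return ipaddress.ip_address(address).reverse_pointer + "."

class SynthRecord:
    """Synthesize PTR/A/AAAA answers for one prefix, modelled on the idea behind
    synth_record. Illustrative code, not Knot's. Assumed name scheme:
    <prefix><address with ':' (IPv6) or '.' (IPv4) replaced by '-'>.<origin>"""

    def __init__(self, network, prefix, origin, ttl):
        self.network = ipaddress.ip_network(network)
        self.prefix = prefix.lower()
        self.origin = origin.lower().rstrip(".") + "."
        self.ttl = ttl

    def hostname(self, addr):
        sep = ":" if addr.version == 6 else "."
        return self.prefix + str(addr).replace(sep, "-") + "." + self.origin

    def address_from_hostname(self, qname):
        """Inverse of hostname(); None if the name does not follow the scheme."""
        qname, suffix = qname.lower(), "." + self.origin
        if not (qname.startswith(self.prefix) and qname.endswith(suffix)):
            return None
        body = qname[len(self.prefix):-len(suffix)]
        for sep in (":", "."):  # try IPv6 first, then IPv4
            try:
                return ipaddress.ip_address(body.replace("-", sep))
            except ValueError:
                continue
        return None

    @staticmethod
    def address_from_reverse(qname):
        """ip6.arpa / in-addr.arpa owner -> address; None for malformed names."""
        labels = qname.lower().rstrip(".").split(".")
        if labels[-2:] == ["ip6", "arpa"] and len(labels) == 34:
            nibbles = labels[:-2]
            if all(len(n) == 1 and n in "0123456789abcdef" for n in nibbles):
                return ipaddress.IPv6Address(int("".join(reversed(nibbles)), 16))
        elif labels[-2:] == ["in-addr", "arpa"] and len(labels) == 6:
            try:
                return ipaddress.IPv4Address(".".join(reversed(labels[:-2])))
            except ValueError:
                pass
        return None

    def answer(self, qname, qtype, zone):
        """zone: {(owner, type): (ttl, rdata)} of real records, which always win.
        Returns (owner, ttl, type, rdata) or None when nothing can be synthesized."""
        owner = qname.lower()
        if (owner, qtype) in zone:
            ttl, rdata = zone[(owner, qtype)]
            return (owner, ttl, qtype, rdata)
        if qtype == "PTR":
            addr = self.address_from_reverse(owner)
            if addr is not None and addr in self.network:
                return (owner, self.ttl, "PTR", self.hostname(addr))
        elif qtype in ("A", "AAAA"):
            addr = self.address_from_hostname(owner)
            want = 4 if qtype == "A" else 6
            if addr is not None and addr.version == want and addr in self.network:
                return (owner, self.ttl, qtype, str(addr))
        return None

# Constructed sample: a /32 of customer space under example.com., with one
# address that has a real, hand-maintained PTR in the zone.
CUSTOMERS = SynthRecord("2001:db8::/32", "dynamic-", "example.com.", 400)
REAL_ZONE = {(reverse_owner("2001:db8::53"), "PTR"): (3600, "ns.example.com.")}

def demo():
    return [CUSTOMERS.answer(reverse_owner("2001:db8::1"), "PTR", REAL_ZONE),
            CUSTOMERS.answer(reverse_owner("2001:db8::53"), "PTR", REAL_ZONE),
            CUSTOMERS.answer("dynamic-2001-db8--1.example.com.", "AAAA", REAL_ZONE),
            CUSTOMERS.answer(reverse_owner("2001:db9::1"), "PTR", REAL_ZONE)]
```

Note what the example does not do: the synthesized tuples carry no RRSIG, which is exactly the DNSSEC limitation described above. The validity checks are not optional either; a reverse zone receives plenty of garbage queries, and a synthesizer that echoes arbitrary label content back into a hostname is an injection vector for whatever consumes the PTR.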

In Knot DNS 1.3.0, the zone file parser was migrated from a venerable Flex+Bison parser to one generated with the Ragel state machine compiler, which brought much-needed speed to zone parsing. For example, the new zone parser processes the .net zone, with 35 million records, in under ten seconds; the old parser would still be crunching the same zone for another 1000 seconds. The zone file format is surprisingly permissive in terms of syntax, as you can see in the Ragel zone parser in the upstream Git repository.

Performance also means raw response throughput. In our benchmarks Knot DNS outperforms every other open-source DNS server available, with peak numbers exceeding 500,000 responses per second over UDP on a 10GbE network connection. The quote famously attributed to Winston Churchill may come to mind here: "I only believe in statistics that I doctored myself". The DNS benchmarking scripts used to produce these numbers are freely available, so anyone can reproduce the results. One important thing we discovered while benchmarking DNS is that the network card chipset can make a huge difference. As a rule of thumb, Intel server NIC chipsets are never a bad choice.

While the raw numbers matter when your DNS server is under attack (something that has become common in the last few years), it is just as important to avoid becoming part of an attack in the first place. Paul Vixie and Vernon Schryver developed Response Rate Limiting (RRL) as an answer to Distributed Denial of Service (DDoS) attacks that send queries with spoofed source addresses to third-party DNS servers so that the (much larger) responses are reflected onto the victim. Knot DNS has implemented RRL since the 1.2.0 release to give DNS administrators the ability to be good netizens by not participating in these attacks, even inadvertently. This is especially important for high-performance DNS servers with high-speed connectivity, such as TLD servers, since the same throughput that makes them good servers makes them good amplifiers.

CZ.NIC started DNSSEC signing in the .CZ zone back in September 2008 and has since reached 37% penetration, with 434,000 DNSSEC-signed domains. It should therefore not be surprising that DNSSEC was on the feature list for Knot DNS from the beginning. The server re-signs records before their RRSIGs expire and maintains the SOA serial number accordingly. Knot DNS has been able to serve DNSSEC-signed zones since its first public release, and since the 1.4.0 release it can also sign zones itself.

Zone signing is currently labelled a technology preview, since the configuration, interface, and utilities might still change. The code itself is stable, however, and if you just want to sign zones you should give it a try.

Knot DNS also comes bundled with the standard DNS utilities kdig, khost and knsupdate, which mirror their BIND 9 counterparts dig, host and nsupdate.

Future Development

The upcoming Knot DNS 1.6.0 (aimed for the end of 2014) will bring reworked DNSSEC signing that includes a Key and Signing Policy, its own DNSSEC key management utilities, inline (on-the-fly) signing, and a migration from OpenSSL to GnuTLS. The latter switch was already planned because of GnuTLS's much better PKCS#11 support, which allows the signing keys to be kept in a Hardware Security Module (HSM) rather than on disk. The recently discovered OpenSSL vulnerabilities only emphasized the need for heterogeneity in the cryptographic libraries used by DNS servers.

A DNS server may serve a handful of small personal zones, a large TLD zone containing millions of records, or tens or hundreds of millions of small zones in a hosting deployment. Simple configuration files suffice for the first two scenarios, but they become cumbersome when the configuration holds millions of zone entries and the operator needs to add and remove zones frequently (e.g., every second), since the whole file has to be re-read each time. Therefore the need for a provisioning protocol has emerged, and one is on the roadmap for 2015.

Notable users

We obviously cannot list all Knot DNS users, but here are some noteworthy ones. As you might have guessed, we eat our own dog food: Knot DNS powers one-third of the .CZ name servers (the rest run BIND 9 and NSD). .CZ is not the only TLD to deploy Knot DNS; it has been handling .DK since 2012. RIPE NCC has deployed [PDF] Knot DNS in a slave name server cluster serving 77 ccTLDs and 4,200 reverse zones with a peak traffic rate of 120,000 queries per second. O2 Czech Republic came on board with Knot DNS 1.5.0 for its reverse IPv6 zone delegations, and CESNET, the Czech national research and education network, has been running Knot DNS since late last year. The latest notable addition to the user base is Active24.cz with more than 200,000 domains.

Get it

Developers can download and compile the Knot DNS sources (releases or Git), but Knot DNS also has packages for most Linux distributions: Debian, Ubuntu (in a PPA), Fedora and Fedora EPEL, openSUSE, Arch Linux, and Gentoo. There is also an OpenWrt metapackage and a Knot DNS formula for Homebrew.

I hope you will give Knot DNS a try. If you run into a problem, there's an issue tracker and the knot-dns-users mailing list for assistance. There's also Twitter and Google+. The Knot DNS team would be happy to hear from you, with problems, or success stories.

Index entries for this article: GuestArticles; Sury, Ondrej

[ The author is a Chief Scientist at CZ.NIC and is involved in Knot DNS development. He's also a Debian Developer and an open-source enthusiast. ]