Why does pfSense not use BIND by default?

DominikHoffmann

Follow-up questions:

Would there be an advantage to installing the BIND package and running that?
If I did that, would it functionally replace the Resolver or Forwarder components?

Gertjan

@dominikhoffmann said in Why does pfSense not use BIND by default?:

Why does pfSense not use BIND by default?

Do you use bind ?
bind is ... huge.
It's a project that went the same way as OpenVPN : it was 'opensource' and everybody added what he wanted. And worse, everything is split out over dozens of configuration files.
It can forward - resolve, be authoritative, does DNSSEC, does dynamic updating, can be a master, hidden master, slave can handle interfaces that "go down" and "come back" without a reload needed.
It's the (IMHO) typical program that can not (like no way) be mastered with a GUI.
bind works well, but it's a command line only program.
You'll be needing

a text editor,
know how to work with all the testing tools,
have a solid knowledge of what DNS is. There is no place for 'presuming' anymore - with bind, it's the real thing.

The real reason is : no one integrates bind as a package or system and then offers it to the public for 'free' like pfSense 2.6.0. User going to ask for support.
Nobody want to 'support' bind for some one else.
If Netgate decides to use bind , they will, for sure, stop giving pfSense for free.
bind is like a Boeing 737 MAX : buying one doesn't mean you can fly one.
You'll be needing 'some' training. It will be the old fashioned 'learn' thing. The good news is : it's free !! (although, you will need some time).
There will be a big advantage at the end : you will know now what DNS is, thus basically understanding what 'Internet' is.

Again : this is my opinion.
I'm using bind for decades on my own dedicated servers for all my domain names. Played with all the tricks and options.
In the beginning, it was 'hard', 'scary' and 'frustrating'. The smallest errors meant : mail down and web sites down (my company).
And I went to school to play with system(back then) like a Prime, VAX, and messed around with a PDP11. Looking back now : things were so easy actually back then, and we didn't know shit ....

@dominikhoffmann said in Why does pfSense not use BIND by default?:

Would there be an advantage to installing the BIND package and running that?

It's possible to stop unbound and use another process that does the same job.
You can already chose between unbound, the resolver, and the forwarder (dnsmasq).
But you can only use one on a system, as the DNS process needs to bind to port '53' and you can't have tow process listing to the same port.
The same thing goes for mail processes, web servers etc.

Using bind on pfSense makes things harder.
You have to deal with bind.
And
The awkward way how it is totally incomplete "hidden" behind a GUI.

It's hard, and painfull, to admin bind like that.
I chose for nano.

edit :
https://en.wikipedia.org/wiki/Comparison_of_DNS_server_software

Netgate needed a resolver, as pfSense is a device that does not need host a domain name server, or a mail server, or a public web server.
Our ISP's, in the past, forced us to sue their DNS (ISP) servers, so a simple forwarder was great - pfSense used dnsmasq before. It was small, fast, and fitted for the job.
These times are over now.
The world has been devices in two parts :
The ones that uses DNS as it is meant to be used by what Internet actually is : they use the root servers.
And the others, who want to hand over their DNS traffic to some third party source. They could have chosen their ISP DNS (they still exist), but no .........