DNS Server Software
A guide to the major DNS server implementations — authoritative servers, recursive resolvers, and specialized tools for every deployment scenario.
Major DNS Software Packages
From full-stack servers to specialized authoritative and recursive implementations
BIND 9: The most widely deployed DNS software on the internet. A full-featured authoritative and recursive server that has served as the reference implementation of the DNS protocol for decades.
Unbound: A high-performance validating, recursive, and caching DNS resolver. The preferred choice for secure resolver deployments — ships as the default resolver in many Linux distributions and BSD systems.
PowerDNS: A modular DNS platform with separate Authoritative Server and Recursor products. Known for its database backends (MySQL, PostgreSQL, SQLite) and REST API — popular with ISPs and hosting providers.
CoreDNS: A fast, flexible DNS server written in Go with a plugin-based architecture. The default DNS server in Kubernetes — each plugin handles one DNS function, making it highly composable for cloud-native environments.
dnsmasq: A lightweight DNS forwarder and DHCP server designed for small networks. Ships on home routers (OpenWrt), Linux desktops (NetworkManager), and embedded systems. Not suitable for high-volume production resolvers.
Knot DNS: A high-performance authoritative-only DNS server built by the .cz TLD operator. Designed for large-scale TLD and enterprise deployments — features fast zone loading, DNSSEC automation, and zone signing.
NSD: Name Server Daemon — a simple, reliable authoritative-only DNS server focused on security and correctness. Used by root servers and TLD operators. Pairs well with Unbound (resolver) for a split authoritative/recursive architecture.
Knot Resolver: A modern recursive resolver with a modular Lua-based scripting engine. Supports DNS-over-HTTPS, DNS-over-TLS, DNSSEC validation, and response policy zones. Used by ISPs and privacy-focused DNS services.
Authoritative vs. Recursive: Choose the Right Tool
An authoritative server holds the zone files for your domains and answers definitively for records in those zones. It does not resolve third-party domains. Use an authoritative server when you are hosting your own DNS zones — for your domain names, internal infrastructure, or as a secondary for another provider. Best choices: BIND 9, PowerDNS Authoritative, Knot DNS, NSD.
A recursive resolver answers queries from clients by walking the DNS hierarchy — querying root, TLD, and authoritative servers on their behalf. It caches responses and (optionally) validates DNSSEC. Use a recursive resolver when you want to provide DNS service to clients on your network. Best choices: Unbound, PowerDNS Recursor, Knot Resolver.
At a Glance
| Package | Role | Vendor | Platform | Language | DNSSEC | Config Complexity |
|---|---|---|---|---|---|---|
| BIND 9 | Auth + Recursive | ISC | All | C | Yes | Complex |
| Unbound | Recursive only | NLnet Labs | Linux/BSD/Mac | C | Yes | Moderate |
| PowerDNS Auth | Auth only | Open-Xchange | All | C++ | Yes | Moderate |
| PowerDNS Recur | Recursive only | Open-Xchange | All | C++ | Yes | Moderate |
| CoreDNS | Flexible | CNCF | All/K8s | Go | Plugin | Low |
| dnsmasq | Forwarder/DHCP | S. Kelley | Linux/Embedded | C | No | Low |
| Knot DNS | Auth only | CZ.NIC | Linux/BSD | C | Yes | Moderate |
| NSD | Auth only | NLnet Labs | Linux/BSD | C | No | Low |
| Knot Resolver | Recursive only | CZ.NIC | Linux | C/Lua | Yes | Moderate |
Split Authoritative / Recursive Architecture
Running a single server as both authoritative and recursive is a common beginner configuration — and a security risk. An authoritative server that also resolves queries can be used as an open resolver for amplification attacks, and recursive functionality adds attack surface to your authoritative infrastructure.
The recommended pattern is to separate these roles onto different servers or at least different processes. Your authoritative server answers only for your zones (no recursion). Your recursive resolvers answer only for your clients (no authoritative zones).
- Authoritative: Knot DNS or NSD — minimal attack surface, no recursion
- Recursive: Unbound — DNSSEC validating, configurable RPZ, per-client rate limiting
- Disable recursion on BIND 9 authoritative servers: `recursion no;`
- Restrict recursive resolvers to authorized client IPs only
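To confirm the split is actually in effect on servers you operate, the added example below (not part of the original page) sends a query with the RD bit set for a name outside the server's zones and reads the RA flag, response code and answer count from the reply header. The function names `build_query`, `classify` and `probe` are hypothetical, and the two sample replies are constructed, not captured traffic.

```python
import socket
import struct

QR, RD, RA = 0x8000, 0x0100, 0x0080  # DNS header flag bits (RFC 1035)

def build_query(name, qid=0x1234):
    """Encode an A/IN query for `name` with RD (recursion desired) set."""
    labels = name.rstrip(".").split(".")
    qname = b"".join(bytes([len(p)]) + p.encode("ascii") for p in labels) + b"\x00"
    return struct.pack("!HHHHHH", qid, RD, 1, 0, 0, 0) + qname + struct.pack("!HH", 1, 1)

def classify(response):
    """Classify a reply to a query for a name outside the server's own zones."""
    if len(response) < 12:
        raise ValueError("truncated DNS header")
    _, flags, _, ancount, _, _ = struct.unpack("!HHHHHH", response[:12])
    if not flags & QR:
        raise ValueError("QR bit clear: not a response")
    rcode = flags & 0x000F
    if flags & RA and rcode == 0 and ancount > 0:
        return "recursion-open"        # it resolved a third-party name for us
    if flags & RA:
        return "recursion-advertised"  # RA set, but no answer to this query
    return "no-recursion"              # RA clear, e.g. REFUSED or a referral

def probe(server, name, timeout=3.0):
    """Send one UDP query to a server you operate and classify its reply."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        sock.sendto(build_query(name), (server, 53))
        return classify(sock.recvfrom(4096)[0])

# Constructed sample replies (only the 12-byte header matters to classify()).
SAMPLE_REFUSED = struct.pack("!HHHHHH", 0x1234, 0x8105, 1, 0, 0, 0)   # QR|RD, rcode 5
SAMPLE_RESOLVED = struct.pack("!HHHHHH", 0x1234, 0x8180, 1, 1, 0, 0)  # QR|RD|RA, 1 answer

if __name__ == "__main__":
    print(classify(SAMPLE_REFUSED))
    print(classify(SAMPLE_RESOLVED))
```

An authoritative server should come back as `no-recursion` from any vantage point, and a recursive resolver should not return `recursion-open` when probed from an address outside its authorized client ranges.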