alt Hacker NewsShameless plug time:
My own MaraDNS has been extensively audited now that we’re in the age of AI-assisted security audits.
Not one single serious security bug has been found since 2023. [1]
The only bugs auditers have been finding are things like “Deadwood, when fully recursive, will take longer than usual to release resources when getting this unusual packet” [2] or “This side utility included with MaraDNS, which hasn’t been able to be compiled since 2022, has a buffer overflow, but only if one’s $HOME is over 50 characters in length” [3]
I’m actually really pleased just how secure MaraDNS is now that it’s getting real in depth security audits.
[1] https://samboy.github.io/MaraDNS/webpage/security.html
Replies
MaraDNS is much less popular than dnsmasq though.
I have several libraries that I've written. Not one single serious security bug in them has been found since 1991. Granted, nobody uses my libraries...
Not to diminish your team's achievement! :D But it's important to contextualize claims like this with information about what your userbase looks like
I remember being delighted finding maradns as an alternative to the “do everything” of dnsmasq way back when I set up a dns server, and more importantly, I haven't had to think about it since then.
> Shameless plug time: My own MaraDNS has been extensively audited now that we’re in the age of AI-assisted security audits.
Out of curiosty: what is the point you’re trying to make? That there are alternatives to dnsmasq? That somehow your software is “better”?
This plug provides zero value to the dnsmasq discussion.
As others have pointed out: the more used a software is, the more scrutiny it gets and more bugs or edge cases are found.
good job. but it is amazing we are still writing core networking tools in vulnerable language such as c in 2026.
Flagged because this discussion about dnsmasq and another dns resolver implementation that has relatively no rollout worldwide by comparison is pointless.
That's a bit shameless, indeed.
dnsmasq has served me well for like an eternity in multiple setups for different use cases. As all software it has bugs. And once located those get fixed. Its author is also easy to communicate with.
Why should I switch over to something way less proven? I'm quite sure your software also has bugs, many still not located. Maybe because it's less popular/ less well known nobody cares to hunt for those bugs? Which means even if the numbers of found bugs is less in your software at the moment, and it may look more audited for this reason, it may actually be way less secure.
Well, as you bundle Lua 5.1 (as Lunacy), instead of making a library and loading it, and you bundled the 2012 version, you're probably affected by CVE-2014-5461 and others. Lua hasn't been security fix free.