Why was nslookup removed from FreeBSD 10?

Frank Leonhardt frank2 at fjl.co.uk
Sun Jan 26 21:22:03 UTC 2014

On 26/01/2014 18:22, David Demelier wrote:
> On 25/01/2014 20:52, Frank Leonhardt wrote:
>> On 25/01/2014 19:37, Mark Tinka wrote:
>>> On Saturday, January 25, 2014 09:13:08 PM Frank Leonhardt
>>> wrote:
>>>> Unbelievable, but true - someone somewhere thought that
>>>> removing nslookup from the base system was the way to
>>>> go.
>>>> Why? Can anyone shed any light on how this decision was
>>>> made?
>>> If you read:
>>>      http://www.freebsd.org/releases/10.0R/relnotes.html
>>> Under the "2.3. Userland Changes" section, you will notice:
>>>      "BIND has been removed from the base system.
>>>       unbound(8), which is maintained by NLnet Labs, has
>>>       been imported to support local DNS resolution
>>>       functionality with DNSSEC. Note that it is not a
>>>       replacement of BIND and the latest versions of BIND
>>>       is still available in the Ports Collection. With
>>>       this change, nslookup and dig are no longer a part
>>>       of the base system. Users should instead use
>>>       host(1) and drill(1) Alternatively, nslookup and
>>>       dig can be obtained by installing dns/bind-tools
>>>       port. [r255949]"
>>> So install /usr/ports/dns/bind-tools and you're a happy guy.
>>> As to the philosophy of it all, no point arguing. Fait
>>> accompli.
>>> Mark.
>> As you and Waitman both pointed out, nslookup IS part of BIND, yet as I
>> said in the diatribe following the question in my post, so is "host" and
>> that's still there. Also Windoze has nslookup but doesn't include BIND.
>> I agree there's no point arguing unless you know the rational behind
>> what appears an arbitrary decision; hence my question. Was this simply
>> an oversight or is there a thought-out reason for it that one can take
>> issue with?
>> IIRC, nslookup was present in 4.3BSD, and I'm pretty sure it existed
>> before that. (That's BSD, not FreeBSD). Its relied on in scripts. The
>> reason for dropping it from the base system must be pretty spectacular.
>> FreeBSD 10.0 might be better known as FreeBSD Vista, at this rate.
>> Regards, Frank.
> Please don't piss off, there was thousands of reasons for removing BIND
> from base. It generates at least 5 security advisories by year. FreeBSD
> has a great feature called "ports" / "packages". Of course it's always
> great to have a fully functional system just after an installation. But
> can you seriously use a FreeBSD fresh install? I think you need to
> install a bunch of packages before :-).
> So just a pkg install bind-tools is not so hard, isn't it?
> Regards,
> David.

All this is may be true, but I was asking about nslookup, specifically 
not BIND (as I pointed out in the original question). If you read most 
of this thread, people just want to talk about BIND and as a result I 
can see why you'd think this was the agenda when it wasn't. I'm having a 
few interesting off-list discussions about the merits or otherwise of 
BIND and where BIND10 is going, but that's not a question (feel free to 
join in by email).

So, to get back to the question, the problem is that nslookup is missing 
from base. Why?

Yes, it was part of BIND, but it needn't be as it uses its own resolver 
(which is one of its long-running criticisms, but in this case it's a 

Dig and host were also part of BIND. BIND's dig has been replaced in 
ldns by the semi-compatible "drill". BIND's host has been replaced on 
FreeBSD 10.0 by an ldns re-write. BIND's nslookup, the oldest utility of 
them all,  the one that people use for scripting because it's been there 
since the beginning of time (nearly), the one that's available 
(out-of-the-box) on every platform including Microsoft - is suddenly GONE!

If someone's not involved in server-type stuff and don't use shell 
scripts the significance of this may be less hard to see, but the reason 
for having a base system, unlike the disparate Linux distributions where 
nothing can be taken for granted, is that you can take a script written 
in 1986 that has limited itself to base-system utilities and it will 
STILL RUN in 2014.

So did this happen because someone decided that there was no need to 
have a DNS server in base when all that was needed was a caching 
resolver, and the nslookup utility was simply overlooked. Or did someone 
decide that nslookup was a problem and dropped it. Or is it on someone's 
To Do list and got missed off that way?

More information about the freebsd-questions mailing list