On Mon, Nov 23, 2015 at 12:24:53PM +0100, Alessandro Baggi wrote:
> Hi list,
> I've switched from Obsd 5.3 to Pfsense to try it. Now I want to come back to
> Obsd. I prefer it.
>

Great choice.

[snip]

> Now today I have nsd and unbound that I can use on my firewall.
> I don't need an authoritative server, and I should use unbound.
> nsd and unbound have similar syntax, and reading from the web I see that I can
> resolve dns with each of them.
>
> Now I'm confused... which to use? Correct me if I'm wrong:
>
> 1) I must use only nsd as an authoritative server (internet exposed) for my
> hypothetical zone (can I use it in my lan as a dns resolver?).
>
> 2) I can use only unbound for lan dns resolving/caching/validating with
> zones if an authoritative domain is not needed.
>
> 3) I can use nsd as an authoritative server (internet exposed) and for lan use
> unbound as recursive/cache dns with the authoritative server.
>
> 4) I can use unbound as an authoritative server and for recursion and other things.
>
>
> 5) NSD is the best for authoritative and unbound for other things.

As others have said:

unbound is a recursive resolver that can forward dns queries
upstream. It can perform in a limited role as an authoritative server
using local-zone but the configuration there is cumbersome if you have
more than a handful of hosts.

nsd is an authoritative server that's flexible enough to easily
replace bind as your authoritative server if that's what you need.

You can combine the forwarding capabilities of unbound with the
authoritative capabilities of nsd to do everything that bind did. I'm
assuming the advantage of this setup is that the combination of
unbound and nsd has a smaller footprint or is more secure or more than
likely not both. The configuration isn't that difficult but there are
some gotchas.

In my example I needed to be authoritative for a domain so I
configured nsd to serve the domain. The man pages for nsd explained
this well and it's quite simple. The trick is to have nsd serve the
domain on localhost only and not on port 53.

Then I configured unbound to be a recursive resolver that forwarded
requests for "example.com" to the local nsd. Here's the configuration
snippet. In my example the network is running at 192.168.10.0 so I
forwarded two zones:

## ================================================================

server:
        ...

        ## This setting is critical. Without it unbound won't forward
        ## requests to nsd running on localhost.

        do-not-query-localhost: no

        ...

forward-zone:
        name: "example.com."
        forward-addr: 127.0.0.1@5300

forward-zone:
        name: "168.192.in-addr.arpa."
        forward-addr: 127.0.0.1@5300

## forward-zone:
##         name: "."                       # use for ALL queries
##         forward-addr: 8.8.8.8
##         forward-addr: 8.8.4.4

## ================================================================

If you can set up bind then you shouldn't have problems setting up and
testing nsd to serve forward and reverse for a domain. Configuring nsd
on an alternate port is pretty simple. The config snippet above
redirects unbound to the local nsd.

That probably answers more than you wanted. But I could see this
combination of nsd and unbound being popular among people looking for
a lighter-weight alternative to bind.

--
Chris

      __o          "All I was trying to do was get home from work."
    _`\<,_           -Rosa Parks
___(*)/_(*)____.___o____..___..o...________ooO..._____________________
Christopher Sean Hilton                    [chris/at/vindaloo/dot/com]
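Added example, not from Chris's post or from the unbound project: a small Python lint that reads an unbound.conf in the format shown above and reports forward-zones pointing at a loopback address while do-not-query-localhost is left at unbound's default of yes, which is exactly the gotcha the snippet warns about. The embedded sample config is constructed for the example.

```python
import re
# Constructed sample in unbound.conf syntax: two zones forwarded to nsd on
# 127.0.0.1:5300, with do-not-query-localhost left at its default of yes.
SAMPLE_CONF = """\
server:
        interface: 192.168.10.1

forward-zone:
        name: "example.com."
        forward-addr: 127.0.0.1@5300

forward-zone:
        name: "168.192.in-addr.arpa."
        forward-addr: 127.0.0.1@5300
"""
# Loopback targets as unbound writes them: 127/8 or ::1, optional @port.
LOOPBACK = re.compile(r"^(127\.\d{1,3}\.\d{1,3}\.\d{1,3}|::1)(@\d+)?$")

def parse_unbound(text):
    """Minimal unbound.conf reader: clause headers sit at column 0, attributes
    are indented 'key: value' lines, '#' starts a comment."""
    server, zones, clause = {}, [], None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()
        if not line.strip():
            continue
        if not line[0].isspace() and line.endswith(":"):  # new clause
            clause = line[:-1]
            if clause == "forward-zone":
                zones.append({"name": None, "forward-addr": []})
            continue
        key, _, value = line.strip().partition(":")
        key, value = key.strip(), value.strip().strip('"')
        if clause == "server":
            server[key] = value
        elif clause == "forward-zone" and zones:
            if key == "forward-addr":
                zones[-1]["forward-addr"].append(value)
            elif key == "name":
                zones[-1]["name"] = value
    return server, zones

def localhost_forward_problems(text):
    """(zone, addr) pairs unbound would refuse to query: loopback forward-addr
    while do-not-query-localhost is not 'no' (unbound's default is yes)."""
    server, zones = parse_unbound(text)
    if server.get("do-not-query-localhost", "yes").lower() == "no":
        return []
    return [(z["name"], a) for z in zones for a in z["forward-addr"] if LOOPBACK.match(a)]
```

Run it against your real unbound.conf after editing; an empty list means every loopback forward will actually be queried.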

