On Mon, Nov 23, 2015 at 12:24:53PM +0100, Alessandro Baggi wrote:
> Hi list,
> I've switched from Obsd 5.3 to Pfsense to try it. Now I want to come back to
> Obsd. I prefer it.
>
Great choice.

[snip]

> Now today I've nsd and unbound that I can use on my firewall.
> I don't need an authoritative server, and I should use unbound.
> nsd and unbound have similar syntax and, reading from the web, I can resolve dns
> with each of them.
>
> Now I'm confused... which to use? Correct me if I'm wrong:
>
> 1) I must use only nsd for an authoritative server (internet exposed) for my
> hypothetical zone (can I use it in my lan as a dns resolver?).
>
> 2) I can use only unbound for lan dns resolving/caching/validating with
> zones if an authoritative domain is not needed.
>
> 3) I can use nsd for an authoritative server (internet exposed) and for the lan use
> unbound as recursive/cache dns with the authoritative server.
>
> 4) I can use unbound as an authoritative server and for recursing and other things.
>
> 5) NSD is the best for authoritative and unbound for other things.

As others have said: unbound is a recursive resolver that can forward dns queries upstream. It can perform in a limited role as an authoritative server using local-zone, but the configuration there is cumbersome if you have more than a handful of hosts. nsd is an authoritative server that's flexible enough to easily replace bind as your authoritative server if that's what you need. You can combine the forwarding capabilities of unbound with the authoritative capabilities of nsd to do everything that bind did. I'm assuming the advantage of this setup is that the combination of unbound and nsd has a smaller footprint or is more secure, or more than likely not both.

The configuration isn't that difficult, but there are some gotchas. In my example I needed to be authoritative for a domain, so I configured nsd to serve the domain. The man pages for nsd explain this well and it's quite simple. The trick is to have nsd serve the domain on localhost only and not on port 53. Then I configured unbound to be a recursive resolver that forwards requests for "example.com" to the local nsd. Here's the configuration snippet.
In my example the network is running at 192.168.10.0, so I forwarded two zones:

## ================================================================
server:
    ...
    ## This setting is critical. Without it unbound won't forward
    ## requests to nsd running on localhost.
    do-not-query-localhost: no
    ...

forward-zone:
    name: "example.com."
    forward-addr: 127.0.0.1@5300

forward-zone:
    name: "168.192.in-addr.arpa."
    forward-addr: 127.0.0.1@5300

## forward-zone:
##     name: "."              # use for ALL queries
##     forward-addr: 8.8.8.8
##     forward-addr: 8.8.4.4
## ================================================================

If you can set up bind then you shouldn't have problems setting up and testing nsd to serve forward and reverse for a domain. Configuring nsd on an alternate port is pretty simple. The config snippet above redirects unbound to the local nsd.

That probably answers more than you wanted. But I could see this combination of nsd and unbound being popular among people looking for a lighter weight alternative to bind.

-- 
Chris

     __o          "All I was trying to do was get home from work."
   _`\<,_                                  -Rosa Parks
___(*)/_(*)____.___o____..___..o...________ooO..._____________________
Christopher Sean Hilton                    [chris/at/vindaloo/dot/com]
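The other half of the setup Chris describes, written out as an added example that is not part of the original message: the nsd.conf that listens on 127.0.0.1 port 5300, the two zone files it serves, and the unbound.conf lines his snippet elides. The file paths follow the OpenBSD defaults (nsd chrooted in /var/nsd), and the host names, addresses and serial numbers are made up for a 192.168.10.0/24 network.

```conf
## /var/nsd/etc/nsd.conf  (example, not from the original post)
server:
    ## Loopback only, on the alternate port unbound's forward-addr
    ## 127.0.0.1@5300 points at. nsd is never reachable from the LAN
    ## or the Internet, so port 53 on every interface belongs to unbound.
    ip-address: 127.0.0.1
    port: 5300
    hide-version: yes
    zonesdir: "/var/nsd/zones"

zone:
    name: "example.com"
    zonefile: "master/example.com.zone"

zone:
    name: "168.192.in-addr.arpa"
    zonefile: "master/168.192.in-addr.arpa.zone"

## /var/nsd/zones/master/example.com.zone  (constructed sample zone)
$ORIGIN example.com.
$TTL 3600
@       IN  SOA  ns1.example.com. hostmaster.example.com. (
                 2015112301 ; serial
                 3600       ; refresh
                 900        ; retry
                 604800     ; expire
                 300 )      ; negative-cache TTL
        IN  NS   ns1.example.com.
ns1     IN  A    192.168.10.1
fw      IN  A    192.168.10.1
www     IN  A    192.168.10.20

## /var/nsd/zones/master/168.192.in-addr.arpa.zone  (constructed)
$ORIGIN 168.192.in-addr.arpa.
$TTL 3600
@       IN  SOA  ns1.example.com. hostmaster.example.com. (
                 2015112301 3600 900 604800 300 )
        IN  NS   ns1.example.com.
1.10    IN  PTR  fw.example.com.
20.10   IN  PTR  www.example.com.

## /var/unbound/etc/unbound.conf  (additions to the snippet above)
server:
    ## Listen on the LAN side and answer only LAN clients; an
    ## unrestricted recursive resolver is an amplification source.
    interface: 192.168.10.1
    interface: 127.0.0.1
    access-control: 127.0.0.0/8 allow
    access-control: 192.168.10.0/24 allow
    access-control: 0.0.0.0/0 refuse
    ## unbound answers the RFC 1918 reverse zones itself by default;
    ## turn that off so the forward-zone for 168.192.in-addr.arpa is used.
    local-zone: "168.192.in-addr.arpa." nodefault
    ## Only needed if the public example.com is DNSSEC-signed: the
    ## unsigned internal copy would otherwise be rejected as bogus
    ## by a validating unbound.
    domain-insecure: "example.com."
    do-not-query-localhost: no
```

Before pointing clients at it, check the pieces independently: nsd-checkconf on nsd.conf and nsd-checkzone on each zone file, then `dig @127.0.0.1 -p 5300 www.example.com` to confirm nsd answers directly, `unbound-checkconf`, and finally `dig @192.168.10.1 www.example.com` and `dig @192.168.10.1 -x 192.168.10.20` to confirm unbound is forwarding both zones rather than answering from its own defaults or from upstream. The `nodefault` line is written explicitly here so the reverse zone does not depend on which unbound version is installed.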