Hi all, I am setting up a fresh OpenBSD 6.0 server in a KVM VM to serve my home network with DNS. I have a custom zone (only for LAN use) set up and previously used BIND successfully (but that VM crashed and its disk was hosed...) both as authoritative and caching/resolving.
So now I am trying to learn to set up NSD to be authoritative for my small zone and Unbound to serve the LAN with all other queries. But there is a problem:

1. Unbound successfully responds to queries and provides lookups to the LAN machines for "the internet".
2. NSD successfully responds to queries for the custom zone.
3. But I cannot get Unbound to get a reply from NSD...

I have tried multiple combinations of ports and interface bindings and I suspect that I am missing something simple here. Currently I have set NSD to listen on 127.0.0.1 and Unbound listens on 192.168.x.91, so there should not be a conflict. In fact it works fine if I use "dig @localhost <LANhostname>" and "dig @192.168.x.91 <internethostname>" respectively, but the second version only provides an answer-less response if asked for a LAN hostname. Unbound is set to ask localhost for the stub zones, forward and reverse.

And, yes, I could of course use Unbound to serve my local zone and drop NSD, but that would be giving up... It's supposed to work from all I read! :-)

I have also tried having NSD listen on 127.0.0.1@5353 and telling Unbound to use that as the stub address, while then having Unbound listen on 127.0.0.1 as well as 192.168.x.91, to be able to set 127.0.0.1 as the nameserver in /etc/resolv.conf. Same result, except I can't test NSD with dig as it can't use an alternative port.

A possibly related question: I can't seem to be able to use short names. The domain part should be picked up from the host name as given in /etc/myname, but that does not seem to work as I expect; I always have to provide the FQDN. Again something I have missed perhaps?

Anyway, I am staring blindly at the config files now and really need help figuring it out. I have removed all that is commented out; otherwise it's the default except for my changes, of course.

Thanks for any clue bats coming my way...
/Johan

* resolv.conf
lookup file bind
nameserver 192.168.x.91

# cat /etc/myname
dns03.my.domain

# cat /etc/hosts
127.0.0.1 localhost
::1 localhost
192.168.x.91 dns03.my.domain dns03

# cat /var/unbound/etc/unbound.conf
# $OpenBSD: unbound.conf,v 1.7 2016/03/30 01:41:25 sthen Exp $
server:
    interface: 192.168.x.91
    interface: ::1
    do-not-query-localhost: no
    access-control: 192.168.x.64/24 allow
    access-control: 127.0.0.0/8 allow
    access-control: 0.0.0.0/0 refuse
    access-control: ::0/0 refuse
    access-control: ::1 allow
    hide-identity: yes
    hide-version: yes
    # Uncomment to enable DNSSEC validation.
    # auto-trust-anchor-file: "/var/unbound/db/root.key"
    root-hints: /var/unbound/etc/root.hints

remote-control:
    control-enable: yes
    control-use-cert: no
    control-interface: /var/run/unbound.sock

stub-zone:
    name: "my.domain"
    stub-addr: 127.0.0.1

stub-zone:
    name: "x.168.192.in-addr.arpa"
    stub-addr: 127.0.0.1

# cat /var/nsd/etc/nsd.conf
# $OpenBSD: nsd.conf,v 1.11 2015/04/12 11:49:39 sthen Exp $
server:
    hide-version: yes
    verbosity: 1
    database: "" # disable database
    ## bind to a specific address/port
    ip-address: 127.0.0.1

remote-control:
    control-enable: yes

zone:
    name: "my.domain"
    zonefile: "master/my.domain"

zone:
    name: "x.168.192.in-addr.arpa"
    zonefile: "master/192.168.x.rev"
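One thing worth checking in the posted unbound.conf before chasing ports and interfaces: Unbound ships with built-in local zones for the RFC 1918 reverse space (10.in-addr.arpa, 16.172.in-addr.arpa through 31.172.in-addr.arpa, 168.192.in-addr.arpa), and it answers those itself without ever consulting a stub-zone or forward-zone defined underneath them. unbound.conf(5) documents the switch-off: a `local-zone: "168.192.in-addr.arpa." nodefault` line in the server: section, after which the stub for x.168.192.in-addr.arpa is actually used. The forward zone "my.domain" is not affected by this default. The script below is an added example, not part of the original post or of the Unbound project: it lints an unbound.conf for stub/forward zones shadowed by those built-in zones and prints the missing nodefault line for each. It only knows the RFC 1918 set, not Unbound's full AS112 list, and the sample configuration in the test is constructed.

```shell
#!/bin/sh
# unbound_stub_check: report stub-zone/forward-zone names that fall under one
# of Unbound's built-in RFC 1918 reverse zones without a matching
#   local-zone: "<zone>." nodefault
# Assumes the input file uses unbound.conf(5) syntax (one "key: value" per
# line, blocks introduced by "server:", "stub-zone:", "forward-zone:", ...).
# Only the RFC 1918 defaults are checked; Unbound's AS112 list is longer.
# Exit status: 0 if nothing is shadowed, 1 if at least one zone is reported.

# Print the built-in default zone (no trailing dot) that covers the zone name
# in $1, or nothing if the name is outside RFC 1918 reverse space.
rfc1918_default_zone() {
    z=$(printf '%s\n' "$1" | tr 'A-Z' 'a-z' | sed 's/\.$//')
    case "$z" in
        10.in-addr.arpa|*.10.in-addr.arpa)
            echo 10.in-addr.arpa ;;
        168.192.in-addr.arpa|*.168.192.in-addr.arpa)
            echo 168.192.in-addr.arpa ;;
        1[6-9].172.in-addr.arpa|2[0-9].172.in-addr.arpa|3[01].172.in-addr.arpa|*.1[6-9].172.in-addr.arpa|*.2[0-9].172.in-addr.arpa|*.3[01].172.in-addr.arpa)
            # keep the last four labels: NN.172.in-addr.arpa
            printf '%s\n' "$z" | awk -F. '{ print $(NF-3) "." $(NF-2) "." $(NF-1) "." $NF }' ;;
    esac
}

# Collect the "name:" values declared inside stub-zone: and forward-zone: blocks.
zone_names() {
    awk '
        /^[[:space:]]*(stub-zone|forward-zone):/ { inzone = 1; next }
        /^[[:space:]]*[a-z-]+:[[:space:]]*$/     { inzone = 0 }
        inzone && $1 == "name:"                   { gsub(/"/, "", $2); print $2 }
    ' "$1"
}

# Collect zones whose built-in contents were switched off with
#   local-zone: "<zone>." nodefault
# (printed lower-case, without the trailing dot, for comparison).
nodefault_zones() {
    awk '
        $1 == "local-zone:" && $3 == "nodefault" {
            gsub(/"/, "", $2); sub(/\.$/, "", $2); print tolower($2)
        }
    ' "$1"
}

unbound_stub_check() {
    conf=$1
    rc=0
    for zone in $(zone_names "$conf"); do
        def=$(rfc1918_default_zone "$zone")
        [ -n "$def" ] || continue          # not under an RFC 1918 default zone
        covered=no
        for nd in $(nodefault_zones "$conf"); do
            [ "$nd" = "$def" ] && covered=yes
        done
        if [ "$covered" = no ]; then
            echo "$zone: shadowed by built-in zone $def; add: local-zone: \"$def.\" nodefault"
            rc=1
        fi
    done
    return $rc
}

# Usage: unbound_stub_check /var/unbound/etc/unbound.conf
```

Run it against the posted unbound.conf and it flags x.168.192.in-addr.arpa; run `unbound-checkconf` after adding the line, then `dig -x 192.168.x.<host> @192.168.x.91` to confirm the reverse query now reaches NSD.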