Hi all,

I am setting up a fresh OpenBSD 6.0 server in a KVM VM to serve my
home network with DNS. I have a custom zone (only for LAN use) set up
and previously used BIND successfully (but that VM crashed and its
disk was hosed...) both as authoritative and caching/resolving.

So now I am trying to learn to set up NSD to be authoritative for my
small zone and Unbound to serve the LAN with all other queries. But
there is a problem:

1. Unbound successfully responds to queries and provides lookup to the
LAN machines for "the internet".
2. NSD successfully responds to queries for the custom zone.
3. But I cannot get Unbound to get a reply from NSD...

I have tried multiple combinations of ports and interface bindings and
I suspect that I am missing something simple here. Currently I have
set NSD to listen on 127.0.0.1 and Unbound listens on 192.168.x.91 -
so there should not be a conflict. In fact it works fine if I use dig
@localhost <LANhostname> and dig @192.168.x.91 <internethostname>
respectively, but the second version only provides an answer-less
response if asked for a LAN hostname.

Unbound is set to ask localhost for the stub zones, forward and reverse.

And, yes, I could of course use Unbound to serve my local zone and
drop NSD - but that would be giving up... It's supposed to work from
all I read! :-)

I have also tried having NSD listen on 127.0.0.1@5353, and telling
unbound to use that as the stub-address, while then having Unbound
listen on 127.0.0.1 as well as 192.168.x.91 to be able to set
127.0.0.1 as the nameserver in /etc/resolv.conf. Same result except I
can't test NSD with dig as it can't use an alternative port.

A possibly related question: I can't seem to be able to use
shortnames. The domain part should be picked up from the host name as
given in /etc/myname, but that does not seem to work as I expect, I
always have to provide the FQDN. Again something I have missed
perhaps?

Anyway, I am staring blindly at the config files now and really need
help figuring it out. I have removed all that is commented, otherwise
it's the default except for changes of course.

Thanks for any clue bats coming my way...
/Johan

* resolv.conf
lookup file bind
nameserver 192.168.x.91

# cat /etc/myname
dns03.my.domain

# cat /etc/hosts
127.0.0.1       localhost
::1             localhost
192.168.x.91   dns03.my.domain dns03

# cat /var/unbound/etc/unbound.conf
# $OpenBSD: unbound.conf,v 1.7 2016/03/30 01:41:25 sthen Exp $

server:
        interface: 192.168.x.91
        interface: ::1
        do-not-query-localhost: no

        access-control: 192.168.x.64/24 allow
        access-control: 127.0.0.0/8 allow
        access-control: 0.0.0.0/0 refuse
        access-control: ::0/0 refuse
        access-control: ::1 allow

        hide-identity: yes
        hide-version: yes

        # Uncomment to enable DNSSEC validation.
        #
        auto-trust-anchor-file: "/var/unbound/db/root.key"

        root-hints: /var/unbound/etc/root.hints

remote-control:
        control-enable: yes
        control-use-cert: no
        control-interface: /var/run/unbound.sock

stub-zone:
        name: "my.domain"
        stub-addr: 127.0.0.1
stub-zone:
        name: "x.168.192.in-addr.arpa"
        stub-addr: 127.0.0.1

# cat /var/nsd/etc/nsd.conf
# $OpenBSD: nsd.conf,v 1.11 2015/04/12 11:49:39 sthen Exp $

server:
        hide-version: yes
        verbosity: 1
        database: "" # disable database

## bind to a specific address/port
        ip-address: 127.0.0.1

remote-control:
        control-enable: yes

zone:
        name: "my.domain"
        zonefile: "master/my.domain"
zone:
        name: "x.168.192.in-addr.arpa"
        zonefile: "master/192.168.x.rev"
