On 01/16/17 06:58, Damian McGuckin wrote:
> On Mon, 16 Jan 2017, Stuart Henderson wrote:
>
>> On 2017/01/16 15:37, Damian McGuckin wrote:
>>> On Mon, 16 Jan 2017, Stuart Henderson wrote:
>>>
>>>> In normal operations NSD _does_ run on port 53.
>>>
>>> Yes. But if you want both NSD and UNBOUND running on the same box, things
>>> need to change.
>>
>> Not necessarily, because they can run on different addresses. For
>> example you could have unbound bound to an internal address and NSD
>> listening to an external one.
>
> I am not an NSD/UNBOUND expert, but
>
> If you run NSD on the external link (pppoe0) and that external link does
> not come up, as when the external (ADSL) phone link is down, anything that
> NSD is handling for the internal machines in the network is unavailable.
> So it needs to run off an internal interface.
Keep in mind, your OpenBSD box, like every Unix box, has a potentially huge
number of IP addresses that can't be accessed by anything outside
without redirections. I speak of localhost addresses. Not just
127.0.0.1, but 127.0.0.0/8. There's no reason to use unusual ports.

So. You can run a recursive resolver, an authoritative server, and a few
(or a lot) selectively poisoned forwarding resolvers (for DNS
filtering), each on their own 127/8 address, and use PF or unbound to
select which one a particular user gets access to.

# ifconfig lo0 alias 127.0.0.2 netmask 255.255.255.255
$ ifconfig lo0
lo0: flags=8049<UP,LOOPBACK,RUNNING,MULTICAST> mtu 32768
        index 3 priority 0 llprio 3
        groups: lo
        inet6 ::1 prefixlen 128
        inet6 fe80::1%lo0 prefixlen 64 scopeid 0x3
        inet 127.0.0.1 netmask 0xff000000
        inet 127.0.0.2 netmask 0xffffffff

NSD/UNBOUND require rethinking a lot of wrong ideas that BIND permitted
and encouraged for years.

Nick.
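The layout Nick describes (one authoritative server, one recursive resolver and one filtering resolver, each on its own 127/8 alias, with PF and unbound deciding which clients reach which) as a set of added configuration excerpts; these are not from the thread or from either project's own documentation. The zone name home.example, the filtered name ads.example, the networks 192.168.1.0/24 (trusted) and 192.168.2.0/24 (guests), and the file paths are assumptions for illustration.

```conf
# /etc/hostname.lo0  -- make the extra loopback aliases survive a reboot
# (equivalent to the ifconfig alias commands in the mail)
inet alias 127.0.0.2 255.255.255.255
inet alias 127.0.0.3 255.255.255.255

# /var/nsd/etc/nsd.conf  -- authoritative for the internal zone only,
# reachable solely on 127.0.0.2 so it never depends on pppoe0 being up
server:
    ip-address: 127.0.0.2
    hide-version: yes
zone:
    name: "home.example"
    zonefile: "home.example.zone"

# /var/unbound/etc/unbound.conf  -- recursive resolver for trusted hosts
server:
    interface: 127.0.0.1
    access-control: 192.168.1.0/24 allow      # assumed trusted LAN
    access-control: 0.0.0.0/0 refuse
    do-not-query-localhost: no                # required to reach NSD on 127.0.0.2
stub-zone:
    name: "home.example"
    stub-addr: 127.0.0.2

# /var/unbound/etc/unbound-filter.conf  -- second unbound instance for guests,
# started with: unbound -c /var/unbound/etc/unbound-filter.conf
server:
    interface: 127.0.0.3
    pidfile: "/var/unbound/etc/unbound-filter.pid"   # must differ from the first instance
    access-control: 192.168.2.0/24 allow      # assumed guest network
    access-control: 0.0.0.0/0 refuse
    do-not-query-localhost: no
    local-zone: "ads.example." always_nxdomain  # the "selective poisoning" for filtering
stub-zone:
    name: "home.example"
    stub-addr: 127.0.0.2

# /etc/pf.conf (excerpt)  -- PF picks the resolver: guests are forced onto the
# filtering instance whatever server they ask for; trusted hosts keep 127.0.0.1
int_if = "em1"
guest_net = "192.168.2.0/24"
pass in quick on $int_if inet proto { tcp udp } from $guest_net to any port domain rdr-to 127.0.0.3
pass in quick on $int_if inet proto { tcp udp } from 192.168.1.0/24 to 127.0.0.1 port domain
block in on $int_if inet proto { tcp udp } from any to any port domain
```

Check each listener separately with dig @127.0.0.1, @127.0.0.2 and @127.0.0.3 from the box itself before trusting the PF rules; the authoritative instance should answer only for home.example and the filtering instance should return NXDOMAIN for ads.example.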