On Fri, Oct 22, 2021 at 08:38:40AM +1000, Simon Wilson wrote:

> I have now set up Unbound as a caching name server on the Postfix
> server so it can resolve *anything*, but with Unbound configured to
> fwd to my local network BIND server for local domain addresses
> (private-address, private-domain, local-zone, stub-zone, etc.).
Running a local resolver on the MTA is a best practice, even if most
queries are forwarded to something on the LAN, ... Unbound is a good
choice, and supports both stub zones and selective forwarding with
reasonably simple configuration clauses. With validation enabled on
the local resolver, you can also enable DANE. Just make sure that
127.0.0.1 is the only resolver in /etc/resolv.conf.

Also, until some happy day when systemd-resolved is a well thought-out
and implemented DNS server, make all reasonable effort to avoid it, and
also dnsmasq. Use a real nameserver (unbound, BIND, or Knot).

-- 
Viktor.
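An added example (not from either poster) of the layout described in this exchange: Unbound validating and caching for everything, a stub zone handing the local domain and its reverse zone to the LAN BIND server, resolv.conf pointing only at loopback, and Postfix DANE turned on. Three files are shown in one block, separated by comments; the domain example.internal, the BIND address 192.168.1.10 and the trust-anchor path are constructed placeholders.

```conf
# /etc/unbound/unbound.conf  (constructed example; adjust names, addresses, paths)
server:
    interface: 127.0.0.1
    interface: ::1
    access-control: 127.0.0.0/8 allow
    access-control: ::1 allow
    # DNSSEC validation; Postfix only trusts TLSA records for DANE when the
    # resolver sets the AD bit on the answer
    auto-trust-anchor-file: "/var/lib/unbound/root.key"
    # Refuse RFC 1918 addresses in answers from the public DNS (rebinding
    # protection) ...
    private-address: 10.0.0.0/8
    private-address: 172.16.0.0/12
    private-address: 192.168.0.0/16
    # ... but allow the local domain to return private addresses
    private-domain: "example.internal"
    # The local zones are unsigned and not delegated from the root, so the
    # validator must not demand a chain of trust for them
    domain-insecure: "example.internal"
    domain-insecure: "1.168.192.in-addr.arpa"
    # Unbound answers RFC 1918 reverse zones with empty replies by default;
    # lift that default so the reverse lookups reach the stub zone below
    local-zone: "1.168.192.in-addr.arpa." nodefault

# Forward and reverse local zones go to the LAN BIND server, which is
# authoritative for them (use forward-zone instead if BIND is a recursor)
stub-zone:
    name: "example.internal"
    stub-addr: 192.168.1.10
stub-zone:
    name: "1.168.192.in-addr.arpa"
    stub-addr: 192.168.1.10

# /etc/resolv.conf: loopback must be the only entry; a second, non-validating
# nameserver would be used as a fallback and silently defeat DNSSEC and DANE
nameserver 127.0.0.1

# /etc/postfix/main.cf: opportunistic DANE, which depends on the validating
# resolver above
smtp_dns_support_level = dnssec
smtp_tls_security_level = dane
```

Run `unbound-checkconf` after editing, and confirm validation works by querying a signed name through 127.0.0.1 and checking that the reply carries the AD flag.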