Re: [DNG] Unbound details: was Mozilla and cloudflare to hijack all your DNS requests - for your own good of course
Quoting Steve Litt (sl...@troubleshooters.com):

> The syntax isn't "stub zone", it's "local zone". They use the "stub
> zone" syntax for something else. Thank you for turning me on to Unbound
> --- it's twice as easy as Bind9 and djbdns.

You're very welcome.

I quote below (in part) the documentation at
https://nlnetlabs.nl/documentation/unbound/unbound.conf/ , entry for
'stub zone options':

  The stub zone can be used to configure authoritative data to be used
  by the resolver that cannot be accessed using the public internet
  servers. This is useful for company-local data or private zones.
  Setup an authoritative server on a different host (or different
  port). Enter a config entry for unbound with stub-addr: . The
  unbound resolver can then access the data, without referring to the
  public internet for it.

Sounds relevant, but you be the judge. Having never needed to use
Unbound for anything but pure recursive-server duty, I've not yet
bothered to sort these other features out.

I gather that the keyword 'local-zone' has this function:

  Consider adding server: statements for domain-insecure: and for
  local-zone: name nodefault for the zone if it is a locally served
  zone. The insecure clause stops DNSSEC from invalidating the zone.
  The local zone nodefault (or transparent) clause makes the
  (reverse-) zone bypass unbound's filtering of RFC1918 zones.

But I'd have to read up before understanding what 'filtering of RFC1918
zones' refers to specifically.

Me, I like to just keep authoritative and recursive functions totally
separate.

___
Dng mailing list
Dng@lists.dyne.org
https://mailinglists.dyne.org/cgi-bin/mailman/listinfo/dng
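As an added illustration of the two mechanisms Rick quotes above (this is example code written for this archive, not Rick's, Steve's or NLnet Labs' code), the shell functions below print unbound.conf fragments for the two ways of serving a LAN zone: gen_local_zone answers the zone straight from local-zone/local-data, and gen_stub_zone hands it to a separate authoritative server such as NSD via stub-zone/stub-addr, the arrangement Steve describes later in the thread. The "filtering of RFC1918 zones" Rick wonders about is Unbound's built-in set of empty AS112-style default zones for the private reverse ranges (10.in-addr.arpa, 168.192.in-addr.arpa and so on), which answer NXDOMAIN; declaring your own local-zone for that name replaces the default, which is what the docs' nodefault/transparent advice is about. access-control is limited to loopback plus the LAN rather than the 0.0.0.0/0 allow_snoop in Steve's tuning config later in the thread, since the latter makes any host reachable from outside an open resolver that also answers non-recursive cache-snooping queries. The zone name "lan", the 192.168.1.0/24 subnet, the host list, the 127.0.0.1@10053 stub address and the Debian/Devuan include directory are constructed or assumed values.

```shell
#!/bin/sh
# Added example (not from the thread, not NLnet Labs' code): print
# unbound.conf fragments for a small LAN zone, either served from
# local-data or delegated to an authoritative server via stub-zone.

# gen_local_zone ZONE REVERSE_ZONE LAN_CIDR "host ip" ["host ip" ...]
gen_local_zone() {
    zone=$1
    rev=$2
    lan=$3
    shift 3
    cat <<EOF
server:
    # Who may ask: loopback and the LAN. Everything else stays at
    # Unbound's default of refuse, so this is never an open resolver.
    access-control: 127.0.0.0/8 allow
    access-control: ${lan} allow

    # unbound.conf's own advice for a locally served zone: the
    # validator will not try to prove a zone that exists only here.
    domain-insecure: "${zone}."

    # static: answer from local-data, NXDOMAIN for any other name in
    # the zone, so unknown LAN names are never sent to the Internet.
    local-zone: "${zone}." static

    # Unbound ships the RFC1918 reverse zones as empty (AS112-style)
    # default zones answering NXDOMAIN. Declaring the zone ourselves
    # turns that default off (as 'nodefault' would) and serves our PTRs.
    local-zone: "${rev}." static

    # Rebinding protection: LAN addresses in answers from the Internet
    # are dropped, except under our own domain.
    private-address: ${lan}
    private-domain: "${zone}."
EOF
    for pair in "$@"; do
        name=${pair%% *}
        ip=${pair#* }
        printf '    local-data: "%s.%s. A %s"\n' "$name" "$zone" "$ip"
        printf '    local-data-ptr: "%s %s.%s"\n' "$ip" "$name" "$zone"
    done
}

# gen_stub_zone ZONE STUB_ADDR   (STUB_ADDR may carry @port, e.g. 127.0.0.1@10053)
# Sends queries for ZONE to a separate authoritative server (e.g. NSD)
# instead of the public Internet.
gen_stub_zone() {
    zone=$1
    addr=$2
    printf 'server:\n'
    printf '    domain-insecure: "%s."\n' "$zone"
    case $addr in
        127.*|::1|::1@*)
            # Unbound refuses to query loopback addresses by default;
            # an authoritative server on 127.0.0.1@port needs this off.
            printf '    do-not-query-localhost: no\n' ;;
    esac
    printf '\nstub-zone:\n    name: "%s."\n    stub-addr: %s\n' "$zone" "$addr"
}

# Stand-alone use (Debian/Devuan layout assumed: unbound.conf includes
# /etc/unbound/unbound.conf.d/*.conf); the sample LAN values are constructed.
case "${1:-}" in
    lan)
        gen_local_zone lan 168.192.in-addr.arpa 192.168.1.0/24 \
            "gw 192.168.1.1" "nas 192.168.1.10" \
            > /etc/unbound/unbound.conf.d/lan.conf && unbound-checkconf ;;
    stub)
        gen_stub_zone lan 127.0.0.1@10053 \
            > /etc/unbound/unbound.conf.d/lan-stub.conf && unbound-checkconf ;;
esac
```

Run it as `sh lanzone.sh lan` or `sh lanzone.sh stub`; either way unbound-checkconf validates the fragment before the daemon is reloaded. Pick one of the two: with local-data the records live in unbound.conf, with a stub zone they live in NSD's zone file and Unbound only needs to know where to ask.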
Re: [DNG] Unbound details: was Mozilla and cloudflare to hijack all your DNS requests - for your own good of course
On Thu, 6 Sep 2018 17:34:37 -0700
Rick Moen wrote:

> Quoting Steve Litt (sl...@troubleshooters.com):
>
> > I've found the way for Unbound itself to do simple on-subnet auth
> > without a separate auth server, and will reveal them tomorrow.
>
> That is doubtless the 'stub zone' functionality I mentioned in
> http://linuxmafia.com/faq/Network_Other/dns-servers.html#unbound ,
> after seeing it in the documentation. (I've never needed it, so never
> read up on how it works.)

The syntax isn't "stub zone", it's "local zone". They use the "stub
zone" syntax for something else. Thank you for turning me on to Unbound
--- it's twice as easy as Bind9 and djbdns.

I'm right now writing dual web pages on nginx and Unbound, that contain
how to do simple stuff with each and both. I'll post the link when done.

Thanks,

SteveT

Steve Litt
September 2018 featured book: Quit Joblessness: Start Your Own Business
http://www.troubleshooters.com/startbiz
Re: [DNG] Unbound details: was Mozilla and cloudflare to hijack all your DNS requests - for your own good of course
Quoting Steve Litt (sl...@troubleshooters.com):

> I've found the way for Unbound itself to do simple on-subnet auth
> without a separate auth server, and will reveal them tomorrow.

That is doubtless the 'stub zone' functionality I mentioned in
http://linuxmafia.com/faq/Network_Other/dns-servers.html#unbound ,
after seeing it in the documentation. (I've never needed it, so never
read up on how it works.)
Re: [DNG] Unbound details: was Mozilla and cloudflare to hijack all your DNS requests - for your own good of course
I've found the way for Unbound itself to do simple on-subnet auth
without a separate auth server, and will reveal them tomorrow.

Thanks.

SteveT

On Sun, 19 Aug 2018 21:22:40 -0400
Steve Litt wrote:

> On Tue, 7 Aug 2018 13:27:25 -0700
> Rick Moen wrote:
>
> > Most highly rated comment:
> >
> > I run my own local recursive nameservers even on my portable
> > devices. Totally not interested in using anyone's resolvers but my
> > own.
> >
> > Ding!
> >
> > 1. apt-get install unbound
> > 2. sed -i '1s;^;nameserver 127.0.0.1\n;' /etc/resolv.conf
>
> So it's been about 2 weeks I've been using unbound, and subjectively,
> my web browsing has slowed, compared to the straight 8.8.8.8 and
> 8.8.4.4 I used before. Sometimes the browser's status bar says
> "resolving" during those delays, and sometimes it doesn't.
>
> It's been about 4 or 5 years since I last used djbdns, but IIRC I
> didn't have such delays with djbdns.
>
> So there may come a time when I'll be asking you for the name of a
> different caching DNS server. But first, I just five minutes ago read
> the info on:
>
> https://nlnetlabs.nl/documentation/unbound/howto-optimise/
>
> and based on that configured my 2 core, 16gRAM Daily Driver Desktop as
> follows:
>
> ### BE SURE to use unbound-checkconf
> ### before enabling a changed conf file!
>
> # FORWARD-ZONE SECTION
> # The following is how you query google DNS instead of root servers
> # I chose to query the root servers and commented it out.
> #forward-zone:
> #    name: "."
> #    forward-addr: 8.8.8.8
> #    forward-addr: 8.8.4.4
>
> # REMOTE-CONTROL SECTION!!
> # Enable use of unbound-control
> # Remote control is very, very useful
> # Use judgement re security
> # Use doublequotes on filenames, unbound should read them
> # from /etc/unbound
> # Create keys and certs by running unbound-control-setup
> remote-control:
>     control-enable: yes
>     control-use-cert: yes
>     server-key-file: "unbound_server.key"
>     server-cert-file: "unbound_server.pem"
>     control-key-file: "unbound_control.key"
>     control-cert-file: "unbound_control.pem"
>
> # SERVER SECTION!!
> server:
>     use-syslog: yes
>
>     # Guard against future default changes: no systemd ever!
>     use-systemd: no
>
>     # Speed UDP
>     so-reuseport: yes
>
>     # use all CPU cores, I have 1 CPU with 2 cores
>     num-threads: 2
>
>     # power of 2 close to num-threads
>     msg-cache-slabs: 2
>     rrset-cache-slabs: 2
>     infra-cache-slabs: 2
>     key-cache-slabs: 2
>
>     # more cache memory, rrset=msg*2
>     rrset-cache-size: 100m
>     msg-cache-size: 50m
>
>     # more outgoing connections
>     # depends on number of cores: 1024/cores - 50
>     outgoing-range: 450
>
>     # Larger socket buffer.
>     # OS may need config, so I don't use it
>     #so-rcvbuf: 4m
>     #so-sndbuf: 4m
>
>     # Faster UDP with multithreading (only on Linux).
>     so-reuseport: yes
>
>     # Other stuff, see
>     # https://www.tecmint.com/setup-dns-cache-server-in-centos-7/
>     # Enable dig command with allow_snoop
>     access-control: 0.0.0.0/0 allow_snoop
>
> The preceding assumes you have quite a bit of RAM, and it's based on
> having 2 cores.
>
> Subjectively, the preceding configuration improved my lookup speed.
>
> Everyone please understand that as far as I know, there's no automatic
> storage of cache to disk before a reboot or before downing, restarting
> or reloading unbound. Do any of those things and you lose all cache,
> so web browsing will be slow when hitting any website, including ones
> that came right up before your action. For debugging purposes, I
> created the following shellscript:
>
> ==
> #!/bin/sh
> rm temp.cache
> unbound-control dump_cache > temp.cache
> #unbound-control reload
> unbound-control stop
> unbound-control start
> unbound-control load_cache < temp.cache
> ==
>
> In the preceding, users of runit should substitute "sv stop unbound"
> and "sv start unbound" for the equivalent unbound-control commands:
> Works much better and really dumps cache before the cache reload.
>
> The preceding completely restarts unbound without a significant loss
> of cache (but with a full reread of /etc/unbound/unbound.conf. Notice
> that unbound seems to poll its config file, because changes you make
> to /etc/unbound/unbound.conf *sometimes* produce changed behavior
> immediately, without rereading, restarting hupping, etc. By the way, I
> couldn't find anywhere documentation on what it does when receiving a
> hup. I do know from runit that hupping doesn't stop and restart,
> because the uptime doesn't change.
>
> Lookup speed is very important when web browsing because modern
> websites access many, many domains. For instance, when I
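An added, more defensive version of the cache-preserving restart Steve quotes above (example code written for this archive, not Steve's script). It keeps his dump/stop/start/load sequence and his runit substitution, and adds three things a practitioner wants: unbound-checkconf runs before the resolver goes down so a broken unbound.conf cannot leave the host without DNS; the dump goes into a private mktemp directory with umask 077 rather than temp.cache in the working directory, because load_cache feeds that file back in as trusted cache contents and a file another user could edit is a cache-injection path; and load_cache is delayed until unbound-control status answers, since loading before the daemon listens again silently loses the cache. It assumes remote-control is enabled as in Steve's config. The command-name variables (UNBOUND_CONTROL, UNBOUND_CHECKCONF, SV) are an assumption added here so the sequence can be exercised with stand-ins; they are not an Unbound convention.

```shell
#!/bin/sh
# Added example (written for this archive, not Steve's script): restart
# Unbound while carrying its cache across the restart, with the config
# checked first, the dump kept private, and load_cache delayed until the
# control socket answers again. Command names are overridable variables
# (an assumption for testability, not an Unbound convention).
set -eu

UNBOUND_CONTROL=${UNBOUND_CONTROL:-unbound-control}
UNBOUND_CHECKCONF=${UNBOUND_CHECKCONF:-unbound-checkconf}
SV=${SV:-sv}
SVDIR=${SVDIR:-/etc/service}   # runit's service directory

# Under runit the supervisor must do the stop/start (runsv would just
# restart a daemon that exits); elsewhere unbound-control can do it.
have_runit() { [ -d "$SVDIR/unbound" ]; }
stop_unbound()  { if have_runit; then $SV stop unbound;  else $UNBOUND_CONTROL stop;  fi; }
start_unbound() { if have_runit; then $SV start unbound; else $UNBOUND_CONTROL start; fi; }

# Poll the control channel: a load_cache sent before the daemon listens
# again fails and the dump is lost.
wait_for_control() {
    tries=0
    while ! $UNBOUND_CONTROL status >/dev/null 2>&1; do
        tries=$((tries + 1))
        if [ "$tries" -ge 10 ]; then
            echo "unbound did not come back within 10s" >&2
            return 1
        fi
        sleep 1
    done
}

restart_unbound_keeping_cache() {
    # Never take the only resolver down for a config that will not load.
    $UNBOUND_CHECKCONF

    # load_cache treats the file as trusted cache contents, so keep the
    # dump where nobody else can write it: 0700 directory, 0600 file.
    umask 077
    tmpdir=$(mktemp -d)
    trap 'rm -rf "$tmpdir"' EXIT
    dump=$tmpdir/unbound.cache

    $UNBOUND_CONTROL dump_cache > "$dump"
    stop_unbound
    start_unbound
    wait_for_control
    $UNBOUND_CONTROL load_cache < "$dump"

    rm -rf "$tmpdir"
    trap - EXIT
}

# Run as: sh restart-unbound.sh run   (without "run" it only defines functions)
case "${1:-}" in
    run) restart_unbound_keeping_cache ;;
esac
```

Note that the check catches syntax and option errors only; a config that parses but points at the wrong interface still comes up broken, which is why the status poll has a timeout instead of waiting forever.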
Re: [DNG] Unbound details: was Mozilla and cloudflare to hijack all your DNS requests - for your own good of course
Quoting Renaud (Ron) OLGIATI (ren...@olgiati-in-paraguay.org):

> Sadly, Debian and Devuan have nothing that compares with the Drak* tools.

Standards of what are desirable tools for system administration, They
Do Differ[tm]. On that foundation (diversity of opinions) we derive
horse racing, among other accomplishments of civilisation. ;->
Re: [DNG] Unbound details: was Mozilla and cloudflare to hijack all your DNS requests - for your own good of course
Quoting Renaud (Ron) OLGIATI (ren...@olgiati-in-paraguay.org):

> If you are looking for a distro with easy-to-use GUI interface, and
> without systemd, you might consider PCLinuxOS, and its suite of Drak*
> configuration apps inherited from Mandrake / Mandriva / Mageia.

Or one can use Devuan. It runs bash in xterms. ;->

--
Cheers,              "I am a member of a civilization (IAAMOAC). Step back
Rick Moen            from anger. Study how awful our ancestors had it, yet
r...@linuxmafia.com  they struggled to get you here. Repay them by appreciating
McQ! (4x80)          the civilization you inherited." -- David Brin
Re: [DNG] Unbound details: was Mozilla and cloudflare to hijack all your DNS requests - for your own good of course
On Tue, 21 Aug 2018 22:04:36 +0100
Simon Hobson wrote:

> Ouch - like I said, the message is clear that they don't want to support and
> promote it. Given that one of the main reasons for people to run OS X Server
> is for the "easy to use GUI", I'd say that it pretty well removes most of the
> reasons for using it rather than the "harder to use"* Linux/BSD/Whatever
> alternatives.

If you are looking for a distro with easy-to-use GUI interface, and
without systemd, you might consider PCLinuxOS, and its suite of Drak*
configuration apps inherited from Mandrake / Mandriva / Mageia.

Cheers,

Ron.
--
The magic of our first love is our ignorance that it can ever end.
-- Benjamin Disraeli
-- http://www.olgiati-in-paraguay.org --
Re: [DNG] Unbound details: was Mozilla and cloudflare to hijack all your DNS requests - for your own good of course
Quoting wirelessd...@gmail.com (wirelessd...@gmail.com):

> I'm not much of a BIND9 expert, so I'll happily try out something else
> if it's considered to be more secure.

I concur with Steve's comments about the desirability of separating
recursive service from authoritative service -- and I _am_ a BIND9
longtime admin. ;->
Re: [DNG] Unbound details: was Mozilla and cloudflare to hijack all your DNS requests - for your own good of course
Quoting wirelessd...@gmail.com (wirelessd...@gmail.com):

> I want to switch from macOS Server to unbound for a local LAN DNS as
> its DNS features will be deprecated soon, but my reading tells me that
> unbound only acts as a recursive nameserver, not authoritative.
>
> What’s the general consensus on a good authoritative server to pair
> with unbound?

NSD, from the same authors. IMO.

If you can run those distinct functions (authoritative and recursive)
on different IPs, good, and that's recommended security practice in any
event. (The recursive server logically should be an inside machine and
well protected.) If you cannot, then there are a couple of different
ways of running both daemons on the same IP. My favourite at the moment
is to use dnsproxy.

But you said 'local LAN DNS'. This leaves me wondering whether you
really need a full-blown authoritative server for that use-case. In
case you were unaware, Unbound does do "stub-zones", which might be
enough for your local-LAN needs.

> I can see both knot and nsd are packaged in devuan, but have no
> experience with any outside BIND9 and macOS.

I respect Knot DNS, but have no direct experience with it.
Re: [DNG] Unbound details: was Mozilla and cloudflare to hijack all your DNS requests - for your own good of course
Quoting Steve Litt (sl...@troubleshooters.com):

> So it's been about 2 weeks I've been using unbound, and subjectively,
> my web browsing has slowed, compared to the straight 8.8.8.8 and
> 8.8.4.4 I used before. Sometimes the browser's status bar says
> "resolving" during those delays, and sometimes it doesn't.
>
> It's been about 4 or 5 years since I last used djbdns, but IIRC I
> didn't have such delays with djbdns.

It couldn't hurt to compare results among recursive nameservers
available on Linux. FWIW, I've never seen either Unbound or any other
such software display symptoms such as you imply -- with the exception
of cases where the nameserver repeatedly tried IPv6-based resolution,
that timed out, and the nameserver fell back on IPv4-based
resolution.[1]

Open-source (and maintained) recursive nameservers for Linux, from my
bestiary (http://linuxmafia.com/faq/Network_Other/dns-servers.html):

o BIND9 (recursive functionality thereof)
o dnscache from djbdns
o Deadwood (next-generation effort from the MaraDNS author)
o PowerDNS Recursor
o Unbound

I'm not including the MaraDNS suite in the above list on grounds of
redundancy, because the suite's current recursive module _is_ Deadwood
by default, and used for recursive service unless you go out of your
way to substitute/enable the prior MaraDNS recursive code (not
recommended).

I commend you for trying to optimise Unbound's configuration. For
whatever reason, I've not felt a need to, to date. (It's always Just
Worked[tm], and the RAM/CPU load has been so low that performance
tuning has seemed pointless.)

[1] The best tool for figuring out DNS problems tends IMO to be 'dig'.
Please note its '-4' and '-6' switches to force IPv4 and IPv6 query
modes. The +tcp flag is sometimes also useful for diagnosis by
overcoming the UDP default for most operations, thereby exposing
firewalling blunders.
Re: [DNG] Unbound details: was Mozilla and cloudflare to hijack all your DNS requests - for your own good of course
wirelessd...@gmail.com wrote:

>> Most of the services are disappearing from the macOS Server app,
>> making it almost useless for a home server environment.
>> https://support.apple.com/en-au/HT208312

Ouch - like I said, the message is clear that they don't want to
support and promote it. Given that one of the main reasons for people
to run OS X Server is for the "easy to use GUI", I'd say that it pretty
well removes most of the reasons for using it rather than the "harder
to use"* Linux/BSD/Whatever alternatives.

* I'm sure most of us don't consider it "hard", but with OS X Server
that is (or was) a level of integration that makes it "point and click"
easy for a non-technical user to (for example) add a new user, give
them an email account, give them permissions to use the VPN "dial in",
and so on.

>> Since it's running on an ancient Mac Mini, I'm considering ditching
>> that server and switching to something more power-conservative (RPi?)
>> running Devuan.

I don't think I'd want to use a RPi for a server - given that it
doesn't have any "proper" disk or network interface. There are
alternatives that include things like gigabit ethernet and SATA that
don't run over USB.
https://www.techrepublic.com/pictures/raspberry-pi-style-computers-the-newest-boards-you-can-buy/
Re: [DNG] Unbound details: was Mozilla and cloudflare to hijack all your DNS requests - for your own good of course
Forgetting to hit reply-all :D

On Tue, 21 Aug 2018 at 13:20, wrote:
>
> > I haven't been following OSX Server, so they are dropping DNS now ? It's
> > always seemed like the unwanted stepchild, not really promoted or
> > developed, and with no proper server hardware to run it on (I used to
> > manage two of the original XServes with 10.3 in the past).
> > Is BIND in OSX Ports or Fink ?
>
> Most of the services are disappearing from the macOS Server app,
> making it almost useless for a home server environment.
> https://support.apple.com/en-au/HT208312
>
> Since it's running on an ancient Mac Mini, I'm considering ditching
> that server and switching to something more power-conservative (RPi?)
> running Devuan.
>
> --Tom
Re: [DNG] Unbound details: was Mozilla and cloudflare to hijack all your DNS requests - for your own good of course
Forgetting to hit reply-all :D

On Tue, 21 Aug 2018 at 13:24, wrote:
>
> On Tue, 21 Aug 2018 at 08:15, Steve Litt wrote:
> >
> > There are disadvantages to having the same software do both auth and
> > cache, and BIND is a big honkin complexity. See the djbdns
> > documentation for details. I think that's why the OP wanted unbound in
> > the first place.
> >
> > The unbound man page mentions nsd as an auth server companion to
> > unbound.
> >
> > I couldn't exactly understand the docs, but it sounds to me like you
> > set up nsd on the machine's IP address and unbound either on 127.0.0.1
> > or on an alias of your machine's IP address. Then, to unbound.conf, you
> > add a stub zone that points to your nsd server's address.
> >
> > SteveT
>
> Thanks Steve,
>
> I'm not much of a BIND9 expert, so I'll happily try out something else
> if it's considered to be more secure.
>
> I've found some potentially useful docs on the Arch linux wiki which I
> will go through to try and configure a nsd/unbound setup.
>
> https://wiki.archlinux.org/index.php/Nsd
> https://wiki.archlinux.org/index.php/Unbound
>
> --Tom
Re: [DNG] Unbound details: was Mozilla and cloudflare to hijack all your DNS requests - for your own good of course
On Mon, 20 Aug 2018 11:15:49 +0100
Simon Hobson wrote:

> wirelessd...@gmail.com wrote:
>
> > What’s the general consensus on a good authoritative server to pair
> > with unbound?
> >
> > I can see both knot and nsd are packaged in devuan, but have no
> > experience with any outside BIND9 and macOS.
>
> Well as you already have experience with BIND9 (and presumably, a
> working config) then it would be logical to stick with that. I would
> suggest just using the one package for both authoritative and
> recursive queries rather than running two packages which would mean
> binding them to different IPs so they don't fight over port 53 on the
> same IP.

There are disadvantages to having the same software do both auth and
cache, and BIND is a big honkin complexity. See the djbdns
documentation for details. I think that's why the OP wanted unbound in
the first place.

The unbound man page mentions nsd as an auth server companion to
unbound.

I couldn't exactly understand the docs, but it sounds to me like you
set up nsd on the machine's IP address and unbound either on 127.0.0.1
or on an alias of your machine's IP address. Then, to unbound.conf, you
add a stub zone that points to your nsd server's address.

SteveT

Steve Litt
September 2018 featured book: Quit Joblessness: Start Your Own Business
http://www.troubleshooters.com/startbiz
Re: [DNG] Unbound details: was Mozilla and cloudflare to hijack all your DNS requests - for your own good of course
wirelessd...@gmail.com wrote:

> I want to switch from macOS Server to unbound for a local LAN DNS as its DNS
> features will be deprecated soon, but my reading tells me that unbound only
> acts as a recursive nameserver, not authoritative.
>
> What’s the general consensus on a good authoritative server to pair with
> unbound?
>
> I can see both knot and nsd are packaged in devuan, but have no experience
> with any outside BIND9 and macOS.

Well as you already have experience with BIND9 (and presumably, a
working config) then it would be logical to stick with that. I would
suggest just using the one package for both authoritative and recursive
queries rather than running two packages which would mean binding them
to different IPs so they don't fight over port 53 on the same IP.

I haven't been following OSX Server, so they are dropping DNS now ? It's
always seemed like the unwanted stepchild, not really promoted or
developed, and with no proper server hardware to run it on (I used to
manage two of the original XServes with 10.3 in the past).
Is BIND in OSX Ports or Fink ?
Re: [DNG] Unbound details: was Mozilla and cloudflare to hijack all your DNS requests - for your own good of course
> On Tue, 7 Aug 2018 13:27:25 -0700
> Rick Moen wrote:
>
>> Most highly rated comment:
>>
>> I run my own local recursive nameservers even on my portable
>> devices. Totally not interested in using anyone's resolvers but my
>> own.
>>
>> Ding!
>>
>> 1. apt-get install unbound
>> 2. sed -i '1s;^;nameserver 127.0.0.1\n;' /etc/resolv.conf

I want to switch from macOS Server to unbound for a local LAN DNS as
its DNS features will be deprecated soon, but my reading tells me that
unbound only acts as a recursive nameserver, not authoritative.

What’s the general consensus on a good authoritative server to pair
with unbound?

I can see both knot and nsd are packaged in devuan, but have no
experience with any outside BIND9 and macOS.

—Tom