Re: DNS Google ?

2011-11-24 Thread Gregory Edigarov
On Wed, 23 Nov 2011 21:18:29 + (UTC)
Stuart Henderson s...@spacehopper.org wrote:

 On 2011-11-23, Gregory Edigarov g...@bestnet.kharkov.ua wrote:
  so when unbound is going to hit the base?
 
 when someone who is capable of and interested in integrating it has
 the time to do the work.
 
well, if i understand it correctly, steps would be like these:
1. write Makefile.bsd-wrapper
2. give it somebody with a commit bit to test and approve
3. test builds on all platforms
4. commit changes into tree
5. connect unbound to main build.
correct?



Re: DNS Google ?

2011-11-24 Thread Stuart Henderson
On 2011-11-24, Gregory Edigarov g...@bestnet.kharkov.ua wrote:
 On Wed, 23 Nov 2011 21:18:29 + (UTC)
 Stuart Henderson s...@spacehopper.org wrote:

 On 2011-11-23, Gregory Edigarov g...@bestnet.kharkov.ua wrote:
  so when unbound is going to hit the base?
 
 when someone who is capable of and interested in integrating it has
 the time to do the work.
 
 well, if i understand it correctly, steps would be like these:
 1. write Makefile.bsd-wrapper
 2. give it somebody with a commit bit to test and approve
 3. test builds on all platforms
 4. commit changes into tree
 5. connect unbound to main build.
 correct?

You're missing some parts about how to handle the libraries (which we
don't want to install as shared libs), and what to do with the BIND tools
which people pretty much expect to have (dig/host/nslookup).

Also there are some questions about how to handle it in the startup
scripts, like: do we run unbound-anchor automatically? if so, how do
we handle possibly not having working DNS at that time to resolve
data.iana.org? do we automatically generate unbound-control keys?
if so, where should that be done? ...



Re: DNS Google ?

2011-11-23 Thread Stuart Henderson
On 2011-11-22, Chris Cappuccio ch...@nmedia.net wrote:
 i haven't tried dnscache for at least 5 years, i'm sure things have improved 
 there.

ha, ha ha. The last release was 10 years ago. I see some uses for the other
components of djbdns (although there are better alternatives in most cases)
but dnscache has always been the worst of the bunch. Don't make your users
suffer that much...

 i was really impressed with unbound

yep.



Re: DNS Google ?

2011-11-23 Thread Stuart Henderson
 BIND lumps these two functions together, with the effect of confusing
 people, but they are really two separate tasks...

It allows you to lump these two functions together (not sure if this is
still true about BIND 10), but it is still recommended to split them.

 Unless I'm misreading you, what you say doesn't make much sense. It
 has its use-case, fine; when you just need the resolver. e.g., typical
 home user where s/he doesn't host domains. But at this point you might
 as well use your ISP's DNS service -- it's not reliable? that's a
 different issue and not one you should set out to solve for every
 one out there.

 But for a small business where they have their own domain, running
 an authoritative DNS server, and local users using the intertubes,
 that service needs to also do the recursive lookups.

 The setup you suggest is more involved. Two servers: one resolving,
 and the other dealing w/the authoritative responses.

For anything other than hosting your *own* domains on, it really is
better to split. Otherwise what happens is domains get transferred away,
NS changes made, etc, and you end up with out-of-date zone data.
Lots of ISPs used to do this and it was a really big problem.
Separating authoritative + resolving nameserver instances has long
been the recommended practice.

For serving just a few records (like local servers on a home or small
business network), then unbound is perfectly useful on its own, you can
add these with local-zone and local-data lines in the configuration.
This is a good compromise; it's actually easier to set up in the
simple case, but a bit unwieldy in the case with large amounts of
data which encourages you to configure a separate daemon (which is
a good thing).
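As an added illustration of the configuration Stuart describes (a few local records in unbound itself, the real zone in a separate authoritative daemon, which Nick Holland later in the thread suggests running on localhost), here is an unbound.conf fragment. It is not from the thread or the unbound project; the addresses (192.0.2.0/24), the zone names (home.example, corp.example) and the idea that an nsd instance listens on 127.0.0.1 are assumptions chosen for the example.

```conf
# Added example, not from the thread. Addresses and zone names are
# assumptions taken from the documentation ranges (192.0.2.0/24, *.example).
server:
    # The resolver listens on the LAN-facing address; the authoritative
    # daemon (nsd, for instance) is assumed to sit on 127.0.0.1 port 53.
    interface: 192.0.2.1

    # Only answer recursive queries from the local network, so the box
    # never becomes an open resolver.
    access-control: 192.0.2.0/24 allow
    access-control: 0.0.0.0/0 refuse

    # A handful of local records served by unbound itself, no second
    # daemon needed. "static" returns NXDOMAIN for other names in the zone
    # instead of sending them out to the Internet.
    local-zone: "home.example." static
    local-data: "gw.home.example.      IN A 192.0.2.1"
    local-data: "printer.home.example. IN A 192.0.2.10"
    local-data-ptr: "192.0.2.10 printer.home.example"

    # By default unbound refuses to send queries to 127.0.0.1; the stub
    # zone below needs that switched off.
    do-not-query-localhost: no

# The company's real zone lives in the separate authoritative daemon.
# unbound asks it for corp.example and caches the answers with their TTLs;
# if the zone is later moved away, only this stanza changes and the
# resolver never holds stale zone data of its own.
stub-zone:
    name: "corp.example."
    stub-addr: 127.0.0.1
```

Run unbound-checkconf(8) on the file before starting the daemon, and check the two paths separately: a query for printer.home.example should be answered from local-data without any upstream traffic, while a name under corp.example should be answered only if the authoritative daemon on 127.0.0.1 is up.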



Re: DNS Google ?

2011-11-23 Thread Gregory Edigarov
On Wed, 23 Nov 2011 10:44:38 + (UTC)
Stuart Henderson s...@spacehopper.org wrote:

  BIND lumps these two functions together, with the effect of
  confusing people, but they are really two separate tasks...
 
 It allows you to lump these two functions together (not sure if this
 is still true about BIND 10), but it is still recommended to split
 them.
 
  Unless I'm misreading you, what you say doesn't make much sense. It
  has its use-case, fine; when you just need the resolver. e.g.,
  typical home user where s/he doesn't host domains. But at this
  point you might as well use your ISP's DNS service -- it's not
   reliable? that's a different issue and not one you should set
  out to solve for every one out there.
 
  But for a small business where they have their own domain, running
  an authoritative DNS server, and local users using the intertubes,
  that service needs to also do the recursive lookups.
 
  The setup you suggest is more involved. Two servers: one resolving,
  and the other dealing w/the authoritative responses.
 
 For anything other than hosting your *own* domains on, it really is
 better to split. Otherwise what happens is domains get transferred
 away, NS changes made, etc, and you end up with out-of-date zone data.
 Lots of ISPs used to do this and it was a really big problem.
 Separating authoritative + resolving nameserver instances has long
 been the recommended practice.
 
 For serving just a few records (like local servers on a home or small
 business network), then unbound is perfectly useful on its own, you
 can add these with local-zone and local-data lines in the
 configuration. This is a good compromise; it's actually easier to
  set up in the simple case, but a bit unwieldy in the case with large
 amounts of data which encourages you to configure a separate daemon
 (which is a good thing).
 
so when unbound is going to hit the base?


-- 
With best regards,
Gregory Edigarov



Re: DNS Google ?

2011-11-23 Thread Stuart Henderson
On 2011-11-23, Gregory Edigarov g...@bestnet.kharkov.ua wrote:
 so when unbound is going to hit the base?

when someone who is capable of and interested in integrating it has the time
to do the work.



Re: DNS Google ?

2011-11-22 Thread Nick Holland
On 11/22/11 02:50, Manuel Ravasio wrote:
 Chris,
 why would you suggest unbound instead of bind?
 Which advantages do you
 see?
 
 Thanks,
 Manuel

My answer, Chris's may vary...
Long term, BIND is done.
Long term, unbound will probably be replacing it in OpenBSD.

IF you are doing anything beyond a simple resolver, I'd agree
completely...take the time to learn unbound/nsd (or djbdns or ...)

However, right now, unbound is a package requiring separate install and
maintenance.  BIND is pre-configured to be a resolver in OpenBSD, it's
chrooted properly...using it is as simple as adding a line in
rc.conf.local and pointing /etc/resolv.conf at localhost (this is not
true in most other OSs!).  Routine OpenBSD upgrades will update named,
too.  Very minimal effort, and if you aren't a master of DNS, it's a
fairly safe config (there are two kinds of Internet service which I
really think people should need a license to run -- e-mail and DNS, as
when done poorly, both have the ability to hurt others, not just
yourself.  Assuming any ol' OS's default BIND config is safe is not a
good idea).

My assumption is, if you are ready to punch in someone else's DNS
resolver because it is easy, you want the easy way... so I'm
recommending OpenBSD's BIND.  If you want a good DNS solution...anything
BUT BIND, and unbound/nsd would be a good call.

Nick.



Re: DNS Google ?

2011-11-22 Thread fRANz
On Mon, Nov 21, 2011 at 7:02 PM, Chris Cappuccio ch...@nmedia.net wrote:

 Good alternative: OpenBSD + unbound

Hi,

what about unbound vs dnscache?!
Any document related?

Thanks,
-f



Re: DNS Google ?

2011-11-22 Thread Jan Stary
On Nov 22 08:16:21, Nick Holland wrote:
 Long term, BIND is done.
 Long term, unbound will probably be replacing it in OpenBSD.
 
 IF you are doing anything beyond a simple resolver, I'd agree
 completely...take the time to learn unbound/nsd (or djbdns or ...)
 
 However, right now, unbound is a package requiring separate install and
 maintenance.

Nick, would you please clarify:

nsd(8) is in base, unbound is a package;
yet it is unbound who's gonna be the default resolver?
What is the status of nsd then? (I am just about to try
it on one of my resolvers).

Thank you

Jan



Re: DNS Google ?

2011-11-22 Thread Claer
On Tue, Nov 22 2011 at 13:16, Jan Stary wrote:
 On Nov 22 08:16:21, Nick Holland wrote:
  Long term, BIND is done.
  Long term, unbound will probably be replacing it in OpenBSD.
  
  IF you are doing anything beyond a simple resolver, I'd agree
  completely...take the time to learn unbound/nsd (or djbdns or ...)
  
  However, right now, unbound is a package requiring separate install and
  maintenance.
 
 Nick, would you please clarify:
 
 nsd(8) is in base, unbound is a package;
 yet it is unbound who's gonna be the default resolver?
 What is the status of nsd then? (I am just about to try
 it on one of my resolvers).

NSD is just an authoritative name server that doesn't do cache and does not
answer recursive queries.
nsd and unbound are complementary.

Claer



Re: DNS Google ?

2011-11-22 Thread Rogier Krieger
Lest I'm mistaken, both serve DNS data, but in different roles.

nsd is for serving authoritative zones, not for resolver work.
unbound is a resolver.

Regards,

Rogier



Re: DNS Google ?

2011-11-22 Thread Chris Cappuccio
Manuel Ravasio [manuelrava...@yahoo.com] wrote:
 Chris,
 why would you suggest unbound instead of bind?
 Which advantages do you
 see?

unbound is very fast, will automatically relookup expired entries and has fewer 
weird/odd issues like keeping a negative cache entry for hours or even days. 
It's damn near the most perfect cache I've ever used. Throw a lot of RAM at it 
and it'll use it to be fast and accurate.



Re: DNS Google ?

2011-11-22 Thread Nick Holland
On 11/22/11 10:31, Claer wrote:
 On Tue, Nov 22 2011 at 13:16, Jan Stary wrote:
 On Nov 22 08:16:21, Nick Holland wrote:
  Long term, BIND is done.
  Long term, unbound will probably be replacing it in OpenBSD.
  
  IF you are doing anything beyond a simple resolver, I'd agree
  completely...take the time to learn unbound/nsd (or djbdns or ...)
  
  However, right now, unbound is a package requiring separate install and
  maintenance.
 
 Nick, would you please clarify:
 
 nsd(8) is in base, unbound is a package;
 yet it is unbound who's gonna be the default resolver?
 What is the status of nsd then? (I am just about to try
 it on one of my resolvers).
 
  NSD is just an authoritative name server that doesn't do cache and does not
 answer recursive queries.
 nsd and unbound are complementary.
 
 Claer

right...
BIND lumps these two functions together, with the effect of confusing
people, but they are really two separate tasks...  BE the authoritative
source for DNS information about certain zones (nsd, tinydns, etc.) OR
find the correct resolution information by checking with other DNS
servers, which ARE authoritative (a resolver, like unbound, dnscache, etc.).

In the case where you think you want both (i.e., you want resolution of
internal names AND external names), it's still easy -- run your
authoritative on localhost and your resolver on the external IP, and
tell your resolver to consult with your authoritative server for the
appropriate subdomains.

Really, it works better this way.

Nick.



Re: DNS Google ?

2011-11-22 Thread patrick keshishian
On Tue, Nov 22, 2011 at 9:16 AM, Nick Holland
n...@holland-consulting.net wrote:
 On 11/22/11 10:31, Claer wrote:
 On Tue, Nov 22 2011 at 13:16, Jan Stary wrote:
 On Nov 22 08:16:21, Nick Holland wrote:
  Long term, BIND is done.
  Long term, unbound will probably be replacing it in OpenBSD.
 
  IF you are doing anything beyond a simple resolver, I'd agree
  completely...take the time to learn unbound/nsd (or djbdns or ...)
 
  However, right now, unbound is a package requiring separate install and
  maintenance.

 Nick, would you please clarify:

 nsd(8) is in base, unbound is a package;
 yet it is unbound who's gonna be the default resolver?
 What is the status of nsd then? (I am just about to try
 it on one of my resolvers).

  NSD is just an authoritative name server that doesn't do cache and does not
 answer recursive queries.
 nsd and unbound are complementary.

 Claer

 right...
 BIND lumps these two functions together, with the effect of confusing
 people, but they are really two separate tasks...  BE the authoritative
 source for DNS information about certain zones (nsd, tinydns, etc.) OR
 find the correct resolution information by checking with other DNS
 servers, which ARE authoritative (a resolver, like unbound, dnscache,
etc.).

Unless I'm misreading you, what you say doesn't make much sense. It
has its use-case, fine; when you just need the resolver. e.g., typical
home user where s/he doesn't host domains. But at this point you might
as well use your ISP's DNS service -- it's not reliable? that's a
different issue and not one you should set out to solve for every
one out there.

But for a small business where they have their own domain, running
an authoritative DNS server, and local users using the intertubes,
that service needs to also do the recursive lookups.

The setup you suggest is more involved. Two servers: one resolving,
and the other dealing w/the authoritative responses.

--patrick


 In the case where you think you want both (i.e., you want resolution of
 internal names AND external names), it's still easy -- run your
 authoritative on localhost and your resolver on the external IP, and
 tell your resolver to consult with your authoritative server for the
 appropriate subdomains.

 Really, it works better this way.

 Nick.



Re: DNS Google ?

2011-11-22 Thread Nicolas Pence
On 22/11/11 15:16, Nick Holland wrote:
 On 11/22/11 10:31, Claer wrote:
 On Tue, Nov 22 2011 at 13:16, Jan Stary wrote:
 On Nov 22 08:16:21, Nick Holland wrote:
 Long term, BIND is done.
 Long term, unbound will probably be replacing it in OpenBSD.

 IF you are doing anything beyond a simple resolver, I'd agree
 completely...take the time to learn unbound/nsd (or djbdns or ...)

 However, right now, unbound is a package requiring separate install and
 maintenance.

 Nick, would you please clarify:

 nsd(8) is in base, unbound is a package;
 yet it is unbound who's gonna be the default resolver?
 What is the status of nsd then? (I am just about to try
 it on one of my resolvers).

  NSD is just an authoritative name server that doesn't do cache and does not
 answer recursive queries.
 nsd and unbound are complementary.


I've changed several DNS servers from bind to unbound without problems and
with a few great improvements: lower RAM usage, improved query speed,
among others.

Configuration is really easy as unbound.conf is nicely documented.

unbound-control(8) is quite helpful; it allows you to run the server and
do administrative tasks such as removing a recursed zone from memory so
you can update it again by making a query, reloading the configuration, etc.

Another good thing is that DNSSEC configuration is relatively simple
using unbound-anchor(8).

 nsd and unbound are complementary.
Well... Unbound allows you to resolve and to be authoritative, so it
does both functions, and it works well.

I've tried, before unbound(8), MaraDNS, and in a small environment it
behaves properly; you can do both tasks too, but on boxes with high
traffic it didn't run well (a lot of "Didn't spawn thread" messages),
maybe my fault, but I didn't want to modify any OpenBSD default
configuration, and unbound worked fine out-of-the-box without tuning.

Some people even recommended djbdns, but again, unbound is in
packages/ports, secured by chroot(), good security record, removed root
privileges, I really didn't feel the need to re-invent the wheel.

If you are worried about performance, I can tell you that it runs
at 400 ~ 500 queries/second smoothly on 5.0 amd64 GENERIC.MP with
num-threads: 2 configured on unbound.conf(5).

thanks to jakob@ for porting !
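As an added example covering the points raised in this message (DNSSEC via unbound-anchor(8), unbound-control(8), num-threads) and Chris Cappuccio's remarks elsewhere in the thread about expired entries and negative caching, here is a second unbound.conf fragment. It is not from the thread or the unbound project; the chroot, user and file paths follow the /var/unbound layout and are assumptions for the 2011 package, and the cache sizes are arbitrary.

```conf
# Added example, not from the thread. Paths and user name are assumptions
# based on the /var/unbound layout; adjust to the installed package.
server:
    num-threads: 2                      # as configured in the message above

    # Privilege separation: drop root and confine the daemon.
    chroot: "/var/unbound"
    directory: "/var/unbound"
    username: "_unbound"
    hide-identity: yes
    hide-version: yes

    # DNSSEC validation. The root trust anchor is installed and kept
    # current by unbound-anchor(8); the file must be writable by the
    # unbound user inside the chroot because unbound updates it itself
    # (RFC 5011 key rollover tracking).
    auto-trust-anchor-file: "/var/unbound/db/root.key"

    # Cache behaviour discussed in the thread: re-fetch popular records
    # shortly before their TTL runs out, and cap how long a negative
    # answer (NXDOMAIN) may be retained.
    prefetch: yes
    cache-max-negative-ttl: 3600
    msg-cache-size: 64m
    rrset-cache-size: 128m

# unbound-control(8) talks to the daemon over an authenticated channel on
# localhost only; the key and certificate pairs are generated by
# unbound-control-setup(8), not by hand.
remote-control:
    control-enable: yes
    control-interface: 127.0.0.1
    server-key-file: "/var/unbound/etc/unbound_server.key"
    server-cert-file: "/var/unbound/etc/unbound_server.pem"
    control-key-file: "/var/unbound/etc/unbound_control.key"
    control-cert-file: "/var/unbound/etc/unbound_control.pem"
```

Before the first start, `unbound-anchor -a /var/unbound/db/root.key` writes the anchor file and `unbound-control-setup -d /var/unbound/etc` generates the control keys; unbound-anchor carries a built-in copy of the root key that it installs when no anchor file exists yet, so the first run does not strictly depend on reaching data.iana.org. Once running, `unbound-control flush_zone <name>` drops a cached subtree so the next query re-fetches it, `unbound-control reload` re-reads the configuration, and `unbound-host -v <name>` shows "(secure)" for answers that validated against the anchor, which is the quickest check that DNSSEC is actually in effect.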



Re: DNS Google ?

2011-11-22 Thread Chris Cappuccio
fRANz [andrea.francesc...@gmail.com] wrote:
 
 Hi,
 
 what about unbound vs dnscache?!
 Any document related?
 

unbound is very fast and plays well with misbehaving servers and poorly 
implemented zone data

dnscache (the last time i tried it using it on a large scale) could not resolve 
certain things for various reasons, at times some sort of anal retentive RFC 
compliance or just plain bugs in the software

i haven't tried dnscache for at least 5 years, i'm sure things have improved 
there.  but then you have the general bernstein software weirdness, set 
environment variables in a shell script as your config file, whatever.  it was 
actually worse than bind last time i used it. bind 4 even.

i was really impressed with unbound and so were thousands of users, even if 
they didn't know it.  at least they weren't complaining.



Re: DNS Google ?

2011-11-22 Thread Lars Hansson
On Wed, Nov 23, 2011 at 3:14 AM, patrick keshishian pkesh...@gmail.com wrote:
 Unless I'm misreading you, what you say doesn't make much sense.

It makes perfect sense and is in fact also the recommended way to run BIND.

 The setup you suggest is more involved. Two servers: one resolving,
 and the other dealing w/the authoritative responses.

They don't have to be two different servers, just two different
processes on the same server.

---
Lars



Re: DNS Google ?

2011-11-22 Thread Andres Perera
On Tue, Nov 22, 2011 at 2:56 PM, Lars Hansson romaby...@gmail.com wrote:
 On Wed, Nov 23, 2011 at 3:14 AM, patrick keshishian pkesh...@gmail.com 
 wrote:
 Unless I'm misreading you, what you say doesn't make much sense.

 It makes perfect sense and is in fact also the recommended way to run BIND.

not only recommended by bind books -- djbdns/cache forces a minimum of
two processes

bind tries to do everything at once...


 The setup you suggest is more involved. Two servers: one resolving,
 and the other dealing w/the authoritative responses.

 They don't have to be two different servers, just two different
 processes on the same server.

 ---
 Lars



DNS Google ?

2011-11-21 Thread hvom .org
Hi

DNS Google, NS 1: 8.8.8.8, NS 2: 8.8.4.4

Good alternative or Bad alternative ?

Best regards



Re: DNS Google ?

2011-11-21 Thread Chris Cappuccio
Good alternative: OpenBSD + unbound

hvom .org [hvom@gmail.com] wrote:
 Hi
 
 DNS Google, NS 1: 8.8.8.8, NS 2: 8.8.4.4
 
 Good alternative or Bad alternative ?
 
 Best regards

-- 
There are only three sports: bullfighting, motor racing, and mountaineering; 
all the rest are merely games. - E. Hemingway



Re: DNS Google ?

2011-11-21 Thread Nick Holland

On 11/21/2011 12:35 PM, hvom .org wrote:

Hi

DNS Google, NS 1: 8.8.8.8, NS 2: 8.8.4.4

Good alternative or Bad alternative ?

Best regards


It's a Good Thing to remember when setting up a system, as they are 
easy-to-remember emergency DNS resolvers, though I wouldn't recommend 
that for production.  If you set up 500 machines with Google for DNS 
resolution...what do you do if Google decides to get out of that 
business?  or finds it not profitable so doesn't maintain it well (other 
than get a heck of a lot of phone calls, that is).


Better to simply run your own DNS resolver.  OpenBSD makes that trivial 
in the basic system.


For small offices where I set up an OpenBSD firewall, I always set up a 
local DNS resolver, too, usually on the firewall.  It Just Works.  If 
the firewall goes down, no point in worrying about (external) DNS 
resolution, so no need for additional redundancy.  My local DNS resolvers 
never seem to go down and are never overloaded; I can't say the same 
about most ISPs.  If putting the DNS resolver on the firewall is not 
appropriate, you need redundancy, though a pair of machines serving DNS 
via CARP may be better than the standard two separate IP addresses for 
many/most machines needing DNS services.


Really, the only place where OpenBSD enters this question is OpenBSD 
does make it really easy and relatively safe to run a DNS Resolver, so 
one (or several) less reason not to.


Nick.



Re: DNS Google ?

2011-11-21 Thread Manuel Ravasio
Chris,
why would you suggest unbound instead of bind?
Which advantages do you
see?

Thanks,
Manuel

 
--
Hana wa sakuragi, hito wa bushi

 From: Chris Cappuccio ch...@nmedia.net
 To: hvom .org hvom@gmail.com
 Cc: misc@openbsd.org
 Sent: Monday, November 21, 2011 7:02 PM
 Subject: Re: DNS Google ?

 Good alternative: OpenBSD + unbound