Re: NSD/Unbound clarifications
On 2015-11-25, Alessandro Baggi wrote:
> Thanks for all clarification about NSD/Unbound usage.
> I've another question about dns dynamic update for dhcpd.
> With named, installing isc-dhcp using dynamic update for dns from dhcpd.
> Is it possible with unbound/NSD?

No, neither Unbound nor NSD support this. If you wanted something other than BIND which supports this, you could look at Knot (in packages).
Re: NSD/Unbound clarifications
On 11/25/15 12:37, Stuart Henderson wrote:
> On 2015-11-25, Alessandro Baggi wrote:
>> Thanks for all clarification about NSD/Unbound usage.
>> I've another question about dns dynamic update for dhcpd.
>> With named, installing isc-dhcp using dynamic update for dns from dhcpd.
>> Is it possible with unbound/NSD?
>
> No, neither Unbound nor NSD support this.

well... with a little scripting, almost anything is possible. :)

Start with this...
http://www.thismetalsky.org/projects/dhcp_dns
rework it to produce NSD zone files and reload NSD, and you are set.

Yes, I've done it, and I use it currently. No, won't share it, as there are several things I don't like about the script at this point (runs as root, doesn't create the reverse lookup zone), but it was not hard. And other than this script, no packages needed, everything else was base (i.e., upgrades are trivial).

I've got a wild dream of reworking it to presentable standards and maybe even getting it added to base OpenBSD (though, since the OpenBSD dhcp server is probably irreconcilably different from the ISC server it was once based on, maybe it should just be hacked to produce the body of a zone file directly?).

Nick.
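As an added example (not Nick's script and not code from the linked project), here is a hypothetical Python generator for the part he describes: it reads an ISC/OpenBSD-style dhcpd.leases file, keeps only unexpired leases, and renders an NSD forward zone plus the reverse zone his script lacks. The zone names example.com. and 168.192.in-addr.arpa., the ns1/hostmaster names, the SOA timers and the lease excerpt are all constructed assumptions.

```python
import re
from datetime import datetime, timezone

# Constructed dhcpd.leases excerpt (ISC/OpenBSD syntax, whitespace collapsed).
SAMPLE_LEASES = """\
lease 192.168.10.50 { ends 3 2015/11/25 22:00:00; client-hostname "Laptop"; }
lease 192.168.10.51 { ends 3 2015/11/25 11:00:00; client-hostname "stale"; }
lease 192.168.10.52 { ends never; client-hostname "Printer #1"; }
lease 10.0.0.9 { ends never; client-hostname "outside"; }
"""
NOW = datetime(2015, 11, 25, 12, 0, tzinfo=timezone.utc)  # constructed "current time"

LEASE_RE = re.compile(r'lease\s+(\d+\.\d+\.\d+\.\d+)\s*\{(.*?)\}', re.S)
ENDS_RE = re.compile(r'\bends\s+(?:\d\s+(\S+ \S+)|(never));')
NAME_RE = re.compile(r'client-hostname\s+"([^"]*)";')

def active_leases(text, now):
    """ip -> hostname for unexpired leases; a later block for an ip wins."""
    hosts = {}
    for ip, body in LEASE_RE.findall(text):
        hosts.pop(ip, None)  # dhcpd appends, so the newest block is current
        ends, name = ENDS_RE.search(body), NAME_RE.search(body)
        if 'abandoned;' in body or not ends or not name:
            continue
        if ends.group(1):  # "ends never;" carries no timestamp
            exp = datetime.strptime(ends.group(1), '%Y/%m/%d %H:%M:%S')
            if exp.replace(tzinfo=timezone.utc) <= now:
                continue
        # client-hostname is chosen by the DHCP client: keep only a safe DNS label
        label = re.sub(r'[^a-z0-9-]', '', name.group(1).lower())
        if label and not label.startswith('-'):
            hosts[ip] = label
    return hosts

def ptr_owner(ip, rev_origin):
    # e.g. ('192.168.10.50', '168.192.in-addr.arpa.') -> '50.10'; None if outside
    prefix = rev_origin.removesuffix('.in-addr.arpa.').split('.')[::-1]
    octets = ip.split('.')
    return None if octets[:len(prefix)] != prefix else '.'.join(reversed(octets[len(prefix):]))

def render_zones(hosts, domain, rev_origin, serial):
    """Return (forward, reverse) zone text in the master-file format NSD loads."""
    soa = f'@ IN SOA ns1.{domain} hostmaster.{domain} {serial} 3600 900 604800 300'
    fwd = [f'$ORIGIN {domain}', '$TTL 300', soa, f'@ IN NS ns1.{domain}']
    rev = [f'$ORIGIN {rev_origin}', '$TTL 300', soa, f'@ IN NS ns1.{domain}']
    for ip, name in sorted(hosts.items()):
        fwd.append(f'{name} IN A {ip}')
        if (owner := ptr_owner(ip, rev_origin)):
            rev.append(f'{owner} IN PTR {name}.{domain}')
    return '\n'.join(fwd) + '\n', '\n'.join(rev) + '\n'
```

Writing the two results under the NSD zone directory and running `nsd-control reload` is the remaining step; the label filter matters because client-hostname is supplied by the DHCP client and would otherwise land verbatim in a zone file.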
Re: NSD/Unbound clarifications
Thanks for all clarification about NSD/Unbound usage.
I've another question about dns dynamic update for dhcpd.
With named, installing isc-dhcp using dynamic update for dns from dhcpd.
Is it possible with unbound/NSD? From google I can't find a valid answer.
In my case, I've read the unbound man pages but it seems that this is not supported. The only useful command is in unbound-control, which can help to add/remove a zone and data for a zone.
Thanks in advance.

On 24/11/2015 20:00, Christopher Sean Hilton wrote:
> On Mon, Nov 23, 2015 at 12:24:53PM +0100, Alessandro Baggi wrote:
>> Hi list,
>> I've switched from Obsd 5.3 from Pfsense to try it. Now I want to come back to Obsd. I prefer it.
>
> Great choice.
> [snip]
Re: NSD/Unbound clarifications
On Mon, Nov 23, 2015 at 12:24:53PM +0100, Alessandro Baggi wrote:
> Hi list,
> I've switched from Obsd 5.3 from Pfsense to try it. Now I want to come back to
> Obsd. I prefer it.

Great choice.

[snip]

> Now today I've nsd and unbound that I can use on my firewall.
> I don't need an authoritative server, and I should use unbound.
> nsd and unbound have similar syntax and reading from the web I can resolve dns
> with each of them.
>
> Now I'm confused...which to use? Correct me if I'm wrong:
>
> 1) I must use only nsd for authoritative server (internet exposed) for my
> hypothetical zone (can I use it in my lan as dns resolver?).
>
> 2) I can use only unbound for lan dns resolving/caching/validating with
> zones if an authoritative domain is not needed.
>
> 3) I can use nsd for authoritative server (internet exposed) and for lan use
> unbound as recursive/cache dns with the authoritative server.
>
> 4) I can use unbound as authoritative server and for recursing and other.
>
> 5) NSD is the best for authoritative and unbound for other things.

As others have said: unbound is a recursive resolver that can forward dns queries upstream. It can perform in a limited role as an authoritative server using local-zone but the configuration there is cumbersome if you have more than a handful of hosts.

nsd is an authoritative server that's flexible enough to easily replace bind as your authoritative server if that's what you need.

You can combine the forwarding capabilities of unbound with the authoritative capabilities of nsd to do everything that bind did. I'm assuming the advantage of this setup is that the combination of unbound and nsd has a smaller footprint or is more secure or more than likely not both.

The configuration isn't that difficult but there are some gotchas. In my example I needed to be authoritative for a domain so I configured nsd to serve the domain. The man pages for nsd explained this well and it's quite simple.

The trick is to have nsd serve the domain on localhost only and not on port 53. Then I configured unbound to be a recursive resolver that forwarded requests for "example.com" to the local nsd. Here's the configuration snippet. In my example the network is running at 192.168.10.0 so I forwarded two zones:

##
server:
    ...
    ## This setting is critical. Without it unbound won't forward
    ## requests to nsd running on localhost.
    do-not-query-localhost: no
    ...

forward-zone:
    name: "example.com."
    forward-addr: 127.0.0.1@5300

forward-zone:
    name: "168.192.in-addr.arpa."
    forward-addr: 127.0.0.1@5300

## forward-zone:
##     name: "."     # use for ALL queries
##     forward-addr: 8.8.8.8
##     forward-addr: 8.8.4.4
##

If you can setup bind then you shouldn't have problems setting up and testing nsd to serve forward and reverse for a domain. Configuring nsd on an alternate port is pretty simple. The config snippet above redirects unbound to the local nsd.

That probably answers more than you wanted. But I could see this combination of nsd and unbound being popular among people looking for a lighter weight alternative to bind.

-- 
Chris

      __o       "All I was trying to do was get home from work."
    _`\<,_                                          -Rosa Parks
___(*)/_(*).___o..___..o...ooO..._
Christopher Sean Hilton [chris/at/vindaloo/dot/com]
Re: NSD/Unbound clarifications
On 2015-11-23 Mon 12:24 PM |, Alessandro Baggi wrote:
>
> In my last valid OBSD config, I used named for my lan (not exposed on
> internet) only for lan dns serving, not exposed, with recursion and
> forwarder.
>

unbound can fill this role for you Alessandro. Search for 'local-zone' in unbound.conf(5). You probably want the _static_ type. For recursion, you can choose to forward to your ISP's resolvers (could fail on a roaming laptop), public resolvers, or the root servers. See 'Forward Zone Options' in the man page.
NSD/Unbound clarifications
Hi list,
I've switched from Obsd 5.3 from Pfsense to try it. Now I want to come back to Obsd. I prefer it.

Today, the last version is 5.8 and from 5.6 named was replaced by nsd and unbound. The first is only authoritative and the other is recursive/forwarder/caching/validating/authoritative.

In my last valid OBSD config, I used named for my lan (not exposed on internet) only for lan dns serving, not exposed, with recursion and forwarder.

Now today I've nsd and unbound that I can use on my firewall. I don't need an authoritative server, and I should use unbound. nsd and unbound have similar syntax and reading from the web I can resolve dns with each of them.

Now I'm confused...which to use? Correct me if I'm wrong:

1) I must use only nsd for authoritative server (internet exposed) for my hypothetical zone (can I use it in my lan as dns resolver?).

2) I can use only unbound for lan dns resolving/caching/validating with zones if an authoritative domain is not needed.

3) I can use nsd for authoritative server (internet exposed) and for lan use unbound as recursive/cache dns with the authoritative server.

4) I can use unbound as authoritative server and for recursing and other.

5) NSD is the best for authoritative and unbound for other things.
Re: NSD/Unbound clarifications
On 2015-11-23, Alessandro Baggi wrote:
> Hi list,
> I've switched from Obsd 5.3 from Pfsense to try it. Now I want to come back
> to Obsd. I prefer it.
>
> Today, the last version is 5.8 and from 5.6 named was replaced by nsd
> and unbound.
>
> The first is only authoritative and the other is

Yes, NSD is authoritative only.

> recursive/forwarder/caching/validating/authoritative.

No, Unbound is *not* authoritative. For simple use cases Unbound can serve local data - but only for answering queries from standard clients, not from other nameservers.

> In my last valid OBSD config, I used named for my lan (not exposed on
> internet) only for lan dns serving, not exposed, with recursion and
> forwarder.

You can do this with just Unbound (local-zone / local-data). You can also do this with a combination of NSD and Unbound if you prefer (configuring Unbound to pass the local zone requests to NSD), but you don't need to.

> Now today I've nsd and unbound that I can use on my firewall.
> I don't need an authoritative server, and I should use unbound.
> nsd and unbound have similar syntax and reading from the web I can resolve
> dns with each of them.
>
> Now I'm confused...which to use? Correct me if I'm wrong:
>
> 1) I must use only nsd for authoritative server (internet exposed) for
> my hypothetical zone (can I use it in my lan as dns resolver?).
>
> 2) I can use only unbound for lan dns resolving/caching/validating with
> zones if an authoritative domain is not needed.
>
> 3) I can use nsd for authoritative server (internet exposed) and for lan
> use unbound as recursive/cache dns with the authoritative server.
>
> 4) I can use unbound as authoritative server and for recursing and other.
>
> 5) NSD is the best for authoritative and unbound for other things.

You must use an authoritative server (e.g. NSD) to answer external queries (i.e. if your machine is listed as an NS),
Re: NSD/Unbound clarifications
Thanks for clarification. Unbound configured and works well.
Another question about unbound "capacity". I've configured unbound for a small network. What is the "maximum capacity" of Unbound? Is it suitable for big networks?

On 23/11/2015 13:28, Dahlberg, David wrote:
> On Monday, 23.11.2015, 12:24 +0100, Alessandro Baggi wrote:
>> Today, the last version is 5.8 and from 5.6 named was replaced by nsd
>> and unbound. The first is only authoritative and the other is
>> recursive/forwarder/caching/validating/authoritative.
>
> Right. Except that unbound is not really intended to work as an authoritative server, except maybe for a tiny local stub zone.
>
>> Now today I've nsd and unbound that I can use on my firewall.
>> I don't need an authoritative server, and I should use unbound.
>
> Correct.
>
>> nsd and unbound have similar syntax and reading from the web I can resolve
>> dns with each of them.
>
> Wrong. You cannot use nsd as a resolver. It is authoritative only.
>
>> Now I'm confused...which to use?
>
> You want to announce your domain to the whole internet? Use NSD.
> You want to resolve internet domain names for your clients? Use unbound.
> You want to do both? Use both.
>
>> Correct me if I'm wrong:
>> 1) I must use only nsd for authoritative server (internet exposed) for
>> my hypothetical zone (can I use it in my lan as dns resolver?).
>
> No. It is not a resolver. It won't answer to queries for domains that it does not host.
>
>> 2) I can use only unbound for lan dns resolving/caching/validating with
>> zones if an authoritative domain is not needed.
>
> Correct.
>
>> 3) I can use nsd for authoritative server (internet exposed) and for lan
>> use unbound as recursive/cache dns with the authoritative server.
>
> With the authoritative server being nsd, right.
>
>> 4) I can use unbound as authoritative server and for recursing and other.
>
> You seem to confuse the concepts of authoritative and recursing. The authoritative server is the Facebook DNS server that answers queries for the facebook.com domain. Just for that domain. It won't answer queries for other domains nor queries that have the "recurse" flag set. A resolver is typically located at your provider. You query it for any domain and it will happily resolve that query for you (by querying the authoritative servers). See https://en.wikipedia.org/wiki/Domain_Name_System, the image in the chapter "Address resolution mechanism": the "DNS recurser" in the image is the resolver, the "root/org/wikipedia.org nameservers" are authoritative ones.
>
> Unbound is a resolver. It may also have authoritative functions for a small local zone (e.g. "mylaptop.local", "myfileshare.local" and "mytv.local"). But if you really want to host a domain, you should use NSD instead.
>
>> 5) NSD is the best for authoritative and unbound for other things.
>
> NSD is /only/ useful as an authoritative server (i.e. serving a zone). It cannot resolve. Unbound is most useful for resolving DNS names (i.e. you send it a query, it will figure out the answer).
>
> Here is how it works:
> (1) Your clients (PC, Laptop, Playstation) will send queries to the resolver (e.g. dnsmasq, unbound, bind9), asking it for IP addresses for openbsd.org, gmail.com and sony.com.
> (2) The resolver will send queries to the authoritative nameservers (e.g. bind9, nsd) of Root, Verisign (.com and .org), Google (gmail.com), OpenBSD and Sony to find out the requested IP addresses.
> (3) The resolver will return the result to your clients.
>
> Bind9 of the Internet Systems Consortium just happens to be software that can do both jobs: It can be a resolver, or an authoritative nameserver, or even both at the same time. NLnet Labs decided not to go that way. They created software just for the authoritative nameserver task (NSD) and one for the resolver task (unbound).
>
> Cheers
> David
Re: NSD/Unbound clarifications
On Mon, Nov 23, 2015 at 04:27:08PM +0100, Alessandro Baggi wrote:
> I've configured unbound for a small network. What is the "maximum
> capacity" of Unbound? Is it suitable for big networks?

What was the maximum capacity of bind? Was it suitable for big networks? How did you find out?

-- 
I'm not entirely sure you are real.