Re: NSD/Unbound clarifications

2015-11-25 Thread Stuart Henderson
On 2015-11-25, Alessandro Baggi  wrote:
> Thanks for all the clarification about NSD/Unbound usage.
> I've another question about dns dynamic update for dhcpd.
> With named, installing isc-dhcp using dynamic update for dns from dhcpd.
> Is it possible with unbound/NSD?

No, neither Unbound nor NSD support this.

If you wanted something other than BIND which supports this, you could
look at Knot (in packages).



Re: NSD/Unbound clarifications

2015-11-25 Thread Nick Holland

On 11/25/15 12:37, Stuart Henderson wrote:
> On 2015-11-25, Alessandro Baggi  wrote:
>> Thanks for all the clarification about NSD/Unbound usage.
>> I've another question about dns dynamic update for dhcpd.
>> With named, installing isc-dhcp using dynamic update for dns from dhcpd.
>> Is it possible with unbound/NSD?
>
> No, neither Unbound nor NSD support this.
well...  with a little scripting, almost anything is possible. :)

Start with this...
  http://www.thismetalsky.org/projects/dhcp_dns

rework it to produce NSD zone files and reload NSD, and you are set.

Yes, I've done it, and I use it currently.  No, won't share it, as there 
are several things I don't like about the script at this point (runs as 
root, doesn't create the reverse lookup zone), but it was not hard.  And 
other than this script, no packages needed, everything else was base 
(i.e., upgrades are trivial)


I've got a wild dream of reworking it to presentable standards and maybe 
even getting it added to base OpenBSD (though, since the OpenBSD dhcp 
server is probably irreconcilably different from the ISC server it was 
once based on, maybe it should just be hacked to produce the body of a 
zone file directly?).


Nick.
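The approach Nick sketches above, as an added example that is not his script or anything from the thread: a Python generator that turns dhcpd.leases records into forward A and reverse PTR lines (the reverse zone his script lacks) and treats client-supplied hostnames as untrusted input. The leases text, the domain dhcp.example.com and the record layout are constructed assumptions.

```python
import re

# Constructed sample in dhcpd.leases style (not a real leases file).
SAMPLE_LEASES = """\
lease 192.168.10.23 {
  hardware ethernet 00:11:22:33:44:55;
  client-hostname "laptop";
}
lease 192.168.10.24 {
  hardware ethernet 00:11:22:33:44:66;
  client-hostname "bad host.example";
}
lease 192.168.10.23 {
  hardware ethernet 00:11:22:33:44:77;
  client-hostname "Printer";
}
lease 192.168.10.25 {
  hardware ethernet 00:11:22:33:44:88;
  abandoned;
}
"""

LEASE_RE = re.compile(r"lease\s+(\d+\.\d+\.\d+\.\d+)\s*\{(.*?)\}", re.S)
HOST_RE = re.compile(r'client-hostname\s+"([^"]*)"')
# One RFC 1123 label: letters, digits, hyphens, no leading/trailing hyphen.
LABEL_RE = re.compile(r"^(?!-)[a-z0-9-]{1,63}(?<!-)$")

def clean_hostname(raw):
    """Accept a single label only, so a client-chosen name cannot smuggle
    dots, whitespace or extra records into the generated zone."""
    name = raw.strip().lower()
    return name if LABEL_RE.match(name) else None

def leases_to_records(text, domain):
    """Forward A and reverse PTR lines for current leases. dhcpd appends a
    record on each renewal, so dict() keeping the last record per IP wins."""
    forward, reverse = [], []
    for ip, body in dict(LEASE_RE.findall(text)).items():
        host = HOST_RE.search(body)
        name = clean_hostname(host.group(1)) if host else None
        if "abandoned;" in body or name is None:
            continue  # dead lease or no usable name: keep it out of DNS
        forward.append(f"{name} IN A {ip}")
        rev = ".".join(reversed(ip.split("."))) + ".in-addr.arpa."
        reverse.append(f"{rev} IN PTR {name}.{domain}.")
    return {"forward": forward, "reverse": reverse}

if __name__ == "__main__":
    recs = leases_to_records(SAMPLE_LEASES, "dhcp.example.com")
    print("\n".join(recs["forward"] + recs["reverse"]))
```

The output is only the record body; the $ORIGIN, SOA (with a bumped serial) and NS records belong in the zone file that includes it, after which NSD is reloaded as Nick describes.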



Re: NSD/Unbound clarifications

2015-11-25 Thread Alessandro Baggi

Thanks for all the clarification about NSD/Unbound usage.
I've another question about dns dynamic update for dhcpd.
With named, installing isc-dhcp using dynamic update for dns from dhcpd.
Is it possible with unbound/NSD?
From google I can't find a valid answer.

In my case, I've read the unbound man pages but it seems that this is not
supported. The only useful command is in unbound-control, which can help
to add/remove zones and data for a zone.


Thanks in advance.


On 24/11/2015 20:00, Christopher Sean Hilton wrote:
> On Mon, Nov 23, 2015 at 12:24:53PM +0100, Alessandro Baggi wrote:
>> Hi list,
>> I've switched from Obsd 5.3 to Pfsense to try it. Now I want to come back to
>> Obsd. I prefer it.
>
> Great choice.
>
> [snip]




Re: NSD/Unbound clarifications

2015-11-24 Thread Christopher Sean Hilton
On Mon, Nov 23, 2015 at 12:24:53PM +0100, Alessandro Baggi wrote:
> Hi list,
> I've switched from Obsd 5.3 to Pfsense to try it. Now I want to come back to
> Obsd. I prefer it.
>

Great choice.

[snip]

> Now today I've nsd and unbound that I can use on my firewall.
> I don't need an authoritative server, and I should use unbound.
> nsd and unbound have similar syntax and, reading from the web, I can resolve
> dns with each of them.
>
> Now I'm confused... which to use? Correct me if I'm wrong:
>
> 1) I must use only nsd for an authoritative server (internet exposed) for my
> hypothetical zone (can I use it in my lan as a dns resolver?).
>
> 2) I can use only unbound for lan dns resolving/caching/validating with
> zones if an authoritative domain is not needed.
>
> 3) I can use nsd for an authoritative server (internet exposed) and for lan
> use unbound as recursive/cache dns with the authoritative server.
>
> 4) I can use unbound as an authoritative server and for recursing and other.
>
>
> 5) NSD is the best for authoritative and unbound for other things.

As others have said:

unbound is a recursive resolver that can forward dns queries
upstream. It can perform in a limited role as an authoritative server
using local-zone but the configuration there is cumbersome if you have
more than a handful of hosts.

nsd is an authoritative server that's flexible enough to easily
replace bind as your authoritative server if that's what you need.

You can combine the forwarding capabilities of unbound with the
authoritative capabilities of nsd to do everything that bind did. I'm
assuming the advantage of this setup is that the combination of
unbound and nsd has a smaller footprint or is more secure or more than
likely not both. The configuration isn't that difficult but there are
some gotchas.

In my example I needed to be authoritative for a domain so I
configured nsd to serve the domain. The man pages for nsd explained
this well and it's quite simple. The trick is to have nsd serve the
domain on localhost only and not on port 53.

Then I configured unbound to be a recursive resolver that forwarded
requests for "example.com" to the local nsd. Here's the configuration
snippet. In my example the network is running at 192.168.10.0 so I
forwarded two zones:

##

server:
    ...

    ## This setting is critical. Without it unbound won't forward
    ## requests to nsd running on localhost.
    do-not-query-localhost: no

    ...

forward-zone:
    name: "example.com."
    forward-addr: 127.0.0.1@5300

forward-zone:
    name: "168.192.in-addr.arpa."
    forward-addr: 127.0.0.1@5300

## forward-zone:
##     name: "."   # use for ALL queries
##     forward-addr: 8.8.8.8
##     forward-addr: 8.8.4.4

##

If you can set up bind then you shouldn't have problems setting up and
testing nsd to serve forward and reverse for a domain. Configuring nsd
on an alternate port is pretty simple. The config snippet above
redirects unbound to the local nsd.

That probably answers more than you wanted. But I could see this
combination of nsd and unbound being popular among people looking for
a lighter weight alternative to bind.

--
Chris

  __o  "All I was trying to do was get home from work."
_`\<,_   -Rosa Parks
___(*)/_(*).___o..___..o...ooO..._
Christopher Sean Hilton[chris/at/vindaloo/dot/com]

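The nsd side of the split Chris describes (serving on the loopback address only and on an alternate port rather than 53), as an added nsd.conf fragment that is not his configuration; the zonefile names are assumed:

```conf
server:
    # Listen on the loopback address only, on the port unbound forwards to
    # (127.0.0.1@5300 above), so port 53 stays free for unbound and nsd is
    # not reachable from the network at all.
    ip-address: 127.0.0.1
    port: 5300
    hide-version: yes

zone:
    name: "example.com"
    zonefile: "example.com.zone"

zone:
    name: "168.192.in-addr.arpa"
    zonefile: "168.192.in-addr.arpa.zone"
```

With nsd bound this way, the forward-zone entries in unbound are the only path to the zones, and the unbound do-not-query-localhost setting Chris flags is what makes that path work.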



Re: NSD/Unbound clarifications

2015-11-24 Thread Craig Skinner
On 2015-11-23 Mon 12:24 PM |, Alessandro Baggi wrote:
> 
> In my last valid OBSD config, I used named for my lan (not exposed on
> the internet) only for lan dns serving, not exposed, with recursion and
> forwarder.
> 

unbound can fill this role for you Alessandro.

Search for 'local-zone' in unbound.conf(5).

You probably want the _static_ .

For recursion, you can choose to forward to your ISP's resolvers (could
fail on a roaming laptop), public resolvers, or the root servers.

See 'Forward Zone Options' in the man page.



NSD/Unbound clarifications

2015-11-23 Thread Alessandro Baggi

Hi list,
I've switched from Obsd 5.3 to Pfsense to try it. Now I want to come back
to Obsd. I prefer it.

Today, the last version is 5.8 and from 5.6 named was replaced by nsd
and unbound.

The first is only authoritative and the other is
recursive/forwarder/caching/validating/authoritative.

In my last valid OBSD config, I used named for my lan (not exposed on
the internet) only for lan dns serving, not exposed, with recursion and
forwarder.

Now today I've nsd and unbound that I can use on my firewall.
I don't need an authoritative server, and I should use unbound.
nsd and unbound have similar syntax and, reading from the web, I can resolve
dns with each of them.

Now I'm confused... which to use? Correct me if I'm wrong:

1) I must use only nsd for an authoritative server (internet exposed) for
my hypothetical zone (can I use it in my lan as a dns resolver?).

2) I can use only unbound for lan dns resolving/caching/validating with
zones if an authoritative domain is not needed.

3) I can use nsd for an authoritative server (internet exposed) and for lan
use unbound as recursive/cache dns with the authoritative server.

4) I can use unbound as an authoritative server and for recursing and other.

5) NSD is the best for authoritative and unbound for other things.



Re: NSD/Unbound clarifications

2015-11-23 Thread Stuart Henderson
On 2015-11-23, Alessandro Baggi  wrote:
> Hi list,
> I've switched from Obsd 5.3 to Pfsense to try it. Now I want to come back
> to Obsd. I prefer it.
>
> Today, the last version is 5.8 and from 5.6 named was replaced by nsd
> and unbound.
>
> The first is only authoritative and the other is 

Yes, NSD is authoritative only.

> recursive/forwarder/caching/validating/authoritative.

No, Unbound is *not* authoritative.

For simple use cases Unbound can serve local data - but only for answering
queries from standard clients, not from other nameservers.

> In my last valid OBSD config, I used named for my lan (not exposed on
> the internet) only for lan dns serving, not exposed, with recursion and
> forwarder.

You can do this with just Unbound (local-zone / local-data).

You can also do this with a combination of NSD and Unbound if you prefer
(configuring Unbound to pass the local zone requests to NSD), but you
don't need to.

> Now today I've nsd and unbound that I can use on my firewall.
> I don't need an authoritative server, and I should use unbound.
> nsd and unbound have similar syntax and, reading from the web, I can resolve
> dns with each of them.
>
> Now I'm confused... which to use? Correct me if I'm wrong:
>
> 1) I must use only nsd for an authoritative server (internet exposed) for
> my hypothetical zone (can I use it in my lan as a dns resolver?).
>
> 2) I can use only unbound for lan dns resolving/caching/validating with
> zones if an authoritative domain is not needed.
>
> 3) I can use nsd for an authoritative server (internet exposed) and for lan
> use unbound as recursive/cache dns with the authoritative server.
>
> 4) I can use unbound as an authoritative server and for recursing and other.
>
> 5) NSD is the best for authoritative and unbound for other things.

You must use an authoritative server (e.g. NSD) to answer external queries
(i.e. if your machine is listed as an NS), 



Re: NSD/Unbound clarifications

2015-11-23 Thread Alessandro Baggi

Thanks for the clarification.
Unbound is configured and works well.
Another question about unbound "capacity".
I've configured unbound for a small network. What is the "maximum capacity"
of Unbound? Is it suitable for big networks?


On 23/11/2015 13:28, Dahlberg, David wrote:
> On Monday, 23.11.2015, 12:24 +0100, Alessandro Baggi wrote:
>
>> Today, the last version is 5.8 and from 5.6 named was replaced by
>> nsd and unbound.
>>
>> The first is only authoritative and the other is
>> recursive/forwarder/caching/validating/authoritative.
>
> Right. Except that unbound is not really intended to work as an
> authoritative server, except maybe for a tiny local stub zone.
>
>> Now today I've nsd and unbound that I can use on my firewall.
>> I don't need an authoritative server, and I should use unbound.
>
> Correct.
>
>> nsd and unbound have similar syntax and, reading from the web, I can
>> resolve dns with each of them.
>
> Wrong. You cannot use nsd as a resolver. It is authoritative only.
>
>> Now I'm confused... which to use?
>
> You want to announce your domain to the whole internet? Use NSD.
> You want to resolve internet domain names for your clients? Use unbound.
> You want to do both? Use both.
>
>> Correct me if I'm wrong:
>>
>> 1) I must use only nsd for an authoritative server (internet exposed) for
>> my hypothetical zone (can I use it in my lan as a dns resolver?).
>
> No. It is not a resolver. It won't answer queries for domains that it
> does not host.
>
>> 2) I can use only unbound for lan dns resolving/caching/validating
>> with zones if an authoritative domain is not needed.
>
> Correct.
>
>> 3) I can use nsd for an authoritative server (internet exposed) and for
>> lan use unbound as recursive/cache dns with the authoritative server.
>
> With the authoritative server being nsd, right.
>
>> 4) I can use unbound as an authoritative server and for recursing and
>> other.
>
> You seem to confuse the concepts of authoritative and recursing. The
> authoritative server is the Facebook DNS server that answers queries for
> the facebook.com domain. Just for that domain. It won't answer queries
> for other domains nor queries that have the "recurse" flag set.
>
> A resolver is typically located at your provider. You query it for any
> domain and it will happily resolve that query for you (by querying the
> authoritative servers). See the image in the chapter "Address resolution
> mechanism" at https://en.wikipedia.org/wiki/Domain_Name_System: the "DNS
> recurser" in the image is the resolver, the "root/org/wikipedia.org
> nameservers" are authoritative ones.
>
> Unbound is a resolver. It may also have authoritative functions for a
> small local zone (e.g. "mylaptop.local", "myfileshare.local" and
> "mytv.local"). But if you really want to host a domain, you should use
> NSD instead.
>
>> 5) NSD is the best for authoritative and unbound for other things.
>
> NSD is /only/ useful as an authoritative server (i.e. serving a zone).
> It cannot resolve.
>
> Unbound is most useful for resolving DNS names (i.e. you send it a
> query, it will figure out the answer).
>
> Here is how it works:
> (1) Your clients (PC, Laptop, Playstation) will send queries to the
> resolver (e.g. dnsmasq, unbound, bind9), asking it for IP addresses for
> openbsd.org, gmail.com and sony.com.
> (2) The resolver will send queries to the authoritative nameservers
> (e.g. bind9, nsd) of Root, Verisign (.com and .org), Google (gmail.com),
> OpenBSD and Sony to find out the requested IP addresses.
> (3) The resolver will return the result to your clients.
>
> Bind9 of the Internet Systems Consortium just happens to be software
> that can do both jobs: It can be a resolver, or an authoritative
> nameserver, or even both at the same time.
>
> NLnet Labs decided not to go that way. They created software just for
> the authoritative nameserver task (NSD) and one for the resolver task
> (unbound).
>
>
> Cheers
> David




Re: NSD/Unbound clarifications

2015-11-23 Thread Florian Obser
On Mon, Nov 23, 2015 at 04:27:08PM +0100, Alessandro Baggi wrote:
> I've configured unbound for a small network. What is the "maximum
> capacity" of Unbound? Is it suitable for big networks?

What was the maximum capacity of bind? Was it suitable for big
networks? How did you find out?

-- 
I'm not entirely sure you are real.