On 2023-02-21 05:12, Tuomo Soini via Unbound-users wrote:
On Mon, 20 Feb 2023 11:20:56 -0800
David Newman via Unbound-users <unbound-users@lists.nlnetlabs.nl> wrote:
Hi Yorgos,
Thanks very much. Logging and debugging was a very good idea. It
showed that the unbound config is fine, and that the issue is
something I neglected to mention: This system also runs NSD as an
authoritative-only name server, and NSD had already bound to UDP port
53.
This may be a question for the openbsd-misc list instead, but if
anyone here has examples of how to run an authoritative and recursive
server on the same box using unbound and NSD please let me know. I
previously used bind, which didn't have this issue because one server
handled both authoritative and recursive queries.
Simple answer: don't.
I must humbly, but strongly, disagree. If this is set up appropriately
there should be no concern about accomplishing the OP's intended task.
To the OP:
This is the blanket knee-jerk response to this question. Not unlike
stating "you should never log in/become root". It is not up to others
to determine your security policy; as they have no idea of your
working environment/practices/intentions.
That said, it should work just fine to run your recursor on
localhost/127.0.0.1/::1, or use a whitelist policy for those you intend
to permit recursion (an "allow" list) within an ACL stanza/config-block.
This will allow you and your "seconds" recursion or transfer as needed,
while protecting your recursor from abuse.
HTH
If this is a publicly available DNS server which is visible to the
internet, you absolutely don't want to run authoritative and resolving
DNS servers on the same IP.
If this is a home network, the solution is to move nsd to another port
and add stub zone configs for unbound so it queries nsd.
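Putting the two suggestions in this thread together (an allow-list ACL on the recursor, and NSD moved off port 53 with a stub-zone pointing at it), here is an added example configuration; it is not from either poster, and the addresses, zone name and port number are constructed placeholders:

```conf
# --- /etc/unbound/unbound.conf (the recursor) ---
server:
    # Listen only where recursion is meant to be reachable:
    # loopback plus a LAN address (192.0.2.10 is a constructed example).
    interface: 127.0.0.1
    interface: ::1
    interface: 192.0.2.10
    port: 53

    # Default-deny ACL; explicitly allow loopback and the intended clients
    # ("seconds" on the LAN). Everything else gets REFUSED, not served.
    access-control: 0.0.0.0/0 refuse
    access-control: ::0/0 refuse
    access-control: 127.0.0.0/8 allow
    access-control: ::1 allow
    access-control: 192.0.2.0/24 allow

    # Unbound refuses to send queries to 127.0.0.1 by default; this must be
    # switched off for the loopback stub below to work.
    do-not-query-localhost: no

# Hand queries for the locally authoritative zone to NSD on its new port.
stub-zone:
    name: "example.net."
    stub-addr: 127.0.0.1@5353

# --- /etc/nsd/nsd.conf (the authoritative server) ---
server:
    # Bind only to loopback on a non-53 port so NSD no longer collides
    # with Unbound; if the box has a second address, NSD could instead
    # bind that address on port 53 for external secondaries.
    ip-address: 127.0.0.1@5353
    port: 5353

zone:
    name: "example.net"
    zonefile: "example.net.zone"
```

After restarting both daemons, `dig @127.0.0.1 -p 5353 example.net SOA` should answer directly from NSD and `dig @127.0.0.1 example.net SOA` via Unbound, while a query from an address outside the allow list returns REFUSED.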