On 2/22/23 12:28 AM, Unbound via Unbound-users wrote:
On 2023-02-21 05:12, Tuomo Soini via Unbound-users wrote:
On Mon, 20 Feb 2023 11:20:56 -0800
David Newman via Unbound-users <unbound-users@lists.nlnetlabs.nl> wrote:
Hi Yorgos,
Thanks very much. Logging and debugging was a very good idea. It
showed that the unbound config is fine, and that the issue is
something I neglected to mention: This system also runs NSD as an
authoritative-only name server, and NSD had already bound to UDP port
53.
This may be a question for the openbsd-misc list instead, but if
anyone here has examples of how to run an authoritative and recursive
server on the same box using unbound and NSD please let me know. I
previously used bind, which didn't have this issue because one server
handled both authoritative and recursive queries.
Simple answer: don't.
I must humbly, but strongly disagree. If this is set up appropriately
there should be no concern for accomplishing the OP's intended task.
Thanks - this is exactly the intended task. I am a recent convert from
bind looking to do two things:
- provide authoritative name service for a few domains (NSD does this now)
- provide recursive, caching, forwarding name service for a few
specified hosts (having trouble with Unbound doing this on the same host)
To the OP:
This is the blanket knee-jerk response to this question. Not unlike
stating "you should never log in/become root". It is not up to others
to determine your security policy; as they have no idea of your
working environment/practices/intentions.
That said, it should work just fine to run your recursor on
localhost/127.0.0.1/::1, or use a whitelist policy for those you intend to
permit recursion (an "allow" list) within an ACL stanza/config-block. This
will allow you and your "seconds" recursion or transfer as needed, while
protecting your recursor from abuse.
With unbound.conf configured to listen on 127.0.0.1/::1, recursion works
fine on the localhost. Where I'm stuck is providing recursion to other
hosts, even if they are on an "allow" list. NSD and Unbound cannot both
be bound to port 53 on the same interface. Do I really need two hosts here?
I appreciate Xavier Belanger's suggestion of running each service in a
different address family, one in IPv4 and the other in IPv6, but that's
not an option for me as some of my hosts are v4 only. And I like Uwe
Werler's suggestion about running nsd on a different port and forwarding
queries via unbound, but haven't found examples on how that would work,
and also wonder if the "aa" flag would be set for authoritative queries
since clients wouldn't talk directly to NSD.
The examples I have found run Unbound and NSD on different addresses. Is
there some other way of running them on the same machine? Thanks again.
dn
This is OpenBSD, which doesn't support jails AFAIK. I could run a
different interface with a private interface address, but am unclear how
that would work in practice.
HTH
If this is a publicly available DNS server which is visible to the internet,
you absolutely don't want to run authoritative and resolving DNS
servers on the same IP.
If this is a home network, the solution is to move nsd to another port and add
stub zone configs for unbound so it queries nsd.