[nsd-users] NSD + unbound on production nameserver (not internal nameserver)
wouter at nlnetlabs.nl
Fri Feb 6 17:03:42 CET 2015
-----BEGIN PGP SIGNED MESSAGE-----
On 06/02/15 16:44, Gwyneth Llewelyn wrote:
> For the past week I've been unsuccessfully trying to replicate on a
> FreeBSD nameserver our old BIND configuration, replacing it with
> with NSD + unbound instead.
> Apparently, this is not possible, since it looks like unbound
> doesn't work as an 'proxy/cache' front-end. But... let me tell you
> about our configuration first.
> This is a pair of FreeBSD servers, running several jails. Each
> server runs a jail with a real, public IP address on a nameserver
> for external (not internal) nameservices. Several other jails, each
> with a private address space, run the customers' websites. So we
> host both DNS name service as well as hosting services on behalf of
> our customers.
> With BIND, the configuration was as following:
> - Be authoratitative for external requests. Deny recursion for
> those. - Act as a caching nameserver for internal requests (from
> the many jails). Allow recursion only for them. - Internal requests
> for the domains we're authoritative for would also go to BIND as
> well, since, from BIND's perspective, it matters little where the
> request comes from (e.g. public/private addressing is irrelevant
> for authoritative requests)
> Now for unbound + NSD.
> When I first started to read about unbound + NSD, I thought it
> would be simple — like a Varnish/Apache configuration. NSD would
> remain on a non-accessible port (say 53530) on the nameserver jail,
> while unbound would forward requests to it. For internal requests
> from the other jails, unbound would act as a recursive caching
> server — easy to setup. To avoid unnecessary requests to external
> nameservers when requesting information from domain names we are
> authoritative for, unbound would simply forward requests to NSD.
> Easy-peasy. That works quite well for *internal* requests. Now the
> final and crucial step: how to allow the general public to retrieve
> domain information that we're authoritative for by contacting
> Apparently, this is impossible to do.
Yes, the unbound set-up is fine. What you do is put NSD on port 53
and make it the server for external requests. Internal requests go to
unbound (on another ip-address, for example an internal ip-address,
for example a 127.0.0.x freebsd-jail with unbound in it), and set
unbound to send queries to NSD with stub configuration (better than
forwards in case the customer's zones have delegations or indirection
to the outside internet).
> Jan-Piet asked this same question in 2008:
And Oliver Peter did the same, five years later:
> None ever received a single answer.
> Indeed, by carefully reading the principles behind the unbound +
> NSD configuration, it seems that it has been designed to deal only
> with the scenario of a corporate network that requires both some
> DNS caching (provided by unbound) and a few internal, private
> domains being served by NSD, which, however, are never accessible
> by the public at large.
> In contrast, on its own, NSD can be (and definitely is) used as an
> authorative nameserver for publicly available domain records — but
> without the added 'protection' of having unbound in front of it.
> Thus, although it *seems* that unbound + NSD is *similar* to
> Varnish + Apache for the web, in fact it's a *different* solution.
> If I'm completely wrong about this, then how can unbound + NSD be
> configured so that unbound is able to act as a 'proxy/caching'
> nameserver as a frontend to NSD for public domains for which it is
> Thanks in advance for any insights!
> - Gwyn
> -- "I'm not building a game. I'm building a new country." -- Philip
> "Linden" Rosedale, interview to Wired, 2004-05-08
> _______________________________________________ nsd-users mailing
> list nsd-users at NLnetLabs.nl
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1
-----END PGP SIGNATURE-----
More information about the nsd-users