[nsd-users] NSD + unbound on production nameserver (not internal nameserver)

Gwyneth Llewelyn gwyneth.llewelyn at gwynethllewelyn.net
Fri Feb 6 17:19:36 CET 2015


Hi Wouter,

> On 6 Feb 2015, at 16:03 , W.C.A. Wijngaards <wouter at nlnetlabs.nl> wrote:
> 
> Yes, the unbound set-up is fine.  What you do is put NSD on port 53
> and make it the server for external requests. Internal requests go to
> unbound (on another ip-address, for example an internal ip-address,
> for example a 127.0.0.x freebsd-jail with unbound in it), and set
> unbound to send queries to NSD with stub configuration (better than
> forwards in case the customer's zones have delegations or indirection
> to the outside internet).

John Peacock already explained why my proposed setup is technically impossible, and, therefore, why your solution is the only one that makes sense for our particular setup.

I wonder what is more resource-efficient: having a *single* jail with unbound, acting as caching DNS server for all other jails, or each jail running its own unbound? FreeBSD seems to have a new resolver in place, so my feeling is that running unbound on every jail is really overkill. Also, a single unbound (or maybe a pair of unbounds — for redundancy) ought to provide a more 'fuller' cache overall for all jails, and I have plenty of cores available to make sure that unbound is not starved for resources when handling all internal requests from all the jails. But this is just my impression. What would you recommend?

Note that some jails in our scenario make a lot of DNS requests, mostly to deal with sendmail.

Cheers,

	- Gwyn


More information about the nsd-users mailing list