quick question about unbound&nsd


quick question about unbound&nsd

Gregory Edigarov-5
Hello,

Trying to make unbound and nsd co-exist on one server. The goal is to
have unbound listen for all requests, redirecting requests for local
zones to nsd:
nsd.conf

server:
         server-count: 1
         database: "/var/lib/nsd3/nsd.db"
         username: nsd
         ip-address:  127.0.0.1@9053
         logfile: "/var/log/nsd.log"
         pidfile: "/var/run/nsd.pid"
         xfrdfile: "/var/lib/nsd3/xfrd.state"

zone:
         name:   somezone.org
         zonefile: /etc/nsd/zones/somezone.org

dig -p9053 somezone.org soa @127.0.0.1 works as expected.

Now unbound's turn:

server:
         auto-trust-anchor-file: "/var/lib/unbound/root.key"
         interface: 0.0.0.0
         logfile: /var/log/unbound.log

stub-zone:
         name:  somezone.org. # also tried without the point, with the same result...
         stub-addr: 127.0.0.1@9053

dig somezone.org soa @127.0.0.1 yields SERVFAIL.
Also tried with forward-zone:, with the same result.

Is that at all possible? Where am I wrong?


Re: quick question about unbound&nsd

Toyam Cox
The default setting for "do-not-query-localhost" is "yes".
You may want to add "do-not-query-localhost: no" to your config in the
"server" section.

On Wed, Nov 4, 2015 at 11:25 AM, Gregory Edigarov <[hidden email]> wrote:

> Hello,
>
> Trying to make unbound and nsd co-exist on one server, the goal is to have
> unbound listen for all requests redirecting requests for local zones to nsd:
> nsd.conf
>
> server:
>         server-count: 1
>         database: "/var/lib/nsd3/nsd.db"
>         username: nsd
>         ip-address:  127.0.0.1@9053
>         logfile: "/var/log/nsd.log"
>         pidfile: "/var/run/nsd.pid"
>         xfrdfile: "/var/lib/nsd3/xfrd.state"
>
> zone:
>         name:   somezone.org
>         zonefile: /etc/nsd/zones/somezone.org
>
> dig -p9053 somezone.org soa @127.0.0.1 works as expected.
>
> now unbound's turn:
>
> server:
>         auto-trust-anchor-file: "/var/lib/unbound/root.key"
>         interface: 0.0.0.0
>         logfile: /var/log/unbound.log
>
> stub-zone:
>         name:  somezone.org. # also tried without point with the same
> result...
>         stub-addr: 127.0.0.1@9053
>
> dig somezone.org soa @127.0.0.1 yields SERVFAIL.
> also tried with forward-zone: - with the same result.
>
> is that at all possible? Where am I wrong?
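The check Toyam describes, written up as an added example that is not part of the thread: a small lint that parses the clause/attribute layout of unbound.conf and reports any stub-zone or forward-zone pointed at a loopback address while no server clause sets do-not-query-localhost: no. The parser and the SAMPLE/FIXED texts are constructed for this example.

```python
from ipaddress import ip_address

def parse_unbound_conf(text):
    """Return [(clause, {attribute: [values]})] in file order; comments dropped."""
    clauses, current = [], None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        key, _, value = line.partition(":")
        key, value = key.strip(), value.strip().strip('"')
        if not value:                         # clause header: "server:", "stub-zone:"
            current = (key, {})
            clauses.append(current)
        elif current is not None:
            current[1].setdefault(key, []).append(value)
    return clauses

def is_loopback(addr):
    """True for 127.0.0.0/8 or ::1; an "@port" suffix like 127.0.0.1@9053 is ignored."""
    try:
        return ip_address(addr.split("@", 1)[0]).is_loopback
    except ValueError:                        # hostnames are not resolved here
        return False

def loopback_zones_blocked(text):
    """Names of stub/forward zones on loopback that unbound will refuse to query
    because no server clause sets do-not-query-localhost: no (the default is yes)."""
    clauses = parse_unbound_conf(text)
    if any(n == "server" and "no" in a.get("do-not-query-localhost", [])
           for n, a in clauses):
        return []
    blocked = []
    for name, attrs in clauses:
        if name in ("stub-zone", "forward-zone"):
            addrs = attrs.get("stub-addr", []) + attrs.get("forward-addr", [])
            if any(is_loopback(x) for x in addrs):
                blocked.extend(attrs.get("name", ["<unnamed>"]))
    return blocked

# Constructed sample mirroring the thread's unbound.conf (trailing dot kept).
SAMPLE = """server:
    interface: 0.0.0.0
stub-zone:
    name: somezone.org.   # comment on the same line, as in the thread
    stub-addr: 127.0.0.1@9053
"""
FIXED = SAMPLE.replace("server:\n", "server:\n    do-not-query-localhost: no\n")
```

Running loopback_zones_blocked over SAMPLE names somezone.org.; over FIXED it returns an empty list.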


Re: quick question about unbound&nsd

Stuart Henderson
On 2015-11-04, Toyam Cox <[hidden email]> wrote:
> The default setting for "do-not-query-localhost" is "yes".
> You may want to add "do-not-query-localhost: no" to your config in the
> "server" section.

Right.

> On Wed, Nov 4, 2015 at 11:25 AM, Gregory Edigarov <[hidden email]> wrote:
>> Hello,
>>
>> Trying to make unbound and nsd co-exist on one server, the goal is to have
>> unbound listen for all requests redirecting requests for local zones to nsd:
>> nsd.conf

Just to make sure, this is just a local-only zone? (this approach won't work
correctly for zones that receive queries from other resolvers).

>> server:
>>         server-count: 1
>>         database: "/var/lib/nsd3/nsd.db"

Don't use 'database', just let it run in memory. I've had problems with this
before, I think it may assume UBC.


Re: quick question about unbound&nsd

Stuart Henderson
On 2015-11-05, Stuart Henderson <[hidden email]> wrote:

> On 2015-11-04, Toyam Cox <[hidden email]> wrote:
>> The default setting for "do-not-query-localhost" is "yes".
>> You may want to add "do-not-query-localhost: no" to your config in the
>> "server" section.
>
> Right.
>
>> On Wed, Nov 4, 2015 at 11:25 AM, Gregory Edigarov <[hidden email]> wrote:
>>> Hello,
>>>
>>> Trying to make unbound and nsd co-exist on one server, the goal is to have
>>> unbound listen for all requests redirecting requests for local zones to nsd:
>>> nsd.conf
>
> Just to make sure, this is just a local-only zone? (this approach won't work
> correctly for zones that receive queries from other resolvers).

Expanding on this:

For people who do need this, set unbound to listen on an internal IP
address (or an alias), and nsd to listen on the external address.

Incoming queries from many resolvers will have the RD ("recursion desired")
bit cleared so Unbound (or another resolver) won't answer them. See for
yourself with 'dig +norecurse' (this is what Microsoft got wrong when
they tried to filter no-ip domains and broke them).
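The RD bit Stuart refers to, as an added example that is not part of the thread: the bit sits in the flags word of the 12-byte DNS header, so the two queries below are what 'dig' and 'dig +norecurse' put on the wire for the thread's zone, and resolver_accepts mirrors Unbound's access-control rule that 'allow' admits recursive queries only while 'allow_snoop' is needed for non-recursive ones. The packets are constructed here; nothing is sent.

```python
import struct

def build_query(qname, qtype=6, rd=True, qid=0x1234):
    """Wire-format DNS query (12-byte header + question); qtype 6 is SOA, class IN."""
    flags = 0x0100 if rd else 0x0000          # QR=0, OPCODE=0, RD is bit 8 of the flags
    header = struct.pack("!HHHHHH", qid, flags, 1, 0, 0, 0)
    labels = b"".join(bytes([len(p)]) + p.encode() for p in qname.rstrip(".").split("."))
    return header + labels + b"\x00" + struct.pack("!HH", qtype, 1)

def recursion_desired(packet):
    """Read the RD bit from the flags word of any wire-format DNS message."""
    if len(packet) < 12:
        raise ValueError("truncated DNS header")
    return bool(struct.unpack("!H", packet[2:4])[0] & 0x0100)

def classify(packet):
    """RD=1 comes from stub clients (plain 'dig'); RD=0 from another resolver
    iterating through the delegation chain, or from 'dig +norecurse'."""
    return "recursive-client" if recursion_desired(packet) else "iterating-resolver"

def resolver_accepts(packet, allow_snoop=False):
    """Unbound's access-control 'allow' admits recursive queries only; RD=0 queries
    are refused unless the client is listed with 'allow_snoop'."""
    return recursion_desired(packet) or allow_snoop

# Constructed queries for the thread's zone: what 'dig' and 'dig +norecurse' send.
DIG = build_query("somezone.org")
DIG_NORECURSE = build_query("somezone.org", rd=False)
```

An authoritative server such as nsd answers for its zones either way, which is why it, and not Unbound, has to sit on the address other resolvers reach.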


Re: quick question about unbound&nsd

Gregory Edigarov-5
On 11/06/2015 02:33 AM, Stuart Henderson wrote:

> On 2015-11-05, Stuart Henderson <[hidden email]> wrote:
>> On 2015-11-04, Toyam Cox <[hidden email]> wrote:
>>> The default setting for "do-not-query-localhost" is "yes".
>>> You may want to add "do-not-query-localhost: no" to your config in the
>>> "server" section.
>> Right.
>>
>>> On Wed, Nov 4, 2015 at 11:25 AM, Gregory Edigarov <[hidden email]> wrote:
>>>> Hello,
>>>>
>>>> Trying to make unbound and nsd co-exist on one server, the goal is to have
>>>> unbound listen for all requests redirecting requests for local zones to nsd:
>>>> nsd.conf
>> Just to make sure, this is just a local-only zone? (this approach won't work
>> correctly for zones that receive queries from other resolvers).
> Expanding on this:
>
> For people who do need this, set unbound to listen on an internal IP
> address (or an alias), and nsd to listen on the external address.
>
> Incoming queries from many resolvers will have the RD ("recursion desired")
> bit cleared so Unbound (or another resolver) won't answer them. See for
> yourself with 'dig +norecurse' (this is what Microsoft got wrong when
> they tried to filter no-ip domains and broke them).

Thanks for your explanations.