On 01/13/15 16:26, sven falempin wrote: > Dear OpenBSD users, > > Recently unbound made his way in base, pushing the complex bind/named > out for our own good. > > I would like to internally and externally solve some domain names > differently (so some service are accessible from inside and outside > without some fancy NAT or worse), I found out 'some' call this setup a > 'split-dns', often use for internal mail server. > > I also found out BIND got a feature for this and internet gossip > > << > Unbound doesn't support split-horizon DNS. It's primarily meant as a > recursive and caching nameserver, and has only limited support for > serving authoritative answers. >>> > > Of course i imagine ran two unbound with two different IP address binding .... > > I feel like I am missing something.
yes. you are stuck thinking like BIND. > If I want to manage my domain , shall I use bind on the 'main' server ? no. :) You are designing around a BIND "feature", then declaring other products unsuitable because they don't match the spec you designed around. Start with the basic rule: BIND's design is bad. Almost everything about it is wrong -- file formats, zone transfers, etc. Once you realize that, things get much easier. If you find an alternative "lacks" a "feature" of BIND, it's probably best you don't use that feature. Really. Read Dan Bernstein's writeups on DNS, in addition to the BIND fanboy stuff. Having managed a lot of DNS for a lot of domains for a few employers, I'm quite satisfied that Bernstein's much more right than wrong on DNS. There are two roles for DNS servers -- finding answers about a random domain, and providing answers about SPECIFIC domains. The first is sometimes called "Resolvers", the second is sometimes called an authoritative server. BIND mushed those two roles together stupidly, and people have been stuck thinking like that for decades now. Separate them in your head. unbound is the resolver, nsd is the authoritative server. Want to find answers for your user's DNS queries? That's unbound, the resolver. That's the only thing users talk to. Resolution is pretty complicated, not the kind of code you want to trust too blindly. Want to answer authoritatively about a domain? That's the authoritative server...but you should never ask an authoritative server about anything other than what they are authoritative for. Authoritative servers are relatively simple -- you ask a question, they either have the answer right there ready to give you, or they don't, but it all boils down to question, a single lookup, respond. No need to talk elsewhere for info. Keep in mind, one computer can have LOTS of separate IP addresses to connect server processes to (don't forget you got all of 127.0.0.0/8!). You also have lots of ports you can connect services to, and on an OpenBSD box, you have PF which can direct traffic from exposed ports and IP addresses to internal ones. You seem to be uncomfortable with the idea of running multiple servers...why? Your box is quite capable of multi-tasking! You can also have one BIG cache on a resolving server, and a bunch of minimal resolvers that act as message routers to either the big caching resolver or authoritative servers. So...assuming you really want to put internal and external DNS on the same box (not a really good idea), you can put NSD with your internal info on 127.0.0.2, NSD with external info on 127.0.0.1, and unbound on your internal facing NIC, configured to refer your internally hosted domains to 127.0.0.2. External queries for your authoritative server get redirected to 127.0.0.1...and the outside world never touches your resolver. Why would you want the outside world touching your internal DNS servers anyway? Talk about an unneeded hole in the firewall. If you are doing enough with DNS that you need to host your own external authoritative server, you can justify a couple old computers for that. Otherwise, I'd suggest letting your registrar handle your dns for you. Design your network properly, it gets really easy -- all my internal systems are in the zone "in.nickh.org", my local DNS resolver knows to pass *.in.nickh.org to my local authoritative server, the rest is resolved as "normal". Nick.
