On 2015-01-13, sven falempin <sven.falem...@gmail.com> wrote:
> Dear OpenBSD users,
>
> Recently unbound made its way into base, pushing the complex bind/named
> out for our own good.
>
> I would like to internally and externally solve some domain names
> differently (so some services are accessible from inside and outside
> without some fancy NAT or worse). I found out 'some' call this setup a
> 'split-dns', often used for an internal mail server.
>
> I also found out BIND got a feature for this, and internet gossip says:
> <<
> Unbound doesn't support split-horizon DNS. It's primarily meant as a
> recursive and caching nameserver, and has only limited support for
> serving authoritative answers.
> >>
>
> Of course I imagine running two unbound with two different IP address bindings ....
>
> I feel like I am missing something.
>
> If I want to manage my domain, shall I use bind on the 'main' server?
>
> Best regards.
The main confusion people have when moving from a BIND setup on a small installation is that BIND allows mixing resolver (client lookups for every domain) and authoritative (lookups from the world for your local domain) on the same IP address. This is not recommended even with BIND, and not supported at all by most other DNS software.

For the simplest way to do split-horizon: run unbound listening on an internal address. Run NSD listening on an external address for the main DNS zone that you are publishing. Use local-data statements in unbound.conf to override lookups for internal addresses.

You can alternatively use unbound and two copies of NSD, one for external, one to talk to unbound (using stub-zone in unbound.conf), but it's more complicated - in particular, the rc script system isn't set up to handle running multiple copies of a single daemon.
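An added example (not from the thread) of the simpler layout described in the reply: unbound bound to the internal address, answering the overridden names from local-data, and NSD bound to the external address serving the published zone. The addresses, zone name and file paths are assumed placeholders; the file locations are the OpenBSD defaults.

```conf
# /var/unbound/etc/unbound.conf -- internal resolver only
# (192.168.1.0/24 as the internal network and example.com as the zone are assumed)
server:
    interface: 192.168.1.1              # internal address; never the external one NSD uses
    access-control: 192.168.1.0/24 allow
    access-control: 0.0.0.0/0 refuse    # nothing from outside reaches the resolver
    # Names listed here are answered with internal addresses; any other name
    # under example.com is resolved normally (transparent), so public records
    # that are not overridden still come from the authoritative server.
    local-zone: "example.com." transparent
    local-data: "mail.example.com. IN A 192.168.1.25"
    local-data: "www.example.com. IN A 192.168.1.80"
    local-data-ptr: "192.168.1.25 mail.example.com"

# /var/nsd/etc/nsd.conf -- authoritative server for the world
# (203.0.113.1 as the external address is assumed)
server:
    ip-address: 203.0.113.1
zone:
    name: "example.com"
    zonefile: "example.com.zone"        # holds the public addresses, e.g. mail A 203.0.113.25
```

To confirm the split, query each listener separately, e.g. `dig @192.168.1.1 mail.example.com` from inside should return 192.168.1.25 while `dig @203.0.113.1 mail.example.com` returns the public address; a query from outside to 192.168.1.1 should be refused.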