On 2020-07-07 15:28, ken.hendrick...@l3harris.com wrote:
...
> Unbound is still not working.
>
> I have a hunch, but cannot find it in the man pages,
> that somehow they have to talk to each other. Is this true?
depends on what you want them to do.

A DNS resolver and an authoritative DNS server are two different things. You may want your resolver to talk to your server for some applications, other times, no. I.e., exactly like two people in a room. Maybe they have NEED to talk, maybe they shouldn't talk to each other. Getting the job done properly depends on picking the right model. :)

> I tried a very simple unbound.conf file, and it didn't work.
> The very simple config file was from [snip]

The unbound config file that ships with OpenBSD Just Works as a stand-alone resolver listening on localhost. Start there. THEN make the changes you need.

> Any ideas? Any help? What should I be reading??

Unfortunately, the classic texts on DNS usually are based on ISC BIND, which horribly munges the roles of authoritative DNS and DNS resolver into one unified application, so going from there to separated functions is difficult.

I learned the separated model from Dan Bernstein's website, but in looking it over, unfortunately, it is very much based on his DJBDNS package, which is brilliant, but unmaintained for the last 15+ years and no longer compatible with many modern Internet "features" everyone expects today, and uses its own file formats, which were great, but not a standard way to communicate DNS info.

http://cr.yp.to/djbdns/separation.html

Still...most of his points are valid, and he's worth a read.

Everyone's favorite error: Your DNS resolver has to bind to an IP address. Your authoritative DNS server has to bind to an IP address. They both listen on port 53 (UDP and TCP). You can't connect both your server and your resolver to the same IP address. Won't work. First gets it, second gets a port in use error.

But remember -- extra external IP addresses on your server are easily added, and your machine has a huge number of potential localhost addresses (127.0.0.0/8) for internal use. Between those and PF, you can pretty well make any kind of magic I've ever thought of.

Nick.
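The layout Nick describes, written out as an added example (this is not from Nick's post and not OpenBSD's shipped configuration): the resolver (unbound) and the authoritative server keep separate loopback addresses so both can own port 53, and the resolver is told to hand one zone to the authoritative server. It assumes nsd as the authoritative server, a second loopback alias 127.0.0.2, a private zone named example.internal, and the OpenBSD chroot paths /var/unbound/etc/unbound.conf and /var/nsd/etc/nsd.conf; all four are assumptions, not anything the post states. For the "they don't talk" model (stand-alone resolver only), drop the stub-zone block and the do-not-query-localhost, domain-insecure and private-domain lines, and you are back to what the shipped unbound.conf already does.

```conf
# /etc/hostname.lo0  (assumed: give the authoritative server its own
# loopback address; 127.0.0.1 stays with the resolver)
inet alias 127.0.0.2 255.255.255.255

# /var/unbound/etc/unbound.conf  (resolver, chrooted to /var/unbound)
server:
    interface: 127.0.0.1              # resolver owns 127.0.0.1:53, UDP and TCP
    access-control: 127.0.0.0/8 allow
    access-control: 0.0.0.0/0 refuse
    hide-identity: yes
    hide-version: yes

    # Unbound refuses to send queries to 127/8 unless told otherwise;
    # without this the stub-zone below silently SERVFAILs.
    do-not-query-localhost: no

    # Only needed if DNSSEC validation is on: a zone that does not exist
    # below the public root cannot validate, so mark it insecure.
    domain-insecure: "example.internal"

    # Only needed if the zone hands out RFC 1918 addresses: otherwise
    # unbound's rebinding protection strips them from answers.
    private-domain: "example.internal"

# Send queries for this one zone (assumed name) to the authoritative
# server instead of recursing for them.
stub-zone:
    name: "example.internal"
    stub-addr: 127.0.0.2@53

# /var/nsd/etc/nsd.conf  (authoritative server, chrooted to /var/nsd)
server:
    ip-address: 127.0.0.2             # NOT 127.0.0.1, or nsd and unbound
                                      # fight over the same socket
    hide-version: yes

zone:
    name: "example.internal"
    zonefile: "example.internal.zone" # assumed, relative to /var/nsd/zones
```

Check both files with unbound-checkconf(8) and nsd-checkconf(8) before starting anything, then `rcctl enable nsd unbound` and `rcctl start nsd unbound`. A query such as `dig @127.0.0.1 host.example.internal` should come back from unbound with data nsd served; `dig @127.0.0.2 host.example.internal` asks nsd directly and is the quick way to tell which of the two is at fault. If you instead put both daemons on 127.0.0.1, whichever starts second fails its bind with "Address already in use" (EADDRINUSE), which is the port-in-use error Nick mentions.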