Can't get Unbound caching/recursive server to answer on outside IP

Have a FreeBSD 10 machine. Have two outside IPs bound to it. First IP has NSD running as an authoritative server. This is specified specifically in the interface entry of nsd.conf.

Trying to run caching/recursive nameserver with unbound on the second IP. I specified the following entries in unbound.conf:

     interface: 127.0.0.1
     interface: <Second IP>

I followed the tutorial at https://calomel.org/unbound_dns.html. I added lines for unbound-control. But other than that, and the extra interface lines, it's as specified in the tutorial... Oh, also the locations are modified from /var/unbound/etc/ to /var/unbound/.

I can get it to resolve when I run nslookup and set the server to 127.0.0.1, but not when I set it to the second IP.

BTW, I have this in IPFW:

allow udp from any to any dst-port 53 in

Any ideas why I can't get answers on the second IP?

I suspect it might have to do with the default access-control options
(which limit to localhost only and refuse everyone else).

You can also see if unbound listens to the IP correctly:
`netstat -tulpnW | grep unbound`

Can you paste your entire unbound.conf please (including any included
files)?

Thank you. I'm going to do some googling on access-control. In the meantime, here is my conf file:

## Authoritative, validating, recursive caching DNS
## unbound.conf -- https://calomel.org

Nevermind. You were right! I got it working...

Just added access-control allow x.x.x.x/x and life is good now.

Which makes sense because I could see it listening on sockstat, and I could even telnet into port 53 on the 2nd IP (since it is configured to answer TCP requests in addition to UDP) and get a handshake. So the daemon was running, bound on that IP and answering. It just was refusing to give any useful answers until I told it it was cool to talk to my originating IP.

Making assumptions, correct me if I'm wrong, it appears you want
Unbound to be a cache for your internal LAN and not for the outside
world, therefore you would want Unbound to answer queries from your
inside IP address and not the outside IP address which would result in
a change to:

  interface: 127.0.0.1
  interface: 10.0.0.1

If you really want Unbound to be a cache for the rest of the world
instead you'll need to change the access control to something more
like:

access-control: 0.0.0.0/0 allow
(not recommending you do this)

Chris
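As an added check for the failure mode discussed in this thread (example code written for this post, not from the thread or the Unbound project): a small script that parses the `interface:` and `access-control:` lines of an unbound.conf, layers them over Unbound's built-in defaults (loopback allowed, everything else refused, most specific netblock wins, as the unbound.conf man page describes) and reports which non-loopback listeners a given client would get REFUSED from. The embedded sample configuration is constructed; 203.0.113.2 stands in for the second outside IP and 198.51.100.7 for the querying client.

```python
"""Added diagnostic for this thread (not Unbound project code): does a client
actually get answers from the IPs unbound binds? 'interface:' only controls
listening; 'access-control:' decides whether a query is answered or REFUSED.
Defaults per the unbound.conf man page: loopback allowed, everyone else refused."""
import ipaddress
import re

DEFAULT_ACCESS = [("127.0.0.0/8", "allow"), ("::1/128", "allow"),
                  ("0.0.0.0/0", "refuse"), ("::/0", "refuse")]

# Constructed sample: the poster's setup before any access-control was added.
SAMPLE_CONF = """server:
    interface: 127.0.0.1
    interface: 203.0.113.2      # second outside IP (placeholder)
"""

def parse_server_section(conf_text):
    """Return (interfaces, access_rules); only these two options are parsed."""
    interfaces, rules = [], []
    for raw in conf_text.splitlines():
        line = raw.split("#", 1)[0].strip()                  # drop comments
        m = re.match(r"^(interface|access-control):\s*(.+)$", line)
        if not m:
            continue
        fields = m.group(2).split()
        if m.group(1) == "interface":
            interfaces.append(fields[0].split("@", 1)[0])   # strip optional @port
        else:
            rules.append((fields[0], fields[1]))             # (netblock, action)
    return interfaces, rules

def effective_action(conf_text, client_ip):
    """Action applied to a query from client_ip: the most specific matching
    netblock wins; on a tie the later rule (config over defaults) wins."""
    client = ipaddress.ip_address(client_ip)
    best_len, best_action = -1, "refuse"
    for netblock, action in DEFAULT_ACCESS + parse_server_section(conf_text)[1]:
        net = ipaddress.ip_network(netblock, strict=False)
        if client in net and net.prefixlen >= best_len:
            best_len, best_action = net.prefixlen, action
    return best_action

def unanswered_interfaces(conf_text, client_ip):
    """Non-loopback listeners from which client_ip gets no useful answer.
    access-control is global, so either every outside listener refuses or none."""
    interfaces, _ = parse_server_section(conf_text)
    if effective_action(conf_text, client_ip).startswith("allow"):
        return []
    return [i for i in interfaces if not ipaddress.ip_address(i).is_loopback]
```

Running `unanswered_interfaces(SAMPLE_CONF, "198.51.100.7")` on the sample reproduces the thread's symptom (the outside listener is bound but refuses), and appending an `access-control: 198.51.100.0/24 allow` line makes it return an empty list.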