Does anyone know of any code that will let one run Unbound and NSD on the same IP address and still use port 53 for listening on both?
Something like a DNS multiplexer front end, so that the recursive server and the authoritative server are kept separate but the front-end directs queries to one or the other (either based on the RD bit, a locally configured list of zones, e.g. from NSD config, or some other way). Something that is lightweight but avoids having to burn additional IP addresses.
Can you not run NSD on the same IP address but a different port, and then set unbound to forward queries for the zones NSD is authoritative for to localhost:<port>? I.e. unbound listens on 53.
I don't know of any existing multiplexer. However, you may want to look
at the libnetfilter_queue module for Linux, which allows one to pass
packets to a user-space application (perl with Net::DNS for example) for
inspection, and return a result to the kernel to let it decide what to
do with the packet.
> Does anyone know of any code that will let one run Unbound and NSD on
> the same IP address and still use port 53 for listening on both?
> Can you not run NSD on the same IP address but a different port,
> and then set unbound to forward queries for the zones NSD is
> authoritative for to localhost:<port>? I.e. unbound listens on 53.
As far as I know, one can. See "Forward Zone Options" in man (5)
unbound.conf
> I don't know of any existing multiplexer. However, you may want to look
> at the libnetfilter_queue module for Linux, which allows one to pass
> packets to a user-space application (perl with Net::DNS for example) for
> inspection, and return a result to the kernel to let it decide what to
> do with the packet.
There's a string matching module for netfilter, which could be used to
implement RD-based dispatch (at least for UDP). I'm not sure if this
is a good idea, though.
You could probably use the iptables u32 match to pick out the RD bit and
then REDIRECT to 127.0.0.1:53 where unbound is listening; whilst NSD is
on the public routable address. Remember to make sure your unbound
ACLs for who you are willing to do recursion for are in place.
> The servers listed as forward-host: and forward-addr: have to handle further recursion for the query. Thus, those servers are not authority servers, but are (just like unbound is) recursive servers too;
which seemed to rule out NSD as the target for the forward.
I'm not aware of a stand-alone multiplexer. I was looking for a similar
solution in the past to be able to run unbound and BIND (authoritative
only, with dynamic DNS zones) on the same physical machine in my home
network. First I had a setup similar to what Patrik is suggesting
(unbound on port 53, forwarding local zones to a BIND DNS running on
port 15353).
However that did not work well with dynamic updates, because there is no
way (to my knowledge) to forward dynamic updates from unbound to a
different server/port.
In my current setup I have two IP Addresses on the same NIC on the
server machine, have unbound listen on the 1st (192.168.1.2) and BIND on
the 2nd (192.168.1.5). Unbound is forwarding all requests for local
domains to the 2nd IP address on the same physical server box.
That uses 2 IP addresses though, so why not just give one to the authoritative server and the second one (or vice versa) to the resolver and let each do their thing?
I guess what I was looking for is a bit like a standalone implementation of whatever logic BIND uses to decide whether to answer queries from the authoritative data it has or the cache (and go recurse if necessary), except it would talk to two different processes (unbound and NSD) instead of being contained in a single binary (BIND).
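The dispatch logic described above, as an added example that is not part of the thread: a small UDP front end that parses the query header, sends queries for a configured zone list (assumed here to come from NSD's config) to NSD, and sends anything else with RD set to unbound, relaying answers back unchanged. The backend ports, the zone names and the build_query helper are constructed for this example.

```python
import socket
import struct

# Constructed for this example: NSD and unbound moved off port 53 on loopback.
AUTH_BACKEND = ("127.0.0.1", 5353)   # authoritative server (NSD)
REC_BACKEND = ("127.0.0.1", 5354)    # recursive resolver (unbound)
LOCAL_ZONES = ("example.com.", "10.in-addr.arpa.")  # hypothetical zone list

def build_query(qname, rd=True, qid=0x1234):
    """Wire-format A/IN query; used to construct test input for this example."""
    labels = [l for l in qname.rstrip(".").split(".") if l]
    q = b"".join(bytes([len(l)]) + l.encode() for l in labels) + b"\x00"
    return struct.pack("!HHHHHH", qid, 0x0100 if rd else 0, 1, 0, 0, 0) + q + b"\x00\x01\x00\x01"

def parse_query(pkt):
    """Return (rd, qname) from a DNS query; reject anything that is not a plain query."""
    if len(pkt) < 12:
        raise ValueError("short header")
    _, flags, qdcount = struct.unpack("!HHH", pkt[:6])
    if flags & 0x8000 or qdcount < 1:      # QR set means a response, not a query
        raise ValueError("not a query")
    labels, off = [], 12
    while pkt[off] != 0:                    # IndexError if the qname is truncated
        n = pkt[off]
        if n & 0xC0:
            raise ValueError("compression pointer in question")
        labels.append(pkt[off + 1:off + 1 + n].decode("ascii").lower())
        off += 1 + n
    return bool(flags & 0x0100), ".".join(labels) + "."

def choose_backend(pkt, zones=LOCAL_ZONES):
    """Local zone wins over RD (a resolver asking for local data still hits NSD); else RD decides."""
    rd, qname = parse_query(pkt)
    if any(qname == z or qname.endswith("." + z) for z in zones):
        return AUTH_BACKEND
    return REC_BACKEND if rd else AUTH_BACKEND

def serve(listen=("127.0.0.1", 53)):
    """Blocking UDP front end: relay each query to its backend and the answer back unchanged."""
    s = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    s.bind(listen)
    while True:
        pkt, client = s.recvfrom(4096)
        try:
            with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as b:
                b.settimeout(2.0)
                b.sendto(pkt, choose_backend(pkt))
                s.sendto(b.recvfrom(4096)[0], client)
        except (ValueError, IndexError, socket.timeout):
            pass                            # malformed query or silent backend: answer nothing
```

Like dnsproxy it does no caching and handles one query at a time; the zone list check comes first so that an outside resolver querying local data with RD set still reaches the authoritative server.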
stub-zone can have NSD as the target. It is just like a forward zone
but unbound handles recursion itself and expects to talk to an
authoritative server. (apart from hosting CNAMEs locally that point
out-of-zone you would not notice the difference, DNS misconfiguration at
its best)
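An unbound.conf fragment for the stub-zone layout just described, added here as an example (not from the thread). It assumes NSD has been moved to 127.0.0.1 port 15353 and that the LAN is 192.168.1.0/24; both are constructed values, and "example.com" stands in for the zone NSD serves.

```conf
server:
    interface: 0.0.0.0
    # Only the LAN (and localhost) may use the recursive service; this is the
    # recursion ACL the thread reminds you to put in place.
    access-control: 127.0.0.0/8 allow
    access-control: 192.168.1.0/24 allow
    access-control: 0.0.0.0/0 refuse
    # unbound will not send queries to 127.0.0.1 unless this default is cleared.
    do-not-query-localhost: no

# stub-zone rather than forward-zone: unbound does the recursion itself and
# treats the target as an authoritative server, which is what NSD is.
stub-zone:
    name: "example.com"
    stub-addr: 127.0.0.1@15353
```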
> Does anyone know of any code that will let one run Unbound and NSD
> on the same IP address and still use port 53 for listening on both?
> Something like a DNS multiplexer front end, so that the recursive
> server and the authoritative server are kept separate but the
> front-end directs queries to one or the other (either based on the RD
> bit, a locally configured list of zones, e.g. from NSD config, or some
> other way). Something that is lightweight but avoids having to burn
> additional IP addresses.
Hi, João:
I know of "dnsproxy":
Description: proxy for DNS queries
dnsproxy forwards DNS queries to two previously configured nameservers:
one for authoritative queries and another for recursive queries.
The received answers are sent back to the client unchanged.
No local caching is done.
Primary motivation for this project was the need to replace Bind servers with
djbdns in an ISP environment. These servers get recursive queries from
customers and authoritative queries from outside at the same IP address.
Now it is possible to run dnscache and tinydns on the same machine with
queries dispatched by dnsproxy.
Another possible scenario is a firewall where proxy queries should be
forwarded to the real server in a DMZ.
Homepage: http://wolfermann.org/dnsproxy.html