[Unbound-users] unbound + nsd: acl to only allow non-recursive requests?
wouter at nlnetlabs.nl
Tue Feb 11 08:37:27 UTC 2014
On 02/10/2014 10:41 PM, Joe Abley wrote:
> On 2014-02-10, at 16:17, Jiri Bohac <jiri at boha.cz> wrote:
>
>> I'm trying to replace my bind server with unbound + nsd. My DNS
>> server works both as authoritative for a few zones and also as a
>> recursive resolver for a few subnets.
>
> How about planning to run unbound and NSD independently, each bound
> to different addresses? You'll need to renumber your nameserver in
> the appropriate registries, but if there are only a few zones
> involved, that seems unlikely to be difficult.
>
> Your life will get easier in the long run if you treat recursive
> and authoritative DNS as separate, independent services.

The options are called deny_non_local and refuse_non_local. They
differ in what you want them to do with the disallowed
non-authoritative queries (drop or refuse, refuse is nicer and is more
like a regular authority server).

The version with this patch has not yet been released, you'll have to
wait for the next release or get the source from the svn (trunk).
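
The two access-control actions named in the message above, shown in an unbound.conf fragment; this is an added example, not part of the original message or the Unbound project's own configuration. The subnets, zone name and addresses are constructed placeholders, and the fragment assumes the behaviour described in the unbound.conf manual, where clients under these actions are answered only from local-zone/local-data.

```conf
# unbound.conf fragment (constructed example; all addresses and names are placeholders)
server:
    interface: 0.0.0.0

    # Loopback and the internal subnet get full recursive service.
    access-control: 127.0.0.0/8 allow
    access-control: 192.0.2.0/24 allow

    # Weak setting this replaces: recursion for the whole Internet (open resolver).
    # access-control: 0.0.0.0/0 allow

    # Everyone else is answered only from the local-data below;
    # any other query receives REFUSED, like a regular authority server.
    access-control: 0.0.0.0/0 refuse_non_local

    # Alternative: silently drop the disallowed queries instead of refusing them.
    # access-control: 0.0.0.0/0 deny_non_local

    # Static data that non-local clients are still allowed to query.
    local-zone: "example.com." static
    local-data: "example.com. IN NS ns1.example.com."
    local-data: "ns1.example.com. IN A 198.51.100.53"
    local-data: "www.example.com. IN A 198.51.100.80"
```

Running `unbound-checkconf` on the file confirms that the installed version accepts these actions; a release older than the one mentioned in the message will reject them.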