newbie question: Allowing recursion

Unbound unbound at tacomawireless.net
Wed Feb 22 08:28:41 UTC 2023


On 2023-02-21 05:12, Tuomo Soini via Unbound-users wrote:
> On Mon, 20 Feb 2023 11:20:56 -0800
> David Newman via Unbound-users <unbound-users at lists.nlnetlabs.nl> wrote:
> 
>> Hi Yorgos,
>> 
>> Thanks very much. Logging and debugging was a very good idea. It
>> showed that the unbound config is fine, and that the issue is
>> something I neglected to mention: This system also runs NSD as an
>> authoritative-only name server, and NSD had already bound to UDP port
>> 53.
>> 
>> This may be a question for the openbsd-misc list instead, but if
>> anyone here has examples of how to run an authoritative and recursive
>> server on the same box using unbound and NSD please let me know. I
>> previously used bind, which didn't have this issue because one server
>> handled both authoritative and recursive queries.
> 
> Simple answer: don't.

I must humbly, but strongly, disagree. If this is set up appropriately
there should be no concern for accomplishing the OP's intended task.

To the OP;
This is the blanket knee-jerk response to this question. Not unlike
stating "you should never log in/become root". It is not up to others
to determine your security policy; as they have no idea of your
working environment/practices/intentions.

That said; it should work just fine to run your recursor on
localhost/127.0.0.1/::1, or use a whitelist policy for those you intend
to permit recursion (an "allow" list) within an ACL stanza/config-block.
This will allow you and your "seconds" recursion or transfer as needed,
while protecting your recursor from abuse.

HTH
> 
> If this is publicly available dns server which is visible to internet
> you absolutely don't want to run authoritative and resolving dns
> servers on same ip.
> 
> If this is home network, solution is to move nsd to other port and add
> stub zone configs for unbound so it queries nsd.

