newbie question: Allowing recursion
Unbound
unbound at tacomawireless.net
Wed Feb 22 08:28:41 UTC 2023
On 2023-02-21 05:12, Tuomo Soini via Unbound-users wrote:
> On Mon, 20 Feb 2023 11:20:56 -0800
> David Newman via Unbound-users <unbound-users at lists.nlnetlabs.nl> wrote:
>
>> Hi Yorgos,
>>
>> Thanks very much. Logging and debugging was a very good idea. It
>> showed that the unbound config is fine, and that the issue is
>> something I neglected to mention: This system also runs NSD as an
>> authoritative-only name server, and NSD had already bound to UDP port
>> 53.
>>
>> This may be a question for the openbsd-misc list instead, but if
>> anyone here has examples of how to run an authoritative and recursive
>> server on the same box using unbound and NSD please let me know. I
>> previously used bind, which didn't have this issue because one server
>> handled both authoritative and recursive queries.
>
> Simple answer: don't.
I must humbly, but strongly disagree. If this is setup appropriately
there should be no concern for accomplishing the OP's intended task.
To the OP;
This is the blanket knee-jerk response to this question. Not unlike
stating "you should never log in/become root". It is not up to others
to determine your security policy; as they have no idea of your
working environment/practices/intentions.
That said; it should work just fine to run your recursor on
localhost/127.0.0.1/::1
or use whitelist policy for those you intend to permit recursion (an "allow"
list)
within an ACL stanza/config-block. This will allow you and your "seconds"
recusion
or transfer as needed. While protecting your recursor from abuse.
HTH
>
> If this is publicly available dns server which is visible to internet
> you absolutely don't want to run authoritative and resolving dns
> servers on same ip.
>
> If this is home network, solution is to move nsd to other port and add
> stub zone configs for unbound so it queries nsd.
More information about the Unbound-users
mailing list