newbie question: Allowing recursion

David Newman dnewman at
Sat Feb 25 19:51:25 UTC 2023

On 2/22/23 12:28 AM, Unbound via Unbound-users wrote:

> On 2023-02-21 05:12, Tuomo Soini via Unbound-users wrote:
>> On Mon, 20 Feb 2023 11:20:56 -0800
>> David Newman via Unbound-users <unbound-users at> wrote:
>>> Hi Yorgos,
>>> Thanks very much. Logging and debugging was a very good idea. It
>>> showed that the unbound config is fine, and that the issue is
>>> something I neglected to mention: This system also runs NSD as an
>>> authoritative-only name server, and NSD had already bound to UDP port
>>> 53.
>>> This may be a question for the openbsd-misc list instead, but if
>>> anyone here has examples of how to run an authoritative and recursive
>>> server on the same box using unbound and NSD please let me know. I
>>> previously used bind, which didn't have this issue because one server
>>> handled both authoritative and recursive queries.
>> Simple answer: don't.
> I must humbly, but strongly disagree. If this is set up appropriately
> there should be no concern for accomplishing the OP's intended task.

Thanks - this is exactly the intended task. I am a recent convert from 
bind looking to do two things:

- provide authoritative name service for a few domains (NSD does this now)

- provide recursive, caching, forwarding name service for a few 
specified hosts (having trouble with Unbound doing this on the same host)

> To the OP;
> This is the blanket knee-jerk response to this question. Not unlike
> stating "you should never log in/become root". It is not up to others
> to determine your security policy; as they have no idea of your
> working environment/practices/intentions.
> That said; it should work just fine to run your recursor on localhost/
> or use whitelist policy for those you intend to permit recursion (an
> "allow" list) within an ACL stanza/config-block. This will allow you and
> your "seconds" recursion or transfer as needed. While protecting your
> recursor from abuse.

With unbound.conf configured to listen on, recursion works 
fine on the localhost. Where I'm stuck is providing recursion to other 
hosts, even if they are on an "allow" list. NSD and Unbound cannot both 
be bound to port 53 on the same interface. Do I really need two hosts here?

I appreciate Xavier Belanger's suggestion of running each service in a 
different address family, one in IPv4 and the other in IPv6, but that's 
not an option for me as some of my hosts are v4 only. And I like Uwe 
Werler's suggestion about running nsd on a different port and forwarding 
queries via unbound, but haven't found examples on how that would work, 
and also wonder if the "aa" flag would be set for authoritative queries 
since clients wouldn't talk directly to NSD.

The examples I have found run Unbound and NSD on different addresses. Is 
there some other way of running them on the same machine? Thanks again.


This is OpenBSD, which doesn't support jails AFAIK. I could run a 
different interface with a private interface address, but am unclear how 
that would work in practice.

>> If this is publicly available dns server which is visible to internet
>> you absolutely don't want to run authoritative and resolving dns
>> servers on same ip.
>> If this is home network, solution is to move nsd to other port and add
>> stub zone configs for unbound so it queries nsd.
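
Added example, not part of the original message or of either project's documentation: a sketch of the layout described in the quoted reply above, with NSD moved to another port and Unbound reaching it through a stub zone. The zone name, port 5353 and the 192.0.2.x addresses are assumptions chosen for illustration. In this layout NSD no longer answers on port 53, so it fits the home-network case rather than a publicly visible authoritative server.

```conf
# --- nsd.conf: authoritative server moved off port 53, loopback only ---
server:
    ip-address: 127.0.0.1@5353           # 5353 is an assumed free port

zone:
    name: "example.org"                  # placeholder zone name
    zonefile: "example.org.zone"         # placeholder file name

# --- unbound.conf: owns port 53, recursion limited to an allow list ---
server:
    interface: 127.0.0.1
    interface: 192.0.2.53                # constructed address of this host
    # Refuse everyone by default, then allow named networks only.
    access-control: 0.0.0.0/0 refuse
    access-control: 127.0.0.0/8 allow
    access-control: 192.0.2.0/24 allow   # constructed client network
    # Unbound does not query loopback addresses unless this is "no".
    do-not-query-localhost: no

stub-zone:
    name: "example.org"
    stub-addr: 127.0.0.1@5353            # the NSD instance above
```

Clients on the allow list receive these answers from Unbound acting as a resolver, so the replies carry the "ra" flag and not "aa"; comparing `dig @192.0.2.53 example.org SOA` from a client with `dig -p 5353 @127.0.0.1 example.org SOA +norec` on the host shows the difference.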
