Topic: [DEFUNCT] DNS with Unbound and BIND (Read 1188 times)
passeri (Full Member, Posts: 100, Karma: 4)
[DEFUNCT] DNS with Unbound and BIND
on: September 27, 2023, 10:07:01 am
I want to confirm or otherwise that Unbound and BIND will work together as I think they should. I have read documentation, some threads here, and an external discussion of split DNS servers.
Context
I have an old server running BIND providing authoritative DNS for my domain to internal and external requests, and a mail service. Needing to migrate this to newer hardware/OS I thought it may simplify and improve things if rather than running the current split-brain configuration on BIND, I split the DNS servers. This may offer a security advantage also.
Config and operation
Assume we have LAN and Opt2 as distinct networks below OPNsense. I assume Unbound on OPNsense, and BIND (no split brain) on SVR in Opt2.
Unbound would listen only on LAN network, not on Opt2 or WAN.
OPNsense would NAT all external (WAN) DNS queries directly to SVR in Opt2.
SVR would send all its queries to WAN via OPNsense, Unbound not being involved.
Unbound would use Host Override to send all internal queries from LAN to SVR. For LAN-to-external queries Unbound preferably would speak directly with the internet servers for name resolution rather than sending those to SVR too.
Thus, the two DNS servers would have nothing to do with each other except for LAN local enquiries being passed on to SVR by Unbound. LAN devices would never go directly to WAN or SVR. WAN to SVR or SVR to WAN would not involve Unbound. SVR remains authoritative to external clients for the domain.
Is anyone running this configuration? Is it expected to work, before I start experimenting?
Last Edit: September 30, 2023, 12:27:42 am by passeri
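The design in the post expressed as configuration, as an added example that is not part of the original post and not OPNsense- or ISC-supplied configuration. It is written as the hand-edited Unbound and BIND equivalents of what the OPNsense GUI would generate, so it can be compared with what the GUI produces. All addresses and names are assumptions: LAN is 192.168.1.0/24 with OPNsense at 192.168.1.1, Opt2 is 192.168.2.0/24 with SVR at 192.168.2.10, and the domain is example.com. Two points worth noting: sending a whole domain to another server is Unbound's stub-zone (or forward-zone, which is what OPNsense calls a "Domain Override"), not a host override, which maps a single name; and because WAN port 53 is NATed to SVR, BIND must not recurse for arbitrary clients or the host becomes an open resolver usable for reflection.

```conf
# ---- unbound.conf on OPNsense (hand-written equivalents of the GUI settings;
# ---- example only, addresses are assumptions) ----
server:
    # Listen on the LAN address only; nothing on Opt2 or WAN.
    interface: 192.168.1.1
    port: 53
    # Answer LAN clients (and the firewall itself); refuse everyone else.
    access-control: 127.0.0.0/8 allow
    access-control: 192.168.1.0/24 allow
    access-control: 0.0.0.0/0 refuse
    # No global forwarders: external names are resolved directly from the
    # root servers, so SVR is never in the path for LAN-to-Internet lookups.
    # Rebind protection: strip RFC1918 answers from the Internet, but allow
    # them for the zone that SVR serves, since its records point inside.
    private-address: 192.168.0.0/16
    private-domain: "example.com"
    # Only if the zone on SVR is NOT DNSSEC-signed; leave this out otherwise.
    domain-insecure: "example.com"

# Everything under example.com is asked of BIND on SVR as an authoritative
# server (stub-zone). OPNsense's "Domain Override" generates a forward-zone
# instead; that also works here, because BIND answers its own zone data
# whether or not the query has the RD bit set.
stub-zone:
    name: "example.com"
    stub-addr: 192.168.2.10

# ---- OPNsense NAT (Firewall > NAT > Port Forward), expressed in words ----
# WAN, TCP/UDP, destination WAN address port 53 -> 192.168.2.10 port 53
# (plus the associated pass rule on WAN). Unbound is not involved.

# ---- named.conf on SVR (BIND, single view, no split brain) ----
options {
    directory "/var/named";
    listen-on { 192.168.2.10; };
    # Anyone, including NATed WAN clients, may query the zones hosted here...
    allow-query { any; };
    # ...but only SVR itself may use BIND as a recursive resolver, so the
    # NATed port 53 is not an open resolver.
    recursion yes;
    allow-recursion { 127.0.0.1; ::1; };
    # No forwarders: SVR's own lookups go out to the Internet via OPNsense.
};

zone "example.com" {
    type primary;            # "master" on BIND releases before 9.16
    file "example.com.zone";
    allow-transfer { none; };  # add secondaries here if any
};
```

Because BIND here has a single view, every record in example.com.zone, internal hostnames and RFC1918 addresses included, is visible to the Internet as well as to LAN; that is the trade-off of giving up the split-brain configuration, and it is the reason the post's later reply returns to one of the usual BIND splits.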
passeri (Full Member, Posts: 100, Karma: 4)
Re: DNS with Unbound and BIND
Reply #1 on: September 28, 2023, 07:40:00 am
I did not expect that this might not have been done before, among those happening to read my post. No matter; I shall try some (inexpert) exploration and report back if I seem to be able to get it to work as desired.
Meantime, any comment on related experience or expectations from knowledge of Unbound and BIND will still be most welcome. I have attached a diagram which may clarify the expected DNS request paths.
Erratum: I neglected to note on the diagram that BIND is on SVR, although that should be clear enough.
Last Edit: September 28, 2023, 07:41:53 am by passeri
passeri (Full Member, Posts: 100, Karma: 4)
Re: DNS with Unbound and BIND
Reply #2 on: September 30, 2023, 12:26:52 am
After looking further into the options I have abandoned Unbound in favour of one of the two normal BIND splits, so for me this fascinating discussion is currently closed.