You are not logged in.
- Topics: Active | Unanswered
#1 2013-03-16 15:00:52
- mcloaked
- Member
- From: Yorkshire, UK
- Registered: 2012-02-02
- Posts: 1,238
Migrating to nsd/unbound from bind for local dns queries
As it was recently announced that the maintainer of the bind package intends to withdraw support for bind10 in arch when it is released, I decided to move my own systems from running bind to running unbound as the recursive caching dns server in my laptops, and this package in combination with nsd as an authoritative-only dns server on one of the local network machines to provide local dns. Having done a little research on these two packages before starting out, I found that nsd is in fact used on three of the root dns servers, and has an excellent security pedigree if the CVE statistics are monitored. For example:
http://www.cvedetails.com/product/17420 … or_id=9613
http://www.cvedetails.com/product/18208 … r_id=10197
both look good compared the stats for bind at
http://www.cvedetails.com/product/144/I … ndor_id=64
Having got the packages working on all my machines now, and having had them running very well and stable for some days I thought I would put some information on the arch wiki to help anyone else doing the same migration. Once the migration is complete then the bind package is no longer needed on any of the machines and can be removed. I understand that anyone already running bind will continue to be able to run that package but it will then become unmaintained and it is therefore worth migrating to supported packages that achieve the same functionality but with added security since separating the authoritative dns functions from those of caching and recursive dns allows one to tighten security on the authoritative server in a way that is not possible when running all dns functions within a single package such as bind. In addition package updates including security fixes will then enable the supported packages to provide a cutting edge dns service.
https://wiki.archlinux.org/index.php/Unbound
https://wiki.archlinux.org/index.php/Nsd
There are also a lot of useful hints on the web page at
https://calomel.org/nsd_dns.html
https://calomel.org/unbound_dns.html
and links from those pages.
Of course the same packages can also provide dns queries for wan facing web and mail servers and allow queries from outside of the local network as well in the same way that bind as been providing such services on many web and mail servers for many years by changing the configuration files accordingly.
I hope that this may help other users who want to set up dns servers on their systems.
Last edited by mcloaked (2013-03-16 15:06:04)
Mike C
Offline