unbound and nsd
After reading about upcoming bind10 changes and never really being all that happy with named, I decided to look around at other solutions for DNS serving. I’ve been running unbound (along with dnssec-trigger) on my laptop for a while, so I was pretty sure it could meet my needs for a recursive/caching solution, but I hadn’t found anything to replace authoritative servers until nsd was pointed out to me.
Replacing my authoritative server with nsd was pretty easy overall. I could reuse the same zone files; I just had to add a bit of nsd config to load them. My main firewall/gateway machine at home was also functioning as a caching server for machines here, so I had to replace named with nsd listening only on the external interface, and unbound listening only on the internal interfaces. Worked like a charm. nsd now answers external queries for my domains and unbound does caching for the other internal machines.
My main internal webserver/mail server machine was also running named and serving some internal-only zones. nsd doesn’t have any kind of ‘views’ setup like named has, so I had to ponder on this for a bit until I noticed that unbound can also optionally have local data. I just set up my zones there in unbound as local-data and it was then able to do what I needed (basically I need my domains to resolve to the internal IPs on that machine so apache is happy, etc). It can also easily resolve *.example.com to whatever single IP you like. Very handy. The only downside of this is that dnssec doesn’t work right with local-data. Perhaps if I signed the zones with the same keys as the external site it could, but I’m not sure it’s worth the trouble.
Unbound also has a nifty control program (unsurprisingly called unbound-control) that lets you do things like flush the cache for just a single specific zone or host, set up a forward over a vpn or other link for just _some_ domains, etc. It’s really nice and flexible.
Both unbound and nsd are very dnssec aware and will try to validate as much as possible. Also, nsd has rate limiting built in, so it’s resistant to DoS or DDoS amplification attacks.
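To make the split described above concrete (nsd on the external interface, unbound with local-data and a wildcard zone on the internal side, unbound-control enabled, and nsd rate limiting), here is an added example configuration; it is not the author’s actual config, and all addresses, paths and the example.com names are constructed placeholders.

```conf
# /etc/unbound/unbound.conf (fragment) -- internal caching resolver
server:
    # Listen only on the internal interfaces (constructed addresses).
    interface: 10.0.0.1
    interface: 127.0.0.1
    access-control: 10.0.0.0/24 allow
    access-control: 127.0.0.0/8 allow
    # Validate DNSSEC for everything fetched recursively
    # (path is an assumption; depends on the distribution).
    auto-trust-anchor-file: "/var/lib/unbound/root.key"
    # Internal view of example.com: explicit records answered from
    # local data instead of the public nsd zone. These answers are
    # unsigned, so validating clients will see them as insecure.
    local-zone: "example.com." static
    local-data: "example.com. IN A 10.0.0.5"
    local-data: "example.com. IN MX 10 mail.example.com."
    local-data: "www.example.com. IN A 10.0.0.5"
    local-data: "mail.example.com. IN A 10.0.0.5"
    # Wildcard: every name under lab.example.com resolves to one IP.
    local-zone: "lab.example.com." redirect
    local-data: "lab.example.com. IN A 10.0.0.9"

# Enable unbound-control over loopback, e.g.:
#   unbound-control flush_zone example.com
#   unbound-control forward_add corp.example.net 10.8.0.1
remote-control:
    control-enable: yes
    control-interface: 127.0.0.1

# /etc/nsd/nsd.conf (fragment) -- public authoritative server
server:
    # Listen only on the external interface (constructed address).
    ip-address: 192.0.2.1
    # Response rate limiting: cap identical responses per second per
    # client netblock to blunt amplification (needs nsd built with
    # --enable-ratelimit).
    rrl-ratelimit: 200

zone:
    name: "example.com"
    zonefile: "/etc/nsd/zones/example.com.zone"
```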
So, if you are looking to replace bind, nsd seems to work nicely for authoritative and unbound does great for recursive.