Netgate Discussion Forum

    Unbound or dns-server(PFSense TinyDNS Ver)

Category: DHCP and DNS
22 Posts, 4 Posters, 5.8k Views
• ghostshell

Trying to decide which pfSense DNS package I should install as a backup to my internal DNS server. I am looking for a non-resource-intensive DNS server that runs well and efficiently. I have been using BIND for years. Resource usage is my deal breaker. Wanted to get the input of the community on this one.

      Modified: Changed to TinyDNS vs Unbound

• koulee

I've run Unbound, but found out that it's unstable, so I reverted back to dnsmasq, the default. In 2.2, Unbound will be the default though, so hopefully it will be more stable.

• ghostshell

          I narrowed down my options to TinyDNS or BIND, just trying to see which is less resource intensive.

• Harvy66

Unstable? My log is full of "service stopped and started", but if I look at the uptime, it's at 87 days, and my box only has 100 days of uptime. I'm not sure what I was doing that far back to cause it to restart.

            total.num.queries=906849
            total.num.cachehits=121591
            total.num.cachemiss=785258
            time.up=7536560.236799

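The four counters above are in the key=value format that `unbound-control stats` prints. As an added example (not code from the thread or from pfSense), here is a small Python reader that turns that output into the figures the thread actually argues about: uptime in days, cache hit ratio and query rate, with a consistency check on the counters. The only constructed part is that Harvy66's counters are embedded as a string instead of being read from a live daemon; the one-hour "recently restarted" threshold is my own choice.

```python
import re

# Harvy66's counters from the post above, embedded here as a string in the
# key=value format unbound-control prints (constructed input for this example,
# normally you would pipe `unbound-control stats_noreset` into parse_stats).
SAMPLE_STATS = """\
total.num.queries=906849
total.num.cachehits=121591
total.num.cachemiss=785258
time.up=7536560.236799
"""

_LINE = re.compile(r"^([A-Za-z0-9_.]+)=(-?\d+(?:\.\d+)?)$")


def parse_stats(text):
    """Turn unbound-control stats output into {counter: float}.

    Lines that are not key=number are skipped instead of raising, because
    newer Unbound versions add counters and the reader should not break on them.
    """
    stats = {}
    for line in text.splitlines():
        m = _LINE.match(line.strip())
        if m:
            stats[m.group(1)] = float(m.group(2))
    return stats


def summarize(stats, restart_threshold_s=3600):
    """Derive uptime, hit ratio and query rate from the raw counters.

    Note: plain `unbound-control stats` clears the counters after printing
    unless statistics-cumulative is enabled; `stats_noreset` only peeks.
    """
    queries = stats["total.num.queries"]
    hits = stats["total.num.cachehits"]
    misses = stats["total.num.cachemiss"]
    up = stats["time.up"]
    return {
        "queries": int(queries),
        # every query is either a hit or a miss; anything else means the
        # counters were read across a reset and should not be trusted
        "consistent": hits + misses == queries,
        "uptime_days": up / 86400.0,
        "hit_ratio": hits / queries if queries else 0.0,
        "qps": queries / up if up else 0.0,
        # a small time.up is the daemon itself telling you it just restarted,
        # which is the check to pair with "service stopped and started" log lines
        "recently_restarted": up < restart_threshold_s,
    }


if __name__ == "__main__":
    s = summarize(parse_stats(SAMPLE_STATS))
    print(f"up {s['uptime_days']:.1f} days, hit ratio {s['hit_ratio']:.1%}, "
          f"{s['qps']:.3f} q/s, counters consistent: {s['consistent']}")
```

Run against the counters above it reports roughly 87 days of uptime and a cache hit ratio of about 13%, which is the arithmetic behind Harvy66's "87 days" reading.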
• Harvy66

              @ghostshell:

              I narrowed down my options to TinyDNS or BIND, just trying to see which is less resource intensive.

              BIND is responsible for 30% of all FreeBSD security vulnerabilities. It's a nasty little devil.

• ghostshell

So one vote for Unbound. Well, since it will be public-facing, definitely not BIND now. Anyone for TinyDNS?

• Harvy66

Based on what I can find, Unbound is 2-3x faster than BIND latency-wise, about 80% faster throughput-wise, has a more intelligent cache, giving it about a 20% better cache hit rate, uses less memory, is more stable, and has many fewer security flaws. Past 3 years, BIND had 15 security flaws, Unbound had 3. Many of BIND's security flaws were always ranked worse.

                  BIND does have a lot more high end features, but if all you want is a simple caching server, Unbound can do everything a home network needs.

• ghostshell

                    Unbound it is! I will backup my config and install it tonight and give it a whirl. Thanks Harvy!!

• ghostshell

                      Where can I add internal DNS records? I have some internal servers that I need to access if the internal DNS is offline for maintenance and I believe I will run into the DNS Rebind security if I try them using Unbound. I have never used Unbound before so sorry for the stupid questions!

EDIT: I meant I would run into the rebind security if I don't have the records set up.

                      UPDATE: poked around and found the conf, found other info on creating and adding internal records. Just need to test.

• phil.davis

                        I don't know which pfSense version you are starting off with, but since you are setting up and using Unbound I suggest you might as well start on 2.2, rather than using the package on 2.1.5 and then upgrading.
                        Unbound is working OK for me on 2.2, using both host overrides and domain overrides.

                        As the Greek philosopher Isosceles used to say, "There are 3 sides to every triangle."
                        If I helped you, then help someone else - buy someone a gift from the INF catalog http://secure.inf.org/gifts/usd/

• ghostshell

                          @phil.davis:

                          I don't know which pfSense version you are starting off with, but since you are setting up and using Unbound I suggest you might as well start on 2.2, rather than using the package on 2.1.5 and then upgrading.
                          Unbound is working OK for me on 2.2, using both host overrides and domain overrides.

My only issue was where to add them, which I figured out, and the format for the entries, which I also figured out. I have no issues with Unbound at this time.

• ghostshell

                            @phil.davis:

                            I don't know which pfSense version you are starting off with, but since you are setting up and using Unbound I suggest you might as well start on 2.2, rather than using the package on 2.1.5 and then upgrading.
                            Unbound is working OK for me on 2.2, using both host overrides and domain overrides.

                            Are you saying that with Unbound installed from the package repo, when I upgrade to 2.X something will break?

• phil.davis

                              There is upgrade code to convert from the package in 2.1.n to the system-provided unbound in 2.2:
                              https://github.com/pfsense/pfsense/blob/master/etc/inc/upgrade_config.inc
                              function upgrade_110_to_111()

                              So it should all work the same after upgrading to 2.2

• ghostshell

                                OK! Thanks! Just wanted to make sure. Can you edit the config through the web gui in 2.X?

• phil.davis

                                  The config is defined/written from the settings made in the webGUI. There is an "Advanced" box to enter extra things into the config that are not already settings in the GUI.

• ghostshell

                                    @phil.davis:

                                    The config is defined/written from the settings made in the webGUI. There is an "Advanced" box to enter extra things into the config that are not already settings in the GUI.

Saw that, but until I read/confirmed what I could put in there I didn't try entering my host/domain overrides. I can't seem to find any good clear info with examples of what domain overrides are. I found plenty on host overrides, which I manually entered due to not knowing what would happen if I entered them in the advanced box.

• ghostshell

                                      After setting up Unbound, which seems great so far, my primary domain shows

                                      local-zone: "domain.com" transparent

                                      I ran across nothing on how to point domain.com to an IP

I know I can specify with local-data domain.mainsite.com IN A IP, but mainsite.com is an actual site on an internal web server. If I switch it to static, how do I tell mainsite.com to point to the internal server's IP? Sorry for the n00b questions, I have never used Unbound before. I have been reading all I can off Google, but I can't seem to find what I am trying to figure out. I have used BIND for years, TinyDNS, and DNSMASQ. This is my first with Unbound.

• phil.davis

                                        I will give a few general principles, and then ask others for detail if you need it.

                                        1. Use the provided fields in the DNS Resolver webGUI as much as possible. The idea is that 95% of users should be able to configure everything they need in the webGUI.
                                        2. Put your pfSense in the same domain as the servers/devices on your intranet (local internal LAN). (System->General Setup, Domain). Then pfSense and Unbound are by default doing names for stuff in the domain that your internal devices are using.
3. Host Overrides - add names here in the webGUI for devices that are:
                                          a) Not known elsewhere (e.g. a print server on your LAN or… that is not in some other DNS); or
                                          b) You want to purposely send somewhere else, often to "blackhole" access to some internet name (facebook.com to some IP on your internal LAN to stop FaceBook working)
                                        4. Domain overrides - if you have a "proper" DNS server/s for your internal domain/s then put those here. Domain name and the IP address of the DNS server for that domain. Then queries for those domain/s will be sent to those IPs, rather than out/up to the internet.

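To make the four principles above concrete, and to answer the earlier question about pointing the bare mainsite.com at an internal address, here is an added example (my own code, not from the thread, pfSense or Unbound) that renders host overrides and domain overrides into the Unbound configuration lines they correspond to. On 2.2 the webGUI writes these lines itself; the generator is useful for the "Advanced" box or a hand-maintained unbound.conf. Every name and address in it is a placeholder I made up. The `private-domain` lines are my assumption about what is needed so that RFC1918 answers returned by a domain-override server survive Unbound's rebinding protection; host-override answers come straight from local-data and are not subject to that filter.

```python
import ipaddress
import re

# Constructed inputs for this example, not from the thread. Replace with your own.
LOCAL_DOMAIN = "example.lan"   # assumed to match System > General Setup > Domain

# (host, domain, address) as in the DNS Resolver "Host Overrides" table.
# An empty host means the domain apex itself (how to point mainsite.com at an IP).
HOST_OVERRIDES = [
    ("printer", "example.lan", "192.168.1.20"),
    ("www", "mainsite.com", "192.168.1.30"),
    ("", "mainsite.com", "192.168.1.30"),
    ("nas", "example.lan", "fd00::10"),
]

# (domain, DNS server that is authoritative for it) as in "Domain Overrides".
DOMAIN_OVERRIDES = [
    ("corp.example", "10.0.0.53"),
]

# hostname labels: 1-63 chars of [A-Za-z0-9-], not starting or ending with '-'
_LABEL = re.compile(r"^(?!-)[A-Za-z0-9-]{1,63}(?<!-)$")


def check_name(name):
    """Reject names Unbound would reject, and return them fully qualified."""
    labels = name.rstrip(".").split(".")
    if not all(_LABEL.match(label) for label in labels):
        raise ValueError(f"bad DNS name: {name!r}")
    return name.rstrip(".") + "."


def render_host_overrides(overrides):
    """local-zone / local-data / local-data-ptr lines for the server: clause."""
    zones = {}
    for host, domain, addr in overrides:
        ip = ipaddress.ip_address(addr)                      # raises on garbage
        fqdn = check_name(f"{host}.{domain}" if host else domain)
        zones.setdefault(check_name(domain), []).append((fqdn, ip))
    lines = []
    for zone in sorted(zones):
        # transparent: answer from local-data when the name matches, otherwise
        # resolve normally, so the rest of mainsite.com still comes from the internet
        lines.append(f'local-zone: "{zone}" transparent')
        for fqdn, ip in zones[zone]:
            rr = "AAAA" if ip.version == 6 else "A"
            lines.append(f'local-data: "{fqdn} IN {rr} {ip}"')
            lines.append(f'local-data-ptr: "{ip} {fqdn}"')  # reverse lookups too
    return lines


def render_domain_overrides(overrides):
    """Return (server: options, forward-zone clauses) for the overrides.

    forward-zone sends every query under the domain to the given server.
    private-domain (assumption, see lead-in) lets RFC1918 answers from that
    server through the private-address rebinding filter.
    """
    server_lines, zone_lines = [], []
    for domain, server in overrides:
        zone = check_name(domain)
        ip = ipaddress.ip_address(server)
        server_lines.append(f'private-domain: "{zone}"')
        zone_lines += ["forward-zone:", f'\tname: "{zone}"', f"\tforward-addr: {ip}"]
    return server_lines, zone_lines


def render_config(local_domain, host_overrides, domain_overrides):
    """Assemble the fragment: all server: options first, then forward-zone clauses.

    A server: option placed after a forward-zone: line would be parsed as part
    of that zone and fail unbound-checkconf, so ordering is not cosmetic.
    """
    pd_lines, fz_lines = render_domain_overrides(domain_overrides)
    server = ["server:", f'\tprivate-domain: "{check_name(local_domain)}"']
    server += ["\t" + line for line in render_host_overrides(host_overrides) + pd_lines]
    return "\n".join(server + fz_lines) + "\n"


if __name__ == "__main__":
    print(render_config(LOCAL_DOMAIN, HOST_OVERRIDES, DOMAIN_OVERRIDES))
```

Before loading a fragment like this, run it through `unbound-checkconf` and then query the apex and a host under it (for example with `drill` or `dig` against the pfSense address) to confirm that the overridden names answer from local data while unlisted names under the same domain are still resolved upstream.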
• ghostshell

                                          I got it.

One last stupid question: using DNSMASQ my list of DNS servers on the main PFSense page started with 127.0.0.1. I assume, since DNSMASQ is off and I am using Unbound, I will need to go to General and add 127.0.0.1 back into that list, correct?

• phil.davis

                                            I didn't do anything special when putting in settings for Unbound on my home 2.2 system and the 127.0.0.1 entry appears all by itself. The underlying pfSense code should be taking care of that sort of stuff, in the same way that DNSmasq did. (Of course, I am doing this on 2.2 - I am not familiar with exactly what the Unbound package actually does on 2.1.5)

                                            Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.