Unbound or dns-server(PFSense TinyDNS Ver)
-
Trying to decide which pfSense DNS package I should install as a backup to my internal DNS server. I am looking for a non-resource-intensive DNS server that runs well and efficiently. I have been using BIND for years. Resource usage is my deal breaker. Wanted to get the input of the community on this one.
Modified: Changed to TinyDNS vs Unbound
-
I've run Unbound, but have found out that it's unstable, so I reverted back to dnsmasq, the default. In 2.2, Unbound will be the default though, so hopefully it will be more stable.
-
I narrowed down my options to TinyDNS or BIND, just trying to see which is less resource intensive.
-
Unstable? My log is full of "service stopped and started", but if I look at the uptime, it's at 87 days, and my box only has 100 days of uptime. I'm not sure what I was doing that far back to cause it to restart.
total.num.queries=906849
total.num.cachehits=121591
total.num.cachemiss=785258
time.up=7536560.236799
-
I narrowed down my options to TinyDNS or BIND, just trying to see which is less resource intensive.
BIND is responsible for 30% of all FreeBSD security vulnerabilities. It's a nasty little devil.
-
So one vote for Unbound. Well, since it will be public-facing, definitely not BIND now. Anyone for TinyDNS?
-
Based on what I can find, Unbound is 2-3x faster than BIND latency-wise, about 80% faster throughput-wise, has a more intelligent cache, giving it about a 20% better cache hit rate, uses less memory, is more stable, and has many fewer security flaws. Past 3 years, BIND had 15 security flaws, Unbound had 3. Many of BIND's security flaws were always ranked worse.
BIND does have a lot more high end features, but if all you want is a simple caching server, Unbound can do everything a home network needs.
-
Unbound it is! I will backup my config and install it tonight and give it a whirl. Thanks Harvy!!
-
Where can I add internal DNS records? I have some internal servers that I need to access if the internal DNS is offline for maintenance, and I believe I will run into the DNS Rebind security if I try them using Unbound. I have never used Unbound before, so sorry for the stupid questions!
EDIT: I meant I would run into the rebind security if I don't have the records set up.
UPDATE: poked around and found the conf, found other info on creating and adding internal records. Just need to test.
-
I don't know which pfSense version you are starting off with, but since you are setting up and using Unbound I suggest you might as well start on 2.2, rather than using the package on 2.1.5 and then upgrading.
Unbound is working OK for me on 2.2, using both host overrides and domain overrides.
-
I don't know which pfSense version you are starting off with, but since you are setting up and using Unbound I suggest you might as well start on 2.2, rather than using the package on 2.1.5 and then upgrading.
Unbound is working OK for me on 2.2, using both host overrides and domain overrides.

My only issue was where to add them, which I figured out, and the format for the entries, which I also figured out. I have no issues with Unbound at this time.
-
I don't know which pfSense version you are starting off with, but since you are setting up and using Unbound I suggest you might as well start on 2.2, rather than using the package on 2.1.5 and then upgrading.
Unbound is working OK for me on 2.2, using both host overrides and domain overrides.

Are you saying that with Unbound installed from the package repo, when I upgrade to 2.X something will break?
-
There is upgrade code to convert from the package in 2.1.n to the system-provided unbound in 2.2:
https://github.com/pfsense/pfsense/blob/master/etc/inc/upgrade_config.inc
function upgrade_110_to_111()
So it should all work the same after upgrading to 2.2.
-
OK! Thanks! Just wanted to make sure. Can you edit the config through the web gui in 2.X?
-
The config is defined/written from the settings made in the webGUI. There is an "Advanced" box to enter extra things into the config that are not already settings in the GUI.
-
The config is defined/written from the settings made in the webGUI. There is an "Advanced" box to enter extra things into the config that are not already settings in the GUI.

Saw that, but until I read/confirmed what I could put in there I didn't try entering my host/domain overrides. I can't seem to find any good clear info with examples of what domain overrides are. I found plenty on host overrides, which I manually entered due to not knowing what would happen if I entered them in the advanced box.
-
After setting up Unbound, which seems great so far, my primary domain shows
local-zone: "domain.com" transparent
I ran across nothing on how to point domain.com to an IP
I know I can specify with local-data domain.mainsite.com IN A IP, but mainsite.com is an actual site on an internal web server. If I switch it to static, how do I tell mainsite.com to point to the internal server's IP? Sorry for the n00b questions, I have never used Unbound before. I have been reading all I can off Google, but I can't seem to find what I am trying to figure out. I have used BIND for years, TinyDNS, and DNSMASQ. This is my first with Unbound.
-
I will give a few general principles, and then ask others for detail if you need it.
- Use the provided fields in the DNS Resolver webGUI as much as possible. The idea is that 95% of users should be able to configure everything they need in the webGUI.
- Put your pfSense in the same domain as the servers/devices on your intranet (local internal LAN). (System->General Setup, Domain). Then pfSense and Unbound are by default doing names for stuff in the domain that your internal devices are using.
- Host Overrides - add names here in the webGUI for devices that are:
a) Not known elsewhere (e.g. a print server on your LAN or… that is not in some other DNS); or
b) You want to purposely send somewhere else, often to "blackhole" access to some internet name (facebook.com to some IP on your internal LAN to stop FaceBook working).
- Domain overrides - if you have a "proper" DNS server/s for your internal domain/s then put those here. Domain name and the IP address of the DNS server for that domain. Then queries for those domain/s will be sent to those IPs, rather than out/up to the internet.
-
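Editor's added example, not posted by anyone in this thread: the raw unbound.conf equivalents of the three things discussed above (the rebind concern, host overrides in a transparent local-zone including the domain apex, and a domain override to an internal DNS server). Domain names, addresses and the rebind-allowed domain are made up for illustration; on pfSense the webGUI writes most of these lines for you, so only put a stanza in the "Advanced"/custom options box if the GUI has no field for it, or Unbound will see the same name defined twice.

```conf
server:
    # pfSense's "DNS Rebind" protection is Unbound's private-address list:
    # answers from upstream that contain these addresses are dropped.
    private-address: 10.0.0.0/8
    private-address: 172.16.0.0/12
    private-address: 192.168.0.0/16

    # A forwarded internal domain whose records legitimately hold private
    # addresses must be whitelisted, or its answers are scrubbed as rebinds.
    # (local-data answers below are served locally and are never scrubbed.)
    private-domain: "lab.example."

    # Host overrides. "transparent" means names not listed here still
    # resolve normally; listed names are answered from local-data.
    # The apex (corp.example itself) is just another local-data record.
    local-zone: "corp.example." transparent
    local-data: "corp.example.         IN A 10.0.0.10"
    local-data: "www.corp.example.     IN A 10.0.0.10"
    local-data: "printer.corp.example. IN A 10.0.0.20"
    local-data-ptr: "10.0.0.10 www.corp.example"

    # Blackhole: "redirect" answers the zone and every name under it
    # with the apex record, so facebook.com and *.facebook.com go nowhere.
    local-zone: "facebook.com." redirect
    local-data: "facebook.com. IN A 10.0.0.1"

# Domain override: queries for lab.example go to the internal DNS server
# at 10.0.0.53 instead of out to the internet.
forward-zone:
    name: "lab.example."
    forward-addr: 10.0.0.53
```

After editing, `unbound-checkconf /var/unbound/unbound.conf` parses the file without starting the daemon; a `drill www.corp.example @127.0.0.1` (or `dig`) should then return 10.0.0.10 from the local data, and a name under lab.example should come back from 10.0.0.53 rather than SERVFAIL. If the lab.example answer is missing, the usual cause is the private-domain line, not the forward-zone.
-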
I got it.
One last stupid question: using DNSMASQ my list of DNS servers on the main pfSense page started with 127.0.0.1. I assume that since DNSMASQ is off and I am using Unbound I will need to go to General and add 127.0.0.1 back into that list, correct?
-
I didn't do anything special when putting in settings for Unbound on my home 2.2 system and the 127.0.0.1 entry appears all by itself. The underlying pfSense code should be taking care of that sort of stuff, in the same way that DNSmasq did. (Of course, I am doing this on 2.2 - I am not familiar with exactly what the Unbound package actually does on 2.1.5)