Boston Linux & UNIX was originally founded in 1994 as part of The Boston Computer Society. We meet on the third Wednesday of each month at the Massachusetts Institute of Technology, in Building E51.

BLU Discuss list archive



[Discuss] New document on Unbound caching DNS server



Derek Martin <invalid at pizzashack.org> writes:

> On Thu, Sep 13, 2018 at 07:36:26PM -0400, Steve Litt wrote:
>> Hi all,
>> 
>> The Unbound DNS server is the new kid on the block. A lot of admins are
>> replacing BIND9 with Unbound, perhaps plus an authoritative DNS server
>> for their domain. 
>
> Why?  BIND9, for whatever flaws it may have, is robust,
> well-understood software.  What advantages does Unbound offer that
> outweigh the benefit of running well established code?
>

My impression is that unbound and nsd are not new or experimental code.

I'm not a system admin, only a user, but I'll take a shot at some
justifications...

BIND9's source code is no joy to read. Anyone who's tried to maintain a
patch against it has my sympathy.  I'd guess the number of people for
whom this software is well understood at a source code level is actually
quite small. I haven't looked at unbound's code, but I suspect if OpenBSD
was willing to take it in (they commit to auditing what they include in
base) that it's probably an improvement as far as readability goes at the
very least.

Second, I'll give the diversity argument. There will continue to be
security holes in bind9 (and in unbound and nsd). Some people running
other things may mitigate the global risk of one severe incident.

Third, possibly someone has special requirements or perceptions of the
different projects that make unbound and nsd more attractive to them. At
least in 2012 (and apparently long before), OpenBSD felt unbound fit
their needs better than Bind9:
https://marc.info/?l=openbsd-misc&m=132921194328662&w=2

>> More interesting still, a lot of laptop owners are installing Unbound
>> to replace their old 8.8.8.8 or per-accesspoint resolvers with a full
>> caching DNS, which is more secure, faster, and makes for much faster
>> browsing.
>
> FWIW, this is often a bad idea.  On average, you will typically get
> the best overall performance by using your ISP's DNS servers (unless
> you know they're bad).  If you care about why, the short answer is
> CDNs, but here's a somewhat lengthy explanation:

If you set your resolver to be both caching and forwarding (meaning when
it doesn't have the record in cache it goes to your ISP's server or
whatever substitute you use) this isn't an issue I think.  Whether it's
worth the bother to set it up on a home network is another question. It
might be fun if you're into that sort of thing, or it might be good for
practice.

-- 
Mike Small
smallm at sdf.org
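The caching-plus-forwarding setup Mike describes (answer from the local cache, and on a miss ask the ISP's resolver rather than walking the root servers yourself) is a few lines of unbound.conf. The fragment below is an added example, not something from the thread or from the Unbound project; the upstream address 192.0.2.1 is a documentation placeholder standing in for your ISP's resolver, and the trust-anchor path is an assumption that varies by distribution. Because the upstream still sees the query, Derek's CDN-locality point is preserved: the CDN geolocates on the ISP resolver's address, as it would without the local cache.

```conf
# /etc/unbound/unbound.conf (example, not the project's default file)
server:
    # Only answer on the loopback address: a resolver open to the
    # network is an amplification target.
    interface: 127.0.0.1
    access-control: 127.0.0.0/8 allow
    access-control: 0.0.0.0/0 refuse

    # Do not reveal server identity/version to version.bind queries.
    hide-identity: yes
    hide-version: yes

    # Refresh popular records before their TTL expires, so repeat
    # lookups keep hitting cache.
    prefetch: yes

    # Validate DNSSEC locally even though answers come from a forwarder.
    # Path is an assumption; distributions place the root key differently.
    auto-trust-anchor-file: "/var/lib/unbound/root.key"

# Forward every miss (".") to the ISP resolver instead of doing full
# recursion from the root. 192.0.2.1 is a placeholder address.
forward-zone:
    name: "."
    forward-addr: 192.0.2.1
    forward-first: no
```

Run `unbound-checkconf` before restarting the daemon, then compare two `dig @127.0.0.1 example.com` queries: the second should report a query time near zero milliseconds, showing the cache answered it. If `forward-first` is set to `yes` Unbound falls back to full recursion when the forwarder fails, which changes the locality behaviour Derek raised, so the example keeps it at `no`.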



BLU is a member of BostonUserGroups
We also thank MIT for the use of their facilities.




Boston Linux & Unix / webmaster@blu.org