Author: Rick Moen
Date:
To: dng
Subject: Re: [DNG] Unbound details: was Mozilla and cloudflare to hijack all your DNS requests - for your own good of course

Quoting wirelessduck@??? (wirelessduck@???):
> I want to switch from macOS Server to unbound for a local LAN DNS as
> its DNS features will be deprecated soon, but my reading tells me that
> unbound only acts as a recursive nameserver, not authoritative.
>
> What’s the general consensus on a good authoritative server to pair
> with unbound?

NSD, from the same authors. IMO.

If you can run those distinct functions (authoritative and recursive) on
different IPs, good, and that's recommended security practice in any event.
(The recursive server logically should be an inside machine and well
protected.)

If you cannot, then there are a couple of different ways of running both
daemons on the same IP. My favourite at the moment is to use dnsproxy.

But.... You said 'local LAN DNS'. This leaves me wondering whether you
really need a full-blown authoritative server for that use-case. In
case you were unaware, Unbound does do "stub-zones", which might be
enough for your local-LAN needs.

> I can see both knot and nsd are packaged in devuan, but have no
> experience with any outside BIND9 and macOS.
I respect Knot DNS, but have no direct experience with it.
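
Added example, not part of the original message or either project's shipped configuration: a minimal sketch of the split described above, with NSD authoritative on one address and Unbound recursing on another and handing the local zone to NSD through a stub-zone. The addresses, the zone name `lan.example` and the zone file name are constructed placeholders.

```conf
# ---- /etc/unbound/unbound.conf (recursive resolver, inside address) ----
server:
    # Listen only on the inside address (constructed placeholder).
    interface: 192.168.1.53

    # Only LAN clients may recurse. Unbound refuses every client that is
    # not explicitly allowed, apart from localhost.
    access-control: 192.168.1.0/24 allow

    hide-identity: yes
    hide-version: yes

    # The local zone is unsigned and sits under a name the public DNS
    # proves nonexistent, so exempt it from DNSSEC validation.
    domain-insecure: "lan.example"

stub-zone:
    # Queries for this zone go straight to the authoritative server
    # instead of being resolved from the root.
    name: "lan.example"
    stub-addr: 192.168.1.54

# ---- /etc/nsd/nsd.conf (authoritative server, separate address) ----
server:
    # Bind only to the authoritative address (constructed placeholder),
    # so the two daemons never compete for the same IP and port.
    ip-address: 192.168.1.54
    hide-version: yes

zone:
    name: "lan.example"
    # Zone file name is an assumption; it is resolved relative to NSD's
    # configured zonesdir.
    zonefile: "lan.example.zone"
```

Both files can be syntax-checked before the daemons are restarted, with `unbound-checkconf` and `nsd-checkconf` respectively.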