# Unbound Guide needed (migrating from BIND)



## darin (Nov 2, 2017)

I have been using BIND for decades now and am somewhat stuck in my ways.
I want to make the transition to Unbound for a web server with multiple domains and don't even know where to start. The docs on Unbound haven't really helped.

So, if I can show what I have traditionally done, maybe someone can point out best practices going forward. I am certain this will be valuable to many people with the same old habits as mine.

I would like to thank in advance anyone who contributes to my learning via this thread.

This is my traditional BIND setup:

1. Add to named.conf


```
include "/usr/local/etc/namedb/zone.xyz.conf";
include "/usr/local/etc/namedb/zone.abc.conf";
```

Although this isn't necessary, it has helped me create groupings relevant to the list of domains hosted.

2. Sample zone.conf


```
zone "domain1.com" in {
    type master;
    file "master/primary.domain1.com";
    allow-query { any; };
    allow-transfer { xxx.xxx.xxx.xxx; yyy.yyy.yyy.yyy; };
};

zone "domain2.com" in {
    type master;
    file "master/primary.domain2.com";
    allow-query { any; };
    allow-transfer { xxx.xxx.xxx.xxx; yyy.yyy.yyy.yyy; };
};
```


where xxx.xxx.xxx.xxx is the IP address of the upstream provider's DNS server (when the upstream provider supplies secondary DNS services)
and yyy.yyy.yyy.yyy is the IP address of my own secondary BIND server.

3. Set up zone files, e.g. primary.domain1.com


```
$TTL 3600
domain1.com. IN SOA ns1.primarydnsdomain.com. hostmaster.domain1.com. (
    2017022013 ; serial yyyymmddxx
    3600       ; Refresh 1 hour
    900        ; Retry 15 mins
    604800     ; Expire 7 days
    3600 )     ; Minimum TTL 1 hour

;Name Servers (@ stands for the zone origin, domain1.com.)
@ IN NS ns1.primarydnsdomain.com.
@ IN NS ns2.primarydnsdomain.com.

;Main addresses
domain1.com. IN A 123.123.123.123

;Aliases
www IN CNAME domain1.com.

;TXT
domain1.com. IN TXT "v=spf1 include:_spf.mailserver.com ~all"

;Mail Exchanger
domain1.com. IN MX 10 primary.mailserver.com.
domain1.com. IN MX 20 backup.mailserver.com.
```


----------



## ShelLuser (Nov 2, 2017)

I think you're a bit confused here or never bothered to read its manual page. Unbound isn't a DNS server, it isn't designed to host domains and such. Taken directly from unbound(8): unbound is a _DNS validating resolver_. Ergo nothing more than a caching nameserver, call it a DNS proxy if you will.

So this isn't going to work, and I'd _seriously_ advise you to look a little deeper into a product before deciding that this is what you're going to be using next. At the risk of sounding a little harsh here, you could have known this by merely checking the Unbound manual page.

Which is a well-meant tip here: do not treat FreeBSD manual pages as the crappy stuff (often, but not always!) which is used on Linux. On Linux a manual page is often nothing more than a reference to an info page, stored documentation and/or online documentation. On FreeBSD this works "a little bit" differently. Manual pages are just what their name implies: manuals. So read them.

Also take good note of their SEE ALSO sections because those can point to usable pointers. I mean... going back to the Unbound example: even if the main unbound manual page confuses you, you'll find a reference to unbound.conf(5) in the SEE ALSO section. And that will clearly show you that there is no room for DNS entries such as MX, CNAME and A records. Ergo: myth debunked.

Try this page of DNS server software comparisons on Wikipedia. You'll notice that your choices are limited. However, most alternatives from that list are also available in the DNS section of the Ports collection.

But some well-meant advice, based solely on your post here: stick to Bind for now. Bind is the de-facto choice for DNS servers, and although there are alternatives it might be better to stick to Bind for now until you gain more experience in this field. Because one way or the other: running a (public) DNS server can be a tricky task. Bind will at least have your back and fill in for the stuff you might miss.

Still... I don't think you can do that badly with Bind myself. I've been using it for several public domains and so far it has never failed me.

Hope this can help!


----------



## obsigna (Nov 2, 2017)

Bind cannot be completely replaced by Unbound. Unbound is a resolver (caching, recursive or forwarding) only; it does no authoritative name servicing. In case you really need a local authoritative name server, you would need to accompany Unbound with dns/nsd.

With the advent of FreeBSD 10, I switched from Bind to Unbound, and I figured that in my scenario duplicating the authoritative name service of the primaries on my servers didn't add any benefits for the local clients. On my sites, unbound.conf(5) is configured as a recursive caching resolver, with a few transparent local-zone directives for special local services.

So, my suggestion is that you decide first whether you need an authoritative name server or not. If yes, honestly, I would stay with Bind.


----------



## obsigna (Nov 2, 2017)

ShelLuser said:


> ... . And that will clearly show you that there is no room for DNS entries such as MX, CNAME and A records ...


This is not completely true. We can set up local-zones with Unbound, and A and MX records are possible while CNAME records are not. Example from my setup:

```
...
local-zone: "projectworld.net" transparent
local-data: "projectworld.net           NS projectworld.net"
local-data: "projectworld.net           MX 5 smtp.mailserver.ex"
local-data: "projectworld.net           IN A 192.168.0.1"
local-data: "rolf.projectworld.net      IN A 192.168.0.115"
...
local-data: "serv6.projectworld.net     IN AAAA fd7d:7b49:40ea:4a0b::1"
local-data: "rolf6.projectworld.net     IN AAAA fd7d:7b49:40ea:4a0b::115"
...
local-zone: "0.168.192.in-addr.arpa" static
local-data: "1.0.168.192.in-addr.arpa   IN PTR projectworld.net"
local-data: "115.0.168.192.in-addr.arpa IN PTR rolf.projectworld.net"
...
```
In case you have your zones hosted on a primary name server elsewhere, then you may want to think about Unbound as a local resolver that resolves your zones for your local clients as it would do for all other domain names as well. By way of the local-zone and local-data directives you would configure local site-specific names and addresses.
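As an added example (not code from the thread or from the Unbound project), the script below does the mechanical part of the migration asked about in the first post: it reads a BIND zone file like primary.domain1.com above and emits the local-zone/local-data directives shown in this post, expanding @ and relative owner names, dropping the SOA (a resolver is not authoritative for the zone) and reporting CNAME records, which per this thread local-data cannot carry, instead of silently losing them. The zone text is a constructed sample, and wrapping TXT data in single quotes is my assumption about Unbound's config quoting.

```python
# Added example, not code from the thread: convert a BIND zone file into the
# Unbound local-zone/local-data form shown above, reporting what cannot be carried.
import re
# Constructed sample modelled on the primary.domain1.com zone posted above.
SAMPLE_ZONE = """$TTL 3600
domain1.com. IN SOA ns1.primarydnsdomain.com. hostmaster.domain1.com. (
    2017022013 ; serial yyyymmddxx
    3600 900 604800 3600 )
@ IN NS ns1.primarydnsdomain.com.
  IN NS ns2.primarydnsdomain.com.
domain1.com. IN A 123.123.123.123
www IN CNAME domain1.com.
domain1.com. IN TXT "v=spf1 include:_spf.mailserver.com ~all"
domain1.com. IN MX 10 primary.mailserver.com.
"""

SUPPORTED = {"A", "AAAA", "MX", "NS", "PTR", "TXT"}  # CNAME is not, per the thread
TOKEN = re.compile(r'"[^"]*"|;.*|\S+')  # quoted TXT and ; comments stay whole

def fqdn(name, origin):  # expand @ and relative owner names against the origin
    return origin if name == "@" else name if name.endswith(".") else f"{name}.{origin}"

def zone_to_unbound(zone_text, origin, zone_type="transparent"):
    """Return (unbound.conf lines, records that could not be converted)."""
    origin = origin.rstrip(".") + "."
    out, skipped = [f'local-zone: "{origin}" {zone_type}'], []
    owner, in_soa = origin, False
    for raw in zone_text.splitlines():
        tokens = [t for t in TOKEN.findall(raw) if not t.startswith(";")]
        if in_soa:                              # still inside a parenthesised SOA
            in_soa = not any(")" in t for t in tokens)
            continue
        if not tokens or tokens[0].startswith("$"):
            continue                            # comment-only line, $TTL, $ORIGIN
        if not raw[0].isspace():                # a leading blank inherits the owner
            owner = fqdn(tokens.pop(0), origin)
        while tokens and (tokens[0].isdigit() or tokens[0].upper() == "IN"):
            tokens.pop(0)                       # optional TTL and class
        if not tokens:                          # owner-only line, nothing to emit
            continue
        rtype, rdata = tokens[0].upper(), " ".join(tokens[1:])
        if rtype == "SOA":                      # a resolver is not authoritative: drop it
            in_soa = "(" in rdata and ")" not in rdata
            continue
        if rtype not in SUPPORTED:
            skipped.append(f"{owner} {rtype} {rdata}")
            continue
        quote = "'" if '"' in rdata else '"'    # assumed: Unbound accepts '...' strings
        out.append(f"local-data: {quote}{owner} IN {rtype} {rdata}{quote}")
    return out, skipped
```

Merge the emitted lines into unbound.conf and run unbound-checkconf before reloading, and look at the skipped list for anything that still needs an authoritative server.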


----------



## darin (Nov 2, 2017)

Thanks for the quick responses obsigna and ShelLuser; installing good ole BIND as we speak!
You're right, I have been completely confused about Unbound and am still struggling to see its use on a webserver.


----------



## Oko (Nov 3, 2017)

ShelLuser said:


> I think you're a bit confused here or never bothered to read its manual page. Unbound isn't a DNS server, it isn't designed to host domains and such. Taken directly from unbound(8): unbound is a _DNS validating resolver_. Ergo nothing more than a caching nameserver, call it a DNS proxy if you will.


I honestly can't believe what I am reading on this forum. While BIND is indeed the first and the reference implementation of a DNS server, it has always suffered from bi-polar disorder as it thinks of itself as a caching and an authoritative DNS server at the same time. Namely, properly speaking there are two separate DNS servers (note plural) in a proper DNS installation. The first one is Unbound. Unbound is a validating, recursive, and caching DNS resolver. Unbound can be abused into serving local "zone" files like I do at work and at home. The second component of any DNS installation is an authoritative name server. The same lab which came up with Unbound also created dns/nsd. While most people are better off paying for a managed DNS service (I use EasyDNS at work and have no need for authoritative DNS at home), people who must run their own secure authoritative DNS server should install NSD. There are very, very few exceptional situations where one should run BIND, and most definitely not BIND 10 (requires Python). The first person who refused to go along with BIND's bi-polar disease was fellow mathematician Daniel J. Bernstein, who created djbdns. In Daniel's implementation dnscache (resolver and cache) and tinydns (DNS server) can't even run on the same machine. While due to very anti-UNIX design decisions, a strange license, and lack of centralized patching Daniel Bernstein's tools never gained wide popularity, they definitely commanded a respected following by a small but very competent group of users.


----------



## ShelLuser (Nov 3, 2017)

Oko said:


> I honestly can't believe what I am reading on this forum.


Welcome to the real world then. Congrats for choosing the red pill, by the way.



Oko said:


> While BIND is indeed the first and the reference implementation of a DNS server, it has always suffered from bi-polar disorder as it thinks of itself as a caching and an authoritative DNS server at the same time. Namely, properly speaking there are two separate DNS servers (note plural) in a proper DNS installation. The first one is Unbound.


Remind me not to hire you as a DNS operator.


----------

