# UNBOUND vs BIND99



## captcurrent (Nov 6, 2015)

I am building a new FreeBSD 10.2 server. The eventual purpose for this is to serve as an email and web host for a number of domains (10 or so). I am curious about any recommendations as to what I should be running for DNS. I just blindly started installing BIND because I had always done that. Suggestions?


----------



## usdmatt (Nov 6, 2015)

Hello Again 

Some people may disagree slightly (as I think Unbound can actually run "real" DNS zones to a certain extent);
However, I tend to stick to the following -

Unbound - DNS resolver - use in most normal cases
Bind - DNS server - use if you actually need to run authoritative DNS zones (i.e. this server is listed in NS records for some domains)

If you're not actually running any forward or reverse DNS zones on the server, I see no point in putting Bind on it.

Yes, Bind can be used as just a resolver but is a bit of an overkill, especially compared to the much more lightweight and efficient Unbound.
Yes, Unbound can be used to run DNS zones, but I think that's a bit of an "it's easy enough to add and might come in useful" afterthought.

This is exactly why Bind is gone from FreeBSD 10 and Unbound is in. 99.9% of the time people are not running DNS zones on their server, and don't need honking great Bind running. For a caching resolver Unbound is a better choice. (And even for people who want Bind, they are actually better off using a standalone package that will be newer, and easier to update, than have it built in)


----------



## Jeckt (Nov 6, 2015)

Because Unbound isn't an authoritative server, you're not supposed to use it to host DNS, which could theoretically cause problems if something requires an authoritative reply (because Unbound won't give one). I doubt it would cause issues, but something to consider. Otherwise I agree with usdmatt and would go Unbound for sure. As I'm not a fan of BIND: PowerDNS and djbdns (clunky, but it works and is fairly secure) are alternatives.

Something I never considered before was having the company I purchased my domain from (EasyDNS) do the DNS for me. When I switched to a VPS that doesn't do it for me, I needed another solution. EasyDNS offers a better infrastructure which is redundant (2 NS servers are supposed to be a minimum). It also allowed me to do DNSSEC signatures easily. Not to mention it lowers the attack surface on my own server. That might also be something to consider.


----------



## usdmatt (Nov 6, 2015)

> Something I never considered before was having the company I purchased my domain from (EasyDNS) do the DNS for me. When I switched to a VPS that doesn't do it for me, I needed another solution. EasyDNS offers a better infrastructure which is redundant (2 NS servers are supposed to be a minimum). It also allowed me to do DNSSEC signatures easily. Not to mention it lowers the attack surface on my own server. That might also be something to consider.


Definitely a good point. It amazes me how many times I see people on here spending days & weeks struggling to get DNS working for their one domain, with both NS records pointing at their single server. I can understand people wanting to run their own web or email servers, but I really don't get the obsession with wanting to run your own DNS.

Most of the time they've purposefully changed the NS records away from their original domain/dns provider, where it was already working perfectly across redundant servers, had a control panel to easily make as many changes as needed without having to resort to editing zone files, and was managed by a team of experts who've been doing it for years.


----------



## kpa (Nov 6, 2015)

Unbound won't do zone transfers, so using it to set up two nameservers in a master-slave setup, if that's required, won't work. That's where you need real authoritative DNS server software.


----------



## xtaz (Nov 6, 2015)

I use dns/unbound with several zones configured as "stub zones" which point to a different IP address on the server, on which I run dns/nsd, which is written by the same people that wrote Unbound and is a good authoritative server. Works a treat. Though if you only have a single IP address and want both recursive and authoritative DNS on port 53 then this won't work and you'll need to run BIND.
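A way to verify the split described in this post and in Jeckt's earlier one (which address answers authoritatively, and whether a resolver is offering recursion to a client) is to look at the header flags a server returns. The following is an added example, not code from this thread or from the Unbound/NSD/BIND projects: it builds a minimal DNS query, parses the 12-byte response header, and classifies the answer by its AA, RA and RCODE fields. The packets `AUTH_RESPONSE`, `RESOLVER_RESPONSE` and `REFUSED_RESPONSE` are constructed in the script (an NSD-style authoritative answer, an Unbound-style recursive answer and a REFUSED answer for `example.com`, with the documentation address 192.0.2.10) so it runs offline; `query_server()` is the optional live check against a real host.

```python
"""Classify DNS answers by header flags (added example, not from the thread)."""
import socket
import struct

# Flag bits in the second 16-bit word of the DNS header (RFC 1035).
QR, AA, TC, RD, RA = 0x8000, 0x0400, 0x0200, 0x0100, 0x0080
RCODE_MASK = 0x000F


def build_query(name, qtype=1, txid=0x1234, recursion_desired=True):
    """Return a wire-format query for `name` (default: type A, RD set)."""
    flags = RD if recursion_desired else 0
    header = struct.pack("!HHHHHH", txid, flags, 1, 0, 0, 0)
    labels = name.rstrip(".").split(".")
    qname = b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"
    return header + qname + struct.pack("!HH", qtype, 1)


def parse_header(packet):
    """Decode the 12-byte header of a DNS message into a dict of fields."""
    if len(packet) < 12:
        raise ValueError("packet shorter than a DNS header")
    txid, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", packet[:12])
    return {
        "id": txid,
        "qr": bool(flags & QR), "aa": bool(flags & AA), "tc": bool(flags & TC),
        "rd": bool(flags & RD), "ra": bool(flags & RA),
        "rcode": flags & RCODE_MASK,
        "qdcount": qd, "ancount": an, "nscount": ns, "arcount": ar,
    }


def classify(header):
    """Name the kind of answer a server gave, judged from the header alone."""
    if not header["qr"]:
        return "not-a-response"
    if header["rcode"] == 5:
        return "refused"
    if header["aa"]:
        return "authoritative"
    if header["ra"]:
        return "recursive"
    return "non-authoritative, no recursion"


def audit(header, role):
    """List what is wrong with an answer for a server meant to play `role`.

    role="authoritative": the public NSD/BIND address should set AA and
    must not offer recursion (RA) to outside clients (open-resolver risk).
    role="resolver": the Unbound address should set RA for allowed clients.
    """
    problems = []
    if role == "authoritative":
        if not header["aa"]:
            problems.append("AA not set: server is not authoritative for this name")
        if header["ra"]:
            problems.append("RA set: server offers recursion to this client")
    elif role == "resolver":
        if header["rcode"] == 5:
            problems.append("REFUSED: client is not in the resolver's access list")
        elif not header["ra"]:
            problems.append("RA not set: server does not recurse for this client")
    else:
        raise ValueError("role must be 'authoritative' or 'resolver'")
    return problems


def query_server(server, name, port=53, timeout=3.0):
    """Send one UDP query to a live server and return its parsed header."""
    query = build_query(name)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        sock.sendto(query, (server, port))
        data, _ = sock.recvfrom(4096)
    header = parse_header(data)
    if header["id"] != 0x1234:
        raise ValueError("transaction id mismatch (spoofed or stray reply)")
    return header


# Constructed sample packets (not captured traffic): question for example.com
# and, where present, one A record pointing at 192.0.2.10 with TTL 3600.
SAMPLE_QUESTION = build_query("example.com")[12:]
SAMPLE_ANSWER = struct.pack("!HHHIH", 0xC00C, 1, 1, 3600, 4) + bytes([192, 0, 2, 10])
AUTH_RESPONSE = struct.pack("!HHHHHH", 0x1234, QR | AA | RD, 1, 1, 0, 0) + SAMPLE_QUESTION + SAMPLE_ANSWER
RESOLVER_RESPONSE = struct.pack("!HHHHHH", 0x1234, QR | RD | RA, 1, 1, 0, 0) + SAMPLE_QUESTION + SAMPLE_ANSWER
REFUSED_RESPONSE = struct.pack("!HHHHHH", 0x1234, QR | RD | 5, 1, 0, 0, 0) + SAMPLE_QUESTION

if __name__ == "__main__":
    import sys
    # Usage: python3 dnsflags.py <server-ip> <name> <authoritative|resolver>
    server, name, role = sys.argv[1:4]
    hdr = query_server(server, name)
    print(classify(hdr), audit(hdr, role) or "ok")
```

Run it once against the NSD address with role `authoritative` and once against the Unbound address with role `resolver`, from a host outside your allowed client range as well as inside: the authoritative address should report no problems and the resolver address should come back `refused` from outside.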


----------



## wblock@ (Nov 6, 2015)

Unbound does not coordinate with DHCP to provide DHCP hostnames.


----------



## captcurrent (Nov 7, 2015)

usdmatt said:


> Definitely a good point. It amazes me how many times I see people on here spending days & weeks struggling to get DNS working for their one domain, with both NS records pointing at their single server. I can understand people wanting to run their own web or email servers, but I really don't get the obsession with wanting to run your own DNS.
> 
> Most of the time they've purposefully changed the NS records away from their original domain/dns provider, where it was already working perfectly across redundant servers, had a control panel to easily make as many changes as needed without having to resort to editing zone files, and was managed by a team of experts who've been doing it for years.


Hmmm, slight eye glazing again. OK, I have 10 domains hosted on my server, which has two IPs. I have no need for DHCP. My host provided PTR but not full DNS, although my registrar apparently does.

From this quote it would appear that I may be one of these struggling people for no good reason?


----------



## kpa (Nov 7, 2015)

Definitely leave DNS to people who know it well. If you make a big mistake with your self hosted DNS server you might be shutting down your site for days or even weeks depending on how long TTL values were set for the incorrect records.


----------



## captcurrent (Nov 7, 2015)

Well, I looked at my registrar's options and it doesn't provide the detail I need in my master zone. I have muddled by for 5 or so years on my old server with BIND. Looking at the manuals and tutorials for Unbound, it looks like it's going to take me a while to get to the same level of understanding that I have had with BIND... strange new world.


----------



## Oko (Nov 7, 2015)

OP is comparing apples and oranges. Unbound is a validating, recursive, and caching _DNS_ server only, which could be abused (I am guilty of that) to serve local zone files. BIND consists of two servers in one. It is on one hand a validating, recursive, and caching _DNS_ server, but it is also an authoritative server as well.

For e-mail and web hosting you need authoritative DNS so Unbound is not an option. An alternative to the authoritative part of BIND would be something like dns/nsd. Personally I would use managed DNS and not even bother with my own authoritative DNS server. This is exactly what we do in our Lab and we use EasyDNS and are very happy with it.


----------



## gkontos (Nov 8, 2015)

If you want to learn DNS and eventually manage production DNS servers, then BIND is your best solution. I have been running DNS servers for many years now. My biggest setup consists of 3 servers (1 master, 2 slaves), serving ~1K zones. I have never had a problem; the capacity requirements are not that high. You just need to make sure that you have enough memory, depending on how many zones you handle. You also need to perform regular housecleaning, i.e. if a zone is moved you need to also delete it.


----------

