# Unbound - resolver or server?



## garegin (Nov 21, 2014)

I'm a little confused. I'm a bit of a DNS noob, since CCNA doesn't teach it. AFAIK, DNS resolvers are the clients, which could be servers themselves. Unbound is a DNS server, but their front page says that "Unbound is a validating, recursive, and caching DNS resolver."
Why would they call it a resolver, if it is a server?


----------



## rmoe (Nov 21, 2014)

Every server that serves DNS information is a server.

The decisive point is whether a DNS server is authoritative or not. Unbound is not. NSD (a very fine server from the same guys) is.

When to use which one?
Maybe the best way to explain that is from the "why is it used?" or "what is it used for?" perspective.

The driving interest behind an authoritative DNS server is to have _one's own domain(s)_ working and reachable (by providing name resolution).
The driving interest behind a resolver is "how to provide my clients with DNS info for all the hosts they might want to connect to?".

Theoretically, clients ask resolvers for DNS info and those resolvers themselves get (and often cache) the info from the respective authoritative servers (practically, it's often handled more sloppily).

For your home or company network or if you're an ISP serving customers with connectivity what you want is a resolver, for instance Unbound (an excellent choice by the FreeBSD people).


----------



## kpa (Nov 21, 2014)

Unbound can do the resolving of DNS queries and cache the results for quicker retrieval. It can do the resolving in two different modes: in recursive mode, where Unbound asks the authoritative servers for answers, or in forwarding mode, where it sends all the queries to an upstream resolver/resolvers for answers. In addition it supports the DNSSEC system for cryptographic trust validation of the DNS records. What it cannot do is act as an authoritative DNS server; for that you need BIND or another DNS server designed for that purpose. In short, it is a server (it listens for service requests from clients) that fulfils the role of a caching, validating DNS resolver.


----------



## usdmatt (Nov 21, 2014)

**"Stub" resolver**

The sort of DNS "server" built into your OS. A stub resolver has to be configured with one or more upstream resolvers/servers and will just pass the query onto those, then cache and return the result.

**Resolver**

Takes a query from a client (either local or over the network) and gets the answer, either by going directly to the root DNS servers and working through the DNS tree, or by using configured 'forwarders' to pass the query onto another resolver (similar to the way the stub resolver would).

**DNS authoritative server**

Contains the actual records for a domain and answers queries for that domain by directly returning the answer from its configuration.

DNS resolvers are commonly referred to as DNS servers, because they are a server. The difference between a resolver and an authoritative server is that an authoritative server has the actual records for a domain, whereas a resolver just gets the answer from other servers upstream.

Calling unbound a resolver makes it clear that its primary function is as a caching resolver (i.e. a DNS server that gets its answers from authoritative servers and caches them), rather than an authoritative server.


----------



## obsigna (Nov 21, 2014)

One additional comment. unbound(8) can well be used to configure local zones. See the local-zone option in unbound.conf(5). You don't need nsd(8) for this.

I use this feature for DNS in my home network, mostly in the static mode. A very nice feature is the transparent mode, I use this for some externally hosted sub-domains of a domain which is otherwise designated to the local server. unbound also happily loads and serves to the clients in the local network a list of more than 25000 void zones in order to block ad-servers.


```
local-zone: "clk.cloudyisland.com" static
local-zone: "imagec18.247realmedia.com" static
local-zone: "www.trernitalia.it" static
local-zone: "click.silvercash.com" static
local-zone: "oascentral.pressdemocrat.com" static
...
25000 more entries
...
local-zone: "cialis.4.p2l.info" static
local-zone: "download.favorit-network.com" static
local-zone: "ww.facebook.com.813profile.tk" static
local-zone: "www.superstat.info" static
local-zone: "pagerage.com" static
```

named took 5 seconds to load the zones file, while unbound loads it immediately without a delay. Again nsd is not needed here.
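
The ad-blocking list above is typically generated from a hosts-format blocklist. The following is an added example (not obsigna's script and not part of the Unbound project) that converts such a list into `local-zone: "..." static` lines: it lower-cases names, drops the trailing dot, rejects entries that are not valid hostnames, skips the `localhost`-style entries every hosts file carries, and removes names already covered by a blocked parent, since a static local-zone answers NXDOMAIN for the zone and everything below it. The blocklist embedded in the block is constructed for the example.

```python
"""Convert a hosts-format blocklist into Unbound local-zone static entries.

Added example, not from the forum post or the Unbound project. The sample
blocklist below is constructed for this example.
"""
import re
from typing import List, Optional, Set

# Constructed hosts-format blocklist (the real ones have tens of thousands of lines).
SAMPLE_HOSTS = """\
# ad blocklist (constructed sample)
0.0.0.0 ads.example.test
0.0.0.0 Ads.Example.Test        # duplicate differing only in case
0.0.0.0 tracker.example.test.
127.0.0.1 localhost
0.0.0.0 bad_host.example.test   # underscore is not a valid hostname label
0.0.0.0 cdn.ads.example.test    # already covered by ads.example.test
0.0.0.0 metrics.example.org
"""

# One hostname label: letters, digits and hyphens, no leading/trailing hyphen, 1-63 chars.
_LABEL = re.compile(r"^(?!-)[a-z0-9-]{1,63}(?<!-)$")

# Names present in every hosts file that must never be turned into a blocked zone.
_SKIP = {"localhost", "localhost.localdomain", "local", "broadcasthost",
         "ip6-localhost", "ip6-loopback"}


def normalize(name: str) -> Optional[str]:
    """Lower-case, strip the trailing dot, and reject names that are not valid hostnames."""
    name = name.strip().lower().rstrip(".")
    if not name or len(name) > 253 or name in _SKIP:
        return None
    labels = name.split(".")
    # Require at least two labels so a bare word can never become a zone.
    if len(labels) < 2 or not all(_LABEL.match(label) for label in labels):
        return None
    return name


def parse_hosts(text: str) -> Set[str]:
    """Return the set of valid, normalized hostnames from hosts-format text."""
    names: Set[str] = set()
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()      # drop comments
        if not line:
            continue
        fields = line.split()
        if len(fields) < 2:
            continue                               # address without a hostname
        for host in fields[1:]:                    # a hosts line may list several names
            normalized = normalize(host)
            if normalized:
                names.add(normalized)
    return names


def drop_covered(names: Set[str]) -> List[str]:
    """Remove names that lie under another blocked name.

    A static local-zone answers NXDOMAIN for the zone and everything below it,
    so 'cdn.ads.example.test' is redundant once 'ads.example.test' is listed.
    """
    kept: List[str] = []
    # Fewer labels first, so every parent is decided before its children.
    for name in sorted(names, key=lambda n: (n.count("."), n)):
        parts = name.split(".")
        parents = {".".join(parts[i:]) for i in range(1, len(parts))}
        if parents.isdisjoint(kept):
            kept.append(name)
    return sorted(kept)


def to_local_zones(text: str) -> List[str]:
    """Render the blocklist as unbound.conf local-zone lines."""
    return [f'local-zone: "{name}" static'
            for name in drop_covered(parse_hosts(text))]


if __name__ == "__main__":
    print("\n".join(to_local_zones(SAMPLE_HOSTS)))
```

The output is meant to be dropped into an `include:` file under the `server:` section; the validation step matters because a single malformed name makes unbound refuse the whole configuration, and the parent-coverage pass keeps the list as short as possible.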


----------



## kpa (Nov 21, 2014)

obsigna said:


> One additional comment. unbound(8) can well be used to configure local zones. See the local-zone option in unbound.conf(5). You don't need nsd(8) for this.



This is often used when your LAN is using RFC1918 private addresses. Your external DNS (often some DynDNS solution) resolves to addresses on your router's WAN interface, but you would like your local clients to connect directly to the other hosts on the LAN using the same FQDNs as the external clients without first going through the router. Local zones solve this problem nicely.


----------



## obsigna (Nov 21, 2014)

kpa said:


> This is often used when your LAN is using RFC1918 private addresses. ...



Just because many people use it only for private addresses does not mean that it is limited to those. unbound can be configured with the local-zone/local-data options to locally resolve any addresses, and besides A records it can also be set up for the other record types AAAA, CNAME, MX, NS, and PTR.


----------



## garegin (Nov 21, 2014)

So the "DNS client" in your Windows or Linux is a stub resolver or just a resolver?


----------



## Oko (Nov 21, 2014)

obsigna said:


> and besides A records it can also be setup for the other record types AAAA, CNAME, MX, NS, and PTR.


Really? I would be really curious to see an example of a mixture of just A and CNAME records, for example.


----------



## scottro (Nov 21, 2014)

https://www.bentasker.co.uk/documentation/linux/279-unbound-adding-custom-dns-records

It seems as if it can add CNAMEs, but isn't authoritative. (I can't believe how many times I had to retype "authoritative" to type it correctly.)

(Untested by me, I'm just going by that web page.)


----------



## kpa (Nov 21, 2014)

garegin said:


> So the "DNS client" in your Windows or Linux is a stub resolver or just a resolver?



Windows uses a DNS resolver service that does resolving and caching but isn't really configurable; the service can be turned off, and then a stub resolver is used. On Linux the default is, as far as I know, to use just the stub resolver like in FreeBSD. This depends of course on the distro used, since Linux has no concept of a "base system" that implements a defined set of features and services.


----------



## Oko (Nov 21, 2014)

scottro said:


> https://www.bentasker.co.uk/documentation/linux/279-unbound-adding-custom-dns-records
> 
> It seems as if it can add CNAMEs, but isn't authoritative. (I can't believe how many times I had to retype "authoritative" to type it correctly.)
> 
> (Untested by me, I'm just going by that web page.)




I use exclusively Unbound for our local network. This is an example of A record.


```
local-data: "lock.int.mylab.org IN A 192.168.10.254"
local-data-ptr: "192.168.10.254 lock.int.mylab.org"
```

I read the article very carefully. Please read it again.



> You can add a CNAME entry in local-data, however as Unbound isn't an Authoritative resolver it won't expand it. If a client makes a query for an A record they won't receive the CNAME in response. More info on the Unbound mailing lists
> 
> The only time your entry will be returned is if the client queries for a CNAME, which in practice means it'll probably be returned quite rarely
> 
> ...



The guy claims that under certain circumstances *CNAMEs might work*. Typically I need my things to work 100% of the time. In the very next sentence he goes on about NSD and BIND. Well, we call that cheating, because NSD is an authoritative DNS server and BIND suffers from bipolar disorder, so sometimes it acts as authoritative and sometimes as resolver/caching.

This discussion is becoming absurd. If somebody needs A, MX, CNAME records they should run NSD or use managed DNS.
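
To make the A/PTR snippet above and obsigna's list of record types concrete, here is an added example (not Oko's configuration and not Unbound's own tooling) that renders the local-data for a small internal zone: a `static` local-zone, an A record plus its `local-data-ptr` for every host, AAAA records where an IPv6 address exists, an MX record, and a CNAME alias. The zone name `int.mylab.test`, the hosts and the addresses are all constructed. The CNAME is written the way the quoted article describes: Unbound returns it only to a query that asks for a CNAME, so an alias for a name clients look up by A record still needs its own A entry.

```python
"""Render local-zone/local-data entries for an internal zone served by Unbound.

Added example, not from the forum posts or the Unbound project. Zone name,
hosts and addresses are constructed for this example.
"""
import ipaddress
from typing import Dict, List, Optional, Tuple

ZONE = "int.mylab.test"   # constructed zone name (.test is reserved for testing)

# Constructed inventory: short host name -> (IPv4 address, optional IPv6 address)
HOSTS: Dict[str, Tuple[str, Optional[str]]] = {
    "lock": ("192.168.10.254", None),
    "mail": ("192.168.10.25", "fd00:10::25"),
    "web":  ("192.168.10.80", "fd00:10::80"),
}
# CNAME aliases; Unbound hands these out only to explicit CNAME queries (see lead-in).
ALIASES: Dict[str, str] = {"www": "web"}
# (priority, host) pairs for the zone's MX records
MAIL_EXCHANGERS: List[Tuple[int, str]] = [(10, "mail")]


def ptr_name(address: str) -> str:
    """Reverse-pointer owner name for an IPv4 or IPv6 address."""
    return ipaddress.ip_address(address).reverse_pointer


def local_data_for_host(name: str, v4: str, v6: Optional[str]) -> List[str]:
    """A (and AAAA) records for one host, each paired with a local-data-ptr."""
    fqdn = f"{name}.{ZONE}"
    lines = [f'local-data: "{fqdn}. IN A {v4}"',
             f'local-data-ptr: "{v4} {fqdn}"']
    if v6:
        lines += [f'local-data: "{fqdn}. IN AAAA {v6}"',
                  f'local-data-ptr: "{v6} {fqdn}"']
    return lines


def explicit_ptr(address: str, fqdn: str) -> str:
    """The same PTR written as plain local-data, which is what local-data-ptr derives."""
    return f'local-data: "{ptr_name(address)}. IN PTR {fqdn}."'


def render_zone() -> List[str]:
    """Full unbound.conf fragment for ZONE, static so unknown names get NXDOMAIN."""
    out = [f'local-zone: "{ZONE}." static']
    for name, (v4, v6) in sorted(HOSTS.items()):
        out += local_data_for_host(name, v4, v6)
    for prio, host in MAIL_EXCHANGERS:
        out.append(f'local-data: "{ZONE}. IN MX {prio} {host}.{ZONE}."')
    for alias, target in sorted(ALIASES.items()):
        out.append(f'local-data: "{alias}.{ZONE}. IN CNAME {target}.{ZONE}."')
    return out


if __name__ == "__main__":
    print("\n".join(render_zone()))
```

Because the zone is declared `static`, any name under `int.mylab.test` that has no local-data gets NXDOMAIN instead of being forwarded upstream, which is the behaviour you want for names that must never leak out of the LAN; use `transparent` instead when, as obsigna describes, some sub-domains of the zone are hosted externally and should still be resolved recursively.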


----------



## scottro (Nov 21, 2014)

I read it the first time, but really, do you want to nitpick this? I mentioned how much trouble I was having typing authoritative, so that might have indicated I realized what it was saying.
Anyway, just for the record, yeah, I read it, I understood it.

I'm not familiar with NSD myself; at work we use BIND and sometimes dns/djbdns. Googling it after seeing your mention, it seems interesting.


----------

