# Is there a standard way to replace BIND with unbound?



## Chris_H (Jul 31, 2013)

Greetings,

Before anyone answers: sure, just deinstall or deactivate BIND/named and install dns/unbound. What I'm really looking for is a way to make dns/unbound the base resolver, as BIND is now.

Thank you for all your time, and consideration.

--chris


----------



## kpa (Jul 31, 2013)

Just disable BIND by not having any named_ settings in rc.conf(5). Then install dns/unbound. Job done.

Having a good read through the unbound documentation is highly recommended though, especially the parts about access control. By default only localhost is allowed to do recursive queries, and only localhost is listened on for incoming connections.
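An added example of the access-control settings the post above refers to; this is not kpa's configuration or anything shipped by the unbound project, and the LAN prefix 10.0.0.0/24 and the interface address are assumed for illustration:

```conf
# unbound.conf fragment (added example). Assumes the resolver sits on a
# LAN at 10.0.0.1 and should serve only that LAN plus localhost.
server:
    # Listen only where clients actually are. The built-in default is
    # 127.0.0.1 alone; a LAN interface has to be added explicitly.
    interface: 127.0.0.1
    interface: 10.0.0.1
    port: 53

    # Which source addresses may ask for recursion. Unbound's default is
    # to allow only localhost and refuse everything else; spelling it out
    # makes the policy visible in the file.
    access-control: 127.0.0.0/8 allow
    access-control: ::1 allow
    access-control: 10.0.0.0/24 allow
    # "refuse" returns REFUSED (rcode 5) instead of dropping the query,
    # so legitimate but misrouted clients fail fast instead of retrying.
    access-control: 0.0.0.0/0 refuse
    access-control: ::0/0 refuse

    # WEAK SETTING, shown for contrast, do not use: this turns the host
    # into an open resolver that anyone can use for reflection attacks.
    # access-control: 0.0.0.0/0 allow

    # Sensible companions for a resolver reachable from a network
    hide-identity: yes
    hide-version: yes
    harden-glue: yes
    harden-dnssec-stripped: yes
```

Run `unbound-checkconf` against the file before starting the daemon; the port is enabled with `unbound_enable="YES"` in rc.conf, and the `named_*` variables must be gone so both daemons don't fight over port 53.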


----------



## Chris_H (Jul 31, 2013)

Greatly appreciated, @kpa. I pretty much expected that. I have been reading about unbound for a couple of days now (have 3 tabs open as I write this), but wasn't sure how the "ports" version laid things out compared to how unbound's documentation lays it out.
Appreciate the "heads up" regarding localhost!

Best wishes, and thanks again.

--chris


----------



## wblock@ (Jul 31, 2013)

A nice article: Unbound DNS Tutorial. Don't know who is behind calomel.org, but they've done some very nice articles.

Can unbound interact with dhcpd like BIND for dynamic DNS updates?


----------



## kpa (Jul 31, 2013)

wblock@ said:

> Can unbound interact with dhcpd like BIND for dynamic DNS updates?

No, it cannot do that. I'm sure it could fake a SOA record and pretend to be authoritative for a domain and implement the missing pieces for DDNS, but the authors have decided not to do that.


----------



## Chris_H (Aug 1, 2013)

wblock@ said:

> A nice article: Unbound DNS Tutorial. Don't know who is behind calomel.org, but they've done some very nice articles.

Thanks for the pointer, @wblock@. I had already caught that in investigation(s) as to whether unbound would be a suitable replacement. How 'bout that image (girl) at the top of the page! Suppose it's her?


			
				wblock@ said:
			
		

> Can unbound interact with dhcpd like BIND for dynamic DNS updates?


NSD Looks like a possible candidate. I'll be experimenting with it, too. I'll post back, when I have some results.

Thanks again.

--chris


----------



## Chris_H (Aug 1, 2013)

kpa said:

> No, it cannot do that. I'm sure it could fake a SOA record and pretend to be authoritative for a domain and implement the missing pieces for DDNS, but the authors have decided not to do that.

While I haven't yet finished installing/configuring unbound, I'm thinking pretty heavily that it would be fairly trivial to make unbound refuse recursion based on ACLs, much like BIND does now. I'll post back if I have anything concrete to offer.

--chris


----------



## kpa (Aug 1, 2013)

Chris_H said:

> While I haven't yet finished installing/configuring unbound, I'm thinking pretty heavily that it would be fairly trivial to make unbound refuse recursion based on ACLs, much like BIND does now. I'll post back if I have anything concrete to offer.
>
> --chris

Refusing recursion is not the issue, and unbound can actually pretend to be authoritative for a domain with the local-zone and local-data directives. What is missing is support for the DDNS update protocol that is found in BIND.
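An added example of the local-zone/local-data approach described above, not kpa's configuration and not from the unbound project; the zone name home.example, the host names and the 10.0.0.0/24 addresses are invented for illustration:

```conf
# unbound.conf fragment (added example): serve a small internal zone
# directly from the resolver. Clients see answers with the AA bit, so
# to them unbound looks authoritative for home.example.
server:
    # "static": answer only from the local-data below and never recurse
    # for this zone; names not listed get NXDOMAIN. Use "transparent"
    # instead if unlisted names should still be looked up upstream.
    local-zone: "home.example." static
    local-data: "home.example. 3600 IN SOA ns1.home.example. hostmaster.home.example. 2013080101 7200 900 1209600 3600"
    local-data: "home.example. 3600 IN NS ns1.home.example."
    local-data: "ns1.home.example. 3600 IN A 10.0.0.1"
    local-data: "fileserver.home.example. 3600 IN A 10.0.0.10"
    local-data: "printer.home.example. 3600 IN A 10.0.0.20"

    # Matching PTR records. 10.in-addr.arpa is already a static local
    # zone by default, so these reverse lookups never leak upstream.
    local-data-ptr: "10.0.0.1 ns1.home.example."
    local-data-ptr: "10.0.0.10 fileserver.home.example."
    local-data-ptr: "10.0.0.20 printer.home.example."

    # Caveat, and the point kpa makes: this data is fixed when the
    # config is loaded. There is no RFC 2136 UPDATE listener, so a DHCP
    # server cannot push leases in; the file has to be regenerated and
    # the daemon reloaded (unbound-control reload, with remote-control on).
```

This covers the "fake authoritative" half of the question; it does not give you dynamic DNS, and anything that wants leases to appear in DNS still needs an authoritative server that speaks the update protocol.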


----------



## Chris_H (Aug 1, 2013)

kpa said:

> Refusing recursion is not the issue, and unbound can actually pretend to be authoritative for a domain with the local-zone and local-data directives. What is missing is support for the DDNS update protocol that is found in BIND.

Understood. But regarding recursion: I wouldn't want to become an open/recursive DNS either. But then again, I haven't _yet_ installed it. As to DDNS, I wonder if writing a "plugin" for that capability would be a reasonable option.

Best wishes.

--chris


----------



## Chris_H (Aug 2, 2013)

Maybe I should relocate this as another thread, but have you all heard of the YADIFA DNS server? I just grabbed a copy. I was a bit uncomfortable with the fact that unbound was so recursive. Maybe it's my lack of experience with unbound; my only experience with unbound is from reading about it.

So it seemed that the ideal situation, when the bulk of my zones are authoritative, would be the addition of a non-recursive/authoritative server, like NSD or something. But that just seemed unnecessarily complex: not difficult, but seemingly just another possible point of failure.

So I did some additional research and found YADIFA. If things work as I think they will with YADIFA, I'll develop and maintain it as a port. I'll have time to implement it tomorrow. I'll post back with my findings, should anyone be interested.

--chris


----------



## phoenix (Aug 2, 2013)

Chris_H said:

> Greetings,
>
> Before anyone answers: sure, just deinstall or deactivate BIND/named and install dns/unbound. What I'm really looking for is a way to make dns/unbound the base resolver, as BIND is now.
>
> ...

Install FreeBSD 10-CURRENT and you'll get unbound and ldns in the base OS. A simple edit of /etc/src.conf to set

```
WITHOUT_BIND=yes
```

and a recompile of the world will give you what you want.

Note: Running -CURRENT is not for the faint of heart. But it's an option in this situation.


----------



## Chris_H (Aug 2, 2013)

Greetings, @phoenix, and thanks for the reply. Indeed. That's good news; 'bout time.

Really, I loved BIND back in the day (when it was still Bind). But times have changed and, not unlike Apache, duct tape, chewing gum and paper clips became the norm when it came to reconciling issues or adding/"enhancing" it. Frankly, IMNSHO, it should have been given a "from the ground up" overhaul when BIND got hit with the cache poisoning exploit; it ain't the 80's anymore.

Anyway. As noted in my post just above yours, I'm looking at a copy of YADIFA. Looks promising. Carries a BSD 3-clause license, and configuration(s) and zone files look nearly like BIND. I'm going to build, set up and run a copy today. If things look good, I'm going to brand a copy for the DNS/ports.

Thanks again, for sharing the good news, @phoenix.

--chris


----------

