BLU Discuss list archive
[Discuss] New document on Unbound caching DNS server
- Subject: [Discuss] New document on Unbound caching DNS server
- From: smallm at sdf.org (Mike Small)
- Date: Mon, 17 Sep 2018 15:47:44 +0000
- In-reply-to: <20180914195554.GB6956@bladeshadow.org> (Derek Martin's message of "Fri, 14 Sep 2018 14:55:54 -0500")
- References: <20180913193626.59bd405b@mydesk.domain.cxm> <20180914195554.GB6956@bladeshadow.org>
Derek Martin <invalid at pizzashack.org> writes:

> On Thu, Sep 13, 2018 at 07:36:26PM -0400, Steve Litt wrote:
>> Hi all,
>>
>> The Unbound DNS server is the new kid on the block. A lot of admins are
>> replacing BIND9 with Unbound, perhaps plus an authoritative DNS server
>> for their domain.
>
> Why? BIND9, for whatever flaws it may have, is robust,
> well-understood software. What advantages does Unbound offer that
> outweigh the benefit of running well established code?

My impression is that unbound and nsd are not new or experimental code. I'm not a system admin, only a user, but I'll take a shot at some justifications...

BIND9's source code is no joy to read. Anyone who's tried to maintain a patch against it has my sympathy. I'd guess the number of people for whom this software is well understood at a source code level is actually quite small. I haven't looked at unbound's code, but I suspect if OpenBSD was willing to take it in (they commit to auditing what they include in base) that it's probably an improvement as far as readability goes at the very least.

Second, I'll give the diversity argument. There will continue to be security holes in bind9 (and in unbound and nsd). Some people running other things may mitigate the global risk of one severe incident.

Third, possibly someone has special requirements or perceptions of the different projects that make unbound and nsd more attractive to them. At least in 2012 (and apparently long before), OpenBSD felt unbound fit their needs better than Bind9: https://marc.info/?l=openbsd-misc&m=132921194328662&w=2

>> More interesting still, a lot of laptop owners are installing Unbound
>> to replace their old 8.8.8.8 or per-accesspoint resolvers with a full
>> caching DNS, which is more secure, faster, and makes for much faster
>> browsing.
>
> FWIW, this is often a bad idea. On average, you will typically get
> the best overall performance by using your ISP's DNS servers (unless
> you know they're bad). If you care about why, the short answer is
> CDNs, but here's a somewhat lengthy explanation:

If you set your resolver to be both caching and forwarding (meaning when it doesn't have the record in cache it goes to your ISP's server or whatever substitute you use) this isn't an issue I think. Whether it's worth the bother to set it up on a home network is another question. It might be fun if you're into that sort of thing, or it might be good for practice.

-- 
Mike Small
smallm at sdf.org
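The caching-plus-forwarding arrangement Mike describes, written out as an unbound.conf. This is an added example, not part of the thread or of the Unbound project's documentation; the upstream addresses 192.0.2.53 and 192.0.2.54 are placeholders for the ISP's resolvers, and the trust-anchor path is the Debian packaging default (an assumption).

```conf
# Added example (not from the original thread): Unbound as a caching forwarder.
# Answers come from the local cache; on a miss Unbound asks the ISP's resolvers
# instead of recursing from the root, so CDNs still see the ISP's source
# address when they choose a nearby edge node.
server:
    verbosity: 1
    interface: 127.0.0.1
    interface: ::1
    # Only this machine may query the resolver; refuse everything else.
    access-control: 127.0.0.0/8 allow
    access-control: ::1 allow
    access-control: 0.0.0.0/0 refuse
    access-control: ::0/0 refuse
    # Keep popular records warm by re-fetching them shortly before expiry.
    prefetch: yes
    cache-min-ttl: 0
    cache-max-ttl: 86400
    # Validate DNSSEC locally even though the upstream does the recursion.
    # Trust anchor location is the Debian default (assumption).
    auto-trust-anchor-file: "/var/lib/unbound/root.key"
    harden-dnssec-stripped: yes
    harden-glue: yes

forward-zone:
    name: "."
    # Placeholder ISP resolver addresses (TEST-NET-1); replace with real ones.
    forward-addr: 192.0.2.53
    forward-addr: 192.0.2.54
    # Do not fall back to full recursion if the forwarders fail to answer.
    forward-first: no
```

Run `unbound-checkconf` before restarting to catch syntax errors; if the ISP's resolvers do not return DNSSEC records, validation here fails closed (SERVFAIL) and either the forwarders or the trust-anchor settings must change.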