[conspire] DNS software (was: corrected to HP LaserJet4M Plus Re: HP LaserJet4 - CUPS lists printer twice)

Rick Moen rick at linuxmafia.com
Sun Aug 30 11:52:36 PDT 2009

Quoting Don Marti (dmarti at zgp.org):

> Here are mine, on the machine running dhcpd:


I'm curious about your running lwresd, the ISC lightweight recursive daemon
(http://linuxmafia.com/faq/Network_Other/dns-servers.html#lwresd).  Is
that providing your recursive service, behind BIND9?  E.g., ISC docs say:

   To use the lightweight resolver interface, the system must run the
   resolver daemon lwresd or a local name server configured with a lwres

   By default, applications using the lightweight resolver library will
   make UDP requests to the IPv4 loopback address ( on port 921.
   The address can be overridden by lwserver lines in /etc/resolv.conf.

   The daemon currently only looks in the DNS, but in the future it may
   use other sources such as /etc/hosts, NIS, etc.

   The lwresd daemon is essentially a caching-only name server that
   responds to requests using the lightweight resolver protocol rather than
   the DNS protocol. Because it needs to run on each host, it is designed
   to require no or minimal configuration. Unless configured otherwise, it
   uses the name servers listed on nameserver lines in /etc/resolv.conf as
   forwarders, but is also capable of doing the resolution autonomously if
   none are specified.

   The lwresd daemon may also be configured with a named.conf style
   configuration file, in /etc/lwresd.conf by default. A name server may
   also be configured to act as a lightweight resolver daemon using the
   lwres statement in named.conf.


As you'll see in my notes, lwresd's unmaintained code since circa 2002.
I recommend against it.  Which is a pity, because BIND9 + lwresd is one
solution to a thorny problem:

One of these days, I have to figure out how best to combine a
best-of-breed authoritative nameserver with a best-of-breed recursive
nameserver on a _single IP_ (with both offering service to others, but
recursive service to only my own IPs).  For the software I'd like to run
for those roles, I'm thinking of NSD[1] and then either Unbound[2] or
PowerDNS Recursor[3].

The DJBware guys have tricks for doing that
(http://www.fefe.de/djbdns/#sameip), but not to my taste.  Most same-IP 
solutions I've seen, including the DJB ones, involve having the
recursive server accept _all_ public DNS queries, have the authoritative
running reachable on the localhost interface only, and somehow pass just
the local domains' queries, via loopback, to the authoritative server.
That's a bad idea because, as we know from the Dan Kaminsky attack,
recursive servers should be protected against cache poisoning, and
therefore should accept queries only from trustworthy machines, not from
anyone and everyone.

Ultimately, the only real solution may be to IP-alias a second IP onto
one's machine, so you can have a nameserver of each type able to listen
to port 53, each on its respective IP.

For now, what I have instead is BIND9.  Ugh.

[1] http://linuxmafia.com/faq/Network_Other/dns-servers.html#nsd
NSD is what we run as an authoritative-only server on NS1.SVLUG.ORG.
It has excellent security, and is extremely fast and small in RAM
footprint compared to BIND9.  Like the two recursive servers mentioned
in the next two footnotes, I recommend it highly.

[2] http://linuxmafia.com/faq/Network_Other/dns-servers.html#unbound
Unbound is the recursive-only counterpart to NSD, likewise written and
used by the .NL domain authorities.  Likewise markedly superior to BIND9
on security, performance, RAM footprint.

[3] http://linuxmafia.com/faq/Network_Other/dns-servers.html#pdns-recursor
PowerDNS Recursor is PowerDNS's recursive module, unbundled.  Likewise
markedly superior to BIND9 on security, performance, RAM footprint.
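The split described above (authoritative server on one IP, recursive server on a second aliased IP, recursion only for one's own addresses), checked in an added Python example that is not part of the original post. The snippets use NSD's `ip-address:` and Unbound's `interface:` / `access-control:` options; every address is a constructed documentation-range value, the "own IPs" netblock is an assumption, and both daemons are assumed to use port 53.

```python
import ipaddress

# Constructed sample configs; addresses are documentation ranges, not from the post.
NSD_CONF = """server:
    ip-address: 192.0.2.53            # authoritative: answers anyone
"""
UNBOUND_CONF = """server:
    interface: 192.0.2.54             # second IP aliased onto the same host
    access-control: 192.0.2.0/24 allow   # "my own IPs" (assumed netblock)
"""
# The design the post warns against: recursion offered to the whole Internet.
OPEN_CONF = """server:
    interface: 192.0.2.54
    access-control: 0.0.0.0/0 allow
"""

def options(conf, key):
    """Every value given for `key:` in NSD/Unbound-style config text."""
    found = []
    for line in conf.splitlines():
        line = line.split("#", 1)[0].strip()
        if line.startswith(key + ":"):
            found.append(line[len(key) + 1:].strip())
    return found

def listen_conflicts(nsd_conf, unbound_conf):
    """Addresses both daemons would bind (port 53 assumed for each)."""
    nsd = set(options(nsd_conf, "ip-address"))
    unb = set(options(unbound_conf, "interface"))
    if "0.0.0.0" in nsd | unb:        # a wildcard bind collides with everything
        return ["0.0.0.0"]
    return sorted(nsd & unb)

def acl_action(unbound_conf, client):
    """Action Unbound applies to `client`: the most specific netblock wins."""
    rules = {"0.0.0.0/0": "refuse", "::/0": "refuse",      # Unbound defaults:
             "127.0.0.0/8": "allow", "::1/128": "allow"}   # localhost only
    for value in options(unbound_conf, "access-control"):
        net, action = value.split()
        rules[str(ipaddress.ip_network(net))] = action     # config replaces default
    addr = ipaddress.ip_address(client)
    hits = [n for n in map(ipaddress.ip_network, rules) if addr in n]
    return rules[str(max(hits, key=lambda n: n.prefixlen))]

if __name__ == "__main__":
    print("bind conflicts:", listen_conflicts(NSD_CONF, UNBOUND_CONF))
    for ip in ("192.0.2.10", "127.0.0.1", "198.51.100.7"):
        print(ip, acl_action(UNBOUND_CONF, ip), acl_action(OPEN_CONF, ip))
```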
