
I am currently in the process of developing a VPN service. One of the necessary things for a proper VPN node is a DNS server that will prevent DNS leaks, and whilst working on this project I stumbled upon two well-known DNS servers: Bind9 and Unbound. Bind9 is an authoritative DNS server; Unbound is a caching recursive DNS server. I've looked through some differences between them, but I still can't decide which one will be better for the purpose of preventing DNS leaks. Can you help me with that decision, please?

Also, on some forum I saw that Bind9 has got some reliability and security issues. Is that true? How safe would it be to use Bind9 in a big public project?

hancack
  • DNS leak is a *client-side* problem. Whatever server you have, if the *client* makes a request around it, that's a leak. The prevention is to set up the *client* in such a way that it always queries the secure server, no matter which software that server uses. – Nikita Kipriyanov Mar 20 '21 at 09:20
  • It's difficult to assess unspecified "reliability and security issues" from "some forum". Have you asked for clarification at "some forum"? ANY DNS service's (or ANY publicly facing service's, for that matter) "safety" is (IMHO) highly dependent on how well it's managed, i.e. are best practices followed? Is it regularly patched and maintained? etc. (Or do you install it once and never look at it again until there's a problem?) – Brandon Xavier Mar 20 '21 at 13:57
  • Both Bind9 and Unbound are good DNS servers, as both authoritative servers and resolvers. Bind9 is the standard by which everything else is built, measured, or compared, except for the TLDs. It does not matter which one you choose; both will do the job. Bind9 possibly wins if you consider available experts, training materials, and documentation. – John Hanley Mar 20 '21 at 22:31
  • @BrandonXavier Yeah, I asked them to specify what issues they are talking about; still waiting for an answer. The thing is, my team and I are starting a (possibly) big project, and it would be quite bad to find out that Bind is full of issues, considering that there will be other clients connected to our nodes. Do you think it is safe enough to use for an OpenVPN node? – hancack Apr 01 '21 at 13:36
  • @JohnHanley Okay, thanks for your answer, I might choose bind9 after all. – hancack Apr 01 '21 at 13:38
  • I have zero worries about Bind's security and reliability. In regards to the latter, my volume is a little higher than average - each of my 3 servers processes about 11K qps most of the day (qps dips to around 3k each during the early morning hours). Of course, don't depend on me -- keep doing your due diligence until you feel confident with your choice. – Brandon Xavier Apr 01 '21 at 17:56
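The server-side pieces that go with Nikita Kipriyanov's point above, as an added example that is not part of the original question or of any comment: the OpenVPN server pushes the tunnel resolver to every client and (for Windows clients) blocks queries to any other resolver, while the resolver itself listens only on the tunnel address and answers only the tunnel subnet, so it is neither reachable nor abusable from the public side. The tunnel subnet 10.8.0.0/24, the resolver address 10.8.0.1 and the file paths are assumptions; both the Unbound and the Bind9 form of the same policy are shown, since the thread concludes that either server will do.

```conf
# --- /etc/openvpn/server.conf (assumed path; only the DNS-relevant lines) ---
# Assumed tunnel subnet; the server side of the tunnel gets 10.8.0.1.
server 10.8.0.0 255.255.255.0
# Route all client traffic through the tunnel.
push "redirect-gateway def1 bypass-dhcp"
# Tell clients to use the resolver on the tunnel address.
push "dhcp-option DNS 10.8.0.1"
# Windows clients only: firewall off DNS to any resolver other than the pushed one.
push "block-outside-dns"

# --- /etc/unbound/unbound.conf (assumed path): recursive resolver for the tunnel only ---
server:
    interface: 10.8.0.1                 # listen on the tunnel address, never on the public NIC
    port: 53
    access-control: 10.8.0.0/24 allow   # answer VPN clients
    access-control: 0.0.0.0/0 refuse    # refuse everyone else (no open resolver)
    access-control: ::0/0 refuse
    hide-identity: yes
    hide-version: yes
    qname-minimisation: yes             # send as little of each name upstream as possible

# --- /etc/bind/named.conf.options (assumed path): the same policy in Bind9 ---
options {
    directory "/var/cache/bind";
    listen-on { 10.8.0.1; };            # tunnel address only
    listen-on-v6 { none; };
    recursion yes;
    allow-query { 10.8.0.0/24; };       # answer VPN clients only
    allow-recursion { 10.8.0.0/24; };
    allow-transfer { none; };
    version none;                       # do not advertise the version string
};
```

`block-outside-dns` is honoured only by the Windows client; other clients log a warning and ignore it, so a Linux client still needs an up/down hook (such as the distribution's update-resolv-conf script or an update-systemd-resolved script) to actually switch its resolver to 10.8.0.1. That hook is the client-side work the comments describe. Two checks worth running: from a connected client, `dig example.com` should report `SERVER: 10.8.0.1`; from the public internet, port 53 on the node's public address should be closed.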

0 Answers