Maintained by: NLnet Labs

[Unbound-users] Unbound vs MS Resolver

Carsten Strotmann
Tue Jun 3 14:49:54 CEST 2014


Hello Dave,

Dave Warren writes:

> On 2014-05-30 00:22, unbound at strotmann.de wrote:
>> Is the query about comparing Unbound on Windows with MS DNS, or
>> comparing Unbound on Unix/Linux with Win DNS?
>
> I'd be interested in the results comparing the two on a 
> similar/identical platform. In other words, should I uninstall Microsoft 
> DNS and install unbound on the same system (where unbound is otherwise a 
> reasonable fit)

That is what I will test next week; I will post the results here (and
the test setup).

>
> Obviously it's not a suitable replacement for Active Directory driven 
> DNS. 

Why not? It is best practice to separate the DNS resolver (caching DNS
server like Unbound) and the authoritative server. While WinDNS can be used
in both functions, it makes for a resilient and manageable DNS design
to separate the DNS server functions onto dedicated machines.

Unbound will work nicely as a secure DNSSEC-validating resolver,
resolving Internet names and also (possibly) local Active Directory
names that are stored on WinDNS AD-integrated servers.

> However, even here, there's an interesting performance question: Is
> it worth installing unbound and forwarding Microsoft DNS to unbound, or
> is it better to let Microsoft DNS perform its own resolution?

Forwarding is (today) probably almost always slower than direct name
resolution (and more complicated and brittle), unless you are connected
to the Internet with a slow link. I recommend not using forwarding
unless there are very special conditions.

Unbound as a direct resolver might be faster than having WinDNS as a
direct resolver. 

-- 
Carsten Strotmann
Email: cas at strotmann.de
Blog: strotmann.de
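An example unbound.conf for the split design described in this message (a validating resolver that recurses on its own, with the AD-integrated WinDNS servers used only as stub targets for the internal zone). This is an added illustration, not a configuration from the thread or from NLnet Labs; the zone name `ad.example.com`, the 192.0.2.x server addresses and the 10.0.0.0/8 client range are placeholders.

```conf
# Example unbound.conf (added illustration, not from the thread).
# Placeholders: ad.example.com is the AD domain, 192.0.2.10/.11 are the
# AD-integrated WinDNS servers, 10.0.0.0/8 is the internal client range.
server:
    interface: 0.0.0.0
    access-control: 10.0.0.0/8 allow       # internal clients may query
    access-control: 0.0.0.0/0 refuse       # everyone else is refused

    # DNSSEC validation for Internet names; the trust anchor file is
    # kept current by unbound-anchor (RFC 5011).
    auto-trust-anchor-file: "/var/lib/unbound/root.key"
    module-config: "validator iterator"

    # No forward-zone for ".": Unbound recurses from the root itself,
    # which the message argues is faster and less brittle than forwarding.

    # The AD zone is unsigned, so exclude it from the chain of trust;
    # otherwise a signed public parent's denial of the internal delegation
    # would make every internal answer bogus.
    domain-insecure: "ad.example.com"

    # Keep RFC 1918 addresses out of public answers (rebinding protection),
    # but allow them for the internal zone.
    private-address: 10.0.0.0/8
    private-domain: "ad.example.com"

    prefetch: yes

# Queries for the AD domain (including its _msdcs subdomain, which the
# same servers hold) go straight to the AD-integrated DNS servers.
stub-zone:
    name: "ad.example.com"
    stub-addr: 192.0.2.10
    stub-addr: 192.0.2.11
```

Run `unbound-checkconf` after editing, and check with `unbound-host -v` that an internal name comes back `(insecure)` while a signed public name comes back `(secure)`.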