Message-ID: <52487B4F.9060806@laposte.net>
Date: Sun, 29 Sep 2013 21:11:11 +0200
From: Laurent SALIN
To: freebsd-questions@freebsd.org
Subject: Re: How to ask a DNS resolver listening on a different port than the tcp/udp 53
References: <5245CC59.5060204@laposte.net>
In-Reply-To: <5245CC59.5060204@laposte.net>

Hi,

for the list archive, here's how I solved my "problem".

Some on the thread told me to run BIND on the 1st VPS, as authoritative DNS server and as caching resolver that lets only hosts from my network send it queries. Well, I'm quite happy with my setup with NSD as authoritative DNS and UNBOUND as caching resolver, so I don't really want to change them for BIND, but I'd do it if this is the only way.
I decided to focus on the 2nd VPS, the one that can't send queries directly to tcp/udp 5353. I configured UNBOUND to forward all queries to my 1st VPS with a few dedicated lines in /usr/local/etc/unbound/unbound.conf:

    ...snip...
    forward-zone:
        name: "."
        forward-addr: "public_ip_v4"@5353  # forward to port 5353.
        forward-first: yes

and modified my /etc/resolv.conf to only have localhost as nameserver.

The system footprint of UNBOUND is very small so it's just fine for me.

Thanks all for the help.

Laurent SALIN
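Added example, not part of the original message or of the unbound project: a small Python check that a resolver really answers DNS over UDP on a non-standard port such as the 5353 used in forward-addr above, which is worth confirming before pointing a forwarder at it. The function names, the sample query name and the 127.0.0.1 address are assumptions for illustration.

```python
import random
import socket
import struct

def build_query(name, qtype=1, txid=None):
    """Build a DNS query: RD flag set, one question, class IN (qtype 1 = A)."""
    txid = random.getrandbits(16) if txid is None else txid
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    qname = b"".join(
        bytes([len(label)]) + label.encode("ascii")
        for label in name.rstrip(".").split(".") if label
    ) + b"\x00"
    return txid, header + qname + struct.pack("!HH", qtype, 1)

def parse_header(packet):
    """Decode the fixed 12-byte DNS header into a dict."""
    if len(packet) < 12:
        raise ValueError("short DNS packet")
    txid, flags, _qd, an, _ns, _ar = struct.unpack("!HHHHHH", packet[:12])
    return {
        "id": txid,
        "qr": flags >> 15,        # 1 = response
        "tc": (flags >> 9) & 1,   # 1 = truncated, retry over TCP
        "ra": (flags >> 7) & 1,   # 1 = server offers recursion
        "rcode": flags & 0xF,     # 0 = NOERROR, 2 = SERVFAIL, 5 = REFUSED
        "ancount": an,
    }

def check_resolver(addr, port, name="example.org", timeout=3.0):
    """Send one UDP query to addr:port; return the reply header or None."""
    txid, query = build_query(name)
    family = socket.AF_INET6 if ":" in addr else socket.AF_INET
    with socket.socket(family, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.connect((addr, port))  # connected socket: other senders are ignored
        s.send(query)
        try:
            reply = s.recv(4096)
        except (socket.timeout, ConnectionRefusedError):
            return None          # filtered port or nothing listening
    hdr = parse_header(reply)
    if hdr["id"] != txid or hdr["qr"] != 1:
        raise ValueError("reply does not match the query")
    return hdr

if __name__ == "__main__":
    # 127.0.0.1 is a placeholder; use the address given in forward-addr.
    print(check_resolver("127.0.0.1", 5353))
```

A reply with ra = 0 or rcode = 5 (REFUSED) means the port is reachable but the resolver's access control does not allow recursion from the querying host.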