unbound fetches DNS record from nsd but does not return it to client
wouter at nlnetlabs.nl
Mon Aug 3 12:42:00 CEST 2015
On 01/08/15 10:33, Patrik Lundin via Unbound-users wrote:
> On Fri, Jul 31, 2015 at 10:36:34PM -0400, Sonic via Unbound-users
>> I doubt that local-zone: "1.168.192.in-addr.arpa" nodefault is
>> necessary since you're defining it as a stub-zone.
> This is actually necessary. I just tested on my firewall at home,
> and if I remove "local-zone: "168.192.in-addr.arpa." nodefault" I
> will get the unbound default NXDOMAIN even if I still have my
> stub-zone declaration:
> ===
> stub-zone:
>         name: "1.168.192.in-addr.arpa"
>         stub-addr: 127.0.0.1
> ===
> However, the configuration is still wrong since "nodefault" only
> works on the specific RFC1918 boundaries, and not anything below.
> If I change this:
> ---
> local-zone: "168.192.in-addr.arpa." nodefault
> ---
> ... to this:
> ---
> local-zone: "1.168.192.in-addr.arpa." nodefault
> ---
> I again get the unbound default NXDOMAIN even if it looks like it
> matches what I want better. As you have pointed out to me on
> openbsd-misc in the past, the correct configuration to use in the
> latter case is this:
> ---
> local-zone: "1.168.192.in-addr.arpa." transparent
> ---
> This is only mentioned in passing in the man page for unbound.conf
> and I had missed it completely before you pointed it out to me
> here: http://marc.info/?l=openbsd-misc&m=140647222022445&w=2 This
> is probably my biggest pet peeve in the unbound configuration :).
> This of course does not relate to the main question in the thread,
> but I am pretty sure reverse lookups do not currently work either
> for the above reasons.
I've fixed up the manual page and the example config file, and they
now discuss configuring domain-insecure or local-zone nodefault for
locally served zones.
The configuration is like this because the access-control filter
happens first (it is by IP address netblock). Then the local-zone
filter is applied (it is by domain name). Then the DNS cache is used,
the items are fed in there with the stub-zone clause. The cache
entries are also 'filtered' by DNSSEC validation and private-address
removal. And all of these components are separately configurable...
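As an added example (not part of this thread, and not the Unbound project's own example config), the following unbound.conf fragment puts the points above together: the access-control, local-zone, stub-zone, DNSSEC and private-address stages are shown in the order Wouter describes, with the wrong "nodefault below the boundary" variant kept as a comment beside the two working ones. The zone 1.168.192.in-addr.arpa and nsd on 127.0.0.1 come from the thread; the client netblock 192.168.1.0/24 and the forward zone example.lan are assumptions for illustration.

```conf
# Added example: serving 1.168.192.in-addr.arpa from a local nsd on 127.0.0.1.
# Client netblock and the example.lan forward zone are assumed, not from the thread.
server:
    interface: 0.0.0.0

    # 1. access-control is applied first, by client IP netblock.
    access-control: 127.0.0.0/8 allow
    access-control: 192.168.1.0/24 allow        # assumed LAN

    # 2. local-zone is applied next, by domain name. Unbound ships a built-in
    #    static zone for 168.192.in-addr.arpa. that answers NXDOMAIN, so the
    #    query never reaches the stub unless that zone is switched off or
    #    overridden. Either of the following works:
    #
    #    a) switch the whole built-in zone off at the RFC 1918 boundary
    local-zone: "168.192.in-addr.arpa." nodefault
    #
    #    b) or keep the default for the rest of 192.168/16 and override only
    #       the one /24 (uncomment this instead of the nodefault line above)
    # local-zone: "1.168.192.in-addr.arpa." transparent
    #
    #    WRONG: nodefault only names the built-in zones, so below the boundary
    #    it changes nothing and the default NXDOMAIN is still returned.
    # local-zone: "1.168.192.in-addr.arpa." nodefault

    # 3. Answers coming back from the stub still pass through DNSSEC
    #    validation; tell the validator not to expect signatures here.
    domain-insecure: "1.168.192.in-addr.arpa"

    # 4. The private-address filter strips RFC 1918 addresses from answers
    #    for names it does not consider private. If nsd also serves a forward
    #    zone whose records hold RFC 1918 addresses and private-address is
    #    configured, the zone must be listed here or its answers vanish.
    # private-domain: "example.lan"              # assumed forward zone

# 5. The stub-zone clause feeds the cache from nsd on the loopback address.
stub-zone:
    name: "1.168.192.in-addr.arpa"
    stub-addr: 127.0.0.1
```

After editing, `unbound-checkconf` reports syntax errors, and `unbound-host -v -t PTR 10.1.168.192.in-addr.arpa` (or `dig -x 192.168.1.10 @127.0.0.1`) shows whether the answer now comes from nsd rather than the built-in NXDOMAIN zone.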