Maintained by: NLnet Labs

[Unbound-users] Replacing /etc/hosts aliases with local-data: directive

Steve Jenkins
Fri Mar 25 15:37:08 CET 2011

On Fri, Mar 25, 2011 at 12:51 AM, Carsten Strotmann
<unbound at> wrote:
> A much 'standard compliant' way would be to use a full DNS name in
> Unbound. If your official DNS domain is '', you can use in
> the Unbound configuration:
> local-zone: "" static
> local-data: " IN A 123.456.78.910"
> local-data: " IN A 234.567.89.012"
> local-data: " IN A 345.678.90.123"

Hi, Carsten. Thanks for the well-thought-out and detailed reply. I
agree this would be ideal, however, the systems in question don't all
share the same domain name, and can't share the same local-zone. So I
was looking to avoid having to list all the domains as search targets
in /etc/resolv.conf and manage a dozen+ /etc/hosts.

Also, using multiple domains in the resolv.conf search line and
multiple local-zones entries won't work in our case, either, because
we use wildcard DNS on the authoritative nameservers to direct typo
traffic on our domains to our websites (we run a number of very
popular network of video game websites and visitors often mis-type our
subdomains). So even if we set it up as:

local-zone: "" static
local-data: " IN A 123.456.78.910"

local-zone: "" static
local-data: " IN A 234.567.89.012"

local-zone: "" static
local-data: " IN A 345.678.90.123"


# cat /etc/resolv.conf

A "ping doug" doesn't hit the right server (, because's wildcard DNS matches first.

> If you don't own your own domain, it is better to get one (domains are
> not expensive) and not to 'hijack' one (as you do not own '.local',
> using that TLD without permission is kind of hijacking it).

I can see the wisdom in that. However, since our unbound server is not
authoritative for our systems (all of which have FQDNS names managed
by a separate nameserver cluster) it's possible that the public IP
address for the might get changed in the authoritative nameserver, and
that one of us would forget to update it in unbound, and we'd be
broadcasting the incorrect IPs to our local network. Of course, we'd
probably notice that issue quickly, but I'm looking to avoid that
potential altogether.

All this said, while I agree with you that there is technically a risk
of typo traffic going to the root servers, the practical risk of that
happening in this situation is very minimal. These machines have only
two admins that access them, and no standard user accounts.  And the
two of us who access these boxes ar booth greet tiepers. :) These
"shortcuts" would only be used a few times per week at most by two