Maintained by: NLnet Labs

[Unbound-users] Is It Correct Unbound Config as Validating DNS Server/Resolver ?

staticsafe
Fri May 24 01:27:20 CEST 2013


On Thu, May 23, 2013 at 03:21:13PM -0700, Bright Star wrote:
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA512
> 
> Hello, Unbound Mailing List users & experts,
> 
> Please check this below configuration, and let me know, IF this is
> fit and CORRECTLY CONFIGURED to work as a complete Validating
> DNS-Server / DNS-Resolver / DNS-Client for a Windows (7) OS based
> computer (which has 2GB RAM, 1 CPU Core), where it is currently
> installed and will run, and it will also have to serve, as a
> DNS-Server, for other computers and VMs (with different OSes) in
> local LAN.
> 
> (Amount of free RAM memory size is large, so not a factor).
> 
> Windows DNS Client service is set onto "Manual Startup" mode, so it
> is not running, and, local network adapter/interface is configured
> to use 127.0.0.1 as its DNS-Server, in this (Win7) computer.
> 
> And LAN network adapter/interface of this (Win7) computer is also
> using fixed/static IP address 192.168.0.10.
> 
> And other computers in LAN, VMs are configured to use 192.168.0.10
> as their DNS-Server.
> 
> Most websites/domains/zones are not yet signed with DNSSEC. I want
> this DNS-Server, still be able to send DNS query results for such
> unsigned websites to its users/clients. (DNS query answer will not
> have "AD" flag).
> 
> I do NOT want this DNS-Server to completely block (or stop sending)
> DNS query results for ANY sites/zones which are not yet DNSSEC signed.
> 
> Firefox will have DNSSEC Validation based addons which will be
> configured to use this DNS-Server. Firefox addons will display
> colored icon or message, when a website is visited, and icon will
> indicate if a website is signed or secured with DNSSEC yet or not.
> (DNS query answer will have "AD" flag and "NOERROR" status for
> DNSSEC signed sites/zones).
> 
> There are other software which we are using, they do not have
> built-in support for doing any DNSSEC based query and cannot
> understand DNSSEC based answer, those software still need to be able
> to function (that is: sending regular DNS query, and receiving
> regular response via this DNS-Server).
> 
> So IF CORRECTION is NEEDED to be done on this config, please provide
> correct + practical + real config line that can be used, please do
> not give examples, or confusing comments/response. I'm looking for
> practical configuration that will serve my purpose and work right
> now.  PLEASE describe ACCURATELY for what reason why a specific real
> config line is better or should be used what you are suggesting, and
> PLEASE describe what else need to be changed, exactly.
> 
> Please do not assume I will do or I'm supposed to do something
> automatically, so please describe & explain.
> 
> WHEN YOU ARE REPLYING, PLEASE MAKE SURE TO
> PLACE ONLY ONE/BELOW EMAIL ADDRESS IN THE
> "TO:" FIELD/Text-Box:
> unbound-users at unbound.net
> 
> Please do not send any email directly to me, Thanks.
> 
> PLEASE DO NOT SEND ANY EMAIL DIRECTLY TO ME, THANKS.
> 
> Thanks (again) in advance,
> - -- Bright Star (Bry8Star).
> <SNIP>

Only one thing stood out to me as an obvious error.

access-control: 192.168.0.10 allow

As you said, other computers in your LAN are supposed to use this DNS
resolver.

The access-control statement should be as follows:

access-control: 192.168.0.0/24 allow

Assuming /24 as your LAN subnet mask.
-- 
staticsafe
O< ascii ribbon campaign - stop html mail - www.asciiribbon.org
Please don't top post - http://goo.gl/YrmAb
Don't CC me! I'm subscribed to whatever list I just posted on.
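The reply above corrects a single access-control line. Why the original line is wrong becomes obvious once you model how Unbound evaluates access-control entries: a bare address is a /32 netblock, the most specific matching netblock decides, and a client that matches nothing is refused. The script below is an added example, not code from the thread or from the Unbound project. It assumes Unbound's documented default policy (everything refused, localhost allowed), a /24 LAN as the reply assumes, and a few constructed client addresses; the only line taken from the thread itself is the poster's `access-control: 192.168.0.10 allow` and the suggested `192.168.0.0/24 allow`.

```python
"""Model of Unbound access-control evaluation (added example, not project code)."""
import ipaddress

# Assumed baseline mirroring the unbound.conf(5) defaults: refuse everything,
# allow localhost. These two lines are not quoted anywhere in the thread.
DEFAULT_ACL = """
access-control: 0.0.0.0/0 refuse
access-control: 127.0.0.0/8 allow
"""

# The one access-control line the reply quotes from the original post.
POSTED_ACL = DEFAULT_ACL + "access-control: 192.168.0.10 allow\n"

# The correction suggested in the reply, assuming a /24 LAN.
CORRECTED_ACL = DEFAULT_ACL + "access-control: 192.168.0.0/24 allow\n"


def parse_access_control(config_text):
    """Return a list of (ip_network, action) from 'access-control:' lines.

    Other directives and '#' comments are ignored. A bare address such as
    192.168.0.10 becomes a /32, which is why it matches exactly one host.
    """
    rules = []
    for raw in config_text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line.startswith("access-control:"):
            continue
        fields = line[len("access-control:"):].split()
        if len(fields) != 2:
            raise ValueError("malformed access-control line: %r" % raw)
        netblock, action = fields
        rules.append((ipaddress.ip_network(netblock, strict=False), action))
    return rules


def acl_decision(rules, client_ip):
    """Most specific (longest prefix) matching netblock wins; no match -> refuse."""
    ip = ipaddress.ip_address(client_ip)
    best = None
    for net, action in rules:
        if net.version == ip.version and ip in net:
            if best is None or net.prefixlen > best[0].prefixlen:
                best = (net, action)
    return "refuse" if best is None else best[1]


def decisions(config_text, clients):
    """Map each client address to the action Unbound would take for it."""
    rules = parse_access_control(config_text)
    return {client: acl_decision(rules, client) for client in clients}


if __name__ == "__main__":
    # Constructed sample clients: the Win7 box itself, another LAN host,
    # localhost, and an address outside the LAN.
    lan_clients = ["127.0.0.1", "192.168.0.10", "192.168.0.20", "10.0.0.5"]
    for label, cfg in (("posted", POSTED_ACL), ("corrected", CORRECTED_ACL)):
        print(label, decisions(cfg, lan_clients))
```

With the posted line, only 192.168.0.10 (the server's own LAN address) and localhost are allowed; every other LAN host is refused, which is exactly the failure the reply points at. With the /24 line the whole LAN is allowed and addresses outside it stay refused. Because the most specific entry wins, a narrower entry such as `access-control: 192.168.0.99 refuse` added alongside the /24 would still exclude that one host, a useful property when one machine on the LAN should not be able to use the resolver.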