Maintained by: NLnet Labs

[Unbound-users] Is It Correct Unbound Config as Validating DNS Server/Resolver ?

Bry8 Star
Fri May 24 02:32:19 CEST 2013


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Hi staticsafe,

THANK YOU. :)

Config is updated, and Unbound service is restarted.

IF/WHEN YOU ARE REPLYING, PLEASE MAKE SURE TO
PLACE ONLY ONE/BELOW EMAIL ADDRESS IN THE
"TO:" FIELD/Text-Box:
unbound-users at unbound.net

Please do not send any email directly to me, Thanks.

- -- Bright Star.



Received from staticsafe, on 2013-05-23 4:27 PM:
> On Thu, May 23, 2013 at 03:21:13PM -0700, Bright Star wrote:
>> -----BEGIN PGP SIGNED MESSAGE-----
>> Hash: SHA512
>>
>> Hello, Unbound Mailing List users & experts,
>>
>> Please check this below configuration, and let me know, IF this is
>> fit and CORRECTLY CONFIGURED to work as a complete Validating
>> DNS-Server / DNS-Resolver / DNS-Client for a Windows (7) OS based
>> computer (which has 2GB RAM, 1 CPU Core), where it is currently
>> installed and will run, and it will also have to serve, as a
>> DNS-Server, for other computers and VMs (with different OSes) in
>> local LAN.
>>
>> (Amount of free RAM memory size is large, so not a factor).
>>
>> Windows DNS Client service is set onto "Manual Startup" mode, so it
>> is not running, and, local network adapter/interface is configured
>> to use 127.0.0.1 as its DNS-Server, in this (Win7) computer.
>>
>> And LAN network adapter/interface of this (Win7) computer is also
>> using fixed/static IP address 192.168.0.10.
>>
>> And other computers in the LAN, VMs are configured to use 192.168.0.10
>> as their DNS-Server.
>>
>> Most websites/domains/zones are not yet signed with DNSSEC. I want
>> this DNS-Server to still be able to send DNS query results for such
>> unsigned websites to its users/clients. (DNS query answer will not
>> have "AD" flag).
>>
>> I do NOT want this DNS-Server to completely block (or stop sending)
>> DNS query results for ANY sites/zones which are not yet DNSSEC signed.
>>
>> Firefox will have DNSSEC Validation based addons which will be
>> configured to use this DNS-Server. Firefox addons will display
>> colored icon or message, when a website is visited, and icon will
>> indicate if a website is signed or secured with DNSSEC yet or not.
>> (DNS query answer will have "AD" flag and "NOERROR" status for
>> DNSSEC signed sites/zones).
>>
>> There is other software which we are using; it does not have
>> built-in support for doing any DNSSEC based query and cannot
>> understand DNSSEC based answers. That software still needs to be able
>> to function (that is: sending regular DNS query, and receiving
>> regular response via this DNS-Server).
>>
>> So IF CORRECTION is NEEDED to be done on this config, please provide
>> correct + practical + real config line that can be used, please do
>> not give examples, or confusing comments/response. I'm looking for
>> practical configuration that will serve my purpose and work right
>> now.  PLEASE describe ACCURATELY for what reason why a specific real
>> config line is better or should be used what you are suggesting, and
>> PLEASE describe what else need to be changed, exactly.
>>
>> Please do not assume I will do or I'm supposed to do something
>> automatically, so pls describe & explain.
>>
>> WHEN YOU ARE REPLYING, PLEASE MAKE SURE TO
>> PLACE ONLY ONE/BELOW EMAIL ADDRESS IN THE
>> "TO:" FIELD/Text-Box:
>> unbound-users at unbound.net
>>
>> Please do not send any email directly to me, Thanks.
>>
>> PLEASE DO NOT SEND ANY EMAIL DIRECTLY TO ME, THANKS.
>>
>> Thanks (again) in advance,
>> - -- Bright Star (Bry8Star).
>> <SNIP>
> 
> Only one thing stood out to me as an obvious error.
> 
> access-control: 192.168.0.10 allow
> 
> As you said, other computers in your LAN are supposed to use this DNS
> resolver.
> 
> The access-control statement should be as follows:
> 
> access-control: 192.168.0.0/24 allow
> 
> Assuming /24 as your LAN subnet mask.
> 
-----BEGIN PGP SIGNATURE-----
-----END PGP SIGNATURE-----
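The access-control correction above can be checked before restarting the service. The following Python script is an added example, not part of the thread and not Unbound's own code: it parses `access-control:` lines the way Unbound evaluates them (the most specific matching netblock decides; clients that match nothing are refused, with localhost allowed by the built-in defaults) and reports what each client address would get under the original single-host line versus the /24 line. The client addresses and the default-rule list are constructed assumptions.

```python
"""Evaluate Unbound-style access-control lines against client addresses.

Constructed example: it mimics Unbound's rule that the most specific
matching netblock wins, and that clients matching no rule fall back to
the built-in default (localhost allowed, everything else refused).
"""
import ipaddress

# Assumed built-in defaults applied when no explicit rule matches
# (based on Unbound's documented defaults; adjust if your build differs).
DEFAULT_RULES = [
    "access-control: 127.0.0.0/8 allow",
    "access-control: ::1 allow",
]


def parse_access_control(lines):
    """Turn 'access-control: <netblock> <action>' lines into (network, action) pairs."""
    rules = []
    for line in lines:
        line = line.split("#", 1)[0].strip()  # drop trailing comments and whitespace
        if not line:
            continue
        key, _, rest = line.partition(":")
        if key.strip() != "access-control":
            continue  # ignore unrelated server: options
        netblock, action = rest.split()
        # A bare address becomes a single-host netblock (/32 or /128).
        rules.append((ipaddress.ip_network(netblock, strict=False), action))
    return rules


def decide(client_ip, rules):
    """Return the action for client_ip: longest matching prefix wins,
    otherwise 'refuse' (what Unbound does for unlisted clients)."""
    ip = ipaddress.ip_address(client_ip)
    best = None
    for net, action in parse_access_control(DEFAULT_RULES) + rules:
        if ip.version == net.version and ip in net:
            if best is None or net.prefixlen > best[0].prefixlen:
                best = (net, action)
    return best[1] if best else "refuse"


def audit(config_lines, clients):
    """Map every client address to the action the given config yields."""
    rules = parse_access_control(config_lines)
    return {client: decide(client, rules) for client in clients}


# The line from the original post versus the corrected line from the reply.
ORIGINAL = ["access-control: 192.168.0.10 allow"]
CORRECTED = ["access-control: 192.168.0.0/24 allow"]

# Constructed clients: the resolver host, a LAN VM, and an outside address.
CLIENTS = ["127.0.0.1", "192.168.0.10", "192.168.0.25", "10.0.0.5"]

if __name__ == "__main__":
    for name, cfg in (("original", ORIGINAL), ("corrected", CORRECTED)):
        print(name, audit(cfg, CLIENTS))
```

Run as-is, the original line allows only the resolver host itself and refuses the LAN VM at 192.168.0.25, which is exactly the symptom staticsafe pointed out; the /24 line allows the whole LAN while the outside address is still refused. Because the most specific rule wins, a later `access-control: 192.168.0.7 refuse` line can carve a single host out of an allowed /24, which the `decide` function also honours.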