Maintained by: NLnet Labs

[Unbound-users] Unbound + NSD

Stuart Henderson
Thu Aug 7 12:59:29 CEST 2014


On 2014-08-07, Stuart Henderson <stu at spacehopper.org> wrote:
> On 2014-08-05, JC PAROLA <contact at sels-ingenierie.com> wrote:
>> I configured NSD as authoritative name server. It works fine.
>>
>> I configured unbound on the same server and use the "stub-zone" directive
>> to query the name server.
>>
>> How do I configure unbound to allow ALL IPs to query all zones in the NSD
>> name server (like an authoritative name server) but limit recursion (e.g. query A
>> for google.fr) to a subnet only?
>>
>> I tried to configure "access-control" but no result.
>>
>> Could you help me?
>
> It seems like you are trying to use unbound to provide access to
> authoritative DNS as well as DNS resolver on the same IP address.
>
> This won't work because the AA flag won't be set correctly.
> (for proof that this is a problem, see the analysis of Microsoft's
> recent attempt at "cleaning" the no-ip DNS zones..)

Sorry, wrong explanation about the AA flag; I was mistaken. If it
was just that, it would likely be logged as lame delegation but
should still query. It is the RD flag that will cause problems.

To prove it to yourself, use "dig +norecurse" and point it at
1. unbound with the stub-zone configuration and 2. nsd directly.

More explanation at 
http://www.unchartedbackwaters.co.uk/pyblosxom/microsoft_noip_dos
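
The comparison suggested above, as an added example that is not part of the original post: a Python script that sends the same RD=0 query `dig +norecurse` sends and prints the header flags (AA, RD, RA, rcode) each server returns. The command-line arguments and the two sample headers are constructed for illustration; the samples are not captures from unbound or NSD.

```python
import socket, struct, sys

RCODES = {0: "NOERROR", 1: "FORMERR", 2: "SERVFAIL", 3: "NXDOMAIN", 4: "NOTIMP", 5: "REFUSED"}

def build_query(name, rd=False, qtype=1, txid=0x1234):
    """Build a DNS query for `name`; rd=False matches `dig +norecurse`."""
    flags = 0x0100 if rd else 0x0000          # RD is bit 0x0100 of the flags word
    header = struct.pack("!HHHHHH", txid, flags, 1, 0, 0, 0)
    labels = name.rstrip(".").split(".")
    qname = b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"
    return header + qname + struct.pack("!HH", qtype, 1)   # qtype A by default, class IN

def parse_header(msg):
    """Decode the 12-byte DNS header of a response."""
    if len(msg) < 12:
        raise ValueError("short DNS message")
    _txid, flags, _qd, an, _ns, _ar = struct.unpack("!HHHHHH", msg[:12])
    return {"qr": bool(flags & 0x8000), "aa": bool(flags & 0x0400),
            "rd": bool(flags & 0x0100), "ra": bool(flags & 0x0080),
            "rcode": RCODES.get(flags & 0x000F, str(flags & 0x000F)), "answers": an}

def describe(h):
    """One-line summary of the flags that matter for this comparison."""
    return "aa=%d rd=%d ra=%d rcode=%s answers=%d" % (
        h["aa"], h["rd"], h["ra"], h["rcode"], h["answers"])

def ask(server, name, port=53, timeout=3.0):
    """Send the RD=0 query over UDP (IPv4) and return the decoded response header."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(build_query(name), (server, port))
        return parse_header(s.recv(4096))

# Constructed 12-byte headers (not captured from unbound or NSD), for offline use.
SAMPLE_AUTHORITATIVE = struct.pack("!HHHHHH", 0x1234, 0x8400, 1, 1, 0, 0)  # QR+AA, NOERROR
SAMPLE_REFUSED = struct.pack("!HHHHHH", 0x1234, 0x8005, 1, 0, 0, 0)        # QR, REFUSED

if __name__ == "__main__":
    # usage: script.py <name-in-zone> <server-address> [<server-address> ...]
    if len(sys.argv) >= 3:
        for server in sys.argv[2:]:
            print(server, describe(ask(server, sys.argv[1])))
    else:
        for label, raw in (("sample-aa", SAMPLE_AUTHORITATIVE), ("sample-refused", SAMPLE_REFUSED)):
            print(label, describe(parse_header(raw)))
```

Run it with a name from the stub zone followed by the address unbound listens on and the address NSD listens on, then compare the two output lines.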