Maintained by: NLnet Labs

[Unbound-users] return refused for any query except for explicitly configured local, stub or forwarded zones

Mikolaj Kucharski
Tue Jun 16 10:58:07 CEST 2015


Hi,

I'm wondering whether it is possible to configure Unbound in such a way that
it will return REFUSED for any query, except for zones which are explicitly
configured in the config file.

For example, here is a config which allows resolving the "home.lan." and
"example.com." zones but returns SERVFAIL for anything else. The
behaviour below is expected, but I would like REFUSED to be returned by
Unbound for the root zone (the catch-all in this case). Is that possible?

I did try a config with `local-zone: "." refuse' but that results in
queries for the stub-zone or forward-zone getting REFUSED.

Sample unbound.conf (tests done on version 1.5.2):

server:
  interface: 127.0.0.1
  interface: ::1
  port: 53
  access-control: 0.0.0.0/0 refuse
  access-control: 127.0.0.0/8 allow
  access-control: ::0/0 refuse
  access-control: ::1 allow
  hide-identity: no
  hide-version: no
  use-syslog: no

# XXX stub and forward zone queries result in REFUSED
#local-zone: "." refuse

local-zone: "home.lan." static
local-data: "box1.home.lan. 60 A 172.16.0.52"
local-zone: "0.16.172.in-addr.arpa." static
local-data-ptr: "172.16.0.52 60 box1.home.lan."

stub-zone:
  name: "example.com."
  stub-addr: 199.43.132.53
  stub-addr: 199.43.133.53

# XXX SERVFAILs
forward-zone:
  name: "."


Queries and their statuses:


# good, proper answer
$ dig +noall +comments @127.0.0.1 example.com.
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 46932
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 2, ADDITIONAL: 0


# good, proper answer
$ dig +noall +comments @127.0.0.1 box1.home.lan.
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 48527
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 0


# bad, SERVFAIL, but I would like REFUSED
$ dig +noall +comments @127.0.0.1 google.com.
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 15258
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 0


-- 
best regards
q#
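An added example, not from the post above or from the Unbound code base: a small Python model of the zone precedence the question hinges on. It assumes, as the poster's observation with `local-zone: "." refuse' suggests, that a query name is matched against local-zones by longest suffix before stub-zones or forward-zones are consulted; the zone names are transcribed from the unbound.conf above.

```python
# Added example: simplified model of Unbound zone precedence (an assumption,
# not Unbound's own code). Local-zones are checked first by longest matching
# suffix; only if none matches are stub-zones and then forward-zones tried.
# This is why a catch-all `local-zone: "." refuse` also swallows example.com.

# Zones transcribed from the poster's unbound.conf
LOCAL_ZONES = {"home.lan.": "static", "0.16.172.in-addr.arpa.": "static"}
STUB_ZONES = {"example.com."}
FORWARD_ZONES = {"."}          # forward-zone "." with no forward-addr

# The poster's attempted variant: root local-zone set to refuse
WITH_CATCH_ALL = dict(LOCAL_ZONES, **{".": "refuse"})


def normalize(name):
    """Lower-case and make the name absolute (single trailing dot)."""
    return name.lower().rstrip(".") + "."


def is_suffix(zone, qname):
    """True if qname is at or below zone (both absolute, lower-case)."""
    if zone == ".":
        return True
    return qname == zone or qname.endswith("." + zone)


def longest_match(zones, qname):
    """Longest zone name that is a suffix of qname, or None."""
    best = None
    for zone in zones:
        if is_suffix(zone, qname) and (best is None or len(zone) > len(best)):
            best = zone
    return best


def classify(qname, local_zones):
    """Return (source, zone, action) that would handle qname in this model."""
    qname = normalize(qname)
    lz = longest_match(local_zones, qname)
    if lz is not None:
        return ("local-zone", lz, local_zones[lz])      # e.g. static / refuse
    sz = longest_match(STUB_ZONES, qname)
    if sz is not None:
        return ("stub-zone", sz, "query stub-addr")
    fz = longest_match(FORWARD_ZONES, qname)
    return ("forward-zone", fz, "forward")


if __name__ == "__main__":
    for q in ("box1.home.lan.", "example.com.", "google.com."):
        print(q, "no catch-all:", classify(q, LOCAL_ZONES))
        print(q, "with catch-all:", classify(q, WITH_CATCH_ALL))
```

With the catch-all in place the model sends example.com. to the root local-zone (REFUSED) instead of the stub-zone, matching what the poster saw.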