Maintained by: NLnet Labs

[Unbound-users] return refused for any query except for explicitly configured local, stub or forwarded zones

Paul Wouters
Tue Jun 16 14:21:02 CEST 2015


A hack is to use the dnssec-trigger trick

unbound-control forward_add . 127.0.0.127



Sent from my iPhone

> On Jun 16, 2015, at 04:58, Mikolaj Kucharski <mikolaj at kucharski.name> wrote:
> 
> Hi,
> 
> I'm wondering is it possible to configure Unbound in such a way that
> it will return REFUSED for any query, except zones which are explicitly
> configured in the config file.
> 
> For example, here is config which allows to resolve "home.lan." and
> "example.com." zones but for anything else returns SERVFAIL. Below
> behaviour is expected, but I would like for root zone (catch all in this
> case) REFUSED to be returned by Unbound. Is that possible?
> 
> I did try config with `local-zone: "." refuse' but that results with
> queries for stub-zone or forward-zone giving REFUSED.
> 
> Sample unbound.conf (tests done on version 1.5.2):
> 
> server:
>  interface: 127.0.0.1
>  interface: ::1
>  port: 53
>  access-control: 0.0.0.0/0 refuse
>  access-control: 127.0.0.0/8 allow
>  access-control: ::0/0 refuse
>  access-control: ::1 allow
>  hide-identity: no
>  hide-version: no
>  use-syslog: no
> 
> # XXX stub and forward zone queries result with REFUSED
> #local-zone: "." refuse
> 
> local-zone: "home.lan." static
> local-data: "box1.home.lan. 60 A 172.16.0.52"
> local-zone: "0.16.172.in-addr.arpa." static
> local-data-ptr: "172.16.0.52 60 box1.home.lan."
> 
> stub-zone:
>  name: "example.com."
>  stub-addr: 199.43.132.53
>  stub-addr: 199.43.133.53
> 
> # XXX SERVFAILs
> forward-zone:
>        name: "."
> 
> 
> Queries and their statuses:
> 
> 
> # good, proper answer
> $ dig +noall +comments @127.0.0.1 example.com. 
> ;; Got answer:
> ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 46932
> ;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 2, ADDITIONAL: 0
> 
> 
> # good, proper answer
> $ dig +noall +comments @127.0.0.1 box1.home.lan.
> ;; Got answer:
> ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 48527
> ;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 0
> 
> 
> # bad, SERVFAIL, but I would like REFUSED
> $ dig +noall +comments @127.0.0.1 google.com.  
> ;; Got answer:
> ;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 15258
> ;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 0
> 
> 
> -- 
> best regards
> q#
> _______________________________________________
> Unbound-users mailing list
> Unbound-users at unbound.net
> http://unbound.nlnetlabs.nl/mailman/listinfo/unbound-users
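A small checker for the policy the original poster is after (NOERROR for the explicitly configured zones, REFUSED for everything else), written as an added example; it is not code from this thread or from Unbound. It parses the header line that `dig +noall +comments` prints, compares the RCODE with the expected one per name, and reports mismatches. The allowed-zone list is assumed from the quoted unbound.conf, and the embedded sample outputs are constructed to mirror the dig output in the thread (so the google.com. query shows up as a SERVFAIL-instead-of-REFUSED mismatch); with `--live` it runs dig against a real resolver instead.

```python
"""Check an Unbound resolver's per-zone RCODE policy from dig output.

Added example (not from the mailing-list thread or from Unbound). Usage:
    python3 rcode_check.py            # offline, uses the constructed samples
    python3 rcode_check.py --live 127.0.0.1 example.com. box1.home.lan. google.com.
"""
import re
import subprocess
import sys

# dig +noall +comments prints e.g.:
#   ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 46932
#   ;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 2, ADDITIONAL: 0
STATUS_RE = re.compile(r"->>HEADER<<- opcode: (\w+), status: (\w+), id: (\d+)")
FLAGS_RE = re.compile(r";; flags: ([^;]*);")

# Zones the resolver is expected to answer (assumed from the quoted unbound.conf:
# the local-zones and the stub-zone). Anything else should come back REFUSED.
ALLOWED_ZONES = ("home.lan.", "0.16.172.in-addr.arpa.", "example.com.")


def expected_rcode(qname):
    """Policy: NOERROR inside a configured zone, REFUSED everywhere else."""
    qname = qname.lower()
    if not qname.endswith("."):
        qname += "."
    for zone in ALLOWED_ZONES:
        # exact apex or a name below it; "ahome.lan." must not match "home.lan."
        if qname == zone or qname.endswith("." + zone):
            return "NOERROR"
    return "REFUSED"


def parse_dig(output):
    """Return (rcode, flags) from dig +noall +comments output.

    (None, []) means dig printed no header, i.e. no answer at all (timeout)."""
    m = STATUS_RE.search(output)
    if not m:
        return None, []
    f = FLAGS_RE.search(output)
    flags = f.group(1).split() if f else []
    return m.group(2), flags


def run_dig(qname, server="127.0.0.1", qtype="A"):
    """Query a live resolver; short timeout so an unreachable forwarder fails fast."""
    cmd = ["dig", "+noall", "+comments", "+time=2", "+tries=1",
           "@" + server, qname, qtype]
    return subprocess.run(cmd, capture_output=True, text=True, check=False).stdout


def check(results):
    """results: {qname: dig output}. Returns [(qname, expected, got)] mismatches."""
    mismatches = []
    for qname, out in results.items():
        got, _flags = parse_dig(out)
        want = expected_rcode(qname)
        if got != want:
            mismatches.append((qname, want, got))
    return mismatches


# Constructed sample outputs modelled on the dig runs quoted in the thread.
SAMPLES = {
    "example.com.": (
        ";; Got answer:\n"
        ";; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 46932\n"
        ";; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 2, ADDITIONAL: 0\n"
    ),
    "box1.home.lan.": (
        ";; Got answer:\n"
        ";; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 48527\n"
        ";; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 0\n"
    ),
    "google.com.": (
        ";; Got answer:\n"
        ";; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 15258\n"
        ";; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 0\n"
    ),
}


def main(argv):
    if len(argv) >= 3 and argv[1] == "--live":
        server, names = argv[2], argv[3:]
        results = {n: run_dig(n, server) for n in names}
    else:
        results = SAMPLES
    bad = check(results)
    for qname, want, got in bad:
        print("MISMATCH %-30s expected %-8s got %s" % (qname, want, got))
    return 1 if bad else 0


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Run offline it exits non-zero and prints the single mismatch for google.com.; once the resolver really does return REFUSED for names outside the configured zones, the same run is clean.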