Maintained by: NLnet Labs

disable forwardig for specific zones

Hajo Locke
Wed Mar 30 14:59:46 CEST 2016


Hello,

thanks for your help.

Am 30.03.2016 um 14:02 schrieb W.C.A. Wijngaards via Unbound-users:
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA256
>
> Hi Hajo,
>
> On 30/03/16 13:25, Hajo Locke via Unbound-users wrote:
>> Hello List,
>>
>> i use unbound 1.4.22 as forwarder to my global dns-cache:
>>
>> forward-zone: name: "." forward-addr: ip.ip.ip.ip
>>
>>
>> now i want to exclude some zones from forwarding and do
>> nameresolution on same machine. i do not find an option to disable
>> forwarding. Is there a possibility for me?
> Unbound uses the closest match for what forward and stub clause to
> use.  So you can config more specific forward and stub clauses for the
> zones and send their queries elsewhere.
>
> With stub-zone you can make unbound ask authority servers.
>
> # For example;
> stub-zone:
> 	name: "nlnetlabs.nl"
> 	stub-host: ns-ext1.sidn.nl.
> 	stub-host: sec2.authdns.ripe.net.
> 	stub-host: anyns.pch.net.
> 	stub-addr: 185.49.140.60   # for ns.nlnetlabs.nl
> 	stub-addr: 2a04:b900::8:0:0:60  # for ns.nlnetlabs.nl

so a wildcardforwarding is only overwriteable by specific forwarding? a 
possibility to stop forwarding for some zones and do lookup on localhost 
would be nice.

> (For the nameservers in the zone itself I used IP addresses, to avoid
> a circular dependency).
>
> stub-prime: yes will make it fetch the NS set using this list of
> servers and use that NS set for further queries.  Note that it will
> use your global forwarder to lookup sec2.authdns.ripe.net.  If you do
> not desire such lookups to the global forwarder, give IP addresses.
>
> Best regards, Wouter
>
>
>> As fallback i could forward to 127.0.0.1:54 and create a new, not
>> forwarding unbound on port 54.
>>
>> Thanks, Hajo
> -----BEGIN PGP SIGNATURE-----
> Version: GnuPG v2
>
> iQIcBAEBCAAGBQJW+8BVAAoJEJ9vHC1+BF+NHngQAKN1MwmVa25RIUlzjz2mF6Yh
> vKCbpuDX4Bim2M1D85WYQpBPlpgDpMSo5yaP7Pk3lvKVgaB3ewQEQ+a6hEtnv3Ri
> WMUeOVp+tNNPpLYID4zytXwuL4NV31dhn7oy6E2OVf0T0YwxSk52qUY2w396aBw3
> qULMqXGMMc5snIjF+idOuv3AYWgahx+U+XaYGnuSCyTMoXqGzMt0KHRrVhDS4SBd
> T6i8WvdUz8vo8ILv0U9/yeMwBBMak0rFS8XVEGQ2B45QCDEJUwSgX8iKP6rCP1S5
> OijAaMliSmnVxxJ7to8hdqnaGes3zxO7H/W8Ie9qTueFIfW+OJPBUft8EhvA5Kg8
> PrSc1R/DDAQPQ6mTvRrw8WPw45YpSqPd/dJ7sppMk2a8ENkjOnGE4bIkx75s+T2v
> eGOCku8mNmYCiNKAyekOfa14FTQHSHXxNQVbMDkbeu9pxk9i5eXvboOQgPnaJ6sG
> g+4kB6grQSaUTwxHM68TvteCmbd4pdnfhzeRAxwuItC1HSDci8fhLoemrrYAumml
> 9+ZIYeR3+rtwcElaCb86aLhtoqkqYhtd5w2oOYKaKvlz7O+uatq7wJikycIn8GVn
> /au+BLrJjj0ococvXaQTq9a39hJbYArwjHiOuaISFfp3DNywGFp5lEBNOLGW15lw
> pWYGXRkohoWeWMUc5sW9
> =u70b
> -----END PGP SIGNATURE-----
>

Thanks, Hajo