Maintained by: NLnet Labs

disable forwarding for specific zones

W.C.A. Wijngaards
Wed Mar 30 15:06:13 CEST 2016


Hi Hajo,

On 30/03/16 14:59, Hajo Locke via Unbound-users wrote:
> Hello,
> 
> thanks for your help.
> 
> On 30.03.2016 at 14:02, W.C.A. Wijngaards via Unbound-users wrote:
> Hi Hajo,
> 
> On 30/03/16 13:25, Hajo Locke via Unbound-users wrote:
>>>> Hello List,
>>>> 
>>>> I use unbound 1.4.22 as forwarder to my global dns-cache:
>>>> 
>>>> forward-zone:
>>>>     name: "."
>>>>     forward-addr: ip.ip.ip.ip
>>>> 
>>>> 
>>>> Now I want to exclude some zones from forwarding and do
>>>> name resolution on the same machine. I do not find an option to
>>>> disable forwarding. Is there a possibility for me?
> Unbound uses the closest match for what forward and stub clause to 
> use.  So you can config more specific forward and stub clauses for
> the zones and send their queries elsewhere.
> 
> With stub-zone you can make unbound ask authority servers.
> 
> # For example;
> stub-zone:
>     name: "nlnetlabs.nl"
>     stub-host: ns-ext1.sidn.nl.
>     stub-host: sec2.authdns.ripe.net.
>     stub-host: anyns.pch.net.
>     stub-addr: 185.49.140.60   # for ns.nlnetlabs.nl
>     stub-addr: 2a04:b900::8:0:0:60  # for ns.nlnetlabs.nl
> 
>> So a wildcard forwarding is only overwritable by specific
>> forwarding? A possibility to stop forwarding for some zones and
>> do lookup on localhost would be nice.

Yes.  Do you mean specific, with specific authority servers for a
zone?  Or do you mean that a name: "nl" stub-zone and forward-zone
would catch all zones ending in '.nl' (this is the way unbound works
now, all queries ending in that name are forwarded)?

But you can definitely forward some zones and do a lookup on localhost
by entering more specific overrides.
forward-zone:
	name: "example.com"
	forward-addr: 127.0.0.1@54
And then add entries for all the zones for which you want to query the
other unbound on port 54.  (set do-not-query-localhost: no to allow
queries to go to 127.0.0.1).

Best regards, Wouter

> 
> (For the nameservers in the zone itself I used IP addresses, to
> avoid a circular dependency).
> 
> stub-prime: yes will make it fetch the NS set using this list of 
> servers and use that NS set for further queries.  Note that it
> will use your global forwarder to lookup sec2.authdns.ripe.net.  If
> you do not desire such lookups to the global forwarder, give IP
> addresses.
> 
> Best regards, Wouter
> 
> 
>>>> As fallback I could forward to 127.0.0.1:54 and create a new,
>>>> not forwarding unbound on port 54.
>>>> 
>>>> Thanks, Hajo
>> 
> 
> Thanks, Hajo
> 

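Added example, not part of the original message and not Unbound's own code: a simplified Python model of the closest-match rule described in the thread, showing that a more specific forward or stub clause wins over the "." forwarder and that matching is done on whole labels. The function names are hypothetical and 192.0.2.53 is a placeholder for the global cache address.

```python
# Simplified model of closest-match clause selection; not Unbound's code.
# Function names are hypothetical; zone data below is constructed sample input.

def labels(name):
    """Split a DNS name into lowercase labels; the root "." is an empty list."""
    return [part for part in name.lower().rstrip(".").split(".") if part]

def closest_clause(qname, clauses):
    """Return the (kind, zone, target) clause whose zone is the deepest
    label-wise suffix of qname, or None if no clause encloses it."""
    q = labels(qname)
    best, best_depth = None, -1
    for kind, zone, target in clauses:
        z = labels(zone)
        # Compare whole labels, so "notexample.com" is not under "example.com".
        if len(z) <= len(q) and q[len(q) - len(z):] == z:
            if len(z) > best_depth:
                best, best_depth = (kind, zone, target), len(z)
    return best

CLAUSES = [
    ("forward", ".", "192.0.2.53"),              # global cache (placeholder IP)
    ("forward", "example.com", "127.0.0.1@54"),  # local non-forwarding instance
    ("stub", "nlnetlabs.nl", "185.49.140.60"),   # authority server from the thread
]

def route(qname):
    """Describe where a query for qname would be sent under CLAUSES."""
    kind, zone, target = closest_clause(qname, CLAUSES)
    return f"{kind} {zone} -> {target}"

if __name__ == "__main__":
    for name in ("www.example.com.", "notexample.com.",
                 "ns.nlnetlabs.nl.", "example.org."):
        print(f"{name:20} {route(name)}")
```
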