Maintained by: NLnet Labs

disable forwarding for specific zones

Hajo Locke
Wed Mar 30 16:39:05 CEST 2016


Hello,

On 30.03.2016 at 15:06, W.C.A. Wijngaards via Unbound-users wrote:
>
> Hi Hajo,
>
> On 30/03/16 14:59, Hajo Locke via Unbound-users wrote:
>> Hello,
>>
>> thanks for your help.
>>
>> On 30.03.2016 at 14:02, W.C.A. Wijngaards via Unbound-users wrote:
>> Hi Hajo,
>>
>> On 30/03/16 13:25, Hajo Locke via Unbound-users wrote:
>>>>> Hello List,
>>>>>
>>>>> I use unbound 1.4.22 as a forwarder to my global DNS cache:
>>>>>
>>>>> forward-zone:
>>>>>     name: "."
>>>>>     forward-addr: ip.ip.ip.ip
>>>>>
>>>>>
>>>>> Now I want to exclude some zones from forwarding and do
>>>>> name resolution on the same machine. I do not find an option to
>>>>> disable forwarding. Is there a possibility for me?
>> Unbound uses the closest match for what forward and stub clause to
>> use.  So you can config more specific forward and stub clauses for
>> the zones and send their queries elsewhere.
>>
>> With stub-zone you can make unbound ask authority servers.
>>
>> # For example;
>> stub-zone:
>>     name: "nlnetlabs.nl"
>>     stub-host: ns-ext1.sidn.nl.
>>     stub-host: sec2.authdns.ripe.net.
>>     stub-host: anyns.pch.net.
>>     stub-addr: 185.49.140.60        # for ns.nlnetlabs.nl
>>     stub-addr: 2a04:b900::8:0:0:60  # for ns.nlnetlabs.nl
>>
>>> So a wildcard forwarding is only overridable by a specific
>>> forwarding? A possibility to stop forwarding for some zones and
>>> do the lookup on localhost would be nice.
> Yes.  Do you mean specific, with specific authority servers for a
> zone?  Or do you mean that a name: "nl" stub-zone and forward-zone
> would catch all zones ending in '.nl' (this is the way unbound works
> now, all queries ending in that name are forwarded)?
Yes, I mean a specific name.
Currently I have the wildcard forward. I just want to exclude some
domain names from this forwarding and use unbound as a local resolver for
these domains.
To clarify, I use the imaginary directive "exclude" as an example to show it.

forward-zone:
         name: "."
         exclude: "example.com"
         forward-addr: ip.ip.ip.ip

As the reverse solution I could only forward zones which I already know,
which is not possible/useful when running as a DNS cache.

I could achieve the same in an indirect way by using a further forward to
another unbound on localhost on a different port, which is not configured
as a forwarder.

forward-zone:
         name: "example.com"
         forward-addr: 127.0.0.1@54
         forward-first: yes

But this seems not to be as easy to realise as I thought. It seems by
default unbound is not ready to start in multiple instances on different
ports with different settings. I could not create multiple servers. I
think the only way is to start a 2nd unbound daemon with a completely
different start script, pids, confs etc.
Hmm, too big an effort for my purposes.
>
> But you can definitely forward some zones and do a lookup on localhost
> by entering more specific overrides.
> forward-zone:
> 	name: "example.com"
> 	forward-addr: 127.0.0.1@54   # forward-addr, not stub-addr, inside a forward-zone
> And then add entries for all the zones for which you want to query the
> other unbound on port 54.  (set do-not-query-localhost: no to allow
> queries to go to 127.0.0.1).
>
> Best regards, Wouter
>
>> (For the nameservers in the zone itself I used IP addresses, to
>> avoid a circular dependency).
>>
>> stub-prime: yes will make it fetch the NS set using this list of
>> servers and use that NS set for further queries.  Note that it
>> will use your global forwarder to lookup sec2.authdns.ripe.net.  If
>> you do not desire such lookups to the global forwarder, give IP
>> addresses.
>>
>> Best regards, Wouter
>>
>>
>>>>> As a fallback I could forward to 127.0.0.1:54 and create a new,
>>>>> non-forwarding unbound on port 54.
>>>>>
>>>>> Thanks, Hajo
>> Thanks, Hajo
>>
>
Thanks,
Hajo
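
The thread turns on one rule: unbound picks the forward-zone or stub-zone whose name is the closest match for the query name, so a catch-all `name: "."` is overridden by any more specific clause, and a clause for `example.com` also catches everything below it. The script below is an added example, not code from the thread or from Unbound itself. It embeds a constructed unbound.conf fragment with the global forward, the `example.com` override to a second unbound on `127.0.0.1@54` (with `do-not-query-localhost: no`, as Wouter notes) and the `nlnetlabs.nl` stub, parses the clauses, and models the closest-match selection label by label. The `192.0.2.53` forwarder address and the config text are assumptions for illustration; check the real behaviour with `unbound-checkconf` and `dig` against your own instance.

```python
"""Model of unbound's forward-/stub-zone selection (closest matching name).

Added example, not part of the mailing-list thread or of Unbound itself.
Parses a constructed unbound.conf fragment and, for a query name, returns
the clause whose name is the longest label-wise suffix of the query.
"""

# Constructed unbound.conf fragment. The forwarder IP 192.0.2.53 is an
# assumption (documentation range); port 54 and the nlnetlabs.nl addresses
# come from the thread.
CONFIG = """
server:
    # allow the example.com override below to send queries to 127.0.0.1
    do-not-query-localhost: no

# catch-all: anything not matched more specifically goes to the global cache
forward-zone:
    name: "."
    forward-addr: 192.0.2.53

# override: example.com and every name below it goes to a second,
# non-forwarding unbound on localhost port 54
forward-zone:
    name: "example.com"
    forward-addr: 127.0.0.1@54

# override: resolve nlnetlabs.nl by asking its authority servers directly
stub-zone:
    name: "nlnetlabs.nl"
    stub-addr: 185.49.140.60
    stub-addr: 2a04:b900::8:0:0:60
"""


def parse_zones(text):
    """Return a list of {'kind', 'name', 'addrs'} dicts, one per zone clause.

    Only forward-zone/stub-zone clauses are collected; the server clause and
    comments are skipped. IPv6 addresses contain ':' so the line is split on
    the first ':' only.
    """
    zones = []
    current = None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and whitespace
        if not line:
            continue
        if line in ("forward-zone:", "stub-zone:"):
            current = {"kind": line[:-1], "name": None, "addrs": []}
            zones.append(current)
            continue
        if line == "server:":
            current = None  # keys under server: are not zone settings
            continue
        if current is None:
            continue
        key, _, value = line.partition(":")
        key, value = key.strip(), value.strip().strip('"')
        if key == "name":
            current["name"] = value
        elif key in ("forward-addr", "forward-host", "stub-addr", "stub-host"):
            current["addrs"].append(value)
    return zones


def labels(name):
    """Split a DNS name into lower-case labels; the root '.' gives []."""
    name = name.rstrip(".").lower()
    return name.split(".") if name else []


def select_zone(zones, qname):
    """Pick the clause whose name is the longest label-wise suffix of qname.

    This mirrors unbound's closest-match rule: 'example.com' also catches
    'www.example.com', '.' matches anything, and 'notexample.com' does NOT
    match 'example.com' because comparison is per label, not per character.
    """
    q = labels(qname)
    best, best_len = None, -1
    for zone in zones:
        zl = labels(zone["name"])
        n = len(zl)
        if n > best_len and len(q) >= n and q[len(q) - n:] == zl:
            best, best_len = zone, n
    return best


def resolve_target(config_text, qname):
    """Return (kind, zone name, addresses) that a query for qname would use."""
    zone = select_zone(parse_zones(config_text), qname)
    return (zone["kind"], zone["name"], zone["addrs"])


if __name__ == "__main__":
    for q in ("www.example.com", "mail.nlnetlabs.nl", "notexample.com", "example.org"):
        print(q, "->", resolve_target(CONFIG, q))
```

Running it shows `www.example.com` going to `127.0.0.1@54`, `mail.nlnetlabs.nl` to the stub addresses, and both `notexample.com` and `example.org` falling through to the global forwarder, which is exactly the "exclude" behaviour asked for in the thread without any new directive.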