Maintained by: NLnet Labs

unbound forwarding local and dnssec proxy

A. Cutright
Mon Nov 13 06:02:25 CET 2017


I am uncertain as to how to configure unbound to do the following:
    - forward local domains to a local authoritative server and not cache the results.
    - forward all other, non-local requests to a dnssec proxy and cache the results.

I am having difficulty getting this to work the way I understand the configuration options.

Setup:
OpenBSD 6.2
unbound 1.6.6
nsd 4.1.10
dnscrypt-proxy 1.9.5

unbound.conf
# $OpenBSD: unbound.conf,v 1.7 2016/03/30 01:41:25 sthen Exp $

server:
	interface: 127.0.0.1
	interface: 192.168.5.20
	do-ip6: no

	access-control: 0.0.0.0/0 refuse
	access-control: 127.0.0.0/8 allow
	access-control: ::0/0 refuse
	access-control: 192.168.5.0/24 allow

	hide-identity: yes
	hide-version: yes

	verbosity: 2
	log-queries: yes

	auto-trust-anchor-file: "/var/unbound/db/root.key"

	do-not-query-localhost: no

	# private networks:
	private-address: 10.0.0.0/8
	private-address: 100.64.0.0/10
	private-address: 172.16.0.0/12
	private-address: 192.0.0.0/29
	private-address: 192.168.0.0/16
	private-address: 198.18.0.0/15
	# example source code & documentation:
	private-address: 192.0.2.0/24
	private-address: 198.51.100.0/24
	private-address: 203.0.113.0/24
	# subnet, autoconfiguration between two hosts on a single link:
	private-address: 169.254.0.0/16
	# reserved for multicast assignments:
	private-address: 224.0.0.0/4
	# reserved for future use:
	private-address: 240.0.0.0/4

	local-zone: "example.net" transparent
	local-zone: "168.192.in-addr.arpa." transparent

	local-zone: "localhost." static
	local-data: "localhost. 10800 IN NS localhost."
	local-data: "localhost. 10800 IN SOA localhost. nobody.invalid. 1 3600 1200 604800 10800"
	local-data: "localhost. 10800 IN A 127.0.0.1"
	local-zone: "127.in-addr.arpa." static
	local-data: "127.in-addr.arpa. 10800 IN NS localhost."
	local-data: "127.in-addr.arpa. 10800 IN SOA localhost. nobody.invalid. 2 3600 1200 604800 10800"
	local-data: "1.0.0.127.in-addr.arpa. 10800 IN PTR localhost."

remote-control:
	control-enable: yes
	control-use-cert: no
	control-interface: /var/run/unbound.sock

# Local domains
# Forwarded to NSD authoritative server
forward-zone:
	name: "example.net."
	forward-addr: 127.0.0.1@8053
forward-zone:
	name: "168.192.in-addr.arpa."
	forward-addr: 127.0.0.1@8053

# dnscrypt proxy
#forward-zone:
#	name: "."
#	forward-addr: 127.0.0.1@40

Sent with [ProtonMail](https://protonmail.com) Secure Email.
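The fragment below is an added example, not part of the original mail and not configuration shipped by NLnet Labs or OpenBSD. It shows only the statements that differ from the posted unbound.conf and assumes the same placeholders and endpoints as the post: NSD on 127.0.0.1 port 8053, dnscrypt-proxy on 127.0.0.1 port 40, and "example.net" standing in for an unsigned local zone. The per-zone `forward-no-cache` option was added in unbound 1.6.1, so it should be available on 1.6.6; confirm against `man unbound.conf` on the installed version before relying on it.

```conf
server:
	# Needed for any forward-addr on 127.0.0.1; already present in the posted config.
	do-not-query-localhost: no
	auto-trust-anchor-file: "/var/unbound/db/root.key"

	# The local zone is served unsigned by NSD. With a trust anchor loaded,
	# the validator would otherwise demand a chain of trust and mark the
	# answers bogus (SERVFAIL). Harmless for a name that is already provably
	# insecure in the public tree.
	domain-insecure: "example.net."
	domain-insecure: "168.192.in-addr.arpa."

	# private-address strips RFC 1918 addresses from upstream answers as
	# DNS-rebinding protection. private-domain exempts the zone that is
	# allowed to carry them, otherwise A records from NSD come back empty.
	private-address: 192.168.0.0/16
	private-domain: "example.net."

	# Unbound ships a built-in NXDOMAIN zone for RFC 1918 reverse space;
	# nodefault switches it off so the forward-zone below is consulted.
	local-zone: "168.192.in-addr.arpa." nodefault

# Local zones: forwarded to NSD, answers never stored in the message cache.
forward-zone:
	name: "example.net."
	forward-addr: 127.0.0.1@8053
	forward-no-cache: yes

forward-zone:
	name: "168.192.in-addr.arpa."
	forward-addr: 127.0.0.1@8053
	forward-no-cache: yes

# Everything else: forwarded to dnscrypt-proxy, validated with the root trust
# anchor, and cached with unbound's default cache settings.
forward-zone:
	name: "."
	forward-addr: 127.0.0.1@40
```

To check the result, run `unbound-checkconf` and `unbound-control reload`, then `dig @127.0.0.1 host.example.net` followed by `unbound-control dump_cache | grep example.net` (the local name should not appear), and `dig @127.0.0.1 nlnetlabs.nl +dnssec` (the `ad` flag should be set, showing that answers relayed through dnscrypt-proxy are still validated locally). If the local zone keeps returning SERVFAIL, raise `verbosity` to 3 and look for "validation failure" in the log; that points at a missing `domain-insecure`, whereas an empty answer section with `log-queries: yes` showing the query points at a missing `private-domain`.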