Maintained by: NLnet Labs

unbound forwarding local and dnssec proxy

Ralph Dolmans
Fri Nov 17 11:09:42 CET 2017


Hi,

On 13-11-17 06:02, A. Cutright via Unbound-users wrote:
> I am uncertain as to how to configure unbound to do the following:
>     - forward local domains to a local authoritative server and not cache.

Can you elaborate on the issue you are facing? You might want to change
the forward-zone and forward-addr to stub-zone and stub-addr, since you
are sending the queries to an authoritative nameserver.

There is no need to have these two transparent local-zones, there is no
local-data for them.

>     - forward all other non-local requests to a dnssec proxy and cache
> the results.

Configuration looks fine. Try querying the proxy directly if you are
facing problems, to be sure that part is working.

-- Ralph

> 
> I am having difficulty getting this to work the way I understand the
> configuration options.
> 
> Setup:
> OpenBSD 6.2
> unbound 1.6.6
> nsd 4.1.10
> dnscrypt-proxy 1.9.5
> 
> unbound.conf
> # $OpenBSD: unbound.conf,v 1.7 2016/03/30 01:41:25 sthen Exp $
> 
> server:
>     interface: 127.0.0.1
>     interface: 192.168.5.20
>     do-ip6: no
> 
>     access-control: 0.0.0.0/0 refuse
>     access-control: 127.0.0.0/8 allow
>     access-control: ::0/0 refuse
>     access-control: 192.168.5.0/24 allow
> 
>     hide-identity: yes
>     hide-version: yes
> 
>     verbosity: 2
>     log-queries: yes
> 
>     auto-trust-anchor-file: "/var/unbound/db/root.key"
> 
>     do-not-query-localhost: no
> 
>     # private networks:
>     private-address: 10.0.0.0/8
>     private-address: 100.64.0.0/10
>     private-address: 172.16.0.0/12
>     private-address: 192.0.0.0/29
>     private-address: 192.168.0.0/16
>     private-address: 198.18.0.0/15
>     # example source code & documentation:
>     private-address: 192.0.2.0/24
>     private-address: 198.51.100.0/24
>     private-address: 203.0.113.0/24
>     # subnet, autoconfiguration between two hosts on a single link:
>     private-address: 169.254.0.0/16
>     # reserved for multicast assignments:
>     private-address: 224.0.0.0/4
>     # reserved for future use:
>     private-address: 240.0.0.0/4
> 
> 
>     local-zone: "example.net" transparent
>     local-zone: "168.192.in-addr.arpa." transparent
> 
>     local-zone: "localhost." static
>     local-data: "localhost. 10800 IN NS localhost."
>     local-data: "localhost. 10800 IN SOA localhost. nobody.invalid. 1 3600 1200 604800 10800"
>     local-data: "localhost. 10800 IN A 127.0.0.1"
>     local-zone: "127.in-addr.arpa." static
>     local-data: "127.in-addr.arpa. 10800 IN NS localhost."
>     local-data: "127.in-addr.arpa. 10800 IN SOA localhost. nobody.invalid. 2 3600 1200 604800 10800"
>     local-data: "1.0.0.127.in-addr.arpa. 10800 IN PTR localhost."
> 
> remote-control:
>     control-enable: yes
>     control-use-cert: no
>     control-interface: /var/run/unbound.sock
> 
> # Local domains
> # Forwarded to NSD authoritative server
> forward-zone:
>     name: "example.net."
>     forward-addr: 127.0.0.1@8053
> forward-zone:
>     name: "168.192.in-addr.arpa."
>     forward-addr: 127.0.0.1@8053
> 
> # dnscrypt proxy
> #forward-zone:
> #    name: "."
> #    forward-addr: 127.0.0.1@40
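The posted unbound.conf rewritten the way Ralph suggests, as an added example (not from the thread and not NLnet Labs' own documentation): the two forward-zones for the NSD server become stub-zones, the empty transparent local-zones are dropped, and the catch-all forward to dnscrypt-proxy is enabled. It assumes nsd listens on 127.0.0.1 port 8053 (as in the post) and that dnscrypt-proxy listens on 127.0.0.1 port 40 (the port in the commented-out block of the posted config). Two settings are added that the thread does not mention but that this combination of options needs: because auto-trust-anchor-file turns validation on, the unsigned local zones are declared domain-insecure, and because private-address lists 192.168.0.0/16, example.net is declared a private-domain so its RFC1918 answers are not stripped. On the "not cache" part of the question: unbound caches stub-zone answers for their TTL like any other answer, so short TTLs in the NSD zone are the lever for freshness.

```conf
# Added example (not the poster's or NLnet Labs' config), see the lead-in above.
# Assumptions: nsd on 127.0.0.1 port 8053, dnscrypt-proxy on 127.0.0.1 port 40.
server:
    interface: 127.0.0.1
    interface: 192.168.5.20
    do-ip6: no

    access-control: 0.0.0.0/0 refuse
    access-control: 127.0.0.0/8 allow
    access-control: ::0/0 refuse
    access-control: 192.168.5.0/24 allow

    hide-identity: yes
    hide-version: yes

    # DNSSEC validation for everything that goes out through the proxy.
    auto-trust-anchor-file: "/var/unbound/db/root.key"

    # Both upstreams live on loopback, so unbound must be allowed to query it.
    do-not-query-localhost: no

    # Rebinding protection: keep the full private-address list from the posted
    # config; only the entry that matters for the local zone is shown here.
    private-address: 192.168.0.0/16

    # example.net legitimately resolves to 192.168.x.x hosts. Only local-data
    # is exempt from the private-address filter by default; answers from nsd
    # would have those A records removed without this line.
    private-domain: "example.net"

    # nsd serves these zones unsigned while validation is on. If the name also
    # exists as a signed zone on the public internet (the real example.net
    # does), unbound would expect signatures and mark the answers bogus.
    domain-insecure: "example.net"
    domain-insecure: "168.192.in-addr.arpa"

    # The two transparent local-zones from the post are gone: they carried no
    # local-data, and the stub-zones below handle those names.

    local-zone: "localhost." static
    local-data: "localhost. 10800 IN NS localhost."
    local-data: "localhost. 10800 IN SOA localhost. nobody.invalid. 1 3600 1200 604800 10800"
    local-data: "localhost. 10800 IN A 127.0.0.1"
    local-zone: "127.in-addr.arpa." static
    local-data: "127.in-addr.arpa. 10800 IN NS localhost."
    local-data: "127.in-addr.arpa. 10800 IN SOA localhost. nobody.invalid. 2 3600 1200 604800 10800"
    local-data: "1.0.0.127.in-addr.arpa. 10800 IN PTR localhost."

remote-control:
    control-enable: yes
    control-use-cert: no
    control-interface: /var/run/unbound.sock

# Local domains: nsd is authoritative, so these are stub-zones. unbound sends
# it non-recursive queries and takes its authoritative answers; a stub-zone
# takes precedence over the catch-all forward-zone below for names under it.
stub-zone:
    name: "example.net."
    stub-addr: 127.0.0.1@8053
stub-zone:
    name: "168.192.in-addr.arpa."
    stub-addr: 127.0.0.1@8053

# Everything else goes to dnscrypt-proxy with recursion desired; the validated
# answers are cached as usual.
forward-zone:
    name: "."
    forward-addr: 127.0.0.1@40
```

To check it on OpenBSD: `unbound-checkconf /var/unbound/etc/unbound.conf` first, then, as Ralph advises, query each upstream directly before going through unbound: `dig @127.0.0.1 -p 8053 example.net SOA` should answer with the AA flag set from nsd, and `dig @127.0.0.1 -p 40 nlnetlabs.nl +dnssec` should return RRSIGs from the proxy. Through unbound, `unbound-host -C /var/unbound/etc/unbound.conf -v www.example.net` should print the 192.168 address marked "(insecure)", while a public signed name is reported "(secure)"; a "(BOGUS" result on the local name means the domain-insecure lines are missing, and an empty answer means the private-domain line is.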