Maintained by: NLnet Labs

Configuration for local server

ludovic.macros at free.fr
Sun Sep 24 20:20:34 CEST 2017


Hi! 

Sorry if this has already been asked.

My question is about the configuration of "unbound.conf" for a local server with a registered domain name. 

I am new to unbound. At home, I have an Ubiquiti EdgeRouter where I configured unbound from the Debian repositories ("unbound.conf" at the end of the post).

It seems to work, and I ran some tests successfully.

However, even after reading the man page carefully, I do not understand how to configure a server on my LAN which has a registered domain name.

I read about:
- private-domain and/or private-address;
- local-zone and/or local-data;
- stub-zone;
- forward-zone;
- etc.

My server has a local IP address of 192.168.10.100 (example), and my LAN is 192.168.10.0/24.
The domain name of my server is secured by HTTP over TLS (HTTPS).

I think I have to use local-zone and local-data, but I am not sure. It will probably alert me that my HTTPS redirects to a wrong address (local private address), and I also have domains like:
- first.example.com;
- second.example.com;
- third.example.com.
Assuming my domain name is example.com and all of them redirect to the same server (same IP address).

How can I configure it on "unbound.conf"? 

Thanks. 

Ludo 

unbound.conf
server:
    # The following line will configure unbound to perform cryptographic
    # DNSSEC validation using the root trust anchor.
    auto-trust-anchor-file: "/var/lib/unbound/root.key"
    # verbosity: 3
    # logfile: "/var/log/unbound.log"
    interface: 0.0.0.0
    port: 53
    do-ip4: yes
    do-ip6: no
    do-udp: yes
    do-tcp: yes
    access-control: 127.0.0.0/8 allow
    access-control: 192.168.10.0/24 allow
    access-control: 192.168.20.0/24 allow
    access-control: 0.0.0.0/0 refuse
    root-hints: "/var/lib/unbound/root.hints"
    hide-identity: yes
    hide-version: yes
    harden-glue: yes
    harden-dnssec-stripped: yes
    use-caps-for-id: yes
    cache-min-ttl: 3600
    cache-max-ttl: 86400
    prefetch: yes
    num-threads: 2
    msg-cache-slabs: 4
    rrset-cache-slabs: 4
    infra-cache-slabs: 4
    key-cache-slabs: 4
    rrset-cache-size: 48m
    msg-cache-size: 24m
    so-rcvbuf: 1m
    private-address: 192.168.10.0/24
    private-address: 192.168.20.0/24
    unwanted-reply-threshold: 10000
    do-not-query-localhost: no
    val-clean-additional: yes
    local-zone: "doubleclick.net" redirect
    local-data: "doubleclick.net A 127.0.0.1"
    local-zone: "googlesyndication.com" redirect
    local-data: "googlesyndication.com A 127.0.0.1"
    local-zone: "googleadservices.com" redirect
    local-data: "googleadservices.com A 127.0.0.1"
    local-zone: "google-analytics.com" redirect
    local-data: "google-analytics.com A 127.0.0.1"
    local-zone: "ads.youtube.com" redirect
    local-data: "ads.youtube.com A 127.0.0.1"
    local-zone: "adserver.yahoo.com" redirect
    local-data: "adserver.yahoo.com A 127.0.0.1"
    local-zone: "ask.com" redirect
    local-data: "ask.com A 127.0.0.1"
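
Added example (not part of the original post and not the Unbound project's own configuration): one way to answer the LAN names from Unbound itself, using the poster's placeholder values example.com and 192.168.10.100. The choice between the two options and the commented-out private-domain line are assumptions about what the poster needs.

```conf
server:
    # Option A: one rule for the whole domain.
    # A "redirect" zone answers example.com and every name below it
    # (first, second, third, ...) from the data given for the zone
    # name itself. Record types with no local-data here (MX, TXT, ...)
    # get an empty answer for LAN clients instead of the public records.
    local-zone: "example.com." redirect
    local-data: "example.com. A 192.168.10.100"

    # Option B (use instead of A): override selected names only.
    # In a "transparent" zone, names that have local-data are answered
    # locally; every other name under example.com is resolved on the
    # internet as usual, so public MX/TXT records stay visible.
    # local-zone: "example.com." transparent
    # local-data: "example.com. A 192.168.10.100"
    # local-data: "first.example.com. A 192.168.10.100"
    # local-data: "second.example.com. A 192.168.10.100"
    # local-data: "third.example.com. A 192.168.10.100"

    # Only relevant when the 192.168.10.x records arrive from another
    # DNS server (stub-zone or forward-zone) rather than from local-data:
    # private-domain exempts that domain from the private-address
    # filter already present in the posted configuration.
    # private-domain: "example.com."
```

Browsers check the TLS certificate against the hostname, not the IP address, so the same certificate served from 192.168.10.100 validates for LAN clients exactly as it does from the public address. Run unbound-checkconf on the edited file before restarting the daemon.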
