Maintained by: NLnet Labs

Configuration for local server

Ludo
Mon Sep 25 17:57:31 CEST 2017


Hi Ernie, 

Thanks for your answer, but it is not my problem here.

My question is about the unbound configuration to access a server on the same LAN. 


Example: 

- router with unbound configured as DNS: 192.168.10.1 

- web server on another system: 192.168.10.100 
It has a registered domain name "example.com" and sub-domains "first.example.com", "second.example.com", etc.
Each pointing to a different path of the same web server, so with the same IP address.
The web server is reachable from the Internet with the public IP address of my router (WAN), with ports forwarded to my web server.
The domain name "example.com" and sub-domains point to my router's public IP address.

- computer: 192.168.10.2 

Reachable: 
- web server from Internet (with either the domain name or the public IP address from the router); 
- web server from LAN (only with the LAN IP address of my web server). 

Unreachable: 
- web server from LAN with its domain name.
Normal, without telling unbound it is a local server. 

But I don't understand the documentation for this configuration. What is the proper way to write that in unbound.conf?

Thanks. ;) 

Ludo 

----- Original Message -----

From: "Ernie Luzar" <luzar722 at gmail.com>
To: "ludovic macros" <ludovic.macros at free.fr>
Cc: unbound-users at unbound.net
Sent: Monday 25 September 2017 17:47:08
Subject: Re: Configuration for local server

Ludo via Unbound-users wrote: 

snip 

This is what I use on my FreeBSD system.

# 
# FreeBSD 11.0 & newer, unbound quick start instructions. 
# 
# 1. In the /etc/rc.conf file
# Comment out local_unbound_enable="YES" if it is there,
# and add unbound_enable="YES".
# The FreeBSD OS built-in local_unbound cannot co-exist with the port
# version.
# 
# 2. unbound comes with a built-in "root zone" which negates the need
# for a "forward-zone:" section altogether. This built-in
# "root zone" sends DNS requests to the up-stream public DNS
# servers. Verify that your host firewall doesn't have rules
# restricting port 53 to using only your ISP's DNS IP addresses.
# 
# 3. Delete the contents of the /etc/resolv.conf and add this line 
# nameserver 127.0.0.1 
# Then make it immutable using "chflags -R schg /etc/resolv.conf" 
# This makes it un-writable by anyone, Contents will never change. 
# Use "ls -lo /etc/resolv.conf" to see its flags. 
# Use "chflags -R noschg /etc/resolv.conf" to return to normal. 
# This stops /etc/resolv.conf being refreshed at boot time with DNS
# information from your ISP overriding the nameserver 127.0.0.1
# statement needed to drive host DNS requests to unbound.
# 
# 4. If you have a LAN behind this host and want those LAN devices'
# DNS requests to also go through the host's unbound server,
# change the host's DHCP server config file DNS IP address to the
# LAN IP address assigned to the host network adapter the LAN is on.
# 
# 5. Use the service unbound restart command after making changes to the
# content of your unbound.conf file. Note: Any unbound.conf content
# errors cause the unbound server to not start. This means ALL DNS
# requests go un-serviced; basically your host system and LAN users
# are dead in the water until you fix things.
# The service unbound stop command results in the same thing.
# 
# 6. Take note: The unbound man pages are not FreeBSD specific. 
# Unbound is open source software that runs on many different 
# platforms. Some statements and ideas expressed are incorrect based 
# on the FreeBSD way of doing things. 
# 
# 7. The /usr/local/etc/unbound/unbound.conf.sample file shows all the
# possible options available in the unbound.conf file. The defaults
# are designed to create a running unbound server. In almost all cases
# the following working unbound.conf file contains the default
# overrides necessary for a working unbound server. Copy this content or
# this file to /usr/local/etc/unbound/unbound.conf and you're ready to
# go.

# Start of the working unbound.conf file. 
# Server config section. 

server: 

# chroot: "/usr/local/etc/unbound" 
chroot: "" # disable chroot 

# Specify the interfaces to answer queries from by ip-address. 
# The default is to listen to localhost (127.0.0.1 and ::1) only. 
# Specify 0.0.0.0 and ::0 to bind to all available interfaces. 
interface: ::0 # listen on all ipv6 interfaces 
interface: 0.0.0.0 # listen on all ipv4 interfaces 

# Control which clients are allowed to make (recursive) queries 
# to this server. Specify classless netblocks with /size and action. 
# By default everything is refused, except for localhost. 
# Example 10.0.0.0/8 is the ip address block assigned to the LAN. 
access-control: 10.0.0.0/8 allow 
access-control: 127.0.0.0/8 allow 

# Use this to include another text file content into this file. 
# include: "/path/file-name" 
include: "/usr/local/etc/unbound/void-zones-all"
# This is where the statements go to block un-wanted fqdn 
# local-zone: ads.youtube.com always_nxdomain 

# Remote control config section. 
# Remote control must be enabled before the unbound-control(8) 
# command can be used to send commands to the running unbound server. 
# To enable security, execute the unbound-control-setup command 
# to set up the keys and certificates. 
# This remote-control: section enables remote-control with 
# security disabled. 

remote-control: 
control-enable: yes 
control-interface: /var/run/unbound.ctl 
control-use-cert: no 
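
One way to write the split-horizon override Ludo asks about, as an added example that is not from this thread. It assumes the addresses and names given in the question (router 192.168.10.1 running unbound, web server 192.168.10.100, example.com with its first and second sub-domains) and a LAN of 192.168.10.0/24:

```conf
server:
    # Listen on localhost and on the router's LAN address, and accept
    # queries from the LAN only (addresses taken from the question).
    interface: 127.0.0.1
    interface: 192.168.10.1
    access-control: 127.0.0.0/8 allow
    access-control: 192.168.10.0/24 allow

    # Split-horizon override for the locally hosted web server.
    # typetransparent: a query whose name AND type match a local-data
    # entry is answered from here; anything else (other names under
    # example.com, or MX/TXT/AAAA lookups for these names) is still
    # resolved from the public zone. With plain "transparent", a name
    # that has local-data would instead get an empty NOERROR answer
    # for the record types not listed below.
    local-zone: "example.com." typetransparent
    local-data: "example.com.        IN A 192.168.10.100"
    local-data: "www.example.com.    IN A 192.168.10.100"
    local-data: "first.example.com.  IN A 192.168.10.100"
    local-data: "second.example.com. IN A 192.168.10.100"

    # Reverse entry so PTR lookups from LAN tools get a name back.
    local-data-ptr: "192.168.10.100 example.com"
```

Run unbound-checkconf before service unbound restart, then confirm from a LAN client with dig @192.168.10.1 first.example.com A. If every name under example.com should map to the web server, local-zone: "example.com." redirect with a single local-data line for the apex does that, at the cost of answering every sub-domain and every record type only from that one entry.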



