[Unbound-users] preventing host lookup/reply

Chris Smith fixie at chrissmith.org
Fri Feb 18 20:46:51 UTC 2011


Specifically in this case I want to prevent wpad.<whatever> lookups.

Seems I can refuse to answer the query with:

local-zone: "wpad.<whatever>." refuse

or send effectively invalid information:

local-data: "wpad.<whatever>. A 127.0.0.1" - or via a stub-zone auth
server (nsd) method

The network in question has a mix of corporate-owned and privately
owned systems. The users have full control over their privately owned
systems; however, they must use the local unbound cache for DNS, as only
the server running unbound has egress to port 53. DHCP assigns only
this one DNS server to the internal clients.

Is one more effective than the other? Does a refusal effectively stop
further inquiries from the client? Or would sending it the localhost
address free up the client sooner, longer or more effectively?
Is one possibly more effective against a rogue DNS server on the
network? Or against a rogue system with a hostname of wpad (maybe
advertising itself via NetBIOS - hopefully static WINS entries prevent
this - or some other method)?

Thank you,

Chris
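The two choices from the post, written out as an added unbound.conf server fragment (not from the original message or the Unbound project). The zone name wpad.example.internal is a placeholder for the poster's wpad.<whatever>; clients build the WPAD name from each DNS search suffix they are given, so one such zone is needed per suffix the clients use.

```conf
server:
    # Option A from the post: refuse the query. The client receives an
    # explicit error (rcode REFUSED) instead of an address.
    local-zone: "wpad.example.internal." refuse

    # Option B from the post: answer with an address that is useless for
    # proxy discovery. Declaring the zone "static" makes unbound answer
    # only from the local-data below and return NXDOMAIN for any other
    # name under it; without the local-zone line, local-data on its own
    # lands in an implicitly created transparent zone, so other names
    # under wpad.example.internal. would still be resolved upstream.
    # Uncomment one option or the other, not both.
    #local-zone: "wpad.example.internal." static
    #local-data: "wpad.example.internal. A 127.0.0.1"
```

With either option in place, `unbound-control local_zones` lists the zone and its type, which is a quick way to confirm every search suffix is covered.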
