Maintained by: NLnet Labs

Configuration issue

W.C.A. Wijngaards
Tue Nov 28 14:11:13 CET 2017


Hi Aggelos,

And also add local-zones name transparent for your names for which you
also have the forward-zones.  Those local-zones with the local zone type
transparent make holes in the refuse policy for '.', and unbound uses
the most specific local-zone, so unbound then allows the names that are
transparent, but then denies all the other names.

Best regards, Wouter

On 28/11/17 11:31, Aggelos Kanarelis wrote:
> Hi Wouter
> 
>  
> 
> So just to summarize.
> 
>  
> 
> A local zone with "." refuse
> 
>  
> 
> Then my existing forward zones?
> 
>  
> 
> Thanks
> 
>  
> 
> Aggelos Kanarelis
> 
> Systems Engineer
> 
>  
> 
> *Arts Alliance Media Ltd*
> 
> T:  +44 (0)20 7751 7525 / M: +44 (0)7809427708
> 
> Aggelos.kanarelis at artsalliancemedia.com
> <mailto:Aggelos.kanarelis at artsalliancemedia.com>____
> 
> www.artsalliancemedia.com <http://www.artsalliancemedia.com/>
> 
>  
> 
> Landmark House
> Hammersmith Bridge Road
> London W6 9EJ__
> 
>  
> 
> Follow us on  Twitter <https://twitter.com/ArtsAllianceM/>/ Facebook
> <http://www.facebook.com/pages/Arts-Alliance-Media/115700988468309>/
> LinkedIn <https://www.linkedin.com/company/arts-alliance-media>
> 
>  
> 
> *From:*W.C.A. Wijngaards [mailto:wouter at nlnetlabs.nl]
> *Sent:* 28 November 2017 08:15
> *To:* Aggelos Kanarelis <Aggelos.Kanarelis at artsalliancemedia.com>
> *Subject:* Re: Configuration issue
> 
>  
> 
> Hi Aggelos,
> 
> With that I mean you could have the defaults after the local-zone
> statements that act to filter the inputs. And then unbound performs
> regular recursive DNS server lookups.
> 
> But you could also include the forward-zone: text from config that you
> have already, and configure the lookups to be performed at particular
> upstream servers.
> 
> So I meant the pieces of text starting with forward-zone:
> 
> Best regards, Wouter
> 
> On 27/11/17 17:28, Aggelos Kanarelis wrote:
>> Thanks Wouter
>>
>>  
>>
>> I am a little green so what do you mean by forward clauses? How would I
>> add those?
>>
>>  
>>
>> Thanks
>>
>>  
>>
>> Aggelos Kanarelis
>>
>> Systems Engineer
>>
>>  
>>
>> *Arts Alliance Media Ltd*
>>
>> T:  +44 (0)20 7751 7525 / M: +44 (0)7809427708
>>
>> Aggelos.kanarelis at artsalliancemedia.com
> <mailto:Aggelos.kanarelis at artsalliancemedia.com>
>> <mailto:Aggelos.kanarelis at artsalliancemedia.com>____
>>
>> www.artsalliancemedia.com <http://www.artsalliancemedia.com>
> <http://www.artsalliancemedia.com/>
>>
>>  
>>
>> Landmark House
>> Hammersmith Bridge Road
>> London W6 9EJ__
>>
>>  
>>
>> Follow us on  Twitter <https://twitter.com/ArtsAllianceM/>/ Facebook
>> <http://www.facebook.com/pages/Arts-Alliance-Media/115700988468309>/
>> LinkedIn <https://www.linkedin.com/company/arts-alliance-media>
>>
>>  
>>
>> *From:*Unbound-users [mailto:unbound-users-bounces at unbound.net] *On
>> Behalf Of *W.C.A. Wijngaards via Unbound-users
>> *Sent:* 27 November 2017 16:09
>> *To:* unbound-users at unbound.net <mailto:unbound-users at unbound.net>
>> *Subject:* Re: Configuration issue
>>
>>  
>>
>> Hi,
>>
>> The order does not matter for local-zone, local-data, forward and stub
>> clauses. Unbound picks the closest one. First the local-zone and
>> local-data statements are processed. Then the cache of forward and stub
>> data. Then the lookup vi forward and stub data.
>>
>> You could create a local-zone: "." refuse and local-zone: "example.com
> <http://example.com>
>> <http://example.com>"
>> transparent for all of the names you want resolved. If you want those
>> names forwarded somewhere, you can then also include forward clauses for
>> those names. The other names are rejected.
>>
>> Best regards, Wouter
>>
>> On 27/11/17 15:09, Sonic via Unbound-users wrote:
>>> Maybe post the unbound.conf file (no comment lines please).
>>>
>>
> 


-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 833 bytes
Desc: OpenPGP digital signature
URL: <https://unbound.nlnetlabs.nl/pipermail/unbound-users/attachments/20171128/161d7fae/attachment.sig>