<html>
<head>
<meta content="text/html; charset=ISO-8859-1"
http-equiv="Content-Type">
</head>
<body text="#000000" bgcolor="#FFFFFF">
<div class="moz-cite-prefix"><br>
Thank you Willem, unbound-host was extremely useful in tracking
down this problem.<br>
<br>
My first test with it came up with the correct answer with no
problem.<br>
unbound-host -d ns2.editnew.net<br>
<br>
I then figured out that I could use the same configuration as the
daemon<br>
unbound-host -C unbound.conf -d ns2.editnew.net<br>
<br>
and it failed. So something in the config file.<br>
Comment and retry until success.<br>
That is when I discovered my giant brain fart.<br>
<br>
When I set the DNS server up I grabbed a full-featured config from
somewhere.<br>
<br>
I'm not sure where I got it, but you can see it here:<br>
<a class="moz-txt-link-freetext" href="https://www.nlnetlabs.nl/bugs-script/attachment.cgi?id=143">https://www.nlnetlabs.nl/bugs-script/attachment.cgi?id=143</a><br>
<br>
It includes the lines:<br>
# Enforce privacy of these addresses. Strips them away from
answers. <br>
# It may cause DNSSEC validation to additionally mark it as
bogus. <br>
# Protects against 'DNS Rebinding' (uses browser as network
proxy). <br>
# Only 'private-domain' and 'local-data' names are allowed to
have <br>
# these private addresses. No default.<br>
# private-address: 10.0.0.0/8<br>
# private-address: 172.16.0.0/12<br>
# private-address: 192.168.0.0/16<br>
# private-address: 192.254.0.0/16<br>
# private-address: fd00::/8<br>
# private-address: fe80::/10<br>
<br>
and I uncommented them all. Except that<br>
<b> # private-address: 192.254.0.0/16</b><br>
is not a private address space, and is in fact part of the
address space used by ns2.editnew.net<br>
<br>
So using private-address is an effective way to black hole an IP
address range.<br>
<br>
Thanks for all the help.<br>
<br>
MM<br>
<br>
</div>
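<div>Added example, not part of the original message or of Unbound: a
small Python check for the mistake described above. It scans a config
for active private-address entries and reports any that fall outside
the special-use ranges (RFC 1918, link-local, ULA, loopback). The
sample config is constructed from the lines quoted in the message, and
the function names are hypothetical.<br>
</div>
<pre>
```python
import ipaddress

# Special-use ranges that should never appear in answers for public names:
# RFC 1918, IPv4 link-local, loopback, IPv6 ULA, IPv6 link-local.
NON_PUBLIC = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
    "169.254.0.0/16", "127.0.0.0/8", "fc00::/7", "fe80::/10", "::1/128",
)]

def active_private_addresses(conf_text):
    """Yield (line_no, network) for each uncommented private-address line."""
    for line_no, raw in enumerate(conf_text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()      # drop comments
        key, sep, value = line.partition(":")    # split at the first colon only
        if sep and key.strip() == "private-address":
            # strict=False tolerates entries written with host bits set
            yield line_no, ipaddress.ip_network(value.strip().strip('"'), strict=False)

def routable_entries(conf_text):
    """Return [(line_no, cidr)] for entries not inside any special-use range."""
    flagged = []
    for line_no, net in active_private_addresses(conf_text):
        covered = any(net.version == r.version and net.subnet_of(r)
                      for r in NON_PUBLIC)
        if not covered:
            flagged.append((line_no, str(net)))
    return flagged

# Constructed sample: the lines quoted in the message, uncommented.
SAMPLE_CONF = """\
server:
    # Enforce privacy of these addresses.
    private-address: 10.0.0.0/8
    private-address: 172.16.0.0/12
    private-address: 192.168.0.0/16
    private-address: 192.254.0.0/16
    private-address: fd00::/8
    private-address: fe80::/10
"""

if __name__ == "__main__":
    for line_no, net in routable_entries(SAMPLE_CONF):
        print(f"line {line_no}: {net} is not special-use space; "
              "answers containing it will be stripped")
```
</pre>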
</body>
</html>