<div dir="ltr">thanks to all of you for the detailed answers and examples. I agree sending a refuse is a better option and as a matter of fact it may have also yielded the answer to something else entirely that I was using a python script for (I mentioned this in another thread on caching). From the docs it says<div><br></div><div>refuse<div> Send an error message reply, with rcode REFUSED. If there is</div><div> a match from local data, the query is answered.</div></div><div><br></div><div>So if I get that correctly I could have</div><div><br></div><div>local-zone: <a href="http://example.com">example.com</a> refuse</div><div>local-data: <a href="http://ok.example.com">ok.example.com</a> A x.x.x.x</div><div><br></div><div>and all queries to all subdomains of <a href="http://example.com">example.com</a> will be rejected except for <a href="http://ok.example.com">ok.example.com</a>. Is that correct?</div><div><br></div><div>In which case, I have a diff question: is it possible to set it up so that instead of setting an ip for the A the query is passed to the iterator? in other words create a sort of whitelist, deny everything except these subdomains?</div><div><br></div><div>thanks,</div><div><br></div><div>Spike</div></div><br><div class="gmail_quote"><div dir="ltr">On Mon, Nov 28, 2016 at 8:46 AM Simon Deziel via Unbound-users <<a href="mailto:unbound-users@unbound.net">unbound-users@unbound.net</a>> wrote:<br></div><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">On 2016-11-27 01:08 PM, Spike via Unbound-users wrote:<br class="gmail_msg">
> We've been using one of those ads blocklists that is basically a long<br class="gmail_msg">
> text file of local-data statements sending everything to 127.0.0.1.<br class="gmail_msg">
<br class="gmail_msg">
Memory-wise, I found that just using local-data with the implied<br class="gmail_msg">
transparent local-zone was best. With a ~12k hosts list:<br class="gmail_msg">
<br class="gmail_msg">
# local-data: "<a href="http://ads.com" rel="noreferrer" class="gmail_msg" target="_blank">ads.com</a> A 127.0.0.1"<br class="gmail_msg">
$ ps aux| grep unbound<br class="gmail_msg">
unbound 32557 1.5 0.2 58316 15964 ? Ss 11:27 0:00 /usr/sbin/unbound -d<br class="gmail_msg">
<br class="gmail_msg">
# local-zone: "<a href="http://ads.com" rel="noreferrer" class="gmail_msg" target="_blank">ads.com</a>" static<br class="gmail_msg">
$ ps aux| grep unbound<br class="gmail_msg">
unbound 32139 0.5 0.7 152840 63352 ? Ss 11:21 0:00 /usr/sbin/unbound -d<br class="gmail_msg">
<br class="gmail_msg">
# local-zone: "<a href="http://ads.com" rel="noreferrer" class="gmail_msg" target="_blank">ads.com</a>" refuse<br class="gmail_msg">
$ ps aux| grep unbound<br class="gmail_msg">
unbound 32247 2.3 0.7 152840 63432 ? Ss 11:22 0:00 /usr/sbin/unbound -d<br class="gmail_msg">
<br class="gmail_msg">
<br class="gmail_msg">
Setting a local-data with only the A record will return an empty AAAA.<br class="gmail_msg">
<br class="gmail_msg">
HTH,<br class="gmail_msg">
Simon<br class="gmail_msg">
</blockquote></div>