<html><head><style type='text/css'>p { margin: 0; }</style></head><body><div style='font-family: arial,helvetica,sans-serif; font-size: 12pt; color: #000000'>Hi!<br><br>Sorry if it has already been asked.<br><br>My question is about the configuration of "unbound.conf" for a local server with a registered domain name.<br><br>I
am new to unbound. At home, I have a Ubiquiti EdgeRouter where I
configured unbound from Debian repositories ("unbound.conf" at the end
of the post).<br><br>It seems to work, and I ran some tests with success.<br><br>However,
even after carefully reading the man page, I do not understand how to
configure a server on my LAN which has a registered domain name.<br><br>I read about:<br>- private-domain and/or private-address;
<br>- local-zone and/or local-data;
<br>- stub-zone;
<br>- forward-zone;
<br>- etc.<br><br>My server has a local IP address such as 192.168.10.100 (example), and my LAN is 192.168.10.0/24.<br>The domain name of my server is secured by HTTP over TLS (HTTPS).<br><br>I
think I have to use local-zone and local-data, but I am not sure. It
will probably alert me that my HTTPS redirects to a wrong address (local
private address), and I also have domains like:<br>- first.example.com;<br>- second.example.com;<br>- third.example.com.<br>Assuming my domain name is example.com and all of them redirect to the same server (same IP address).<br><br>How can I configure it in "unbound.conf"?<br><br>Thanks.<br><br>Ludo<br><br><b>unbound.conf</b><br>server:<br> # The following line will configure unbound to perform cryptographic<br> # DNSSEC validation using the root trust anchor.<br> auto-trust-anchor-file: "/var/lib/unbound/root.key"<br> # verbosity: 3<br> # logfile: "/var/log/unbound.log"<br> interface: 0.0.0.0<br> port: 53<br> do-ip4: yes<br> do-ip6: no<br> do-udp: yes<br> do-tcp: yes<br> access-control: 127.0.0.0/8 allow<br> access-control: 192.168.10.0/24 allow<br> access-control: 192.168.20.0/24 allow<br> access-control: 0.0.0.0/0 refuse<br> root-hints: "/var/lib/unbound/root.hints"<br> hide-identity: yes<br> hide-version: yes<br> harden-glue: yes<br> harden-dnssec-stripped: yes<br> use-caps-for-id: yes<br> cache-min-ttl: 3600<br> cache-max-ttl: 86400<br> prefetch: yes<br> num-threads: 2<br> msg-cache-slabs: 4<br> rrset-cache-slabs: 4<br> infra-cache-slabs: 4<br> key-cache-slabs: 4<br> rrset-cache-size: 48m<br> msg-cache-size: 24m<br> so-rcvbuf: 1m<br> private-address: 192.168.10.0/24<br> private-address: 192.168.20.0/24<br> unwanted-reply-threshold: 10000<br> do-not-query-localhost: no<br> val-clean-additional: yes<br> local-zone: "doubleclick.net" redirect<br> local-data: "doubleclick.net A 127.0.0.1"<br> local-zone: "googlesyndication.com" redirect<br> local-data: "googlesyndication.com A 127.0.0.1"<br> local-zone: "googleadservices.com" redirect<br> local-data: "googleadservices.com A 127.0.0.1"<br> local-zone: "google-analytics.com" redirect<br> local-data: "google-analytics.com A 127.0.0.1"<br> local-zone: "ads.youtube.com" redirect<br> local-data: "ads.youtube.com A 127.0.0.1"<br> local-zone: "adserver.yahoo.com" redirect<br> local-data: "adserver.yahoo.com A 127.0.0.1"<br> 
local-zone: "ask.com" redirect<br> local-data: "ask.com A 127.0.0.1"<br><br></div></body></html>