<html><head><style type='text/css'>p { margin: 0; }</style></head><body><div style='font-family: arial,helvetica,sans-serif; font-size: 12pt; color: #000000'>Hi Ernie,<br><br>Thanks for your answer, but it is not my problem here.<br><br>My question is about the unbound configuration to access a server on the same LAN.<br><br><br>Example:<br><br>- router with unbound configured as DNS: 192.168.10.1<br><br>- web server on another system: 192.168.10.100<br>It has a registered domain name "example.com" and sub-domains "first.example.com", "second.example.com", etc.<br>Each points to a different path on the same web server, so with the same IP address.<br>The web server is reachable from the Internet with the public IP address of my router (WAN), with ports forwarded to my web server.<br>The domain name "example.com" and its sub-domains point to my router's public IP address.<br><br>- computer: 192.168.10.2<br><br>Reachable:<br>- web server from the Internet (with either the domain name or the public IP address of the router);<br>- web server from the LAN (only with the LAN IP address of my web server).<br><br>Unreachable:<br>- web server from the LAN with its domain name.<br>Normal, without telling unbound it is a local server.<br><br>But I don't understand the documentation for this configuration. What is the proper way to write that in unbound.conf?<br><br>Thanks. ;)<br><br>Ludo<br><br><hr id="zwchr"><div style="color:#000;font-weight:normal;font-style:normal;text-decoration:none;font-family:Helvetica,Arial,sans-serif;font-size:12pt;"><b>From: </b>"Ernie Luzar" <luzar722@gmail.com><br><b>To: </b>"ludovic macros" <ludovic.macros@free.fr><br><b>Cc: </b>unbound-users@unbound.net<br><b>Sent: </b>Monday 25 September 2017 17:47:08<br><b>Subject: </b>Re: Configuration for local server<br><br>Ludo via Unbound-users wrote:<br><br>snip<br><br>This is what I use on my FreeBSD system.<br><br>#<br># FreeBSD 11.0 & newer, unbound quick start instructions.<br>#<br># 1. 
In the /etc/rc.conf file<br># Comment out this if it's there: local_unbound_enable="YES"<br># add unbound_enable="YES"<br># The FreeBSD OS built-in local_unbound can not co-exist with the port<br># version.<br>#<br># 2. unbound comes with a built-in "root zone" which negates the need<br># for a "forward-zone: section" altogether. This built-in<br># "root zone" sends DNS requests to the up-stream public DNS<br># servers. Verify that your host firewall doesn't have rules<br># restricting port 53 to using only your ISP's DNS IP addresses.<br>#<br># 3. Delete the contents of /etc/resolv.conf and add this line<br># nameserver 127.0.0.1<br># Then make it immutable using "chflags -R schg /etc/resolv.conf"<br># This makes it un-writable by anyone; contents will never change.<br># Use "ls -lo /etc/resolv.conf" to see its flags.<br># Use "chflags -R noschg /etc/resolv.conf" to return to normal.<br># This stops /etc/resolv.conf being refreshed at boot time with DNS<br># information from your ISP overriding the nameserver 127.0.0.1<br># statement needed to drive host DNS requests to unbound.<br>#<br># 4. If you have a LAN behind this host and want those LAN devices'<br># DNS requests to also go through the host's unbound server,<br># change the host's DHCP server config file DNS IP address to the<br># LAN IP address assigned to the host network adapter the LAN is on.<br>#<br># 5. Use the service unbound restart command after making changes to the<br># content of your unbound.conf file. Note: Any unbound.conf content<br># errors cause the unbound server to not start. This means ALL DNS<br># requests go un-serviced; basically your host system and LAN users<br># are dead in the water until you fix things.<br># The service unbound stop command results in the same thing.<br>#<br># 6. Take note: The unbound man pages are not FreeBSD specific.<br># Unbound is open source software that runs on many different<br># platforms. 
Some statements and ideas expressed are incorrect based<br># on the FreeBSD way of doing things.<br>#<br># 7. The /usr/local/etc/unbound/unbound.conf.sample file shows all the<br># possible options available in the unbound.conf file. The defaults<br># are designed to create a running unbound server. In most all cases<br># the following working unbound.conf file contains the default<br># overrides necessary for a working unbound server. Copy this content or<br># this file to /usr/local/etc/unbound/unbound.conf and you're ready to<br># go.<br><br># Start of the working unbound.conf file.<br># Server config section.<br><br>server:<br><br># chroot: "/usr/local/etc/unbound"<br> chroot: "" # disable chroot<br><br># Specify the interfaces to answer queries from by ip-address.<br># The default is to listen to localhost (127.0.0.1 and ::1) only.<br># Specify 0.0.0.0 and ::0 to bind to all available interfaces.<br> interface: ::0 # listen on all ipv6 interfaces<br> interface: 0.0.0.0 # listen on all ipv4 interfaces<br><br># Control which clients are allowed to make (recursive) queries<br># to this server. 
Specify classless netblocks with /size and action.<br># By default everything is refused, except for localhost.<br># Example: 10.0.0.0/8 is the IP address block assigned to the LAN.<br> access-control: 10.0.0.0/8 allow<br> access-control: 127.0.0.0/8 allow<br><br># Use this to include another text file's content into this file.<br># include: "/path/file-name"<br> include: /usr/local/etc/unbound/void-zones-all<br># This is where the statements go to block unwanted FQDNs<br># local-zone: ads.youtube.com always_nxdomain<br><br># Remote control config section.<br># Remote control must be enabled before the unbound-control(8)<br># command can be used to send commands to the running unbound server.<br># To enable security, execute the unbound-control-setup command<br># to set up the keys and certificates.<br># This remote-control: section enables remote-control with<br># security disabled.<br><br>remote-control:<br> control-enable: yes<br> control-interface: /var/run/unbound.ctl<br> control-use-cert: no<br><br></div><br></div></body></html>
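As an added example (not from either message in this thread), a POSIX sh helper that emits the unbound "server:" stanza answering the question above: a transparent local-zone with local-data for example.com and its sub-domains pointing at the web server's LAN address, to be pulled in with an "include:" the same way the quoted unbound.conf includes void-zones-all. The domain, sub-domain names and addresses come from the question; the function name and the override file path are assumptions.

```sh
#!/bin/sh
# Added example: emit a split-horizon override for unbound so that LAN
# clients get the web server's LAN address while the public zone is untouched.
# Usage: lan_zone DOMAIN LAN_IP [SUBDOMAIN...]   (function name is an assumption)
lan_zone() {
    domain=$1
    ip=$2
    shift 2
    printf 'server:\n'
    # transparent: names listed in local-data below are answered from here;
    # any other name under the zone is still resolved upstream as usual.
    # (static would return NXDOMAIN for unlisted names; redirect would answer
    # every name under the zone with the zone's own data, no per-host lines.)
    printf '    local-zone: "%s." transparent\n' "$domain"
    printf '    local-data: "%s. IN A %s"\n' "$domain" "$ip"
    for sub in "$@"; do
        printf '    local-data: "%s.%s. IN A %s"\n' "$sub" "$domain" "$ip"
    done
}

# Values from the question: router/unbound 192.168.10.1, web server
# 192.168.10.100, LAN clients in 192.168.10.0/24.
# Note that the quoted unbound.conf only allows 10.0.0.0/8 in access-control;
# a 192.168.10.0/24 LAN needs its own "access-control: 192.168.10.0/24 allow".
lan_zone example.com 192.168.10.100 first second

# Install and verify (the override file path is an assumption):
#   lan_zone example.com 192.168.10.100 first second \
#       > /usr/local/etc/unbound/lan-override.conf
#   add  include: "/usr/local/etc/unbound/lan-override.conf"  to unbound.conf
#   unbound-checkconf            # a broken config leaves unbound stopped
#   service unbound restart
#   drill first.example.com @192.168.10.1   # from 192.168.10.2: expect .100
```

Clients outside the LAN never see this data, so "example.com" keeps resolving to the router's public address for them while 192.168.10.2 gets 192.168.10.100.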