[Unbound-users] Is It Correct Unbound Config as Validating DNS Server/Resolver ?
bry8star at inventati.org
Fri May 24 00:32:19 UTC 2013
THANK YOU. :)
Config is updated, and Unbound service is restarted.
IF/WHEN YOU ARE REPLYING, PLEASE MAKE SURE TO
PLACE ONLY ONE/BELOW EMAIL ADDRESS IN THE
unbound-users at unbound.net
Please do not send any email directly to me, Thanks.
-- Bright Star.
Received from staticsafe, on 2013-05-23 4:27 PM:
> On Thu, May 23, 2013 at 03:21:13PM -0700, Bright Star wrote:
>> Hello, Unbound Mailing List users & experts,
>> Please check this below configuration, and let me know, IF this is
>> fit and CORRECTLY CONFIGURED to work as a complete Validating
>> DNS-Server / DNS-Resolver / DNS-Client for a Windows (7) OS based
>> computer (which has 2GB RAM, 1 CPU Core), where it is currently
>> installed and will run, and it will also have to serve, as a
>> DNS-Server, for other computers and VMs (with different OSes) in
>> local LAN.
>> (Amount of free RAM memory size is large, so not a factor).
>> Windows DNS Client service is set onto "Manual Startup" mode, so it
>> is not running, and, local network adapter/interface is configured
>> to use 127.0.0.1 as its DNS-Server, in this (Win7) computer.
>> And LAN network adapter/interface of this (Win7) computer is also
>> using fixed/static IP address 192.168.0.10.
>> And other computers in LAN, VMs are configured to use 192.168.0.10
>> as their DNS-Server.
>> Most websites/domains/zones are not yet signed with DNSSEC. I want
>> this DNS-Server, still be able to send DNS query results for such
>> unsigned websites to its users/clients. (DNS query answer will not
>> have "AD" flag).
>> I do NOT want this DNS-Server to completely block (or stop sending)
>> DNS query results for ANY sites/zones which are not yet DNSSEC signed.
>> Firefox will have DNSSEC Validation based addons which will be
>> configured to use this DNS-Server. Firefox addons will display
>> colored icon or message, when a website is visited, and icon will
>> indicate if a website is signed or secured with DNSSEC yet or not.
>> (DNS query answer will have "AD" flag and "NOERROR" status for
>> DNSSEC signed sites/zones).
>> There are other software which we are using, they do not have
>> built-in support for doing any DNSSEC based query and cannot
>> understand DNSSEC based answer, those software still need to be able
>> to function (that is: sending regular DNS query, and receiving
>> regular response via this DNS-Server).
>> So IF CORRECTION is NEEDED to be done on this config, please provide
>> correct + practical + real config line that can be used, please do
>> not give examples, or confusing comments/response. I'm looking for
>> practical configuration that will serve my purpose and work right
>> now. PLEASE describe ACCURATELY for what reason why a specific real
>> config line is better or should be used what you are suggesting, and
>> PLEASE describe what else need to be changed, exactly.
>> Please do not assume, I will do or I'm supposed to do something
>> automatically, so pls describe & explain.
>> WHEN YOU ARE REPLYING, PLEASE MAKE SURE TO
>> PLACE ONLY ONE/BELOW EMAIL ADDRESS IN THE
>> "TO:" FIELD/Text-Box:
>> unbound-users at unbound.net
>> Please do not send any email directly to me, Thanks.
>> PLEASE DO NOT SEND ANY EMAIL DIRECTLY TO ME, THANKS.
>> Thanks (again) in advance,
>> -- Bright Star (Bry8Star).
> Only one thing stood out to me as an obvious error.
> access-control: 192.168.0.10 allow
> As you said, other computers in your LAN are supposed to use this DNS
> The access-control statement should be as follows:
> access-control: 192.168.0.0/24 allow
> Assuming /24 as your LAN subnet mask.
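Added example (not part of the original thread, and not code from the Unbound project): a Python check of which clients each of the two `access-control` lines quoted above would admit, using Unbound's most-specific-netblock matching and its documented default that only localhost is allowed and the rest is refused. The client addresses 192.168.0.25 and 192.168.1.7, the two one-line configs, and all function names are constructed for illustration.

```python
import ipaddress

# Unbound's documented default: only localhost is allowed, the rest is refused.
DEFAULT_RULES = [("0.0.0.0/0", "refuse"), ("127.0.0.0/8", "allow"),
                 ("::/0", "refuse"), ("::1/128", "allow")]

# Constructed configs: each holds one access-control line from the thread.
ORIGINAL = "server:\n    access-control: 192.168.0.10 allow\n"
CORRECTED = "server:\n    access-control: 192.168.0.0/24 allow\n"

# 192.168.0.25 and 192.168.1.7 are constructed sample clients.
CLIENTS = ["127.0.0.1", "192.168.0.10", "192.168.0.25", "192.168.1.7"]


def parse_access_control(conf_text):
    """Return {netblock: action}: the defaults overlaid with the config's rules."""
    rules = {ipaddress.ip_network(net): act for net, act in DEFAULT_RULES}
    for raw in conf_text.splitlines():
        line = raw.split("#", 1)[0].strip()          # drop comments
        if not line.startswith("access-control:"):
            continue
        fields = line.split(":", 1)[1].split()
        if len(fields) != 2:
            raise ValueError(f"malformed access-control line: {raw!r}")
        # A bare address with no /size is a single host (/32 or /128).
        rules[ipaddress.ip_network(fields[0], strict=False)] = fields[1]
    return rules


def action_for(client, rules):
    """Action of the most specific netblock containing client; order is irrelevant."""
    addr = ipaddress.ip_address(client)
    matches = [net for net in rules if addr in net]
    return rules[max(matches, key=lambda net: net.prefixlen)]


def evaluate(conf_text, clients=CLIENTS):
    """Map each client address to the action the config gives it."""
    rules = parse_access_control(conf_text)
    return {client: action_for(client, rules) for client in clients}


if __name__ == "__main__":
    for name, conf in (("original", ORIGINAL), ("corrected", CORRECTED)):
        for client, action in evaluate(conf).items():
            print(f"{name:9} {client:13} {action}")
```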