Stub zone behavior
Mike Brown
mike at skew.org
Wed Dec 21 11:35:00 UTC 2016

The Unbound configuration I was using on FreeBSD 10 last year is not behaving
the same way on FreeBSD 11. Maybe I overlooked something.

My goal is to have a caching resolver that forwards to Comcast or Google's
nameservers for all but a handful of DNSBL zones, namely multi.uribl.com,
dnsbl.sorbs.net, iadb.isipp.com, and zen.spamhaus.org.

This was easy to set up in BIND by just defining the forwarders for those
zones as an empty set, but I was advised here last year that in Unbound, to
get that behavior, I have to set those up as stub zones with hard-coded
authoritative nameservers. So I did that, creating files like
/var/unbound/conf.d/multi.uribl.com.conf, containing:

    stub-zone:
        name: multi.uribl.com
        stub-host: hh.uribl.com.
        stub-host: aa.uribl.com.
        stub-host: bb.uribl.com.
        stub-host: cc.uribl.com.
        stub-host: dd.uribl.com.
        stub-host: ee.uribl.com.
        stub-host: ff.uribl.com.
        stub-host: gg.uribl.com.

/var/unbound/forward.conf looks like this:

    # This file was generated by local-unbound-setup.
    # Modifications will be overwritten.
    forward-zone:
        name: .
        forward-addr: 75.75.75.75
        forward-addr: 75.75.76.76
        forward-addr: 8.8.8.8

After a 'service local_unbound reload' it worked great; in response to
'host -tTXT test.uribl.com.multi.uribl.com' I would get the "permanent
testpoint" response instead of a "Query Refused" message referencing my
ISP's server.

For some reason, this technique is not working on a fresh installation
of FreeBSD 11-STABLE, running the Unbound 1.5.10 that it comes with.
I still keep getting the Query Refused messages. What did I miss?

Thanks,
Mike
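
An offline check for the setup described above, added here as an example and not part of the original post: it follows `include:` lines from a main config, collects the stub-zone and forward-zone clauses that are actually reachable, and reports which clause would handle a query name. The longest-suffix selection is a simplified model and an assumption, and the main `unbound.conf` content is constructed, since the post does not show it.

```python
import fnmatch

ZONE_TYPES = ("stub-zone", "forward-zone")
UPSTREAM_KEYS = ("stub-host", "stub-addr", "forward-host", "forward-addr")

# Constructed sample. forward.conf and the stub file follow the post;
# the main unbound.conf is hypothetical, not taken from the post.
MAIN = "/var/unbound/unbound.conf"
FILES = {
    MAIN: "server:\n  verbosity: 1\n"
          "include: /var/unbound/forward.conf\n"
          "include: /var/unbound/conf.d/*.conf\n",
    "/var/unbound/forward.conf":
        "forward-zone:\n  name: .\n  forward-addr: 75.75.75.75\n"
        "  forward-addr: 75.75.76.76\n  forward-addr: 8.8.8.8\n",
    "/var/unbound/conf.d/multi.uribl.com.conf":
        "stub-zone:\n  name: multi.uribl.com\n"
        "  stub-host: hh.uribl.com.\n  stub-host: aa.uribl.com.\n",
}

def load_zones(path, files, zones=None):
    """Collect zone clauses reachable from `path` via include: lines."""
    zones = [] if zones is None else zones
    clause = None
    for raw in files[path].splitlines():
        key, _, value = raw.split("#", 1)[0].strip().partition(":")
        key, value = key.strip(), value.strip()
        if key == "include":
            for inc in sorted(fnmatch.filter(files, value)):
                load_zones(inc, files, zones)
            clause = None  # simplification: an include ends the current clause
        elif key and not value:  # "clause-name:" opens a new clause
            clause = {"type": key, "name": None, "upstreams": [], "file": path}
            if key in ZONE_TYPES:
                zones.append(clause)
        elif clause and key == "name":
            clause["name"] = [l for l in value.lower().split(".") if l]
        elif clause and key in UPSTREAM_KEYS:
            clause["upstreams"].append(value)
    return zones

def route(qname, zones):
    """Pick the clause with the longest name that is a suffix of qname."""
    labels = [l for l in qname.lower().split(".") if l]
    best = None
    for z in zones:
        n = z["name"]
        if n is not None and labels[len(labels) - len(n):] == n:
            if best is None or len(n) > len(best["name"]):
                best = z
    return best
```

A stub file that no `include:` line reaches never appears in the result of `load_zones`, so its zone falls through to the `.` forwarder in `route`.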