disable forwarding for specific zones
wouter at nlnetlabs.nl
Wed Mar 30 13:06:13 UTC 2016
On 30/03/16 14:59, Hajo Locke via Unbound-users wrote:
> Thanks for your help.
> On 30.03.2016 at 14:02, W.C.A. Wijngaards via
> Unbound-users wrote: Hi Hajo,
> On 30/03/16 13:25, Hajo Locke via Unbound-users wrote:
>>>> Hello List,
>>>> I use unbound 1.4.22 as forwarder to my global dns-cache:
>>>> forward-zone:
>>>>     name: "."
>>>>     forward-addr: ip.ip.ip.ip
>>>> Now I want to exclude some zones from forwarding and do
>>>> name resolution on the same machine. I do not find an option to
>>>> disable forwarding. Is there a possibility for me?
> Unbound uses the closest match for what forward and stub clause to
> use. So you can config more specific forward and stub clauses for
> the zones and send their queries elsewhere.
> With stub-zone you can make unbound ask authority servers.
> # For example;
> stub-zone:
>     name: "nlnetlabs.nl"
>     stub-host: ns-ext1.sidn.nl.
>     stub-host: sec2.authdns.ripe.net.
>     stub-host: anyns.pch.net.
>     stub-addr: 18.104.22.168 # for ns.nlnetlabs.nl
>     stub-addr: 2a04:b900::8:0:0:60 # for ns.nlnetlabs.nl
>> So a wildcard forwarding is only overwritable by specific
>> forwarding? A possibility to stop forwarding for some zones and
>> do lookup on localhost would be nice.
Yes. Do you mean specific, with specific authority servers for a
zone? Or do you mean that a name: "nl" stub-zone and forward-zone
would catch all zones ending in '.nl' (this is the way unbound works
now, all queries ending in that name are forwarded)?
But you can definitely forward some zones and do a lookup on localhost
by entering more specific overrides.
stub-addr: 127.0.0.1@54
And then add entries for all the zones for which you want to query the
other unbound on port 54. (set do-not-query-localhost: no to allow
queries to go to 127.0.0.1).
Best regards, Wouter
> (For the nameservers in the zone itself I used IP addresses, to
> avoid a circular dependency).
> stub-prime: yes will make it fetch the NS set using this list of
> servers and use that NS set for further queries. Note that it
> will use your global forwarder to lookup sec2.authdns.ripe.net. If
> you do not desire such lookups to the global forwarder, give IP
> Best regards, Wouter
>>>> As fallback I could forward to 127.0.0.1:54 and create a new,
>>>> not forwarding unbound on port 54.
>>>> Thanks, Hajo
> Thanks, Hajo
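The closest-match selection described in the reply above, modelled in Python as an added example (not part of the original message and not Unbound's code). The zone names and addresses in `SAMPLE_CONF` are constructed, and a name that appears in both a forward and a stub clause is not modelled.

```python
# Added illustration: a model of the closest-match rule described above,
# not Unbound's code. Zone names and addresses are constructed.
import re

SAMPLE_CONF = """
forward-zone:
    name: "."
    forward-addr: 192.0.2.53
forward-zone:
    name: "nl"
    forward-addr: 192.0.2.54
stub-zone:
    name: "example.nl"
    stub-addr: 127.0.0.1@54   # second, non-forwarding resolver
"""

def labels(name):
    """Split a domain name into lowercase labels; the root "." gives []."""
    return [l for l in name.lower().rstrip(".").split(".") if l]

def parse_clauses(conf):
    """Return [kind, zone_labels, addrs] for each forward-/stub-zone clause."""
    clauses = []
    for raw in conf.splitlines():
        line = raw.split("#", 1)[0].strip()
        head = re.match(r"(forward|stub)-zone:$", line)
        if head:
            clauses.append([head.group(1), None, []])
        elif clauses and line.startswith("name:"):
            clauses[-1][1] = labels(line.split(":", 1)[1].strip().strip('"'))
        elif clauses and re.match(r"(forward|stub)-addr:", line):
            clauses[-1][2].append(line.split(":", 1)[1].strip())
    return [c for c in clauses if c[1] is not None]

def route(qname, conf=SAMPLE_CONF):
    """Return (kind, zone, addrs) of the most specific clause covering qname."""
    q, best = labels(qname), None
    for kind, zone, addrs in parse_clauses(conf):
        # Match on whole labels, so "nl" covers "a.nl" but not "a.fnl".
        covers = len(zone) <= len(q) and q[len(q) - len(zone):] == zone
        if covers and (best is None or len(zone) > len(best[1])):
            best = (kind, zone, addrs)
    if best is None:
        return None  # no forward or stub clause covers this name
    return best[0], ".".join(best[1]) or ".", best[2]
```

Running `route()` over the names you intend to exclude shows which clause would catch each one before the configuration is deployed.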