Is it possible to tell unbound not to use forwarders only for some specific domains?

Gerben Wierda gerben.wierda at rna.nl
Sat Dec 28 19:12:41 UTC 2019



> On 28 Dec 2019, at 18:13, Gerben Wierda via unbound-users <unbound-users at lists.nlnetlabs.nl> wrote:
> 
> I am using unbound and rspamd.
> 
> Unbound is configured as follows (snippet)
> 
> forward-zone: 
>         name: "."
>         # Quad9 phishing/malware site blocking DNS 9.9.9.9
>         forward-addr: 9.9.9.9
>         # Quad9 2nd DNS
>         forward-addr: 149.112.112.112
>         # Fallback if Quad9 is out: Google:
>         # forward-addr: 8.8.4.4
> 
> It seems that rspamd doesn’t like that, because the DNS masters for multi.uribl.com and dwl.dnswl.org apparently do not like getting a DNS query forwarded from public DNS servers. Which produces errors like:
> 
> 2019-12-28 17:47:20 #16267(controller) <gp88ff>; monitored; rspamd_monitored_dns_cb: DNS query blocked on multi.uribl.com (127.0.0.1 returned), possibly due to high volume
> 2019-12-28 17:47:20 #16267(controller) <k7m6sm>; monitored; rspamd_monitored_dns_cb: DNS reply returned 'no error' for dwl.dnswl.org while 'no records with this name' was expected when querying for 'TTE6_6BJCREYADp1do_TGob69-N7R.dwl.dnswl.org'(likely DNS spoofing or BL internal issues)
> 
> which breaks rspamd I think
> 
> So, I think (not sure) that I am supposed not to use a forwarder to a public DNS provider with rspamd. But that would mean I lose the advantage of Quad9. Hence, I was thinking that I might need to tell unbound an exception for these domains, sidestepping the forwarding. Is that possible? (Does it solve my issue? I don’t know but I’d like to try).

Adding to this: Assuming I understand the man page for unbound.conf, this is not possible. Given that I cannot define a forward per ’server’ (and only one server per unbound.conf), I need to have two unbound.conf files and two unbound servers. So I will have to set up two unbound resolvers, one listening on port 53 that does forwarding to the public DNS servers and one listening on port 5353 that doesn’t forward but does everything itself, each with its own unbound.conf file.

Too bad I cannot define multiple servers in a single unbound.conf, each with its own forwards (stubs etc.). That would make life simpler.

Gerben Wierda
Chess and the Art of Enterprise Architecture <http://enterprisechess.com/>
Mastering ArchiMate <http://masteringarchimate.com/>
Architecture for Real Enterprises <https://www.infoworld.com/blog/architecture-for-real-enterprises/> at InfoWorld
On Slippery Ice <https://eapj.org/on-slippery-ice/> at EAPJ

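As an added example (not configuration from the message above, nor from the Unbound or rspamd projects), here is a single unbound.conf that keeps the Quad9 forward for everything else and lets Unbound resolve the zones rspamd queries by itself. It relies on the forward-zone behaviour described in unbound.conf(5), where a forward-zone clause may carry zero forward-addr/forward-host entries and such a zone is then not forwarded but resolved iteratively; treat that as an assumption to confirm against the man page of the installed Unbound version. The interface and access-control values are placeholders for a resolver that only serves rspamd on the same host.

```conf
# Added example, not from the original post. One Unbound instance:
# "." is forwarded to Quad9, the RBL/DWL zones are resolved directly.
server:
    # Placeholder listener for a resolver used only by the local rspamd.
    interface: 127.0.0.1
    access-control: 127.0.0.0/8 allow
    # Built-in root hints are used for the iteratively resolved zones;
    # no root-hints: line is needed for this example.

# Default: everything goes to Quad9, as in the original snippet.
forward-zone:
    name: "."
    # Quad9 phishing/malware site blocking DNS
    forward-addr: 9.9.9.9
    # Quad9 2nd DNS
    forward-addr: 149.112.112.112

# Exceptions (assumption, see lead-in): a forward-zone with a name and
# no forward-addr/forward-host entries is not forwarded, so names under
# it are resolved iteratively. The closest enclosing forward-zone wins,
# so the parent zones below also cover multi.uribl.com and dwl.dnswl.org.
# The blocklist operators then see this host's own source address
# instead of the shared Quad9 resolver addresses.
forward-zone:
    name: "uribl.com."

forward-zone:
    name: "dnswl.org."
```

Validate the file with `unbound-checkconf`, reload with `unbound-control reload`, then run `unbound-control lookup multi.uribl.com`: it prints the name servers Unbound would use for that name, so for a name under one of the exception zones it should list authoritative servers rather than 9.9.9.9. `unbound-control list_forwards` shows all forward-zone entries, including the address-less ones.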