Adding a second, authoritative, view, to my config

Stilez stilezy at
Sun Feb 24 19:21:17 UTC 2019

I've been using unbound simply as a basic resolver for my LAN, with a very 
simple config, and it works fine. My .conf just contains some basic 
global.config, and some local-zone/local-data entries.  I now want to 
enhance my use in about 3 ways. To avoid mistakes, I'd like to check the 
correct way to do these in my unbound.conf:

1. I'm using the domain "mydomain.lan" internally for my LAN. How do I 
ensure that if someone does an nslookup/ping of the TLD ".lan" or any 
subdomain, the query will directly return nxdomain/unknown if it can't be 
found in local data, and not forward the query or  attempt to resolve it 
from external nameservers?

2. I need to host an authoritative name server locally for Let's Encrypt 
DNS-01 challenge purposes, which is exposed to the WAN and contains just 
TXT records for "". I don't really want to 
run a whole separate RFC2136-compliant name server (BIND, knot) for this 
tiny task, as it's very small and can be handled manually with ease using 
Unbound (just automate the part where it updates an included file and 
reloads .conf). But to do this, I need to add views to my unbound.conf to 
accomplish it, and I can't find an example of unbound.conf with such a 
split view to adapt from. I need 2 views:  any client in (=LAN) 
will see view "LAN-VIEW",  where Unbound acts as a recursive resolver, 
configured as I already have it with forwarding, recursion, caching, and 
various local hard-coded local-zone and local-data, and local devices added 
from DHCP. But any client *not* in (=WAN) will see view 
"WAN-VIEW", which has no recursion or forwarding at all, and responds 
authoritatively with statically-defined "" 
TXT records when that domain is queried, but always returns 
nxdomain/"unknown" for any other query. How do I do that?

3. I want to force a specific domain (and subdomains) to "disappear" from 
DNS in my LAN view. Most guides do this by redefining the domain to resolve 
to (eg for ad blocking), but I'd like Unbound to authoritatively 
return "nxdomain/lookup failed", rather than return a valid A record 
pointing to localhost (which suggests the domain does exist but is 
unresponsive). What is the correct way to do that?

I can't find good examples of these online (especially for the 2nd one). 
Being shown how to correctly do them would be much appreciated.


More information about the Unbound-users mailing list