Adding a second, authoritative, view, to my config
Stilez
stilezy at gmail.com
Sun Feb 24 19:21:17 UTC 2019
I've been using unbound simply as a basic resolver for my LAN, with a very
simple config, and it works fine. My .conf just contains some basic
global.config, and some local-zone/local-data entries. I now want to
enhance my use in about 3 ways. To avoid mistakes, I'd like to check the
correct way to do these in my unbound.conf:
1. I'm using the domain "mydomain.lan" internally for my LAN. How do I
ensure that if someone does an nslookup/ping of the TLD ".lan" or any
subdomain, the query will directly return nxdomain/unknown if it can't be
found in local data, and not forward the query or attempt to resolve it
from external nameservers?
2. I need to host an authoritative name server locally for Let's Encrypt
DNS-01 challenge purposes, which is exposed to the WAN and contains just
TXT records for "_acme-challenge.myrealdomain.com". I don't really want to
run a whole separate RFC2136-compliant name server (BIND, knot) for this
tiny task, as it's very small and can be handled manually with ease using
Unbound (just automate the part where it updates an included file and
reloads .conf). But to do this, I need to add views to my unbound.conf to
accomplish it, and I can't find an example of unbound.conf with such a
split view to adapt from. I need 2 views: any client in 10.0.0.0/8 (=LAN)
will see view "LAN-VIEW", where Unbound acts as a recursive resolver,
configured as I already have it with forwarding, recursion, caching, and
various local hard-coded local-zone and local-data, and local devices added
from DHCP. But any client *not* in 10.0.0.0/8 (=WAN) will see view
"WAN-VIEW", which has no recursion or forwarding at all, and responds
authoritatively with statically-defined "_acme-challenge.myrealdomain.com"
TXT records when that domain is queried, but always returns
nxdomain/"unknown" for any other query. How do I do that?
3. I want to force a specific domain (and subdomains) to "disappear" from
DNS in my LAN view. Most guides do this by redefining the domain to resolve
to 127.0.0.1 (eg for ad blocking), but I'd like Unbound to authoritatively
return "nxdomain/lookup failed", rather than return a valid A record
pointing to localhost (which suggests the domain does exist but is
unresponsive). What is the correct way to do that?
I can't find good examples of these online (especially for the 2nd one).
Being shown how to correctly do them would be much appreciated.
Thanks!
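One unbound.conf sketch that covers all three items, added here as an illustration and not taken from the original thread. The host entries, the blocked zone name, the upstream resolver address and the TXT token are constructed placeholders; it assumes Unbound listens on both the LAN and WAN addresses and that the public zone delegates _acme-challenge.myrealdomain.com to this host.

```conf
server:
    # Listen on every address; the LAN and WAN interfaces are assumed.
    interface: 0.0.0.0
    # Allow both client groups to query; which view they get is decided below.
    access-control: 10.0.0.0/8 allow
    access-control: 0.0.0.0/0 allow
    # Most specific netblock wins: LAN gets LAN-VIEW, everyone else WAN-VIEW.
    access-control-view: 10.0.0.0/8 LAN-VIEW
    access-control-view: 0.0.0.0/0 WAN-VIEW

    # (1) Internal TLD. "static" answers only from local-data and returns
    #     NXDOMAIN for any other name under .lan; nothing is forwarded upstream.
    local-zone: "lan." static
    local-data: "mydomain.lan. A 10.0.0.1"          # constructed sample host
    local-data: "nas.mydomain.lan. A 10.0.0.10"     # constructed sample host

    # (3) Make a domain and everything below it vanish with NXDOMAIN rather
    #     than a fake A record (zone name is a placeholder).
    local-zone: "unwanted.example." always_nxdomain

# (2a) LAN view: normal recursive resolver. view-first: yes consults the
# server-level local-zone/local-data (including entries added later with
# unbound-control) before recursing or forwarding.
view:
    name: "LAN-VIEW"
    view-first: yes

# (2b) WAN view: authoritative only. local-zone "." static makes every name
# match a local zone, so no WAN query is ever recursed or forwarded; only the
# names in this view's local-data get data, everything else gets NXDOMAIN.
# view-first: no (the default) keeps the LAN host data out of this view.
view:
    name: "WAN-VIEW"
    view-first: no
    local-zone: "." static
    local-data: '_acme-challenge.myrealdomain.com. 60 IN TXT "TOKEN-PLACEHOLDER"'

# Upstream for the LAN view only (placeholder address); WAN-VIEW never
# reaches this because "." static matches first.
forward-zone:
    name: "."
    forward-addr: 192.0.2.53
```

Run unbound-checkconf after regenerating the TXT line and before reloading, and confirm from an external address that a query for any name other than the challenge record gets NXDOMAIN rather than an answer from the LAN data.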