Getting setup for first time
Wouter Wijngaards
wouter at nlnetlabs.nl
Mon Oct 14 06:25:04 UTC 2019
Hi Rod,
On 11/10/2019 23:35, rod--- via Unbound-users wrote:
>
> Here is my scenario...
>
> I use untangle as my firewall and typically utilize its DNS server
> static entries for routing DNS on my home LAN to get to servers by
> private IP and then let my domains public DNS manage everything from
> the outside world.
Your config entry for the local-zone is wrong. There are several options
for the local-zone you can use. It defaults to 'static', which gives
'not found' for records not listed in the zone.
local-zone: "strumbel.com" transparent
That would use the local data entries, but if there is no local-data
entry, try to look it up upstream. That seems to be what you want.
In the example config and man page there is a longer list of
possibilities for the local-zone depending on what you want (refusal,
logging). If you decide to use a separate namespace for that set of
machines as Andreas suggests, a local-zone of type static may be easier,
as it denies other names in that namespace.
Best regards, Wouter
>
> This past week I decided to setup a home lab where I will want to
> access a different set of machines by the same names as what are
> already registered in Untangle... BUT at different IPs from those
> machines the other users in my LAN would access them from.
> Example:
> Typical config: iis.strumbel.com is at 192.168.1.200
> In my test env: iis.strumbel.com needs to be at 192.168.1.171
>
> Unbound seemed the ideal solution, spun up a Centos 7 vm, installed
> Unbound and configured my test machines into the local-zone utilizing
> local-data commands. And pointed a forward-addr at my Untangle box.
> Pretty neat and as long as I am querying for items either in the
> local-data, or items not managed by Untangle all works fine.
>
> The issue comes when I try to query for an item that is NOT in my
> local-data but IS in the Untangle DNS entries.
> Those come back NOT FOUND.
> Example:
> iis.strumbel.com is managed by unbound via
> local-data: "iis.strumbel.com. IN A 192.168.1.171"; this works fine
> webmail.strumbel.com is managed by untangle; this cannot be found
> www.crunch.com is not managed by either; this works fine
>
>
> Thinking maybe it was an issue with how Untangle handles DNS, spun up
> another Centos vm and installed BIND in its most basic form and added
> a zone for my domain and entered the same records Untangle was
> managing and then pointed my Unbound forward-addr to this new BIND box
> instead. Same results. local-data items: OK, items not maintained
> in BIND: OK, items NOT in local-data but are in BIND: NOT FOUND.
>
> Tells me I must have screwed up something in my Unbound config:
>
>
>
> server:
>
> # verbosity number, 0 is least verbose. 1 is default.
> verbosity: 1
>
> # answer queries for this interface 0.0.0.0 says ALL interfaces
> interface: 0.0.0.0
>
> # what port are we listening on - needs to be opened up in the firewall
> port: 53
>
> # turn on ipv4 turn off ipv6 queries
> do-ip4: yes
> do-ip6: no
>
> # turn on udp and tcp querying - don't forget to open in the firewall
> do-udp: yes
> do-tcp: yes
>
> # what client ips can access utilize the results of this dns server
> access-control: 192.168.1.0/24 allow
> access-control: 127.0.0.1/32 allow
>
> # hide hacking information from anyone accessing the server
> hide-identity: yes
> hide-version: yes
>
> # this helps avoid spoofing attempts
> harden-glue: yes
> harden-dnssec-stripped: yes
>
> # upper and lower bounds for TTL
> cache-min-ttl: 3600
> cache-max-ttl: 14400
>
> # prefetch
> prefetch: yes
>
> # Optimization parameters
> num-threads: 4
> msg-cache-slabs: 8
> rrset-cache-slabs: 8
> infra-cache-slabs: 8
> key-cache-slabs: 8
> rrset-cache-size: 256m
> msg-cache-size: 128m
> so-rcvbuf: 1m
> unwanted-reply-threshold: 10000
> val-clean-additional: yes
>
> # avoid rebinding attacks
> private-address: 192.168.1.0/24
>
> # here is what allows us to OVERRIDE DNS settings
> private-domain: "DNS.OVERRIDES"
> do-not-query-localhost: no
>
> # here are our overrides!
> local-zone: "DNS.OVERRIDES." static
> # forward OVERRIDE records
> local-data: "iis.strumbel.com. IN A 192.168.1.171"
> local-data: "sm.strumbel.com. IN A 192.168.1.171"
> local-data: "rodsmachine.strumbel.com. IN A 192.168.1.98"
> # reverse OVERRIDE records
> local-data-ptr: "192.168.1.171 apps.strumbel.com"
> local-data-ptr: "192.168.1.98 rodsmachine.strumbel.com"
>
> # and where do we go if records are not overridden above?
> forward-zone:
> name: "."
> forward-addr: 192.168.1.238
> # The below was the setting to talk to untangle as the DNS forward - same issue as the above which is a temporarily setup BIND server
> # forward-addr: 192.168.1.1
>
> ## END OF CONFIG FILE
>
>
> Anyone have any ideas?
>
> Rod
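Editor's note, added to this archived message and not part of Wouter's reply or Rod's post: the fragment below writes out the local-zone change Wouter describes as a complete replacement for the override section of Rod's posted unbound.conf. The names and addresses are the ones from Rod's post; the rest of the server block (listening interfaces, access-control, cache and hardening options) is unchanged and omitted here. One line is an addition of my own that the thread does not discuss: Rod's config sets private-address: 192.168.1.0/24, and unbound's rebinding protection strips any 192.168.1.x address from an upstream answer unless the queried name is under a private-domain. The Untangle/BIND zone hands out 192.168.1.x addresses for strumbel.com names (iis.strumbel.com is at 192.168.1.200 in the post), so those answers would still come back empty after the zone type is fixed; private-domain: "strumbel.com." allows them.

```conf
server:
    # ... existing interface, access-control, cache and hardening
    #     settings from the posted config stay as they are ...

    # The overridden names live under strumbel.com, so that is the
    # local-zone to declare. 'transparent': a query that exactly matches
    # a local-data record is answered from it; any other name in the
    # zone is resolved normally (here: sent to the forwarder below).
    # With 'static' (the type the posted config used) unlisted names in
    # the zone get a "not found" answer instead.
    local-zone: "strumbel.com." transparent

    # forward OVERRIDE records (addresses from the original post)
    local-data: "iis.strumbel.com. IN A 192.168.1.171"
    local-data: "sm.strumbel.com. IN A 192.168.1.171"
    local-data: "rodsmachine.strumbel.com. IN A 192.168.1.98"
    # reverse OVERRIDE records
    local-data-ptr: "192.168.1.171 apps.strumbel.com"
    local-data-ptr: "192.168.1.98 rodsmachine.strumbel.com"

    # Rebinding protection kept from the posted config: 192.168.1.x
    # addresses are removed from upstream answers for public names.
    private-address: 192.168.1.0/24
    # Editor's addition (not in the thread): the upstream Untangle/BIND
    # zone legitimately answers strumbel.com names with 192.168.1.x
    # addresses, so exempt that domain and its subdomains from stripping.
    private-domain: "strumbel.com."

# Everything with no local-data match goes to the upstream server
# (192.168.1.238 is the temporary BIND box from the post; 192.168.1.1
# was the Untangle box).
forward-zone:
    name: "."
    forward-addr: 192.168.1.238
```

Check the file with `unbound-checkconf` before restarting, then query each of the three cases from the post through unbound (`dig @127.0.0.1 iis.strumbel.com`, `dig @127.0.0.1 webmail.strumbel.com`, `dig @127.0.0.1 www.crunch.com`): the first should answer from local-data, the other two from the forwarder. Two caveats worth knowing about 'transparent': the match is exact, so a query for a local-data name but a different record type (for example AAAA for iis.strumbel.com) is answered as name-exists-but-no-data rather than forwarded, and 'typetransparent' is the type to use if those other types should still go upstream; and the override lives in unbound alone, so clients that bypass this resolver still get the Untangle addresses.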