Getting setup for first time
wouter at nlnetlabs.nl
Mon Oct 14 06:25:04 UTC 2019
On 11/10/2019 23:35, rod--- via Unbound-users wrote:
> Here is my scenario...
> I use untangle as my firewall and typically utilize its DNS server
> static entries for routing DNS on my home LAN to get to servers by
> private IP and then let my domains public DNS manage everything from
> the outside world.
Your config entry for the local-zone is wrong. There are several options
for the local-zone you can use. It defaults to 'static' that gives not
found for records not listed in the zone.
local-zone: "strumbel.com" transparent
That would use the local data entries, but if there is no local-data
entry try to look it up upstream. That seems to be what you want.
In the example config and man page there is a longer list of
possibilities for the local-zone depending on what you want (refusal,
logging). If you decide to use a separate namespace for that set of
machines as Andreas suggests, a local-zone of type static may be easier,
as it denies other names in that namespace.
Best regards, Wouter
> This past week I decided to setup a home lab where I will want to
> access a different set of machines by the same names as what are
> already registered in Untangle... BUT at different IPs from those
> machines the other users in my LAN would access them from.
> Typical config: iis.strumbel.com <//iis.strumbel.com> is
> at 192.168.1.200
> In my test env: iis.strumbel.com <//iis.strumbel.com> needs
> to be at 192.168.1.171
> Unbound seemed the ideal solution, spun up a Centos 7 vm, installed
> Unbound and configured my test machines into the local-zone utilizing
> local-data commands. And pointed a forward-addr at my Untangle box.
> Pretty neat and as long as I am querying for items either in the
> local-data, or items not managed by Untangle all works fine.
> The issue comes when I try to query for an item that is NOT in my
> local-data but IS in the Untangle DNS entries.
> Those come back NOT FOUND.
> iis.strumbel.com <//iis.strumbel.com> is managed by unbound
> via local-data: "iis.strumbel.com. IN A 192.168.1.171" this
> works fine
> webmail.strumbel.com <//webmail.strumbel.com> is managed by
> untangle this cannot be found
> www.crunch.com <http://www.crunch.com> is not managed by
> either this works fine
> Thinking maybe it was an issue with how Untangle handles DNS, spun up
> another Centos vm and installed BIND in its most basic form and added
> a zone for my domain and entered the same records Untangle was
> managing and then pointed by Unbound forward-addr to this new BIND box
> instead. Same results. local-data items: OK, items not maintained
> in BIND: OK, items NOT in local-data but are in BIND: NOT FOUND.
> Tells me I must have screwed up something in my Unbound config:
> # verbosity number, 0 is least verbose. 1 is default.
> verbosity: 1
> # answer queries for this interface 0.0.0.0 says ALL interfaces
> interface: 0.0.0.0
> # what port are we listening on - needs to be opened up in the firewall
> port: 53
> # turn on ipv4 turn off ipv6 queries
> do-ip4: yes
> do-ip6: no
> # turn on udp and tcp querying - don't forget to open in the firewall
> do-udp: yes
> do-tcp: yes
> # what client ips can access utilize the results of this dns server
> access-control: 192.168.1.0/24 allow
> access-control: 127.0.0.1/32 allow
> # hide hacking information from anyone accessing the server
> hide-identity: yes
> hide-version: yes
> # this helps avoid spoofing attempts
> harden-glue: yes
> harden-dnssec-stripped: yes
> # upper and lower bounds for TTL
> cache-min-ttl: 3600
> cache-max-ttl: 14400
> # prefetch
> prefetch: yes
> # Optimization parameters
> num-threads: 4
> msg-cache-slabs: 8
> rrset-cache-slabs: 8
> infra-cache-slabs: 8
> key-cache-slabs: 8
> rrset-cache-size: 256m
> msg-cache-size: 128m
> so-rcvbuf: 1m
> unwanted-reply-threshold: 10000
> val-clean-additional: yes
> # avoid rebinding attacks
> private-address: 192.168.1.0/24
> # here is what allows us to OVERRIDE DNS settings
> private-domain: "DNS.OVERRIDES"
> do-not-query-localhost: no
> # here are our overrides!
> local-zone: "DNS.OVERRIDES." static
> # forward OVERRIDE records
> local-data: "iis.strumbel.com. IN A 192.168.1.171"
> local-data: "sm.strumbel.com. IN A 192.168.1.171"
> local-data: "rodsmachine.strumbel.com. IN A 192.168.1.98"
> # reverse OVERRIDE records
> local-data-ptr: "192.168.1.171 apps.strumbel.com"
> local-data-ptr: "192.168.1.98 rodsmachine.strumbel.com"
> # and where do we go if records are not overridden above?
> name: "."
> forward-addr: 192.168.1.238
> # The below was the setting to talk to untangle as the DNS forward -
> same issue as the above which is a temporarily setup BIND server
> # forward-addr: 192.168.1.1
> ## END OF CONFIG FILE
> Anyone have any ideas?
-------------- next part --------------
An HTML attachment was scrubbed...
More information about the Unbound-users