Unbound-control to add private-domain

Marc Franquesa marc.franquesa at gmail.com
Thu Apr 30 10:09:13 UTC 2020


Hi all

After long time with Bind, I'm moving to NSD and Unbound for my internal
DNS infra.

I'm testing it thru docker containers, one for NSD and another for unbound.
I add the zone files on NSD which thru a script loads the zones and (using
unbound-control) notifies the unbound service (resolver) to set the zones
as stub-zones to forward to NSD.

This is my test zone (I think quite representative):

dome. 3600 IN SOA ns.dome. hostmaster.dome. 2020032501 300 120 600 86400
dome. 3600 IN NS ns.dome.
emba.dome. 3600 IN NS ns.dome.
ns.dome. 3600 IN A 192.168.128.128
priv.dome. 3600 IN A 10.0.0.1
priv.dome. 3600 IN TXT "Private record"
pub.dome. 3600 IN A 80.0.0.1
pub.dome. 3600 IN TXT "Public record"
alias.dome. 3600 IN CNAME www.gmail.com.

The problem is expected: my current setup sets the RFC1918 blocks as
private, so unbound is stripping the answers for the 'priv.dome':

;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 1876
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 1472
;; QUESTION SECTION:
;priv.dome. IN A

;; AUTHORITY SECTION:
dome. 3580 IN NS ns.dome.

And the logs clearly state the reason:

Apr 30 08:43:55 unbound[11:0] debug: sanitize: removing public name with
private address <priv.dome.> 10.0.0.1#53

Obviously the records pointing to public IPs got answered correctly.

The fix is to add 'dome' on unbound.conf as 'private-domain', however this
requires modifying the config file and I didn't find any 'control' command
to set the domain as private remotely.

Is there any alternate solution/workaround? (entirely managing unbound
thru unbound-control)

Additionally, I read many references about unbound NOT being an authoritative
server, however it implements many features and provides the 'auth-zones'
config stuff. Could anyone tell me which features/RFCs it doesn't implement so
as not to be considered authoritative? I mean, what does it lack to work as an
authoritative server?


Thanks much
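As an added example (not from the original post or the Unbound project), the sanitizer rejection lines shown above can be parsed to see which names are being dropped for carrying RFC1918 addresses: names under a known internal zone (here `dome`, supplied by the administrator) are the ones a `private-domain:` entry in unbound.conf would allow, while any other name resolving to a private address is worth investigating as a possible DNS-rebinding attempt. The sample log lines are constructed, and the script assumes each log message sits on a single line.

```python
import ipaddress
import re

# Constructed sample log lines in the format shown in the post (not real logs).
SAMPLE_LOG = """\
Apr 30 08:43:55 unbound[11:0] debug: sanitize: removing public name with private address <priv.dome.> 10.0.0.1#53
Apr 30 08:44:02 unbound[11:0] debug: sanitize: removing public name with private address <evil.example.> 192.168.1.10#53
Apr 30 08:44:10 unbound[11:0] info: resolving pub.dome. A IN
"""

# RFC1918 blocks, matching a typical 'private-address:' configuration.
PRIVATE_NETS = [ipaddress.ip_network(n)
                for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

SANITIZE_RE = re.compile(
    r"sanitize: removing public name with private address <(?P<name>[^>]+)> (?P<ip>[^#\s]+)")


def parse_sanitize_events(log_text):
    """Return (name, ip) pairs for every sanitizer rejection found in the log."""
    events = []
    for line in log_text.splitlines():
        m = SANITIZE_RE.search(line)
        if m:
            events.append((m.group("name").rstrip(".").lower(), m.group("ip")))
    return events


def is_private(ip):
    """True if the address falls inside one of the configured private blocks."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in PRIVATE_NETS)


def classify(events, internal_zones):
    """Split rejections into names under an internal zone (candidates for a
    'private-domain:' entry) and everything else (possible rebinding attempts)."""
    zones = tuple(z.rstrip(".").lower() for z in internal_zones)
    expected, suspicious = [], []
    for name, ip in events:
        if not is_private(ip):  # not expected from the sanitizer; skip defensively
            continue
        if any(name == z or name.endswith("." + z) for z in zones):
            expected.append((name, ip))
        else:
            suspicious.append((name, ip))
    return expected, suspicious


def private_domain_lines(internal_zones):
    """Render the unbound.conf lines that would allow private answers for the zones."""
    return [f'    private-domain: "{z.rstrip(".")}"' for z in internal_zones]
```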