CNAMEs not going through view

George Thessalonikefs george at nlnetlabs.nl
Tue Dec 28 14:37:12 UTC 2021


Hi Jan,

Local data (and views, since they are essentially conditional local data) 
are the first thing that Unbound consults when trying to find an answer 
to a query. They are not consulted again later on.

In your case alias.example.com is not found in local data and, since the 
zone is implicitly of type "transparent", Unbound continues to try to 
find an answer elsewhere, which happens to be the configured auth zone.

In your case I would add
	local-data: "alias.example.com A 2.2.2.2"

in the view and any other records you would need from server.example.com.

Best regards,
-- George

On 28/12/2021 13:07, Jan Palus via Unbound-users wrote:
> On 27.12.2021 18:55, George Thessalonikefs via Unbound-users wrote:
>> Hi Jan,
>>
>> It is not clear to me how you have set up Unbound.
>> Can you provide a configuration snippet of how things look currently?
>>
>> Just to note from what you said that you can't combine the global local data
>> with view local data.
>>
>> If there is a local zone from a view then that is used. If there is no zone
>> in the view and view-first is enabled, then Unbound will look for the zone
>> in the global local data.
> 
> To express what I meant with sample relevant parts of config:
> 
> unbound.conf:
> 
> server:
>          access-control-view: 127.0.0.0/8 vpn
>     
> auth-zone:
>          name: "example.com"
>          for-downstream: yes
>          for-upstream: yes
>          zonefile: "/etc/unbound/example.zone"
> 
> view:
>          name: "vpn"
>          local-data: "server.example.com A 2.2.2.2"
>          view-first: yes
> 
> example.zone:
> 
> $ORIGIN example.com.
> $TTL 3600
> alias IN CNAME server
> server IN A 1.1.1.1
> 
> What I would like to achieve is to have the same IP (2.2.2.2) for both of
> the following queries:
> 
> $ nslookup server.example.com 127.0.0.1
> Server:         127.0.0.1
> Address:        127.0.0.1#53
> 
> Name:   server.example.com
> Address: 2.2.2.2
> 
> $ nslookup alias.example.com 127.0.0.1
> Server:         127.0.0.1
> Address:        127.0.0.1#53
> 
> alias.example.com canonical name = server.example.com.
> Name:   server.example.com
> Address: 1.1.1.1
> 
> So when resolving alias.example.com to server.example.com I would like
> server.example.com to pass through the view, which does not seem to be the case.
> 
>> Best regards,
>> -- George
>>
>> On 20/12/2021 20:02, Jan Palus via Unbound-users wrote:
>>> Hi,
>>>
>>> I have an unbound instance that serves as DNS for a small local network
>>> (let's assume it's the example.com domain). One of the servers (let's call
>>> it server) is accessed by either IPLAN or by IPVPN depending on what's
>>> the source of a query. The IP is changed with a view for
>>> server.example.com, however other CNAMEs in the zone file do not seem to go
>>> through that view. So, e.g., if I have an "alias IN CNAME server", then
>>> alias.example.com resolves to IPLAN despite the query coming from VPN. Is
>>> there a way to make CNAME resolutions go through the view as well?
>>>
>>> Regards
>>> Jan
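
An added example, not part of the original thread and not Unbound's own code: a small Python check that finds zone-file CNAMEs whose target is overridden by `local-data` in a view while the alias itself is not, which is the case where the view's address is bypassed as explained above. The function names are hypothetical and the parsing is simplified (one record per line with an explicit owner name, unquoted or double-quoted config values); the sample input is constructed from the configuration quoted in the thread.

```python
import re

# Constructed sample input mirroring the configuration quoted in the thread.
CONF = '''
view:
    name: "vpn"
    local-data: "server.example.com A 2.2.2.2"
    view-first: yes
'''
ZONE = '''
$ORIGIN example.com.
$TTL 3600
alias IN CNAME server
server IN A 1.1.1.1
'''

def fqdn(name, origin):
    """Lower-cased absolute name; relative names are completed with origin."""
    name = origin if name == "@" else name.lower()
    return name if name.endswith(".") else f"{name}.{origin}".rstrip(".") + "."

def view_overrides(conf):
    """Map view name -> owner names that have local-data inside that view."""
    views, in_view, current = {}, False, None
    for key, val in re.findall(r'^\s*([\w-]+):[ \t]*"?([^"\n#]*)', conf, re.M):
        if not val.strip():                # clause header: "view:", "server:", ...
            in_view, current = key == "view", None
        elif in_view and key == "name":
            current = views.setdefault(val.strip(), set())
        elif in_view and key == "local-data" and current is not None:
            current.add(fqdn(val.split()[0], "."))
    return views

def zone_cnames(zone):
    """Return {alias: target} for CNAME records, honouring $ORIGIN."""
    origin, out = ".", {}
    for raw in zone.splitlines():
        f = raw.split(";", 1)[0].split()
        if len(f) >= 2 and f[0].upper() == "$ORIGIN":
            origin = fqdn(f[1], ".")
        elif "CNAME" in (x.upper() for x in f[1:-1]):
            out[fqdn(f[0], origin)] = fqdn(f[-1], origin)
    return out

def unshadowed_aliases(conf, zone):
    """(view, alias, target): target is overridden in the view, alias is not."""
    cn = zone_cnames(zone)
    return sorted((v, a, t) for v, names in view_overrides(conf).items()
                  for a, t in cn.items() if t in names and a not in names)
```

Each tuple returned by `unshadowed_aliases(CONF, ZONE)` names an alias that needs its own `local-data` line in that view; the list is empty once every such alias has one.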

