/etc/hosts handling plugin for unbound

Paul Wouters paul at nohats.ca
Wed Dec 21 18:18:46 UTC 2022

On Dec 21, 2022, at 05:39, Petr Menšík <pemensik at redhat.com> wrote:
>> This happens before the "dns" entry, so before unbound is used. So for
>> apps on localhost this should work fine? It is always read (and not
>> cached)
> That is not strictly true. Some software may use DNS explicitly via specialized libraries, like libresolv, ldns, libunbound, etc.

Like libunbound, they can offer that functionality.

> dig and host tools are the best examples.

The host command was obsoleted before the ifconfig command was obsoleted.

The dig command is a dns specific tool.

> I am more inspired by dnsmasq, which I maintain also. But both of those is able to watch /etc/hosts and auto-load its entries into the local DNS cache.

You mean not just to “cache” for local host but to serve for the network ? For that I would use inbound-control to feed it.

> I think it might be useful in some cases to have very simple way to add address override for some names on whole machine. I use it sometimes to create common records for virtual machines or containers running on my machine.

You can drop these in /etc/unbound.d/ ?

> Sure, it should be possible to disable this behavior. An unbound module or plugin might be a way.

Instead of using your command to add the entry to /etc/hosts, wrap it in an unbound command to either inject in the running daemon or put it in the .d directory if you want it to persist. You could reload/restart unbound on each change if you are just serving the local machine ?

>> I guess I feel /etc/hosts is there only for localhost apps in case of
>> broken DNS. The days you could leave something out of DNS by putting in
>> the /etc/hosts file are kinda long gone.
> Is that true? Can you give an example, why it is so? Isn't it the argument for adding /etc/hosts to the DNS then?

I think it’s a reason to stop using /etc/hosts
For fedora, I insured you could configure local data in a persistent way using the .d directory.

People putting thousands of entries in /etc/hosts for anti-spam and ad blocking is also not the best and fully supported using the .d directly with unbound.

> I just would like ability to provide a way both dnsmasq and systemd-resolved have. Yes, I know it is possible to use unbound-control to add local zone and local data into it. But that is too complicated for ordinary user IMO.

Then I guess write a systemd ExecStartPost= option for unbound to loop over /etc/hosts and run unbound-control for the user ? I would approve such a change for the fedora package.

> It is not persistent. sudoedit /etc/hosts is simple enough even for (a bit) advanced user. Should be relatively simple to implement also. It should not break anything if enabled by default on workstations.

I think this would be covered by the above change.


More information about the Unbound-users mailing list