Can I tell unbound to forward all requests except for some domains?

Gerben Wierda gerben.wierda at rna.nl
Sat Mar 5 12:27:54 UTC 2022


No, this is about certain DNS servers not accepting queries from public resolvers, such as DNS servers that are used to disseminate information about bad actors. DNS blacklists and all that. 

My standard LAN resolver (unbound) forwards to cloud9 (9.9.9.9) so I am protected by their filtering of bad domains. But requests from rspamd and postfix cannot use that setup. rspamd does not accept requests from a public DNS such as 9.9.9.9. And neither does zen.spamhaus.org that provides a DNSBL that can be used in the postfix setup.

main.cf:	postscreen_dnsbl_sites = zen.spamhaus.org =127.0.0.[2..11]

rspamd has a setting to direct it to a different DNS. To make use of that but still offer the 9.9.9.9 protection to all clients in my LAN, I had to set up a second unbound running on a different port (1053) on localhost. That way, I can tell rspamd 

options.inc:    nameserver = "127.0.0.1:1053";

And rspamd is now not indirectly using 9.9.9.9 while the rest is. But postfix doesn’t have such a setting. So, zen.spamhaus.org doesn’t work. I was able to use

forward-zone:
	name: "spamhaus.org"
	forward-addr: 127.0.0.1@1053 # do not resolve spamhaus via public DNS resolvers

Because I already had that second non-forwarding unbound running on port 1053 for rspamd.

I also am running NSD for the local private addresses, but that doesn’t end up here, other than that NSD wants to run on the same port as unbound (53) so my NSD runs on port 54 and unbound has:

# The authoritative NSD for rna.nl/192.168.2.x is on this machine (127.0.0.1@54)
stub-zone:
        name: "rna.nl"
        stub-addr: 127.0.0.1@54
stub-zone:
        name: "2.168.192.in-addr.arpa"
        stub-addr: 127.0.0.1@54

Basically, that gives me the split-DNS, where external resolving of rna.nl and internal resolving of anything on rna.nl work, some more hosts internally than externally of course.

My question about local addresses was directed at another possible scenario: make sure that requests to unbound from one set of addresses do forwarding and another (the server itself) does not. But the solution I now have is better. For instance, domains not resolved by 9.9.9.9 because they are bad actors also do not resolve in postfix and get dropped because they do not have a decent DNS/reverse set up, even if they have.

Gerben Wierda (LinkedIn <https://www.linkedin.com/in/gerbenwierda>)
R&A IT Strategy <https://ea.rna.nl/> (main site)
Book: Chess and the Art of Enterprise Architecture <https://ea.rna.nl/the-book/>
Book: Mastering ArchiMate <https://ea.rna.nl/the-book-edition-iii/>

> On 5 Mar 2022, at 07:17, Steven Wills <steven at swills.me> wrote:
> 
> I re-read your emails and you mention "local" IP addresses. Maybe a stub-zone is what you're after? But I don't think that is the case since a stub zone is meant to point to an authoritative server. Maybe someone with a better idea of what you're asking can weigh in.
> 
> I use a stub-zone to point to my NSD server.
> 
> stub-zone:
>         name: "swills.org"
>         stub-addr: 10.0.10.25
> 
> 
> https://unbound.docs.nlnetlabs.nl/en/latest/manpages/unbound.conf.html?highlight=stub%20zone#stub-zone-options
> 
> Thanks again,
> Steven
> 
> 
> ------- Original Message -------
> On Friday, March 4th, 2022 at 20:14, Gerben Wierda <gerben.wierda at rna.nl> wrote:
> 
>> Yes, that is what I thought a while back, so I decided at the time to test with this:
>> 
>> forward-zone:
>>        name: "apple.com."
>>        forward-addr: 8.8.8.8@53 # testing if I can forward based on fqdn
>> 
>> forward-zone:
>>         name: "."
>>         # If the forwarding fails, do your own recursion
>>         forward-first: yes
>>         # Quad9 phishing/malware site blocking DNS 9.9.9.9
>>         forward-addr: 9.9.9.9
>> 
>> to see if that worked, but all the requests kept being forwarded to 9.9.9.9 at the time. I gave up at the time (for another reason) but now I need it again.
>> 
>> Gerben Wierda (LinkedIn <https://www.linkedin.com/in/gerbenwierda>)
>> R&A IT Strategy <https://ea.rna.nl/> (main site)
>> Book: Chess and the Art of Enterprise Architecture <https://ea.rna.nl/the-book/>
>> Book: Mastering ArchiMate <https://ea.rna.nl/the-book-edition-iii/>
>> 
>>> On 5 Mar 2022, at 03:03, Steven Wills <steven at swills.me> wrote:
>>> 
>>> Hello,
>>> 
>>> I think what you want is a Forward Zone.
>>> 
>>> 
>>> https://docs.netgate.com/tnsr/en/latest/dns/fwd-zone.html
>>> 
>>> Thank you,
>>> Steven
>>> 
>>> 
>>> 
>>> 
>>> 
>>> 
>>> -------- Original Message --------
>>> On Mar 4, 2022, 19:36, Gerben Wierda via Unbound-users <unbound-users at lists.nlnetlabs.nl> wrote:
>>> 
>>> I am using unbound and it is configured to use cloud9 as a forwarder.
>>> 
>>> But spamhaus.org DNSBL will not answer requests for IP addresses from public DNS, such as cloud9.
>>> 
>>> So, what I would like to do is configure unbound in such a way that it always goes to cloud9, except when the query is about spamhaus.org. Can I do that?
>>> 
>>> If that is not possible, I would like to configure unbound so that it forwards everything to cloud9, unless it comes from a specific set of local IP addresses. Is that possible?
>>> 
>>> Thanks,
>>> 
>>> Gerben Wierda (LinkedIn <https://www.linkedin.com/in/gerbenwierda>)
>>> R&A IT Strategy <https://ea.rna.nl/> (main site)
>>> Book: Chess and the Art of Enterprise Architecture <https://ea.rna.nl/the-book/>
>>> Book: Mastering ArchiMate <https://ea.rna.nl/the-book-edition-iii/>
>>> 
>> 
> 

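As an added example that is not part of this thread (my own Python, not unbound's code or anything posted above), the following models how unbound picks the forward-zone or stub-zone that applies to a query name: per the unbound.conf documentation the most specific zone enclosing the query name wins, so a "spamhaus.org" forward-zone catches zen.spamhaus.org before the "." forward-zone does, and a "rna.nl" stub-zone takes queries for rna.nl hosts away from the forwarder entirely. The configuration string is constructed to mirror the setup discussed in the thread, written in real unbound.conf syntax (address@port; the list archive renders "@" as " at "). It also flags every zone whose upstream is a loopback address, because unbound's do-not-query-localhost option defaults to yes and must be set to no before forward-addr or stub-addr entries on 127.0.0.1 are actually used.

```python
"""Model of unbound's forward-zone / stub-zone selection (added example)."""
import ipaddress
from dataclasses import dataclass, field

# Constructed sample configuration mirroring the thread's setup.
SAMPLE_CONF = """
forward-zone:
    name: "."
    forward-first: yes
    forward-addr: 9.9.9.9            # Quad9, used for everything else

forward-zone:
    name: "spamhaus.org"
    forward-addr: 127.0.0.1@1053     # second, non-forwarding unbound

stub-zone:
    name: "rna.nl"
    stub-addr: 127.0.0.1@54          # local authoritative NSD

stub-zone:
    name: "2.168.192.in-addr.arpa"
    stub-addr: 127.0.0.1@54
"""


@dataclass
class Zone:
    kind: str                         # "forward" or "stub"
    name: str = ""                    # lowercase, no trailing dot; "" is the root
    addrs: list = field(default_factory=list)   # (ip, port) tuples
    forward_first: bool = False


def normalize(name: str) -> str:
    """Lowercase, strip quotes and the trailing dot so '.' becomes ''."""
    return name.strip().strip('"').lower().rstrip(".")


def parse_addr(text: str) -> tuple:
    """unbound writes upstream addresses as ip@port; port defaults to 53."""
    ip, _, port = text.strip().partition("@")
    return (str(ipaddress.ip_address(ip)), int(port) if port else 53)


def parse_zones(conf: str) -> list:
    """Minimal parser for forward-zone: and stub-zone: stanzas only."""
    zones, cur = [], None
    for raw in conf.splitlines():
        line = raw.split("#", 1)[0].strip()      # drop comments
        if not line:
            continue
        if line in ("forward-zone:", "stub-zone:"):
            cur = Zone(kind=line.split("-", 1)[0])
            zones.append(cur)
            continue
        if cur is None:
            continue                             # global option, not modelled
        key, _, val = line.partition(":")
        key = key.strip()
        if key == "name":
            cur.name = normalize(val)
        elif key in ("forward-addr", "stub-addr"):
            cur.addrs.append(parse_addr(val))
        elif key == "forward-first":
            cur.forward_first = val.strip().lower() == "yes"
    return zones


def encloses(zone_name: str, qname: str) -> bool:
    """True if zone_name is the root or a label-boundary suffix of qname."""
    if zone_name == "":
        return True
    return qname == zone_name or qname.endswith("." + zone_name)


def select_zone(zones: list, qname: str):
    """Most specific (longest) enclosing zone wins, as unbound does."""
    q, best = normalize(qname), None
    for z in zones:
        if encloses(z.name, q) and (best is None or len(z.name) > len(best.name)):
            best = z
    return best


def zones_needing_localhost_override(zones: list) -> set:
    """Zone names that only work with 'do-not-query-localhost: no'."""
    return {z.name for z in zones
            if any(ipaddress.ip_address(ip).is_loopback for ip, _ in z.addrs)}


if __name__ == "__main__":
    zones = parse_zones(SAMPLE_CONF)
    for q in ("zen.spamhaus.org", "www.apple.com", "host.rna.nl",
              "5.2.168.192.in-addr.arpa", "notspamhaus.org"):
        z = select_zone(zones, q)
        print(f"{q:30} -> {z.kind}-zone {z.name or '.':25} {z.addrs}")
    print("need do-not-query-localhost: no ->",
          sorted(zones_needing_localhost_override(zones)))
```

The "notspamhaus.org" case is there on purpose: suffix matching has to respect label boundaries, otherwise an unrelated domain would be routed to the private resolver. The loopback check is the thing most often missed when a second unbound or NSD is put on 127.0.0.1 with a non-standard port.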