Can I tell unbound to forward all requests except for some domains?
Gerben Wierda
gerben.wierda at rna.nl
Sat Mar 5 23:36:50 UTC 2022
I was able to use
forward-zone:
name: "spamhaus.org"
forward-addr: 127.0.0.1@1053 # do not resolve spamhaus via public DNS resolvers
Because I have a second non-forwarding unbound running on port 1053 for rspamd already (which has more or less the same issue, but which — unlike postfix — can be told to use a different name server itself)
So, for spamhaus.org alone, I forward to my own second unbound which does not forward to quad9.
Gerben Wierda (LinkedIn <https://www.linkedin.com/in/gerbenwierda>)
R&A IT Strategy <https://ea.rna.nl/> (main site)
Book: Chess and the Art of Enterprise Architecture <https://ea.rna.nl/the-book/>
Book: Mastering ArchiMate <https://ea.rna.nl/the-book-edition-iii/>
> On 5 Mar 2022, at 18:40, A. Schulze via Unbound-users <unbound-users at lists.nlnetlabs.nl> wrote:
>
>
> On 05.03.22 at 02:36, Gerben Wierda via Unbound-users wrote:
>> I am using unbound and it is configured to use cloud9 as a forwarder.
>>
>> But spamhaus.org DNSBL will not answer requests for IP addresses from public DNS, such as cloud9.
>>
>> So, what I would like to do is configure unbound in such a way that it always goes to cloud9, except when the query is about spamhaus.org. Can I do that?
>
> Hello Gerben,
>
> I'm not aware that unbound supports a mode "forward all but [list of domains]".
>
> My expectation: unbound is a recursive resolver and should know to which nameservers queries for [list of domains] must be sent.
> There is no option known to me to configure unbound this way.
>
> But it is possible to forward all to one recursive resolver and send queries for some zones to a list of known other name servers.
>
> forward-zone:
> name: "."
> forward-addr: 9.9.9.9
>
> stub-zone:
> name: "nlnetlabs.nl."
> stub-host: "ns.nlnetlabs.nl."
> stub-host: "ns-ext1.sidn.nl."
> stub-host: "anyns.pch.net."
>
> The downside of such configurations:
> - stub-host will be resolved via 9.9.9.9
> - stub-host must be outside the stub-zone
> - stub-addr may be used to circumvent this limitation
> - you MUST list a correct set of nameservers (names or addresses)
> To be more robust against changed nameserver sets, you should enable "stub-prime: yes"
> Andreas
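The "forward everything except one zone" setup discussed in this thread, written out as a complete pair of unbound configuration files. This is an added example, not configuration posted by either author or shipped by the Unbound project; the file paths, the pidfile name, the access-control line and the use of 9.9.9.9 (Quad9) as the catch-all forwarder are assumptions. Two points the thread does not spell out: unbound chooses the forward-zone (or stub-zone) whose name is the longest match for the query, so a zone for spamhaus.org also captures zen.spamhaus.org, sbl.spamhaus.org and so on; and unbound by default refuses to send queries to 127.0.0.0/8 (do-not-query-localhost: yes), so forwarding to a second instance on 127.0.0.1@1053 only works once that default is switched off.

```conf
# --- /etc/unbound/unbound.conf : the primary resolver (assumed path) ---
server:
    interface: 127.0.0.1
    port: 53
    # Default is "yes", which silently drops queries aimed at 127.0.0.0/8.
    # Required for the forward to the second instance below.
    do-not-query-localhost: no

# Catch-all: every query not matched by a more specific zone goes to Quad9.
forward-zone:
    name: "."
    forward-addr: 9.9.9.9

# Longest-matching zone wins: spamhaus.org and every name below it bypass
# Quad9 and go to the local, non-forwarding instance on port 1053, which
# recurses from the root itself so the DNSBL sees this host's own address.
forward-zone:
    name: "spamhaus.org."
    forward-addr: 127.0.0.1@1053

# --- /etc/unbound/unbound-direct.conf : the second instance (assumed path) ---
# Started separately, e.g. "unbound -c /etc/unbound/unbound-direct.conf".
# No forward-zone here: this instance performs full recursion from the root.
server:
    interface: 127.0.0.1
    port: 1053
    pidfile: "/run/unbound-direct.pid"   # assumed; must differ from the primary
    access-control: 127.0.0.0/8 allow
```

Check both files with unbound-checkconf before starting them. To confirm the split, query each side directly: `dig @127.0.0.1 -p 1053 2.0.0.127.zen.spamhaus.org` should return the DNSBL's listing for the documented 127.0.0.2 test address, and the same query against port 53 should now return the identical answer, while `dig @127.0.0.1 example.com` still takes the Quad9 path. The stub-zone variant from the quoted reply (stub-host / stub-addr plus stub-prime: yes) is the alternative when you know the authoritative servers for the zone and do not want to run a second unbound.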