Unbound as sinkhole setup
Marc Franquesa
marc.franquesa at gmail.com
Thu Mar 17 15:16:32 UTC 2022
I'm implementing a sinkhole using unbound, and almost all documentation/examples
I found configure the blocked domains as:
local-zone: "zone" inform_deny
As per unbound documentation, 'deny' drops the query. My understanding is
that a client querying that domain will experience a timeout during DNS
resolution. This would cause added delay/latency in resolution and even
the client falling back to another DNS server (and maybe getting a
positive answer).
So instead of 'inform_deny', I use 'always_nxdomain' so I get an immediate
response and stop the resolution process on the client.
However, this way I lose the logging feature provided by 'inform'.
How could I get this / which would be the recommended setup?
- Quickly get a negative response (NODATA/NXDOMAIN/...) which doesn't cause any
latency/delay on the client, while
- Recording clients querying the blacklisted domains
BTW, I'm reviewing the use of RPZ on unbound to achieve the same, as I like
the way it is implemented. I suppose this method will also have a
different setup to achieve the same (immediate negative response and
logging the suspicious client).
Thanks much for any idea/suggestion on the right path.
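Added example (not from the original post, and not taken from Unbound's own documentation): an unbound.conf fragment placing the three local-zone types discussed above side by side, together with the RPZ form and its logging option. It assumes an Unbound version that supports the inform_redirect local-zone type and the rpz: section; the zone names and file path are placeholders.

```conf
server:
    # inform_deny: query is logged (zone, client IP@port, qname, type, class)
    # and then dropped. The client sees a timeout and may retry or fall back
    # to another resolver, as described in the post above.
    local-zone: "blocked-deny.example" inform_deny

    # always_nxdomain: immediate NXDOMAIN for the name and everything below
    # it, so the client stops resolving, but nothing is logged.
    local-zone: "blocked-silent.example" always_nxdomain

    # inform_redirect: answers immediately, like 'redirect', using the
    # local-data below, and logs the querying client, like 'inform'.
    # Answering with a sinkhole address gives an immediate response and a
    # log line per client query.
    local-zone: "blocked.example" inform_redirect
    local-data: "blocked.example A 0.0.0.0"
    local-data: "blocked.example AAAA ::"

# Same goal with RPZ: the zone file carries the blocklist (an RPZ entry of
# the form "blocked.example CNAME ." means NXDOMAIN), rpz-log adds a log
# line for every query that hits a policy, and rpz-action-override forces
# NXDOMAIN regardless of the action encoded in the zone.
rpz:
    name: "rpz.blocklist.example"                          # placeholder
    zonefile: "/var/lib/unbound/rpz.blocklist.example.zone" # placeholder path
    rpz-action-override: nxdomain
    rpz-log: yes
    rpz-log-name: "blocklist"
```

Reload with `unbound-control reload` after editing and check the log for the inform / rpz lines to confirm clients hitting the blocklist are recorded.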