Configuration not using root hints, but forwarders configured later

Petr Menšík pemensik at redhat.com
Mon Oct 7 14:37:21 UTC 2024


Hi!

When working on dnsconfd, we have uncovered a problem with configuring 
forwarding via unbound-control. If we try to use unbound-control 
explicitly, there does not seem to be a way to tell unbound not to use 
root hints.

I can configure forwarding when starting unbound via the configuration file 
and use forward-first: no. The problem is I cannot do the same if 
unbound should be started before we know the exact forwarders to use. For 
example, I want to serve localhost and built-in authoritative zones, but 
until I know the forwarder address and its possible TLS status, I cannot 
configure the forwarder at startup.

I have found there is a trick to make queries to outer hosts fail until 
forwarders are configured.

forward-zone:
     name: "."
     forward-first: no

The problem is, after I use "unbound-control forward 192.0.2.53", followed 
by "unbound-control forward off", root hints are used again. It 
does not seem to be possible to return to the original configuration. 
Not by simple reuse of unbound-control forward, at least. Or is there?

Is there some other way in the latest unbound releases to tell unbound 
to use only the configured forwarders or always fail?

I have tried this on unbound-1.19.0, but I expect that has not changed 
since then.

This behavior is needed to use only some trusted protective DNS service, 
which might have some protective query filter (RPZ) applied. 
Therefore iteration from the root is not acceptable, as it could circumvent 
such a filter. Most likely something with a TLS authentication endpoint.

Regards,
Petr Menšík

-- 
Petr Menšík
Software Engineer, RHEL
Red Hat, http://www.redhat.com/
PGP: DFCF908DB7C87E8E529925BC4931CA5B6C9FC5CB
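As an added example, not part of Petr's post or of Unbound's own tooling, here is a small Python check that parses the forward-zone clauses of an unbound.conf fragment and reports whether the catch-all "." zone from the post is present with forward-first: no, i.e. whether the file as written keeps queries from falling back to root-hint iteration. The parser covers only the clause/attribute line syntax used in the fragment; the set of clause keywords, the default of forward-first being "no", and the two sample configurations are assumptions. It inspects the configuration file only and says nothing about the live state changed through unbound-control, which is exactly the gap the post describes.

```python
"""Check an unbound.conf fragment for a catch-all forward-zone that blocks root-hint fallback."""

# Constructed sample: the fragment from the post, plus a server clause for realism.
SAMPLE_CONF = """
server:
    verbosity: 1      # unrelated attribute, must be ignored
forward-zone:
    name: "."
    forward-first: no
"""

# Constructed counterexample: a forwarder is set, but forward-first: yes
# lets unbound iterate from the root when the forwarder fails.
WEAK_CONF = """
forward-zone:
    name: "."
    forward-addr: 192.0.2.53
    forward-first: yes
"""

# Keywords that open a top-level clause in unbound.conf (assumption: common ones).
CLAUSES = {"server", "forward-zone", "stub-zone", "auth-zone", "view",
           "remote-control", "rpz", "python", "dynlib", "cachedb", "dnstap"}


def parse_forward_zones(conf_text):
    """Return the forward-zone clauses as a list of dicts: attribute -> list of values."""
    zones = []
    in_forward_zone = False
    for raw in conf_text.splitlines():
        line = raw.split("#", 1)[0].strip()      # drop comments and indentation
        if not line:
            continue
        key, _, value = line.partition(":")
        key = key.strip()
        value = value.strip().strip('"')         # name: "." -> "."
        if key in CLAUSES and value == "":
            # A bare clause keyword starts a new section.
            in_forward_zone = key == "forward-zone"
            if in_forward_zone:
                zones.append({})
            continue
        if in_forward_zone:
            # Attributes such as forward-addr may repeat, so keep every value.
            zones[-1].setdefault(key, []).append(value)
    return zones


def check_root_forwarding(zones):
    """Report whether a "." forward-zone exists and whether it forbids root-hint fallback."""
    root_zones = [z for z in zones if "." in z.get("name", [])]
    if not root_zones:
        return {"root_zone": False, "root_hints_blocked": False, "forwarders": []}
    zone = root_zones[-1]
    # Assumption: unbound defaults forward-first to "no" when it is not set.
    forward_first = zone.get("forward-first", ["no"])[-1].lower()
    forwarders = zone.get("forward-addr", []) + zone.get("forward-host", [])
    return {
        "root_zone": True,
        "root_hints_blocked": forward_first != "yes",
        "forwarders": forwarders,
    }


if __name__ == "__main__":
    for label, conf in (("post fragment", SAMPLE_CONF), ("weak config", WEAK_CONF)):
        print(label, check_root_forwarding(parse_forward_zones(conf)))
```

With the post's fragment the check reports a "." zone, root hints blocked, and an empty forwarder list, which is the "fail until forwarders are configured" state; with the counterexample it flags forward-first: yes as leaving root iteration open.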
