Configuration not using root hints, but forwarders configured later

Yorgos Thessalonikefs yorgos at nlnetlabs.nl
Mon Oct 7 15:02:59 UTC 2024


Hi Petr!

"unbound-control forward" is very specific, as it operates implicitly on
a '.' zone. When you add a forward, that zone is implicitly changed. When
you turn it off, that zone (which is the one configured in the file) is
removed.

What I would do instead is configure forwarders as desired from the 
get-go or through unbound-control.

Then for access control I would use
	local-zone: "." deny/refuse
in the configuration file.

And when your forwarders are ready you can remove the local-zone via 
unbound-control to let queries flow into Unbound.

You can also add that local zone via unbound-control if you want to 
block queries while changing something.

Of course, with whatever you configure on the upstream, proper cache
management may need to happen, unless you want your forwarders without
caching any data with 'forward-no-cache: yes'.

Best regards,
-- Yorgos

On 07/10/2024 16:37, Petr Menšík via Unbound-users wrote:
> Hi!
> 
> When working on dnsconfd, we have uncovered a problem with configuration of
> forwarding via unbound-control. If we try to use unbound-control
> explicitly, there does not seem to be a way to tell unbound to not use
> root hints.
> 
> I can configure forwarding when starting unbound via configuration file 
> and use forward-first: no. The problem is I cannot do the same, if 
> unbound should be started before we know exact forwarders to use. For 
> example I want to serve localhost and built-in authoritative zones, but 
> until I know forwarder address and possible TLS status of it, I cannot 
> configure forwarder at startup.
> 
> I have found there is a trick to make queries to outer hosts fail, until 
> forwarders are configured.
> 
> forward-zone:
>      name: "."
>      forward-first: no
> 
> Problem is, after I use "unbound-control forward 192.0.2.53", followed 
> by "unbound-control forward off", root hints are used back again. It 
> does not seem to be possible to return back to original configuration. 
> Not by simple reuse of unbound-control forward, at least. Or is there?
> 
> Is there some other way in latest unbound releases, how to tell unbound 
> to use only forwarders configured or fail always?
> 
> I have tried this on unbound-1.19.0, but I expect that has not changed 
> since then.
> 
> This behavior is needed to use only some trusted protective DNS service,
> which might have some protective query filter (RPZ) applied.
> Therefore iteration from root is not acceptable, as it could circumvent
> such filter. Most likely something with TLS authentication endpoint.
> 
> Regards,
> Petr Menšík
> 
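
The ordering described in the reply above, written as a POSIX shell wrapper (an added example, not part of the original thread and not Unbound project code): the `local-zone: "."` gate stays closed whenever the forwarders are missing or unconfirmed. The `UNBOUND_CONTROL` override and the function names are hypothetical, and matching the address in the output of `unbound-control forward` is an assumption about that output.

```shell
#!/bin/sh
# Added example: fail-closed ordering for runtime forwarder changes.
# Startup config from the reply above (refuse variant), so nothing reaches
# the root hints before the forwarders are known:
#   server:
#       local-zone: "." refuse

# UNBOUND_CONTROL is a hypothetical override, useful for a dry run.
uc() { ${UNBOUND_CONTROL:-unbound-control} "$@"; }

# Close the gate: queries under "." are answered REFUSED.
gate_close() { uc local_zone . refuse; }

# Open the gate: queries flow to the configured forwarders.
gate_open() { uc local_zone_remove .; }

# Install forwarders for "." and open the gate only once they are confirmed.
# Usage: forwarders_set ADDR [ADDR...]
forwarders_set() {
    [ "$#" -ge 1 ] || { echo "usage: forwarders_set ADDR..." >&2; return 2; }
    gate_close || return 1
    uc forward "$@" || return 1
    # Assumption: "forward" without arguments prints the active addresses.
    for addr in "$@"; do
        uc forward | grep -qFw -- "$addr" || {
            echo "forwarder $addr not active, gate left closed" >&2
            return 1
        }
    done
    gate_open
}

# Drop the forwarders. "forward off" hands "." back to the root hints, so
# the gate is closed first and stays closed until forwarders_set succeeds.
forwarders_clear() {
    gate_close || return 1
    uc forward off
}
```

A typical sequence is `forwarders_set 192.0.2.53` once the upstream is known and `forwarders_clear` before it goes away; the cache handling mentioned in the reply still applies after each change.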


