unbound as a proxy of authoritative server
Fred Morris
m3047-unbound-b3u at m3047.net
Sun Sep 21 18:56:20 UTC 2025
I've got a similar situation where I have a "proper" server (BIND 9)
exposed to the Internet with a fleet of telemetry servers under a private
/ non-ICANN TLD behind it. As far as the Internet is concerned, this
server is authoritative for the private domain.
Technically the server needs to recurse to obtain answers, so on the
"happy path" non-recursive queries do not work. (The lack of an "aa" flag
is more of a cosmetic concern.) There are some other issues as well, and
there are ways around most of them.
There's also a lot of FUD around servers dropping queries rather than
answering REFUSED. (Yet the BIND RPZ implementation provides Drop and
NXDOMAIN policies, but not REFUSED.)
There's a lot of trampled ground, but not a lot of clear "pathways of
desire".
Exactly how widespread this kind of usage is is unclear. (Spamhaus and
virus signature services are other examples although the popularity they
enjoy is probably not reflected in most such services.)
On Sun, 21 Sep 2025, François Lafont via Unbound-users wrote:
> [...]
> In this case, if I request the unbound server with
> a _recursive_ request, I have a response from the
> "domain.tld." authoritative servers. OK, but:
>
> * I have no "aa" flag (ie authoritative answer).
> * A no-recursive request doesn't work (REFUSED).
--
Fred Morris, internet plumber
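The three outcomes discussed in this thread (an answer without "aa" from a recursing front end, REFUSED for a non-recursive query, and a genuinely authoritative answer) are all visible in the DNS header flags alone. The following Python is an added example, not code from either poster or from Unbound; it builds minimal queries and responses in memory (no network, sample messages are constructed here) and classifies a response from its QR, AA, RD, RA bits and RCODE, which is the check a monitoring script would run against such a proxy. The name `host.domain.tld` and the query ID are placeholders.

```python
import struct
from enum import IntEnum

# Constructed placeholder QNAME "host.domain.tld." in wire format (labels + root).
QNAME = b"\x04host\x06domain\x03tld\x00"

class Rcode(IntEnum):
    NOERROR = 0
    NXDOMAIN = 3
    REFUSED = 5

# Header flag bits (RFC 1035 section 4.1.1), 16-bit flags word.
QR, AA, TC, RD, RA = 0x8000, 0x0400, 0x0200, 0x0100, 0x0080

def build_query(qid: int, name: bytes, recursion_desired: bool) -> bytes:
    """Build an A/IN query; RD set or clear depending on recursion_desired."""
    flags = RD if recursion_desired else 0
    header = struct.pack("!HHHHHH", qid, flags, 1, 0, 0, 0)  # QDCOUNT=1
    return header + name + struct.pack("!HH", 1, 1)           # QTYPE=A, QCLASS=IN

def build_response(query: bytes, aa: bool, ra: bool, rcode: int) -> bytes:
    """Constructed response: echoes ID and RD from the query, sets QR/AA/RA/RCODE.
    No answer records are included; only the header matters for classification."""
    qid, qflags = struct.unpack("!HH", query[:4])
    flags = QR | (qflags & RD) | (rcode & 0x000F)
    if aa:
        flags |= AA
    if ra:
        flags |= RA
    return struct.pack("!HHHHHH", qid, flags, 1, 0, 0, 0) + query[12:]

def parse_header(msg: bytes) -> dict:
    """Decode the 12-byte DNS header into named fields."""
    qid, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", msg[:12])
    return {
        "id": qid,
        "qr": bool(flags & QR),
        "aa": bool(flags & AA),
        "tc": bool(flags & TC),
        "rd": bool(flags & RD),
        "ra": bool(flags & RA),
        "rcode": flags & 0x000F,
        "qdcount": qd, "ancount": an, "nscount": ns, "arcount": ar,
    }

def classify(response: bytes) -> str:
    """Label a response the way the thread describes the observed behaviours."""
    h = parse_header(response)
    if not h["qr"]:
        return "not-a-response"
    if h["rcode"] == Rcode.REFUSED:
        return "refused"
    if h["aa"]:
        return "authoritative"
    if h["ra"]:
        return "recursive-proxy"   # answered, but no "aa": a recursing front end
    return "non-authoritative"

def demo() -> dict:
    """Reproduce the three cases from the thread with constructed messages."""
    rd_query = build_query(0x1234, QNAME, recursion_desired=True)
    nrd_query = build_query(0x1235, QNAME, recursion_desired=False)
    return {
        "recursive query to proxy":     classify(build_response(rd_query, aa=False, ra=True, rcode=Rcode.NOERROR)),
        "non-recursive query to proxy": classify(build_response(nrd_query, aa=False, ra=True, rcode=Rcode.REFUSED)),
        "query to real authoritative":  classify(build_response(nrd_query, aa=True, ra=False, rcode=Rcode.NOERROR)),
    }

if __name__ == "__main__":
    for case, result in demo().items():
        print(f"{case}: {result}")
```

Pointing `classify()` at real responses (for example, bytes read from a UDP socket after sending `build_query(...)`) turns this into a probe that reports whether a front end is answering authoritatively, proxying, or refusing; the "aa" absence the thread calls cosmetic is exactly what separates "authoritative" from "recursive-proxy" here.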