(Resending to list) Yes, I thought of and tried that too, with a similar lack of success. But as I could see from the tcpdump (see reply to Raimo's mail), NSD responds, so it's probably an Unbound issue. The forward-zone directive can be used, but it expects the forward-addr to be able to provide recursion, so it should not be used in my case (although it should work, since recursion is not needed).
2016-10-11 8:51 GMT+02:00 mxb <[email protected]>:
>
> Try to use forward-zone instead of stub-zone in unbound.conf
>
> forward-zone:
>     name: "abc.com"
>     forward-addr: 127.0.0.1
>
>
>> On 10 Oct 2016, at 23:42, Johan Mellberg <[email protected]> wrote:
>>
>> Hi all,
>>
>> I am setting up a fresh OpenBSD 6.0 server in a KVM VM to serve my home network with DNS. I have a custom zone (only for LAN use) set up and previously used BIND successfully (but that VM crashed and its disk was hosed...) both as authoritative and caching/resolving.
>>
>> So now I am trying to learn to set up NSD to be authoritative for my small zone and Unbound to serve the LAN with all other queries. But there is a problem:
>>
>> 1. Unbound successfully responds to queries and provides lookup to the LAN machines for "the internet".
>> 2. NSD successfully responds to queries for the custom zone.
>> 3. But I cannot get Unbound to get a reply from NSD...
>>
>> I have tried multiple combinations of ports and interface bindings and I suspect that I am missing something simple here. Currently I have set NSD to listen on 127.0.0.1 and Unbound listens on 192.168.x.91 - so there should not be a conflict. In fact it works fine if I use dig @localhost <LANhostname> and dig @192.168.x.91 <internethostname> respectively, but the second version only provides an answer-less response if asked for a LAN hostname.
>>
>> Unbound is set to ask localhost for the stub zones, forward and reverse.
>>
>> And, yes, I could of course use Unbound to serve my local zone and drop NSD - but that would be giving up... It's supposed to work from all I read! :-)
>>
>> I have also tried having NSD listen on 127.0.0.1@5353, and telling unbound to use that as the stub-address, while then having Unbound listen on 127.0.0.1 as well as 192.168.x.91 to be able to set 127.0.0.1 as the nameserver in /etc/resolv.conf. Same result, except I can't test NSD with dig as it can't use an alternative port.
>>
>> A possibly related question: I can't seem to be able to use shortnames. The domain part should be picked up from the host name as given in /etc/myname, but that does not seem to work as I expect; I always have to provide the FQDN. Again something I have missed perhaps?
>>
>> Anyway, I am staring blindly at the config files now and really need help figuring it out. I have removed all that is commented, otherwise it's the default except for changes of course.
>>
>> Thanks for any clue bats coming my way...
>> /Johan
>>
>> * resolv.conf
>> lookup file bind
>> nameserver 192.168.x.91
>>
>> # cat /etc/myname
>> dns03.my.domain
>>
>> # cat /etc/hosts
>> 127.0.0.1 localhost
>> ::1 localhost
>> 192.168.x.91 dns03.my.domain dns03
>>
>> # cat /var/unbound/etc/unbound.conf
>> # $OpenBSD: unbound.conf,v 1.7 2016/03/30 01:41:25 sthen Exp $
>>
>> server:
>>     interface: 192.168.x.91
>>     interface: ::1
>>     do-not-query-localhost: no
>>
>>     access-control: 192.168.x.64/24 allow
>>     access-control: 127.0.0.0/8 allow
>>     access-control: 0.0.0.0/0 refuse
>>     access-control: ::0/0 refuse
>>     access-control: ::1 allow
>>
>>     hide-identity: yes
>>     hide-version: yes
>>
>>     # Uncomment to enable DNSSEC validation.
>>     #
>>     auto-trust-anchor-file: "/var/unbound/db/root.key"
>>
>>     root-hints: /var/unbound/etc/root.hints
>>
>> remote-control:
>>     control-enable: yes
>>     control-use-cert: no
>>     control-interface: /var/run/unbound.sock
>>
>> stub-zone:
>>     name: "my.domain"
>>     stub-addr: 127.0.0.1
>> stub-zone:
>>     name: "x.168.192.in-addr.arpa"
>>     stub-addr: 127.0.0.1
>>
>> # cat /var/nsd/etc/nsd.conf
>> # $OpenBSD: nsd.conf,v 1.11 2015/04/12 11:49:39 sthen Exp $
>>
>> server:
>>     hide-version: yes
>>     verbosity: 1
>>     database: "" # disable database
>>
>>     ## bind to a specific address/port
>>     ip-address: 127.0.0.1
>>
>> remote-control:
>>     control-enable: yes
>>
>> zone:
>>     name: "my.domain"
>>     zonefile: "master/my.domain"
>> zone:
>>     name: "x.168.192.in-addr.arpa"
>>     zonefile: "master/192.168.x.rev"
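As an added troubleshooting check (not part of the thread and not anyone's posted code), the script below sends a SOA query to any address and port and reports the DNS header flags: an authoritative server such as NSD answers with AA set, while the "answer-less" reply from a recursor carries QR/RD/RA with an empty answer section, which tells the two paths apart. The server, port, zone name and the two embedded sample responses are constructed assumptions.

```python
import socket
import struct

# Constructed sample responses (not captured from the thread's hosts): an
# authoritative reply with one SOA record, and a recursor's empty reply.
SAMPLE_NSD_REPLY = bytes.fromhex("123484000001000100000000")
SAMPLE_EMPTY_RECURSOR_REPLY = bytes.fromhex("123481800001000000000000")

def build_query(qname, qtype=6, qid=0x1234, rd=True):
    """Minimal wire-format query; qtype 6 = SOA. rd=True asks a recursor
    to recurse; an authoritative server simply ignores the bit."""
    flags = 0x0100 if rd else 0x0000
    header = struct.pack("!HHHHHH", qid, flags, 1, 0, 0, 0)
    labels = b"".join(bytes([len(p)]) + p.encode("ascii")
                      for p in qname.rstrip(".").split("."))
    return header + labels + b"\x00" + struct.pack("!HH", qtype, 1)

def parse_header(resp):
    """Decode the 12-byte header: who answered, how, and how many RRs."""
    qid, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", resp[:12])
    return {"id": qid, "qr": bool(flags & 0x8000), "aa": bool(flags & 0x0400),
            "tc": bool(flags & 0x0200), "rd": bool(flags & 0x0100),
            "ra": bool(flags & 0x0080), "rcode": flags & 0x000F,
            "answers": an, "authority": ns, "additional": ar}

def classify(hdr):
    """One-line diagnosis from the header fields."""
    if hdr["rcode"] != 0:
        return "error: rcode %d" % hdr["rcode"]
    if hdr["aa"]:
        return "authoritative answer" if hdr["answers"] else "authoritative NODATA"
    if hdr["answers"]:
        return "non-authoritative answer (served by the recursor)"
    return "empty non-authoritative response (recursor returned no data)"

def query(server, port, qname, qtype=6, timeout=2.0):
    """Send one UDP query to server:port and return the parsed header."""
    q = build_query(qname, qtype)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(q, (server, port))
        data, _ = s.recvfrom(4096)
    if data[:2] != q[:2]:
        raise ValueError("response ID does not match query ID")
    return parse_header(data)

if __name__ == "__main__":
    import sys  # usage: script.py 127.0.0.1 5353 my.domain
    hdr = query(sys.argv[1], int(sys.argv[2]), sys.argv[3])
    print(hdr, "->", classify(hdr))
```

Run it once against the NSD listener and once against the Unbound listener for the same zone name; if NSD reports an authoritative answer while Unbound reports an empty response, the problem is on Unbound's stub path rather than in NSD.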