Config file

ns0# cat /var/unbound/etc/unbound.conf
# $OpenBSD: unbound.conf,v 1.7 2016/03/30 01:41:25 sthen Exp $

server:
	interface: 127.0.0.1
	#interface: ::1
	do-ip6: no

	access-control: 0.0.0.0/0 refuse
	access-control: 127.0.0.0/8 allow
	access-control: 192.168.0.0/16 allow
	access-control: ::0/0 refuse
	access-control: ::1 allow

	hide-identity: yes
	hide-version: yes

remote-control:
	control-enable: yes
	control-use-cert: no
	control-interface: /var/run/unbound.sock

# Use an upstream forwarder (recursive resolver) for specific zones.
#
forward-zone:
	name: "testing."
	forward-addr: 127.0.0.1@5353	# to nsd daemon

forward-zone:
	name: "."			# use for ALL queries
	forward-addr: 1.1.1.1
	forward-addr: 74.82.42.42
	forward-addr: 2001:470:20::2
	forward-addr: 208.67.222.222
	forward-first: yes

--
Sincerely flipchan

On July 28, 2019 6:21:49 PM GMT+03:00, Flipchan <flipc...@riseup.net> wrote:
>Thanks for the configs!
>
>https://jonwillia.ms/2018/09/23/anycast-dns-openbsd
>(github.com/bongozone/kibble)
>
>I have got it to work as only either only working with my internal zone
>records or working with everything else.
>
>Unbound ignores when I put a forward-zone: name: ".testing" when I have
>another forward-zone: name: "."
>
>Does anyone know how this could be done? I have nsd running the zone
>records for .testing and it works when I only have the .testing
>forward-zone in the unbound.conf. Does anyone know what I'm doing wrong?
>
>
>
>On July 27, 2019 1:35:55 AM GMT+03:00, Vijay Sankar
><vsan...@foretell.ca> wrote:
>>
>>Quoting Stuart Henderson <s...@spacehopper.org>:
>>
>>> No - you wouldn't do it with Unbound which is a *recursive* DNS
>>> server, you would use an authoritative one like NSD, PowerDNS, Knot
>>> or BIND. All you would do with Unbound is use stub-zone to point it
>>> at an authoritative server.
>>>
>>> --
>>> Sent from a phone, apologies for poor formatting.
>>>
>>> On 26 July 2019 11:05:44 Flipchan <flipc...@riseup.net> wrote:
>>>> Can you link to any guides or practical howtos on how to practically
>>>> do that with unbound?
>>>>
>>>> Thanks
>>>>
>>>>
>>>> On July 25, 2019 9:32:29 PM GMT+03:00, Stuart Henderson
>>>> <s...@spacehopper.org> wrote:
>>>> On 2019-07-25, Flipchan <flipc...@riseup.net> wrote:
>>>>
>>>> Greetings everyone,
>>>>
>>>> Does anyone have a good solution for syncing unbound configuration
>>>> files?
>>>>
>>>>
>>>> I have the scenario where I have two internal LANs in two
>>>> different offices that need to have the same internal
>>>> dns system for the local systems, and there are a lot of changes
>>>> being done in the internal zone records so I need
>>>> a good way to sync them (the ideal way would be to have a similar
>>>> solution to mysql's master-master replication).
>>>>
>>>> Both dns resolvers are running unbound on openbsd 6.5 and right now
>>>> the configuration file is synced with ansible.
>>>> Does anyone have a good solution on replicating dns records/configs
>>>> for unbound? In the future it will be scaled
>>>> even more so right now is a good time to implement some replication
>>>> for the unbound configs.
>>>>
>>>> Does anyone have a solution for this?
>>>>
>>>> There are people changing the config files on both instances so the
>>>> ideal way would be a replication real time sync function.
>>>>
>>>> Anyone got any ideas?
>>>>
>>>>
>>>> Thanks in advance
>>>> Ciao
>>>> flipchan
>>>>
>>>>
>>>> If multiple sites are updating records in the same internal zone at
>>>> various times, they would probably be better off with a normal
>>>> authoritative DNS server serving that zone (with e.g. stub-zone to
>>>> point unbound at it), editing it in one place, and using normal DNS
>>>> replication (zone-transfer and notify) to push the updates.
>>>>
>>>>
>>>> --
>>>> Sent from my Android device with K-9 Mail. Please excuse my brevity.
>>
>>I have two locations (foretell.ca and lab.foretell.ca) and for quite a
>>while used NSD and Unbound. But switched to the following approach
>>(however my use case is very simple and my networks are small, but it
>>works well for me).
>>
>>My unbound.conf on four DNS servers has
>>
>>include: "/var/unbound/etc/zonedata"
>>
>>I then set up a simple zonedata file on one server with stuff such as:
>>
>>local-zone: "foretell.ca." static
>>.
>>.
>>local-zone: "lab.foretell.ca." static
>>.
>>.
>>local-zone: "0.0.10.in-addr.arpa." static
>>.
>>.
>>local-zone: "3.72.10.in-addr.arpa." static
>>.
>>.
>>etc. etc.
>>
>>Changes to zonedata reflect changes at both locations. Then I just
>>have an rsync process running a few times a day that does the
>>following:
>>
>>fr1s1.foretell.ca# more dnsupdate.sh
>>rsync -av zonedata 10.0.0.1:/var/unbound/etc/
>>rsync -av zonedata 10.0.0.3:/var/unbound/etc/
>>rsync -av zonedata 10.72.3.1:/var/unbound/etc/
>>rsync -av zonedata 10.72.3.3:/var/unbound/etc/
>>ssh 10.0.0.1 /etc/rc.d/unbound restart
>>ssh 10.0.0.3 /etc/rc.d/unbound restart
>>ssh 10.72.3.1 /etc/rc.d/unbound restart
>>ssh 10.72.3.3 /etc/rc.d/unbound restart
>>
>>Obviously I am not sure if this will scale for your requirements but
>>mentioning this just in case it helps.
>>
>>Vijay
>>
>>
>>--
>>ForeTell Technologies Limited
>>59 Flamingo Avenue
>>Winnipeg, MB, Canada
>>R3J 0X6
>
>--
>Sent from my Android device with K-9 Mail. Please excuse my brevity.

--
Sent from my Android device with K-9 Mail. Please excuse my brevity.
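Added example, not part of the thread and not Unbound's own tooling: a small pre-push checker for the `section:` / `key: value` subset of unbound.conf used above. When a config is copied to several resolvers with rsync, as in the thread, it is worth linting it once before the restart loop. The parser below is a deliberate subset (it does not implement the full unbound.conf grammar); `THREAD_CONF` is the config posted at the top, lightly abridged, and `BROKEN_CONF` is a constructed variant carrying the kind of mistake discussed in the thread (a zone written as `.testing` instead of `testing.`), plus two settings a reviewer would want flagged: a catch-all `allow` that turns the box into an open resolver, and `hide-version` left out. The `check_unbound_conf` name and the finding texts are my own.

```python
import re
from dataclasses import dataclass, field

# Section headers are `name:` alone on a line; entries are `key: value`.
# Key names may contain digits (do-ip6), so the class is [a-z0-9-].
SECTION_RE = re.compile(r"^([a-z0-9-]+):$")
KV_RE = re.compile(r"^([a-z0-9-]+):\s+(.+)$")


@dataclass
class Section:
    name: str
    entries: list = field(default_factory=list)  # (key, value) in file order


def parse_unbound_conf(text):
    """Parse the subset of unbound.conf syntax shown in the thread (assumption:
    no `include:` expansion, no multi-line values)."""
    sections, current = [], None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and indentation
        if not line:
            continue
        m = SECTION_RE.match(line)
        if m:
            current = Section(m.group(1))
            sections.append(current)
            continue
        m = KV_RE.match(line)
        if m is None:
            raise ValueError(f"cannot parse line: {raw!r}")
        if current is None:  # entry before any header: keep in an unnamed section
            current = Section("")
            sections.append(current)
        current.entries.append((m.group(1), m.group(2).strip().strip('"')))
    return sections


def values(section, key):
    return [v for k, v in section.entries if k == key]


def check_unbound_conf(text):
    """Return a list of human-readable findings; an empty list means clean."""
    findings, seen = [], set()
    sections = parse_unbound_conf(text)
    # 1. forward-zone / stub-zone names must be fully qualified and unique.
    for z in (s for s in sections if s.name in ("forward-zone", "stub-zone")):
        names = values(z, "name")
        if len(names) != 1:
            findings.append(f"{z.name} block must have exactly one name")
            continue
        name = names[0]
        if not name.endswith("."):
            findings.append(f"{z.name} {name!r} is not fully qualified; "
                            f"Unbound expects {name.strip('.') + '.'!r}")
        if name in seen:
            findings.append(f"duplicate {z.name} for {name!r}")
        seen.add(name)
    # 2. server: no permissive catch-all ACL, identity and version hidden.
    for srv in (s for s in sections if s.name == "server"):
        for acl in values(srv, "access-control"):
            parts = acl.split()
            if (len(parts) == 2 and parts[0] in ("0.0.0.0/0", "::0/0", "::/0")
                    and parts[1].startswith("allow")):
                findings.append(f"access-control {acl!r} makes this an open resolver")
        for opt in ("hide-identity", "hide-version"):
            if values(srv, opt) != ["yes"]:
                findings.append(f"{opt} is not set to yes")
    # 3. remote-control: TLS may only be dropped for a local unix socket.
    for rc in (s for s in sections if s.name == "remote-control"):
        if values(rc, "control-enable") == ["yes"] and values(rc, "control-use-cert") == ["no"]:
            for iface in values(rc, "control-interface"):
                if not iface.startswith("/"):
                    findings.append(f"control-interface {iface!r} with control-use-cert: no")
    return findings


# Config from the thread, abridged (comments and IPv6 forwarders dropped).
THREAD_CONF = """
server:
	interface: 127.0.0.1
	do-ip6: no
	access-control: 0.0.0.0/0 refuse
	access-control: 127.0.0.0/8 allow
	access-control: 192.168.0.0/16 allow
	access-control: ::0/0 refuse
	access-control: ::1 allow
	hide-identity: yes
	hide-version: yes
remote-control:
	control-enable: yes
	control-use-cert: no
	control-interface: /var/run/unbound.sock
forward-zone:
	name: "testing."
	forward-addr: 127.0.0.1@5353	# to nsd daemon
forward-zone:
	name: "."			# use for ALL queries
	forward-addr: 1.1.1.1
	forward-first: yes
"""

# Constructed variant: zone name written as ".testing", open-resolver ACL,
# hide-version missing, and remote-control exposed on TCP without TLS.
BROKEN_CONF = """
server:
	access-control: 0.0.0.0/0 allow
	hide-identity: yes
remote-control:
	control-enable: yes
	control-use-cert: no
	control-interface: 0.0.0.0
forward-zone:
	name: ".testing"
	forward-addr: 127.0.0.1@5353
forward-zone:
	name: "."
	forward-addr: 1.1.1.1
"""

if __name__ == "__main__":
    for label, conf in (("thread config", THREAD_CONF), ("broken variant", BROKEN_CONF)):
        print(f"{label}:", check_unbound_conf(conf) or "no findings")
```

Run it before the `rsync`/restart loop from the thread and abort the push on a non-empty findings list; `unbound-checkconf` still has the final word on syntax, this only catches the semantic slips that `unbound-checkconf` accepts.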