Hi Laura,

Hey, that's quite the advanced config, it's too advanced for me. Though I'd do this setup a bit different. I program a program called delphinusdnsd and it can do forwarding but is otherwise authoritative. I would put it on port 53 with a zone for bar.corp and a forwarder to unbound at another port at localhost.
It's quite possibly the wrong way to do things but it is simple and basic...

I'm sure you _must_ use unbound, and I looked into the config manpage for you but didn't see anything other than that perhaps you could use "transparent" in the local-zone, dunno. I'd only be guessing.

Good luck!

-peter

On Sun, Feb 06, 2022 at 12:29:39PM +0000, Laura Smith wrote:
> I have a local OpenBSD setup with NSD and Unbound.
>
> I'm seeing a weird problem where I am getting an NXDOMAIN (per below) on my
> internal "bar.corp" domain.
>
> My unbound config is as follows. If I do the same dig query directly against
> the stub resolvers, it works with no issue.
>
> server:
>     interface: 127.0.0.1
>     # extra interface: entries removed for list post
>     #
>     do-ip6: yes
>     #
>     access-control: 0.0.0.0/0 refuse
>     access-control: ::0/0 refuse
>     access-control: 127.0.0.0/8 allow
>     access-control: ::1 allow
>     access-control: 10.0.0.0/8 allow
>     #
>     hide-identity: yes
>     hide-version: yes
>     hide-version: yes
>     auto-trust-anchor-file: "/var/unbound/db/root.key"
>     prefetch: yes
>     prefetch-key: yes
>     rrset-roundrobin: yes
>     minimal-responses: yes
>     root-hints: "/var/unbound/db/named.root"
>     domain-insecure: "bar.corp"
>     local-zone: "bar.corp" nodefault
>     local-zone: "use-application-dns.net" always_nxdomain
> remote-control:
>     control-enable: yes
>     control-use-cert: no
>     control-interface: /var/run/unbound.sock
> stub-zone:
>     name: "bar.corp"
>     stub-addr: 10.0.0.50
>     stub-addr: 10.0.1.50
>
>
> ; <<>> DiG 9.16.22-Debian <<>> foo.bar.corp
> ;; global options: +cmd
> ;; Got answer:
> ;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 46113
> ;; flags: qr rd ra ad; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 1
>
> ;; OPT PSEUDOSECTION:
> ; EDNS: version: 0, flags:; udp: 1232
> ;; QUESTION SECTION:
> ;foo.bar.corp. IN A
>
> ;; AUTHORITY SECTION:
> . 3501 IN SOA a.root-servers.net. nstld.verisign-grs.com. 2022020600 1800 900 604800 86400
>
> ;; Query time: 4 msec
> ;; SERVER: <MY_UNBOUND_RESOLVER_IP>
> ;; WHEN: Sun Feb 06 12:21:04 GMT 2022
> ;; MSG SIZE rcvd: 122
>
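An added example, not part of either message: a small Python parser for the dig output quoted above that reports which zone issued the NXDOMAIN, using the fact that the SOA owner in the authority section names the zone the negative answer came from. The function names and the embedded sample text are constructed for illustration.

```python
import re

# Constructed sample: lines from the dig output quoted above, mail quoting removed.
SAMPLE = """\
;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 46113
;; flags: qr rd ra ad; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 1
;; QUESTION SECTION:
;foo.bar.corp. IN A
;; AUTHORITY SECTION:
. 3501 IN SOA a.root-servers.net. nstld.verisign-grs.com. 2022020600 1800 900 604800 86400
"""

def parse_dig(text):
    """Pull status, header flags, question name and authority SOA owner from dig text."""
    res = {"status": None, "flags": set(), "qname": None, "soa_owner": None}
    section = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if "->>HEADER<<-" in line:
            m = re.search(r"status: (\w+)", line)
            res["status"] = m.group(1) if m else None
        elif line.startswith(";; flags:"):
            res["flags"] = set(line[len(";; flags:"):].split(";")[0].split())
        elif (m := re.match(r";; (\w+) SECTION:", line)):
            section = m.group(1)
        elif section == "QUESTION" and line.startswith(";") and not line.startswith(";;"):
            res["qname"] = line[1:].split()[0]
        elif section == "AUTHORITY" and not line.startswith(";"):
            fields = line.split()
            if "SOA" in fields[1:]:
                res["soa_owner"] = fields[0]
    return res

def in_zone(name, zone):
    """True if name is at or below zone (case-insensitive, trailing dot ignored)."""
    name, zone = name.lower().rstrip("."), zone.lower().rstrip(".")
    return zone == "" or name == zone or name.endswith("." + zone)

def denial_source(text, stub_zone):
    """Say whether an NXDOMAIN was issued by the stub zone or by a zone outside it."""
    r = parse_dig(text)
    if r["status"] != "NXDOMAIN" or r["soa_owner"] is None:
        return ("no-soa-denial", None, False)
    where = "stub-zone" if in_zone(r["soa_owner"], stub_zone) else "outside-stub-zone"
    # The "ad" header flag means the resolver validated the denial with DNSSEC.
    return (where, r["soa_owner"], "ad" in r["flags"])

if __name__ == "__main__":
    print(denial_source(SAMPLE, "bar.corp"))
```

For the quoted output this reports a validated denial whose SOA owner is the root zone, so the negative answer did not come from the bar.corp stub servers.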

