I meant quad9 below, not cloud9. Apologies.

Gerben Wierda (LinkedIn <https://www.linkedin.com/in/gerbenwierda>)
R&A IT Strategy <https://ea.rna.nl/> (main site)
Book: Chess and the Art of Enterprise Architecture <https://ea.rna.nl/the-book/>
Book: Mastering ArchiMate <https://ea.rna.nl/the-book-edition-iii/>
> On 5 Mar 2022, at 13:27, Gerben Wierda via Unbound-users <unbound-users@lists.nlnetlabs.nl> wrote:
>
> No, this is about certain DNS servers not accepting queries from public resolvers, such as DNS servers that are used to disseminate information about bad actors. DNS blacklists and all that.
>
> My standard LAN resolver (unbound) forwards to cloud9 (9.9.9.9) so I am protected by their filtering of bad domains. But requests from rspamd and postfix cannot use that setup. rspamd does not accept requests from a public DNS such as 9.9.9.9. And neither does zen.spamhaus.org that provides a DNSBL that can be used in the postfix setup.
>
> main.cf: postscreen_dnsbl_sites = zen.spamhaus.org=127.0.0.[2..11]
>
> rspamd has a setting to direct it to a different DNS. To make use of that but still offer the 9.9.9.9 protection to all clients in my LAN, I had to set up a second unbound running on a different port (1053) on localhost. That way, I can tell rspamd
>
> options.inc: nameserver = "127.0.0.1:1053";
>
> And rspamd is now not indirectly using 9.9.9.9 while the rest is. But postfix doesn't have such a setting. So, zen.spamhaus.org doesn't work. I was able to use
>
> forward-zone:
>     name: "spamhaus.org"
>     forward-addr: 127.0.0.1@1053 # do not resolve spamhaus via public DNS resolvers
>
> Because I already had that second non-forwarding unbound running on port 1053 for rspamd.
>
> I also am running NSD for the local private addresses, but that doesn't end up here, other than that NSD wants to run on the same port as unbound (53) so my NSD runs on port 54 and unbound has:
>
> # The authoritative NSD for rna.nl/192.168.2.x is on this machine (127.0.0.1@54)
> stub-zone:
>     name: "rna.nl"
>     stub-addr: 127.0.0.1@54
> stub-zone:
>     name: "2.168.192.in-addr.arpa"
>     stub-addr: 127.0.0.1@54
>
> Basically, that gives me the split-DNS, where external resolving of rna.nl and internal resolving of anything on rna.nl work, some more hosts internally than externally of course.
>
> My question about local addresses was directed at another possible scenario: make sure that requests to unbound from one set of addresses do forwarding and another (the server itself) does not. But the solution I now have is better. For instance, domains not resolved by 9.9.9.9 because they are bad actors also do not resolve in postfix and get dropped because they do not have a decent DNS/reverse set up, even if they have.
>
> Gerben Wierda
>
>> On 5 Mar 2022, at 07:17, Steven Wills <ste...@swills.me> wrote:
>>
>> I re-read your emails and you mention "local" IP addresses. Maybe a stub-zone is what you're after? But I don't think that is the case since a stub zone is meant to point to an authoritative server. Maybe someone with a better idea of what you're asking can weigh in.
>>
>> I use a stub-zone to point to my NSD server.
>>
>> stub-zone:
>>     name: "swills.org"
>>     stub-addr: 10.0.10.25
>>
>> https://unbound.docs.nlnetlabs.nl/en/latest/manpages/unbound.conf.html?highlight=stub%20zone#stub-zone-options
>>
>> Thanks again,
>> Steven
>>
>> ------- Original Message -------
>> On Friday, March 4th, 2022 at 20:14, Gerben Wierda <gerben.wie...@rna.nl> wrote:
>>
>>> Yes, that is what I thought a while back, so I decided at the time to test with this:
>>>
>>> forward-zone:
>>>     name: "apple.com."
>>>     forward-addr: 8.8.8.8@53 # testing if I can forward based on fqdn
>>>
>>> forward-zone:
>>>     name: "."
>>>     # If the forwarding fails, do your own recursion
>>>     forward-first: yes
>>>     # Quad9 phishing/malware site blocking DNS 9.9.9.9
>>>     forward-addr: 9.9.9.9
>>>
>>> to see if that worked, but all the requests kept being forwarded to 9.9.9.9 at the time. I gave up at the time (for another reason) but now I need it again.
>>>
>>> Gerben Wierda
>>>
>>>> On 5 Mar 2022, at 03:03, Steven Wills <ste...@swills.me> wrote:
>>>>
>>>> Hello,
>>>>
>>>> I think what you want is a Forward Zone.
>>>>
>>>> https://docs.netgate.com/tnsr/en/latest/dns/fwd-zone.html
>>>>
>>>> Thank you,
>>>> Steven
>>>>
>>>> -------- Original Message --------
>>>> On Mar 4, 2022, 19:36, Gerben Wierda via Unbound-users <unbound-users@lists.nlnetlabs.nl> wrote:
>>>>
>>>> I am using unbound and it is configured to use cloud9 as a forwarder.
>>>>
>>>> But spamhaus.org DNSBL will not answer requests for IP addresses from public DNS, such as cloud9.
>>>>
>>>> So, what I would like to do is configure unbound in such a way that it always goes to cloud9, except when the query is about spamhaus.org. Can I do that?
>>>>
>>>> If that is not possible, I would like to configure unbound so that it forwards everything to cloud9, unless it comes from a specific set of local IP addresses. Is that possible?
>>>>
>>>> Thanks,
>>>>
>>>> Gerben Wierda
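As an added example (not code from the thread, from unbound or from the author), a small Python audit that parses the forward-zone and stub-zone blocks of an unbound.conf and reports whether a given lookup, such as a zen.spamhaus.org DNSBL query, would be handed to a globally routable forwarder, which is the failure mode discussed above. SAMPLE_CONF is a constructed config modelled on the setup described in the thread, and the longest-suffix zone selection mirrors unbound's most-specific-zone rule.

```python
import ipaddress
import re
SAMPLE_CONF = """\
# Constructed sample modelled on the thread's setup; not the author's actual file.
forward-zone:
    name: "."
    forward-first: yes
    forward-addr: 9.9.9.9          # Quad9 for everything by default
forward-zone:
    name: "spamhaus.org"
    forward-addr: 127.0.0.1@1053   # second, non-forwarding unbound on :1053
stub-zone:
    name: "rna.nl"
    stub-addr: 127.0.0.1@54        # local authoritative NSD on :54
"""

def parse_zones(text):
    """Return (kind, zone name, [addresses without @port]) per forward-/stub-zone."""
    zones, kind, name, addrs = [], None, None, []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()          # drop comments and blanks
        if not line:
            continue
        if re.fullmatch(r"[a-z-]+:", line):           # start of a top-level block
            if kind in ("forward-zone", "stub-zone"):
                zones.append((kind, name, addrs))
            kind, name, addrs = line[:-1], None, []
            continue
        key, _, value = line.partition(":")           # first colon only (IPv6-safe)
        value = value.strip().strip('"')
        if key == "name":
            name = value.rstrip(".") or "."           # "apple.com." -> "apple.com"
        elif key in ("forward-addr", "stub-addr"):
            addrs.append(value.split("@", 1)[0])      # 127.0.0.1@1053 -> 127.0.0.1
    if kind in ("forward-zone", "stub-zone"):
        zones.append((kind, name, addrs))
    return zones

def zone_for(qname, zones):
    """Unbound uses the most specific configured zone that encloses qname."""
    hits = [z for z in zones
            if z[1] == "." or qname == z[1] or qname.endswith("." + z[1])]
    return max(hits, key=lambda z: len(z[1]), default=None)

def leaks_to_public(qname, conf):
    """True if qname's lookup is sent to a globally routable resolver (a DNSBL refuses those)."""
    z = zone_for(qname, parse_zones(conf))
    # No matching zone: unbound recurses itself from the root hints, so nothing is forwarded.
    return z is not None and any(ipaddress.ip_address(a).is_global for a in z[2])
```

Run it against your own unbound.conf with the DNSBL names you use in postscreen_dnsbl_sites; a True result for one of them means that lookup will reach the DNSBL via a public resolver.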