Happy New Year to everyone. Hope you all had fun over the holidays. Sorry for my late response - I spent most of the holidays with family and away from the computer. (I tried to stay away from devices as best I could!)
I’ve been reading and re-reading the responses and trying to understand all of the comments. And I am fairly sure I’ve caused most of the confusion with my poor questions and lack of details. I owe you all an apology for that!

———

First: Here is one response that was not sent to the mailing list:

> On Dec 24, 2023, at 4:46 PM, Jon Murphy <jcmurph...@gmail.com> wrote:
>
> Steven,
> I am using an unbound system setup by someone else. For the outside world,
> it is set-up for DNSSEC (recursive) and DoT. And I am using (really
> experimenting!) with RPZ also. So I am modifying someone else’s work while
> trying to learn unbound.
> Does that help?
>
> Jon

So I am experimenting with an Unbound set-up that already exists and for the most part works very well!

———

Second: And since this is already set-up, the lines below are the current `unbound.conf` created by someone else. This is just for reference.

```
server:
  chroot: ""
  directory: "/etc/unbound"
  username: "nobody"
  do-ip6: no
  include: "/etc/unbound/tuning.conf"
  use-syslog: yes
  log-time-ascii: yes
  statistics-interval: 86400
  extended-statistics: yes
  prefetch: yes
  prefetch-key: yes
  hide-identity: yes
  hide-version: yes
  auto-trust-anchor-file: "/var/lib/unbound/root.key"
  val-log-level: 1
  log-servfail: yes
  harden-large-queries: yes
  harden-referral-path: yes
  tls-cert-bundle: /etc/ssl/certs/ca-bundle.crt
  unwanted-reply-threshold: 1000000
  interface-automatic: yes
  interface: 0.0.0.0
  access-control: 0.0.0.0/0 allow
  infra-keep-probing: yes
  root-hints: "/etc/unbound/root.hints"
  include: "/etc/unbound/dhcp-leases.conf"
  include: "/etc/unbound/hosts.conf"
  include: "/etc/unbound/forward.conf"

remote-control:
  control-enable: yes
  control-use-cert: no
  control-interface: 127.0.0.1

include: "/etc/unbound/local.d/*.conf"
```

———

Third: And probably the most important items I left off (sorry again!)

I am experimenting with the bridge between ISC-DHCP and unbound. What I see coming out of ISC-DHCP is an IP address and the device hostname. And I am sending it to unbound mostly as-is (except for some error checking).

So ISC-DHCP sends out a dhcp event with:

192.168.60.175 and deb12dell

And I add some text and send this to unbound via `unbound-control local_data`:

deb12dell.localdomain. 60 IN A 192.168.60.175
175.60.168.192.in-addr.arpa. 60 IN PTR deb12dell.localdomain.

A few moments later, ISC-DHCP sends out a 2nd set of IP/Hostnames with:

192.168.65.180 and deb12dell

And I add some text and send this to unbound via `unbound-control local_data`:

deb12dell.localdomain. 60 IN A 192.168.65.180
180.65.168.192.in-addr.arpa. 60 IN PTR deb12dell.localdomain.

Again I am sorry for not including the needed details. I am not looking for guidance on the ISC-DHCP side.

And back to my original post:

> So my question is:
> - should there only be one A Record per device?
> - or maybe only one PTR Record per device?

Does the above help?

Best regards!

Jon

> On Dec 24, 2023, at 7:33 PM, marki via Unbound-users
> <unbound-users@lists.nlnetlabs.nl> wrote:
>
> You don't add devices. DNS does not know what a "device" is. It's like a
> phonebook, it assigns names to numbers and doesn't care if some live in the
> same house or not.
>
> What is the proper way? I explained it. Usually, the proper way is to avoid
> assigning different IP addresses to the same name.
>
> In your specific case, use names like
> Deb12dell-eth0 <-> ip1
> Deb12dell-eth1 <-> ip2
> Make the names unique.
>
> I think DNS may be treated in networking forums. Unbound is an
> implementation of a dns server, besides bind and many others. Once you know
> what you want to do with DNS, only then can you choose what server you want
> to use, and then find out how to configure it. You may be doing this the
> wrong way by trying to configure a server without understanding the protocol.
>
>
> On December 25, 2023 2:05:27 AM GMT+01:00, Jon Murphy <jcmurph...@gmail.com>
> wrote:
> Comments below...
>
> Jon
>
>> On Dec 24, 2023, at 5:44 PM, marki via Unbound-users
>> <unbound-users@lists.nlnetlabs.nl> wrote:
>>
>> IMHO these are not issues concerning unbound but rather understanding of DNS
>> in general. So maybe this is not the right forum.
>
> This is my first time experimenting with DNS (though I have been
> experimenting with RPZ)..
>
> What is the right forum?
>
>
>> To answer your question, what you are suggesting is not normally done.
>
> That is the main thing I want to know! What is normally done!
>
>> But it doesn't necessarily generate errors. You need to know what you are
>> doing / what goal you want to achieve.
>
> I am trying to add devices (clients) to unbound DNS. Most have one network
> interface and a few have two interfaces.
>
>>
>> If you are declaring two identical A records pointing to different IP
>> addresses, then the resolved IP will randomly be chosen between all entries.
>> It can be used as a load-balancer for the poor.
>
> That makes sense! I had not heard this before (and I had not considered it).
> This helps - Thank you!
>
>>
>> Usually you have one IP (and one name) per interface. It doesn't matter what
>> "device" that interface belongs to.
>>
>> Very often people use "service names" to point to some IP and then the name
>> of the actual host the IP is assigned to is used in the reverse lookup.
>>
>> I.e.
>> accounting CNAME acc01prd
>> acc01prd IP 1.2.3.4
>> 1.2.3.4 PTR acc01prd
>>
>
> So when loading up `unbound-control list_local_data` or even writing
> line(s) to "/etc/unbound/dhcp-leases.conf", what is the proper way to add the
> 1st network interface and the 2nd network interface.
>
> These are my current items:
> deb12dell.localdomain. 60 IN A 192.168.60.175
> 175.60.168.192.in-addr.arpa. 60 IN PTR deb12dell.localdomain.
>
> deb12dell.localdomain. 60 IN A 192.168.65.180
> 180.65.168.192.in-addr.arpa. 60 IN PTR deb12dell.localdomain.
>
> What would be the proper way?
>
> Can CNAMES be added to a "/etc/unbound/dhcp-leases.conf" file?
>
>
>> So you don't use the cryptic hostname to access the service, but if you do a
>> reverse lookup you find out where the IP is hosted.
>>
>> But it all depends on what you want to accomplish.
>
> Thank you! The above does help!
>
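The "DHCP event to `unbound-control local_data`" step that the thread is about, written out as an added example (this is not code from the thread, from Unbound or from ISC-DHCP). It assumes the `localdomain` zone suffix and 60-second TTL from Jon's records, and the per-interface naming convention from marki's reply (`hostname-eth0`, `hostname-eth1`), so that one name never maps to two addresses. The function names and the `eth0`/`eth1` labels are made up for the example; a DHCP event does not carry the client's interface name, so in practice that label has to come from somewhere else.

```python
"""Build unbound local_data A/PTR records from DHCP (hostname, ip) events.

Added example; not code from the thread, from Unbound or from ISC-DHCP.
Assumes the "localdomain" suffix and 60 s TTL used in the thread and the
per-interface naming convention (hostname-<ifname>) suggested in it.
"""
import ipaddress
import re
from collections import defaultdict

ZONE = "localdomain"   # assumption: suffix used in the thread's records
TTL = 60               # assumption: TTL used in the thread's records

# A DHCP client picks its own hostname, so treat it as untrusted input and only
# let a plain letters-digits-hyphen label (RFC 1123 style) reach unbound-control.
_LABEL_RE = re.compile(r"^[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?$")


def make_records(hostname, ip, iface=None):
    """Return the (A-or-AAAA, PTR) local_data strings for one lease.

    Raises ValueError on a malformed hostname, interface label or IP so the
    caller can log and drop the event instead of handing it to unbound-control.
    """
    if not _LABEL_RE.match(hostname):
        raise ValueError(f"refusing DHCP hostname {hostname!r}")
    if iface is not None and not _LABEL_RE.match(iface):
        raise ValueError(f"bad interface label {iface!r}")
    addr = ipaddress.ip_address(ip)        # ValueError on a malformed address
    label = hostname.lower() if iface is None else f"{hostname.lower()}-{iface}"
    fqdn = f"{label}.{ZONE}."
    rtype = "A" if addr.version == 4 else "AAAA"
    forward = f"{fqdn} {TTL} IN {rtype} {addr}"
    # reverse_pointer yields e.g. "175.60.168.192.in-addr.arpa" with no trailing
    # dot; the owner name handed to unbound is made absolute here.
    reverse = f"{addr.reverse_pointer}. {TTL} IN PTR {fqdn}"
    return forward, reverse


def shared_names(events):
    """Names that map to more than one address across (hostname, ip) events.

    These are the duplicate A records discussed in the thread: unbound answers
    them round-robin, which a per-device record is usually not meant to do.
    """
    by_name = defaultdict(set)
    for hostname, ip in events:
        by_name[hostname.lower()].add(str(ipaddress.ip_address(ip)))
    return {name: sorted(ips) for name, ips in by_name.items() if len(ips) > 1}


def control_argv(records):
    """One unbound-control argv list per record. Pass each to subprocess.run
    as a list (no shell) so the record text is never re-parsed by a shell."""
    return [["unbound-control", "local_data", rec] for rec in records]


if __name__ == "__main__":
    # Constructed events, taken from the two DHCP notifications in the thread.
    events = [("deb12dell", "192.168.60.175"), ("deb12dell", "192.168.65.180")]
    dupes = shared_names(events)
    for name, ips in dupes.items():
        print(f"# {name} maps to {len(ips)} addresses {ips}; naming per interface")
    for idx, (host, ip) in enumerate(events):
        # eth0/eth1 is an assumed label here; a DHCP event does not carry it.
        iface = f"eth{idx}" if host.lower() in dupes else None
        for rec in make_records(host, ip, iface):
            print(" ".join(control_argv([rec])[0]))
```

With the two events from the thread this prints the duplicate-name warning and then the four `unbound-control local_data` commands with `deb12dell-eth0.localdomain.` and `deb12dell-eth1.localdomain.` as the owner names; the PTR records then also answer with the interface-specific name. When a lease is renewed with a different address, the old record needs clearing first (`unbound-control local_data_remove <name>`), otherwise the same round-robin situation the thread describes returns.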