Hi Rod,

On 11/10/2019 23:35, rod--- via Unbound-users wrote:
>
> Here is my scenario...
>
> I use Untangle as my firewall and typically utilize its DNS server
> static entries for routing DNS on my home LAN to get to servers by
> private IP, and then let my domain's public DNS manage everything from
> the outside world.

Your config entry for the local-zone is wrong. There are several options
for the local-zone you can use. It defaults to 'static', which gives
not found for records not listed in the zone.

    local-zone: "strumbel.com" transparent

That would use the local-data entries, but if there is no local-data
entry, try to look it up upstream. That seems to be what you want.

In the example config and man page there is a longer list of
possibilities for the local-zone depending on what you want (refusal,
logging).

If you decide to use a separate namespace for that set of machines, as
Andreas suggests, a local-zone of type static may be easier, as it
denies other names in that namespace.

Best regards,
Wouter

>
> This past week I decided to set up a home lab where I will want to
> access a different set of machines by the same names as what are
> already registered in Untangle... BUT at different IPs from those
> machines the other users in my LAN would access them from.
> Example:
> Typical config: iis.strumbel.com is at 192.168.1.200
> In my test env: iis.strumbel.com needs to be at 192.168.1.171
>
> Unbound seemed the ideal solution, spun up a CentOS 7 VM, installed
> Unbound and configured my test machines into the local-zone utilizing
> local-data commands, and pointed a forward-addr at my Untangle box.
> Pretty neat, and as long as I am querying for items either in the
> local-data, or items not managed by Untangle, all works fine.
>
> The issue comes when I try to query for an item that is NOT in my
> local-data but IS in the Untangle DNS entries.
> Those come back NOT FOUND.
> Example:
> iis.strumbel.com is managed by Unbound via
> local-data: "iis.strumbel.com. IN A 192.168.1.171" (this works fine)
> webmail.strumbel.com is managed by Untangle (this cannot be found)
> www.crunch.com is not managed by either (this works fine)
>
> Thinking maybe it was an issue with how Untangle handles DNS, spun up
> another CentOS VM and installed BIND in its most basic form, added
> a zone for my domain and entered the same records Untangle was
> managing, and then pointed my Unbound forward-addr to this new BIND box
> instead. Same results. local-data items: OK, items not maintained
> in BIND: OK, items NOT in local-data but in BIND: NOT FOUND.
>
> Tells me I must have screwed up something in my Unbound config:
>
> server:
>     # verbosity number, 0 is least verbose. 1 is default.
>     verbosity: 1
>
>     # answer queries for this interface; 0.0.0.0 says ALL interfaces
>     interface: 0.0.0.0
>
>     # what port are we listening on - needs to be opened up in the firewall
>     port: 53
>
>     # turn on ipv4, turn off ipv6 queries
>     do-ip4: yes
>     do-ip6: no
>
>     # turn on udp and tcp querying - don't forget to open in the firewall
>     do-udp: yes
>     do-tcp: yes
>
>     # what client IPs can access/utilize the results of this dns server
>     access-control: 192.168.1.0/24 allow
>     access-control: 127.0.0.1/32 allow
>
>     # hide hacking information from anyone accessing the server
>     hide-identity: yes
>     hide-version: yes
>
>     # this helps avoid spoofing attempts
>     harden-glue: yes
>     harden-dnssec-stripped: yes
>
>     # upper and lower bounds for TTL
>     cache-min-ttl: 3600
>     cache-max-ttl: 14400
>
>     # prefetch
>     prefetch: yes
>
>     # Optimization parameters
>     num-threads: 4
>     msg-cache-slabs: 8
>     rrset-cache-slabs: 8
>     infra-cache-slabs: 8
>     key-cache-slabs: 8
>     rrset-cache-size: 256m
>     msg-cache-size: 128m
>     so-rcvbuf: 1m
>     unwanted-reply-threshold: 10000
>     val-clean-additional: yes
>
>     # avoid rebinding attacks
>     private-address: 192.168.1.0/24
>
>     # here is what allows us to OVERRIDE DNS settings
>     private-domain: "DNS.OVERRIDES"
>     do-not-query-localhost: no
>
>     # here are our overrides!
>     local-zone: "DNS.OVERRIDES." static
>     # forward OVERRIDE records
>     local-data: "iis.strumbel.com. IN A 192.168.1.171"
>     local-data: "sm.strumbel.com. IN A 192.168.1.171"
>     local-data: "rodsmachine.strumbel.com. IN A 192.168.1.98"
>     # reverse OVERRIDE records
>     local-data-ptr: "192.168.1.171 apps.strumbel.com"
>     local-data-ptr: "192.168.1.98 rodsmachine.strumbel.com"
>
> # and where do we go if records are not overridden above?
> forward-zone:
>     name: "."
>     forward-addr: 192.168.1.238
>     # The below was the setting to talk to Untangle as the DNS forward -
>     # same issue as the above, which is a temporarily set up BIND server
>     # forward-addr: 192.168.1.1
>
> ## END OF CONFIG FILE
>
> Anyone have any ideas?
>
> Rod
