Hello Carsten, Chris and you nailed the problem. I had unbound forwarding set up. As soon as I turned that off, I got the following results (see below) - same as yours. I've attached my unbound.conf - it is based on the calomel.org unbound.conf but with modifications and improvements. :-) It probably could use further improvement. To be clear, I'm only using unbound for internal purposes - it does not serve the internet. As I understand it, unbound becomes "authoritative" (only for your own network) when you define the machines on your local network within unbound as it will then return the private addresses of your local machines. Thank you for your help! Patrick |
{\rtf1\ansi\ansicpg1252\cocoartf1187\cocoasubrtf400
{\fonttbl\f0\fswiss\fcharset0 Helvetica;}
{\colortbl;\red255\green255\blue255;}
\margl1440\margr1440\vieww10800\viewh8400\viewkind0
\pard\tx720\tx1440\tx2160\tx2880\tx3600\tx4320\tx5040\tx5760\tx6480\tx7200\tx7920\tx8640\pardirnatural\f0\fs24 \cf0 ## Authoritative, validating, recursive caching DNS\ ## unbound.conf -- Based on unbound.conf provided by https://calomel.org - last modified 20140727\ #\ server:\ # log verbosity\ verbosity: 1\ \ # specify the interfaces to answer queries from by ip-address. The default\ # is to listen to localhost (127.0.0.1 and ::1). specify 0.0.0.0 and ::0 to\ # bind to all available interfaces. specify every interface[@port] on a new\ # 'interface:' labeled line. The listen interfaces are not changed on\ # reload, only on restart.\ interface: 127.0.0.1\ \ # port to answer queries from\ port: 53\ \ # Enable IPv4, "yes" or "no".\ do-ip4: yes\ \ # Enable IPv6, "yes" or "no".\ do-ip6: no\ \ # Enable UDP, "yes" or "no".\ do-udp: yes\ \ # Enable TCP, "yes" or "no". If TCP is not needed, Unbound is actually\ # quicker to resolve as the functions related to TCP checks are not done.i\ # NOTE: you may need tcp enabled to get the DNSSEC results from *.edu domains\ # due to their size.\ do-tcp: yes\ \ # control which client ips are allowed to make (recursive) queries to this\ # server. Specify classless netblocks with /size and action. By default\ # everything is refused, except for localhost. Choose deny (drop message),\ # refuse (polite error reply), allow (recursive ok), allow_snoop (recursive\ # and nonrecursive ok)\ access-control: 127.0.0.0/8 allow\ access-control: 192.168.220.0/24 allow\ \ # Read the root hints from this file. Default is nothing, using built in\ # hints for the IN class. The file has the format of zone files, with root\ # nameserver names and addresses only. The default may become outdated,\ # when servers change, therefore it is good practice to use a root-hints\ # file. get one from ftp://FTP.INTERNIC.NET/domain/named.cache\ root-hints: "/usr/local/etc/unbound/root.hints"\ \ # enable to not answer id.server and hostname.bind queries.\ hide-identity: yes\ \ # enable to not answer version.server and version.bind queries.\ hide-version: yes\ \ # Will trust glue only if it is within the servers authority.\ # Harden against out of zone rrsets, to avoid spoofing attempts. \ # Hardening queries multiple name servers for the same data to make\ # spoofing significantly harder and does not mandate dnssec.\ harden-glue: yes\ \ # Require DNSSEC data for trust-anchored zones, if such data is absent, the\ # zone becomes bogus. Harden against receiving dnssec-stripped data. If you\ # turn it off, failing to validate dnskey data for a trustanchor will trigger\ # insecure mode for that zone (like without a trustanchor). Default on,\ # which insists on dnssec data for trust-anchored zones.\ harden-dnssec-stripped: yes\ \ # Use 0x20-encoded random bits in the query to foil spoof attempts.\ # http://tools.ietf.org/html/draft-vixie-dnsext-dns0x20-00\ # While upper and lower case letters are allowed in domain names, no significance\ # is attached to the case. That is, two names with the same spelling but\ # different case are to be treated as if identical. This means calomel.org is the\ # same as CaLoMeL.Org which is the same as CALOMEL.ORG.\ use-caps-for-id: yes\ \ # the time to live (TTL) value lower bound, in seconds. Default 0.\ # If more than an hour could easily give trouble due to stale data.\ cache-min-ttl: 3600\ \ # the time to live (TTL) value cap for RRsets and messages in the\ # cache. Items are not cached for longer. In seconds.\ cache-max-ttl: 86400\ \ # perform prefetching of close to expired message cache entries. If a client\ # requests the dns lookup and the TTL of the cached hostname is going to\ # expire in less than 10% of its TTL, unbound will (1st) return the ip of the\ # host to the client and (2nd) pre-fetch the dns request from the remote dns\ # server. This method has been shown to increase the amount of cached hits by\ # local clients by 10% on average.\ prefetch: yes\ \ # number of threads to create. 1 disables threading. This should equal the number\ # of CPU cores in the machine. Our example machine has 4 CPU cores.\ num-threads: 4\ \ \ ## Unbound Optimization and Speed Tweaks ###\ \ # the number of slabs to use for cache and must be a power of 2 times the\ # number of num-threads set above. more slabs reduce lock contention, but\ # fragment memory usage.\ msg-cache-slabs: 8\ rrset-cache-slabs: 8\ infra-cache-slabs: 8\ key-cache-slabs: 8\ \ # Increase the memory size of the cache. Use roughly twice as much rrset cache\ # memory as you use msg cache memory. Due to malloc overhead, the total memory\ # usage is likely to rise to double (or 2.5x) the total cache memory. The test\ # box has 4gig of ram so 256meg for rrset allows a lot of room for cacheed objects.\ rrset-cache-size: 256m\ msg-cache-size: 128m\ \ # buffer size for UDP port 53 incoming (SO_RCVBUF socket option). This sets\ # the kernel buffer larger so that no messages are lost in spikes in the traffic.\ so-rcvbuf: 4m\ \ # From http://unbound.net/documentation/unbound.conf.html\ outgoing-range: 8192 \ num-queries-per-thread: 4096 \ \ ## Unbound Optimization and Speed Tweaks ###\ \ \ # Enforce privacy of these addresses. Strips them away from answers. It may\ # cause DNSSEC validation to additionally mark it as bogus. Protects against\ # 'DNS Rebinding' (uses browser as network proxy). Only 'private-domain' and\ # 'local-data' names are allowed to have these private addresses. No default.\ private-address: 10.0.0.0/8\ private-address: 172.16.0.0/12\ private-address: 192.168.0.0/16\ private-address: 169.254.0.0/16\ \ # Allow the domain (and its subdomains) to contain private addresses.\ # local-data statements are allowed to contain private addresses too.\ private-domain: "mywidgets.net"\ \ # If nonzero, unwanted replies are not only reported in statistics, but also\ # a running total is kept per thread. If it reaches the threshold, a warning\ # is printed and a defensive action is taken, the cache is cleared to flush\ # potential poison out of it. A suggested value is 10000000, the default is\ # 0 (turned off). We think 10K is a good value.\ unwanted-reply-threshold: 10000\ \ # IMPORTANT FOR TESTING: If you are testing and setup NSD or BIND on\ # localhost you will want to allow the resolver to send queries to localhost.\ # Make sure to set do-not-query-localhost: yes . If yes, the above default\ # do-not-query-address entries are present. if no, localhost can be queried\ # (for testing and debugging). \ do-not-query-localhost: no\ \ # File with trusted keys, kept up to date using RFC5011 probes, initial file\ # like trust-anchor-file, then it stores metadata. Use several entries, one\ # per domain name, to track multiple zones. If you use forward-zone below to\ # query the Google DNS servers you MUST comment out this option or all DNS\ # queries will fail.\ auto-trust-anchor-file: "/usr/local/etc/unbound/anchor/root.key"\ \ # Configure DLV (DNSSEC Lookaside Validation)\ # dlv-anchor-file: "/usr/local/etc/unbound/anchor/dlv.isc.org.key"\ \ # Should additional section of secure message also be kept clean of unsecure\ # data. Useful to shield the users of this validator from potential bogus\ # data in the additional section. All unsigned data in the additional section\ # is removed from secure messages.\ val-clean-additional: yes\ \ # Permit failed lookups:\ # Instruct the validator to mark bogus messages as indeterminate.\ # The security checks are performed, but if the result is bogus\ # (failed security), the reply is not withheld from the client\ # with SERVFAIL as usual. The client receives the bogus data. For\ # messages that are found to be secure the AD bit is set in\ # replies. Also logging is performed as for full validation. The\ # default value is "no".\ val-permissive-mode: no \ \ # Instruct unbound to ignore the CD flag from clients and refuse\ # to return bogus answers to them. Thus, the CD (Checking Dis-\ # abled) flag does not disable checking any more. This is useful\ # if legacy (w2008) servers that set the CD flag but cannot vali-\ # date DNSSEC themselves are the clients, and then unbound pro-\ # vides them with DNSSEC protection. The default value is "no".\ ignore-cd-flag: no \ \ # Have the validator print validation failures to the log.\ # Regardless of the verbosity setting. Default is 0, off. At 1,\ # for every user query that fails a line is printed to the logs.\ # This way you can monitor what happens with validation. Use a\ # diagnosis tool, such as dig or drill, to find out why validation\ # is failing for these queries. At 2, not only the query that\ # failed is printed but also the reason why unbound thought it was\ # wrong and which server sent the faulty data.\ val-log-level: 1\ \ # Blocking Ad Server domains. Google's AdSense, DoubleClick and Yahoo\ # account for a 70 percent share of all advertising traffic. Block them.\ local-zone: "doubleclick.net" redirect\ local-data: "doubleclick.net A 127.0.0.1"\ local-zone: "googlesyndication.com" redirect\ local-data: "googlesyndication.com A 127.0.0.1"\ local-zone: "googleadservices.com" redirect\ local-data: "googleadservices.com A 127.0.0.1"\ local-zone: "google-analytics.com" redirect\ local-data: "google-analytics.com A 127.0.0.1"\ local-zone: "ads.youtube.com" redirect\ local-data: "ads.youtube.com A 127.0.0.1"\ local-zone: "adserver.yahoo.com" redirect\ local-data: "adserver.yahoo.com A 127.0.0.1"\ \ # Unbound will not load if you specify the same local-zone and local-data\ # servers in the main configuration as well as in this "include:" file. We\ # suggest commenting out any of the local-zone and local-data lines above if\ # you suspect they could be included in the unbound_ad_servers servers file.\ #include: "/usr/local/etc/unbound/unbound_ad_servers"\ \ # locally served zones can be configured for the machines on the LAN.\ \ local-zone: "mywidgets.net" static\ local-data: "main.mywidgets.net IN A 192.168.200.20"\ local-data: "mail-10.mywidgets.net. IN A 192.168.200.23"\ local-data: "mail-20.mywidgets.net. IN A 192.168.200.21"\ \ local-data-ptr: "192.168.200.23 mail-10.mywidgets.net"\ local-data-ptr: "192.168.200.21 mail-20.mywidgets.net"\ local-data-ptr: "192.168.200.20 main.mywidgets.net"\ \ # Unbound can query your NSD or BIND server for private domain queries too.\ # On our NSD page we have NSD configured to serve the private domain,\ # "home.lan". Here we can tell Unbound to connect to the NSD server when it\ # needs to resolve a *.home.lan hostname or IP.\ #\ # private-domain: "home.lan"\ # local-zone: "0.0.10.in-addr.arpa." nodefault\ # stub-zone:\ # name: "home.lan"\ # stub-addr: 10.0.0.111@53\ \ # If you have an internal or private DNS names the external DNS servers can\ # not resolve, then you can assign domain name strings to be redirected to a\ # seperate dns server. For example, our comapny has the domain\ # organization.com and the domain name internal.organization.com can not be\ # resolved by Google's public DNS, but can be resolved by our private DNS\ # server located at 1.1.1.1. The following tells Unbound that any\ # organization.com domain, i.e. *.organization.com be dns resolved by 1.1.1.1\ # instead of the public dns servers.\ #\ # forward-zone:\ # name: "organization.com"\ # forward-addr: 1.1.1.1 # Internal or private DNS\ \ # Use the following forward-zone to forward all queries to Google DNS,\ # OpenDNS.com or your local ISP's dns servers for example. To test resolution\ # speeds use "drill calomel.org @8.8.8.8" and look for the "Query time:" in\ # milliseconds.\ #\ # forward-zone:\ # name: "."\ # forward-addr: 8.8.8.8 # Google DNS\ # forward-addr: 74.82.42.42 # Hurricane Electric\ # forward-addr: 4.2.2.4 # Level3 Verizon}
# dig 158.24.39.46.zen.spamhaus.org. @a.ns.spamhaus.org. ; <<>> DiG 9.9.4-rpz2.13269.14-P2 <<>> 158.24.39.46.zen.spamhaus.org. @a.ns.spamhaus.org. ;; global options: +cmd ;; Got answer: ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 46513 ;; flags: qr aa rd; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 0 ;; WARNING: recursion requested but not available ;; QUESTION SECTION: ;; ANSWER SECTION: ;; Query time: 25 msec ;; SERVER: 217.149.192.170#53(217.149.192.170) ;; WHEN: Sun Jul 27 20:22:08 CEST 2014 ;; MSG SIZE rcvd: 79 # dig 158.24.39.46.zen.spamhaus.org ; <<>> DiG 9.9.4-rpz2.13269.14-P2 <<>> 158.24.39.46.zen.spamhaus.org ;; global options: +cmd ;; Got answer: ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 1310 ;; flags: qr rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 1 ;; OPT PSEUDOSECTION: ; EDNS: version: 0, flags:; udp: 4096 ;; QUESTION SECTION: ;; ANSWER SECTION: ;; Query time: 0 msec ;; SERVER: 127.0.0.1#53(127.0.0.1) ;; WHEN: Sun Jul 27 20:22:19 CEST 2014 ;; MSG SIZE rcvd: 90 On Jul 27, 2014, at 10:36 AM, Carsten Strotmann <[email protected]> wrote:
|
_______________________________________________ Unbound-users mailing list [email protected] http://unbound.nlnetlabs.nl/mailman/listinfo/unbound-users
