Hello,
On 30.03.2016 at 15:06, W.C.A. Wijngaards via Unbound-users wrote:
Hi Hajo,
On 30/03/16 14:59, Hajo Locke via Unbound-users wrote:
Hello,
thanks for your help.
On 30.03.2016 at 14:02, W.C.A. Wijngaards via Unbound-users wrote:
Hi Hajo,
On 30/03/16 13:25, Hajo Locke via Unbound-users wrote:
Hello List,
I use unbound 1.4.22 as forwarder to my global dns-cache:
forward-zone:
name: "."
forward-addr: ip.ip.ip.ip
Now I want to exclude some zones from forwarding and do
name resolution on the same machine. I do not find an option to
disable forwarding. Is there a possibility for me?
Unbound uses the closest match for what forward and stub clause to
use. So you can config more specific forward and stub clauses for
the zones and send their queries elsewhere.
With stub-zone you can make unbound ask authority servers.
# For example;
stub-zone:
name: "nlnetlabs.nl"
stub-host: ns-ext1.sidn.nl.
stub-host: sec2.authdns.ripe.net.
stub-host: anyns.pch.net.
stub-addr: 185.49.140.60 # for ns.nlnetlabs.nl
stub-addr: 2a04:b900::8:0:0:60 # for ns.nlnetlabs.nl
So a wildcard forwarding is only overwritable by specific
forwarding? A possibility to stop forwarding for some zones and
do lookup on localhost would be nice.
Yes. Do you mean specific, with specific authority servers for a
zone? Or do you mean that a name: "nl" stub-zone and forward-zone
would catch all zones ending in '.nl' (this is the way unbound works
now, all queries ending in that name are forwarded)?
Yes, I mean a specific name.
Currently I have the wildcard forward. I just want to exclude some
domain names from this forwarding and use unbound as local resolver for
these domains.
To clarify, I use the imaginary directive "exclude" as an example to show.
forward-zone:
name: "."
exclude: "example.com"
forward-addr: ip.ip.ip.ip
As a reverse solution I could only forward zones which I already know,
which is not possible/useful when running as dns-cache.
I could achieve the same in an indirect way by using a further forward to
another unbound on localhost on a different port, which is not configured
as forwarder.
forward-zone:
name: "example.com"
forward-addr: 127.0.0.1@54
forward-first: yes
But this seems to be not as easy to realise as I thought. It seems by
default unbound is not ready to start in multiple instances on different
ports with different settings. I could not create multiple servers. I
think the only way is to start a 2nd unbound daemon with completely
different startscript, pids, confs etc.
Hmm, too big an effort for my purposes.
But you can definitely forward some zones and do a lookup on localhost
by entering more specific overrides.
forward-zone:
name: "example.com"
forward-addr: 127.0.0.1@54
And then add entries for all the zones for which you want to query the
other unbound on port 54. (set do-not-query-localhost: no to allow
queries to go to 127.0.0.1).
Best regards, Wouter
(For the nameservers in the zone itself I used IP addresses, to
avoid a circular dependency).
stub-prime: yes will make it fetch the NS set using this list of
servers and use that NS set for further queries. Note that it
will use your global forwarder to lookup sec2.authdns.ripe.net. If
you do not desire such lookups to the global forwarder, give IP
addresses.
Best regards, Wouter
As fallback I could forward to 127.0.0.1:54 and create a new,
not forwarding unbound on port 54.
Thanks, Hajo
Thanks, Hajo
Thanks,
Hajo
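
The closest-match rule described in this thread, as an added Python illustration that is not part of the original messages and is not Unbound's own code. The zone table is constructed: 192.0.2.53 is a placeholder for the global forwarder, and the sketch assumes one clause per zone name.

```python
# Added illustration; not Unbound source code.
# Constructed zone table mirroring the thread: a catch-all forwarder plus
# more specific overrides. 192.0.2.53 is a documentation placeholder address.
ZONES = {
    ".": ("forward", ["192.0.2.53"]),
    "example.com.": ("forward", ["127.0.0.1@54"]),
    "nlnetlabs.nl.": ("stub", ["185.49.140.60", "2a04:b900::8:0:0:60"]),
}


def normalize(name):
    """Lower-case and fully qualify a name (DNS names compare case-insensitively)."""
    name = name.strip().lower()
    return name if name.endswith(".") else name + "."


def candidates(qname):
    """Yield qname and each parent zone, most specific first, ending at the root."""
    labels = normalize(qname).rstrip(".").split(".")
    if labels == [""]:  # the query was for the root itself
        labels = []
    for i in range(len(labels)):
        yield ".".join(labels[i:]) + "."
    yield "."


def select_clause(qname, zones=ZONES):
    """Return (zone, kind, targets) for the closest enclosing clause, or None."""
    table = {normalize(z): v for z, v in zones.items()}
    for zone in candidates(qname):
        if zone in table:
            kind, targets = table[zone]
            return zone, kind, targets
    return None  # no clause matches, not even "."


if __name__ == "__main__":
    # Matching is per label: "notexample.com" is NOT inside "example.com".
    for q in ["www.example.com", "EXAMPLE.com.", "notexample.com",
              "open.nlnetlabs.nl", "example.org"]:
        print(q, "->", select_clause(q))
```
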