Hi,

On 13-11-17 06:02, A. Cutright via Unbound-users wrote:
> I am uncertain as to how to configure unbound to do the following:
> - forward local domains to a local authoritative server and not cache.

Can you elaborate on the issue you are facing?
You might want to change the forward-zone and forward-addr to stub-zone and stub-addr, since you are sending the queries to an authoritative nameserver.
There is no need to have these two transparent local-zones, there is no local-data for them.

> - forward all other non-local requests to a dnssec proxy and cache
> the results.

Configuration looks fine. Try querying the proxy directly if you are facing problems, to be sure that part is working.

-- Ralph

>
> I am having difficulty getting this to work the way I understand the
> configuration options.
>
> Setup:
> OpenBSD 6.2
> unbound 1.6.6
> nsd 4.1.10
> dnscrypt-proxy 1.9.5
>
> unbound.conf
> # $OpenBSD: unbound.conf,v 1.7 2016/03/30 01:41:25 sthen Exp $
>
> server:
>     interface: 127.0.0.1
>     interface: 192.168.5.20
>     do-ip6: no
>
>     access-control: 0.0.0.0/0 refuse
>     access-control: 127.0.0.0/8 allow
>     access-control: ::0/0 refuse
>     access-control: 192.168.5.0/24 allow
>
>     hide-identity: yes
>     hide-version: yes
>
>     verbosity: 2
>     log-queries: yes
>
>     auto-trust-anchor-file: "/var/unbound/db/root.key"
>
>     do-not-query-localhost: no
>
>     # private networks:
>     private-address: 10.0.0.0/8
>     private-address: 100.64.0.0/10
>     private-address: 172.16.0.0/12
>     private-address: 192.0.0.0/29
>     private-address: 192.168.0.0/16
>     private-address: 198.18.0.0/15
>     # example source code & documentation:
>     private-address: 192.0.2.0/24
>     private-address: 198.51.100.0/24
>     private-address: 203.0.113.0/24
>     # subnet, autoconfiguration between two hosts on a single link:
>     private-address: 169.254.0.0/16
>     # reserved for multicast assignments:
>     private-address: 224.0.0.0/4
>     # reserved for future use:
>     private-address: 240.0.0.0/4
>
>
>     local-zone: "example.net" transparent
>     local-zone: "168.192.in-addr.arpa." transparent
>
>     local-zone: "localhost." static
>     local-data: "localhost. 10800 IN NS localhost."
>     local-data: "localhost. 10800 IN SOA localhost. nobody.invalid. 1 3600 1200 604800 10800"
>     local-data: "localhost. 10800 IN A 127.0.0.1"
>     local-zone: "127.in-addr.arpa." static
>     local-data: "127.in-addr.arpa. 10800 IN NS localhost."
>     local-data: "127.in-addr.arpa. 10800 IN SOA localhost. nobody.invalid. 2 3600 1200 604800 10800"
>     local-data: "1.0.0.127.in-addr.arpa. 10800 IN PTR localhost."
>
> remote-control:
>     control-enable: yes
>     control-use-cert: no
>     control-interface: /var/run/unbound.sock
>
> # Local domains
> # Forwarded to NSD authoritative server
> forward-zone:
>     name: "example.net."
>     forward-addr: 127.0.0.1@8053
> forward-zone:
>     name: "168.192.in-addr.arpa."
>     forward-addr: 127.0.0.1@8053
>
> # dnscrypt proxy
> #forward-zone:
> #    name: "."
> #    forward-addr: 127.0.0.1@40
>
>
> Sent with ProtonMail <https://protonmail.com> Secure Email.
>
