>>> Hi,
>>>
>>> is stub-zone only serving private domains but not public domains?

> stub zones and forward zones are selected closest to the name of the
> query. That one is used.
>
> If you run another (authoritative) server on the same host,
> do-not-query-localhost: no is usually necessary to enable unbound to
> query it. Otherwise unbound attempts to not get into some sort of loop
> by querying localhost (itself in many cases), hence it is off by default.
That does not seem to be an issue. BIND-9 as authoritative server is not bound on lo/127.0.0.1 but eth0/172.24.120.10 and port 42053. The local QDN set in a stub-zone gets resolved just fine by unbound. However, for the public FQDN set in a stub-zone it does not, and unbound is querying upstream resolvers instead, and I do not see why it should.

Is there a hard-coded logic in unbound for FQDN to always (or first) be resolved from upstream servers?

The stub-zone is configured as follows:

    stub-zone:
        name: foo.bar
        stub-host: dns
        stub-addr: 172.24.120.10@42053

Doing a [ dig foo.bar ] unbound is neglecting [ stub-addr: 172.24.120.10@42053 ] and heads straight for the upstream resolver. And that does not make sense to me as the dig query is matching the [ stub-zone name ].
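As an added illustration (not code from this thread or from unbound itself), a small Python model of the two rules in the quoted reply: the closest-match selection between stub and forward zones, and the do-not-query-localhost default. The config fragment is constructed after the one quoted above; the "." forward-zone, its address and the server: setting are assumptions for the demo.

```python
# Constructed unbound.conf fragment modelled on the thread's stub-zone; the "." forward-zone and server: line are assumed.
SAMPLE_CONF = """
server:
    do-not-query-localhost: yes
stub-zone:
    name: "foo.bar"
    stub-host: dns
    stub-addr: 172.24.120.10@42053
forward-zone:
    name: "."
    forward-addr: 192.0.2.53
"""

def canon(name):  # lower-case, drop quotes and trailing dot; "." becomes ""
    return name.strip().strip('"').rstrip('.').lower()

def parse_conf(text):
    """Return (zones, server) from a minimal subset of unbound.conf syntax."""
    zones, server, cur = [], {}, None
    for raw in text.splitlines():
        line = raw.split('#', 1)[0].strip()
        if line in ("stub-zone:", "forward-zone:"):
            cur = {"kind": line.split('-')[0], "name": "", "addrs": []}
            zones.append(cur)
        elif line.endswith(':') and ' ' not in line:   # other clause, e.g. server:
            cur = None
        elif ':' in line:
            key, val = (p.strip() for p in line.split(':', 1))
            if cur is None:
                server[key] = val
            elif key == 'name':
                cur["name"] = canon(val)
            elif key in ('stub-addr', 'forward-addr'):
                cur["addrs"].append(val.strip('"'))
    return zones, server

def select_zone(zones, qname):
    """Closest match: longest label suffix of qname wins; "." matches everything."""
    qlabels = canon(qname).split('.')
    best, best_len = None, -1
    for z in zones:
        zl = z["name"].split('.') if z["name"] else []
        if len(zl) <= len(qlabels) and qlabels[len(qlabels) - len(zl):] == zl and len(zl) > best_len:
            best, best_len = z, len(zl)
    return best

def localhost_blocked(zone, server):
    """True when the zone points at localhost while do-not-query-localhost keeps its default (yes)."""
    local = any(a.split('@')[0] in ('127.0.0.1', '::1') for a in zone["addrs"])
    return local and server.get('do-not-query-localhost', 'yes') == 'yes'
```

To compare the model against a running resolver, `unbound-control list_stubs` and `unbound-control list_forwards` print the zones unbound actually loaded.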