I am using unbound and it is configured to use cloud9 as a forwarder.

But spamhaus.org DNSBL will not answer requests for IP addresses from public DNS, such as cloud9.

So, what I would like to do is configure unbound in such a way that it always goes to cloud9, except when the query is about spamhaus.org. Can I do that?

If that is not possible, I would like to configure unbound that is forwards everything to cloud9, unless it comes from a specific set of local IP addresses. Is that possible?

Thanks,

Gerben Wierda (LinkedIn)
R&A IT Strategy (main site)
Book: Chess and the Art of Enterprise Architecture
Book: Mastering ArchiMate

Hello,

I think what you want is a Forward Zone.

https://docs.netgate.com/tnsr/en/latest/dns/fwd-zone.html

Thank you,
Steven

Yes, that is what I thought a while back, so I decided at the time to test with this:

forward-zone:
name: “apple.com.”
forward-addr: 8.8.8.8@53 # testing if I can forward based on fqdn

forward-zone:
name: “.”

If the forwarding fails, do your own recursion

forward-first: yes

Quad9 phising/malware site blocking DNS 9.9.9.9

forward-addr: 9.9.9.9

to see if that worked, but all the request kept being forwarded to 9.9.9.9 at the time. I gave up at the time (for another reason) but now I need it again.

Gerben Wierda (LinkedIn)
R&A IT Strategy (main site)
Book: Chess and the Art of Enterprise Architecture
Book: Mastering ArchiMate

I re read your emails and you mention “local” IP addresses. Maybe a stub-zone is what you’re after? But I don’t think that is the case since a stub zone is meant to point to an authoritative server. Maybe someone with a better idea of what you’re asking can weigh in.

I use a stub-zone to point to my NSD server.

stub-zone:
name: “swills.org”
stub-addr: 10.0.10.25

https://unbound.docs.nlnetlabs.nl/en/latest/manpages/unbound.conf.html?highlight=stub%20zone#stub-zone-options

Thanks again,
Steven

No, this is about certain DNS servers not accepting queries from public resolvers, such as DNS servers that are used to disseminate information about bad actors. DNS blacklists and all that.

My standard LAN resolver (unbound) forwards to cloud9 (9.9.9.9) so I am protected by their filtering of bad domains. But requests from rspamd and postfix cannot use that setup. rspamd does not accept requests from a public DNS such as 9.9.9.9. And neither does zen.apamhaus.org that provides a DNSBL that can be used in the postfix setup.

main.cf: postscreen_dnsbl_sites = zen.spamhaus.org =127.0.0.[2..11]

rspamd has a setting to direct it to a different DNS. To make use of that but still offer the 9.9.9.9 protection to all clients in my LAN, I had to set up a second unbound running on a different port (1053) on localhost. That way, I can tell rspamd

options.inc: nameserver = “127.0.0.1:1053”;

And rspamd is now not indirectly using 9.9.9.9 while the rest is. But postfix doesn’t have such a setting. So, zen.spamhaus.org doesn’t work. I was able to use

forward-zone:
name: “spamhaus.org”
forward-addr: 127.0.0.1@1053 # do not resolve spamhaus via public DNS resolvers

Because I already had that second non-forwarding unbound running on port 1053 for rspamd.

I also am running NSD for the local private addresses, but that doesn’t end up here, other than that NSD wants to run on the same port as unbound (53) so my NSD runs on port 54 and unbound has:

The authorative NSD for rna.nl/192.168.2.x is on this machine (127.0.0.1@54)

stub-zone:
name: “rna.nl”
stub-addr: 127.0.0.1@54
stub-zone:
name: “2.168.192.in-addr.arpa”
stub-addr: 127.0.0.1@54

Basically, that gies me the split-DNS, where external resolving of rna.nl and internal resolving of anything on rna.nl work, some more hosts internally than externally of course.

My question about local addresses was directed at another possible scenario: make sure that requests to unbound from one set of addresses does forwarding and another (the server itself) does not. But the solution I now have is better. For instance, domains not resolved by 9.9.9.9 because they are bad actors also do not resolve in postfix and get dropped because they do not have a decent DNS/reverse set up, even if they have.

Gerben Wierda (LinkedIn)
R&A IT Strategy (main site)
Book: Chess and the Art of Enterprise Architecture
Book: Mastering ArchiMate

I meant quad9 below, not cloud9. Apologies.

Gerben Wierda (LinkedIn)
R&A IT Strategy (main site)
Book: Chess and the Art of Enterprise Architecture
Book: Mastering ArchiMate

Hello Gerben,

I'm not aware, unbound support a mode "forward all but [list of domains]"

My expectation: unbound is a recursive resolver and should know to which nameservers query for [list of domains] must be sent.
There is no option known to me to configure unbound this way.

But it is possible to forward all to one recursive resolver and send queries for some zones to a list of known other name servers.

  forward-zone:
    name: "."
    forward-addr: 9.9.9.9

  stub-zone:
    name: "nlnetlabs.nl."
    stub-host: "ns.nlnetlabs.nl."
    stub-host: "ns-ext1.sidn.nl."
    stub-host: "anyns.pch.net."

The downside of such configurations:
- stub-host will be resolved via 9.9.9.9
- stub-host must be outside the stub-zone
- stub-addr may be used to circumvent this limitation
- you MUST list a correct set of nameservers (names or addresses)
  To be more robust against changed nameserver sets, you should enable "stub-prime: yes"
h
Andreas

I was able to use

forward-zone:
name: “spamhaus.org”
forward-addr: 127.0.0.1@1053 # do not resolve spamhaus via public DNS resolvers

Because I have a second non-forwarding unbound running on port 1053 for rspamd already (which has more or less the same issue, but which — unlike postfix — can be told to use a different name server itself)

So, for spamhaus.org alone, I forward to my own second unbound which does not forward to quad9.

Gerben Wierda (LinkedIn)
R&A IT Strategy (main site)
Book: Chess and the Art of Enterprise Architecture
Book: Mastering ArchiMate