Configuration for local server

Hi!

Sorry if this has already been asked.

My question is about the configuration of “unbound.conf” for a local server with a registered domain name.

I am new to unbound. At home, I have an Ubiquiti EdgeRouter where I configured unbound from the Debian repositories (“unbound.conf” at the end of the post).

It seems to work, and I run some tests with success.

However, even after reading the man page carefully, I do not understand how to configure a server on my LAN which has a registered domain name.

I read about:

  • private-domain and/or private-address;
  • local-zone and/or local-data;
  • stub-zone;
  • forward-zone;
  • etc.

My server has a local IP address such as 192.168.10.100 (example), and my LAN is 192.168.10.0/24.
The domain name of my server is secured by HTTP over TLS (https).

I think I have to use local-zone and local-data, but I am not sure. It will probably alert me that my https redirects to a wrong address (a local private address), and I also have domains like:

How can I configure it on “unbound.conf”?

Thanks.

Ludo

unbound.conf
server:

# The following line will configure unbound to perform cryptographic
# DNSSEC validation using the root trust anchor.
auto-trust-anchor-file: "/var/lib/unbound/root.key"

verbosity: 3

logfile: "/var/log/unbound.log"

interface: 0.0.0.0
port: 53
do-ip4: yes
do-ip6: no
do-udp: yes
do-tcp: yes
access-control: 127.0.0.0/8 allow
access-control: 192.168.10.0/24 allow
access-control: 192.168.20.0/24 allow
access-control: 0.0.0.0/0 refuse
root-hints: "/var/lib/unbound/root.hints"
hide-identity: yes
hide-version: yes
harden-glue: yes
harden-dnssec-stripped: yes
use-caps-for-id: yes
cache-min-ttl: 3600
cache-max-ttl: 86400
prefetch: yes
num-threads: 2
msg-cache-slabs: 4
rrset-cache-slabs: 4
infra-cache-slabs: 4
key-cache-slabs: 4
rrset-cache-size: 48m
msg-cache-size: 24m
so-rcvbuf: 1m
private-address: 192.168.10.0/24
private-address: 192.168.20.0/24
unwanted-reply-threshold: 10000
do-not-query-localhost: no
val-clean-additional: yes
local-zone: "doubleclick.net" redirect
local-data: "doubleclick.net A 127.0.0.1"
local-zone: "googlesyndication.com" redirect
local-data: "googlesyndication.com A 127.0.0.1"
local-zone: "googleadservices.com" redirect
local-data: "googleadservices.com A 127.0.0.1"
local-zone: "google-analytics.com" redirect
local-data: "google-analytics.com A 127.0.0.1"
local-zone: "ads.youtube.com" redirect
local-data: "ads.youtube.com A 127.0.0.1"
local-zone: "adserver.yahoo.com" redirect
local-data: "adserver.yahoo.com A 127.0.0.1"
local-zone: "ask.com" redirect
local-data: "ask.com A 127.0.0.1"

snip

This is what I use on my FreeBSD system.

Hi Ernie,

Thanks for your answer, but it is not my problem here.

My question is about the unbound configuration to access a server on the same LAN.

Example:

  • router with unbound configured as DNS: 192.168.10.1

  • web server on another system: 192.168.10.100
    It has a registered domain name “example.com” and sub-domains “first.example.com”, “second.example.com”, etc.
    Each points to a different path on the same web server, so with the same IP address.
    The web server is reachable from the Internet with the public IP address of my router (WAN), with ports forwarded to my web server.
    The domain name “example.com” and its sub-domains point to my router's public IP address.

  • computer: 192.168.10.2

Reachable:

  • web server from Internet (with either the domain name or the public IP address from the router);
  • web server from LAN (only with the LAN IP address of my web server).

Unreachable:

  • web server from LAN with its domain name.
    Normal, without telling unbound it is a local server.

But I don’t understand the documentation for this configuration. What is the proper way to write that in unbound.conf?

Thanks. :wink:

Ludo

Setup unbound with a local-zone and local-data, which will override
what your Internet facing DNS servers provide (simplest). Or use an
authoritative server such as NSD for your internal network and set up
a stub-zone in Unbound.

Hi Sonic,

Thank you for your advice.

I think I will go for the local-zone and local-data solution.
It is exactly the same as modifying a hosts file, and there is no difference between a real registered domain name and a private name, but it seems the simplest way to achieve my first goal.

Thanks again. :slight_smile:
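For reference, the local-zone/local-data approach Sonic suggested, written out as an added example (not from any poster in this thread) for the example.com names and the 192.168.10.100 web server described above; it assumes the same names and addresses Ludo used:

```conf
server:
    # Split-horizon entries for the registered domain that is hosted on the LAN.
    # "transparent" means names under example.com that have no local-data here
    # are still resolved normally through recursion, so the public records
    # (MX, TXT, any other hosts) keep working. "static" would instead answer
    # NXDOMAIN for every name under example.com that is not listed.
    local-zone: "example.com." transparent
    local-data: "example.com.        3600 IN A 192.168.10.100"
    local-data: "first.example.com.  3600 IN A 192.168.10.100"
    local-data: "second.example.com. 3600 IN A 192.168.10.100"

    # The private-address lines already present in the config only filter
    # private addresses that arrive in answers from the Internet (DNS rebinding
    # protection). They do not apply to local-data, so no private-domain entry
    # is needed for this setup.
```

Run `unbound-checkconf` before reloading, then from a LAN host verify with `dig @192.168.10.1 first.example.com A`, which should return 192.168.10.100 while the same query against a public resolver still returns the router's WAN address.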