Configuration issue

Hello

I am trying to configure Unbound as a server that forwards all queries about specific domains to Route 53. That part I managed to configure using forward zones for each domain I want to serve. The problem is that the server has to drop every other query about every other domain and this is something I haven’t been able to configure. If a user tries to resolve facebook or google or anything else it will just send a reply. Can anyone offer some tips on how to achieve that?

Thanks

Aggelos Kanarelis

Systems Engineer

Arts Alliance Media Ltd

T: +44 (0)20 7751 7525 / M: +44 (0) 7809427708

Aggelos.kanarelis@artsalliancemedia.com

www.artsalliancemedia.com

Landmark House
Hammersmith Bridge Road
London W6 9EJ

Follow us on Twitter / Facebook / LinkedIn

Two ways, as a validator that queries the root servers and follows the
chain, or use a wildcard forward for all of the other domains you
don't want to specifically route to a particular cache.
Ex. of forward:

Hi Sonic

Thanks for your reply, but that will only have the queries answered by a different server. I don't want them answered at all. The endpoints that will be configured with that DNS server must only be able to resolve the domains that I will specifically configure with a forward zone. Everything else must be denied, sorry if I wasn't clear enough in my initial query.

Thanks

Aggelos Kanarelis

Guess I misread that. Then don't use a wildcard forward and drop the
validator module from the configuration:

module-config: iterator

Then unbound can only answer the configured forwards, stub-zones, and
local data.

Is that what you want?

Thank you.

That's probably what I want.

There's no stub zones and no local data, so I guess it will only answer the forward zones queries.

I'll let you know if it worked.

Aggelos Kanarelis

I don't think this is working

nslookup facebook.com unboundIP
Server: UnKnown
Address: unbound IP

Non-authoritative answer:
Name: facebook.com
Addresses: 2a03:2880:f101:83:face:b00c:0:25de
          31.13.76.68

I run an unbound-control reload before to read the config file again and flush the cache.

What if I create a wildcard forward zone and send it to something like i.am.not.resolving.this.net?

Aggelos Kanarelis

Right, so when I create a wildcard zone and forward to nothing it stopped resolving my addresses as well.

Any ideas?

Aggelos Kanarelis

Order may be important - make sure the wildcard zone is last.

It is.

Aggelos Kanarelis

Are you blocking access to all other DNS servers from the system
you're testing with?

No, but I specifically use unbound in my nslookup command.

Wildcard forward zone all blocked

No wildcard all answered

Maybe post the unbound.conf file (no comment lines please).

Hi,

The order does not matter for local-zone, local-data, forward and stub
clauses. Unbound picks the closest one. First the local-zone and
local-data statements are processed. Then the cache of forward and stub
data. Then the lookup via forward and stub data.

You could create a local-zone: "." refuse and local-zone: "example.com"
transparent for all of the names you want resolved. If you want those
names forwarded somewhere, you can then also include forward clauses for
those names. The other names are rejected.

Best regards, Wouter

Hi Wouter

So just to summarize.

A local zone with “.” refuse

Then my existing forward zones?

Thanks

Hi Aggelos,

And also add local-zones name transparent for your names for which you
also have the forward-zones. Those local-zones with the local zone type
transparent make holes in the refuse policy for '.', and unbound uses
the most specific local-zone, so unbound then allows the names that are
transparent, but then denies all the other names.

Best regards, Wouter
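As an added illustration of the policy Wouter describes in his two replies (not code from the thread or from the Unbound project), the script below embeds a constructed unbound.conf fragment in the shape he suggests and simulates the documented "most specific local-zone wins" rule, so you can check which names a given set of `local-zone` / `forward-zone` clauses will refuse before reloading the server. The zone names and the 192.0.2.53 resolver address are placeholders; the parser only understands the handful of keys used here.

```python
"""Simulate Unbound's local-zone selection for a "refuse everything except
my forward zones" configuration.

Constructed example, not Unbound's own code.  It models one rule from the
thread: Unbound applies the most specific (longest matching suffix)
local-zone, so `local-zone: "." refuse` plus `local-zone: "example.com"
transparent` punches a hole for example.com and everything under it.
"""

# Constructed unbound.conf fragment.  Zone names and the forward address
# are placeholders for the domains and Route 53 resolver of the original poster.
UNBOUND_CONF = """
server:
    module-config: "iterator"
    local-zone: "." refuse
    local-zone: "example.com" transparent
    local-zone: "example.net" transparent

forward-zone:
    name: "example.com"
    forward-addr: 192.0.2.53   # placeholder for the Route 53 resolver

forward-zone:
    name: "example.net"
    forward-addr: 192.0.2.53
"""


def normalize(name):
    """Lower-case a DNS name and strip the trailing dot; the root becomes ''."""
    return name.lower().rstrip(".")


def suffixes(qname):
    """Yield candidate zone names from most to least specific, ending at root."""
    parts = normalize(qname).split(".") if normalize(qname) else []
    for i in range(len(parts)):
        yield ".".join(parts[i:])
    yield ""  # the root zone "."


def parse_conf(text):
    """Extract local-zone types and forward-zone names from the fragment."""
    local_zones = {}       # zone name -> local-zone type
    forward_zones = set()  # zone names that have a forward-zone clause
    section = None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments
        if not line:
            continue
        if line.endswith(":") and " " not in line:
            section = line[:-1]  # "server" or "forward-zone"
            continue
        key, _, value = line.partition(":")
        key, value = key.strip(), value.strip()
        if key == "local-zone":
            name, ztype = value.rsplit(None, 1)
            local_zones[normalize(name.strip('"'))] = ztype
        elif key == "name" and section == "forward-zone":
            forward_zones.add(normalize(value.strip('"')))
    return local_zones, forward_zones


def closest_local_zone(qname, local_zones):
    """Return (zone, type) of the most specific local-zone covering qname."""
    for zone in suffixes(qname):
        if zone in local_zones:
            return zone, local_zones[zone]
    return None, None


def decide(qname, local_zones, forward_zones):
    """Say what the modelled policy does with a query for qname."""
    _zone, ztype = closest_local_zone(qname, local_zones)
    if ztype == "refuse":
        return "REFUSED"
    # A transparent hole (or no local-zone at all) continues to the
    # forward/stub lookup, again by closest matching zone name.
    for zone in suffixes(qname):
        if zone in forward_zones:
            return "forward via " + (zone or ".")
    return "no forward zone: normal resolution"


def policy_table(conf=UNBOUND_CONF, names=("facebook.com", "www.example.com",
                                           "example.net.", "notexample.com")):
    """Evaluate the policy for a few constructed query names."""
    local_zones, forward_zones = parse_conf(conf)
    return {n: decide(n, local_zones, forward_zones) for n in names}


if __name__ == "__main__":
    for name, verdict in policy_table().items():
        print(f"{name:20} {verdict}")
```

Note that `notexample.com` is refused: matching is done label by label, so the `example.com` hole does not leak to names that merely end in the same characters. Run the real configuration through `unbound-checkconf` and a `dig`/`nslookup` against the server after `unbound-control reload` to confirm the live behaviour matches.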

Thank you Wouter

That was exactly what I needed and also thank you for the explanation since it cleared a couple of things for me.