Hi together,
I am a newbie to unbound and wasted hours trying to create my first bind
configuration. The bind users even told me to ask you, because bind
won't be appropriate for my aims. My target is simply creating a
configuration with a CNAME for www.google.com to nosslsearch.google.com.
First: I use Ubuntu Precise Pangolin with unbound 1.4.16. I have a
transparent proxy (Dansguardian + Squid) that I use for just this lonely
computer.
My question: how can I manage what google suggests:
"Information for school network administrators about the No-SSL option
To utilize the no SSL option for your network, configure the DNS entry
for www.google.com to be a CNAME for nosslsearch.google.com."
Source:
http://support.google.com/websearch/bin/answer.py?hl=en&hlrm=en&answer=186669.
You can find this near the end of the document.
Can anyone help me to create a working unbound configuration file?
Greetings,
Tobias
Hello again.
You want something like this:
local-zone: "google.com." transparent
local-data: "www.google.com. 300 IN CNAME nosslsearch.google.com."
...along with the normal unbound.conf config for recursive resolution.
To repeat what I've said elsewhere: I think this is a bad idea, and you shouldn't do it. It breaks DNSSEC, and potentially other things.
> I am a newbie to unbound and wasted hours to create my first bind
> configuration. The bind users even told me to ask you, because bind
> won't be appropriate for my aims. My target is simply creating a
> configuration with a CNAME for www.google.com to nosslsearch.google.com.
I'd recommend you start with Unbound's default configuration in which
most options have quite sane defaults; you'll notice the configuration
file has most options commented out -- those are the defaults.
Add your CNAME record as local-data like this:
local_data "www.google.com. CNAME nosslsearch.google.com."
That should get you started.
-JP
Hi Tobias,
> My target is simply creating a
> configuration with a CNAME for www.google.com to nosslsearch.google.com.
> Can anyone help me to create a working unbound configuration file?
I think you're looking for the 'local-data' option. This option is documented
in the default unbound.conf; look for it there. It also has a number of
examples that illustrate how to use it.
In your case, you probably just need:
local-data: "www.google.com CNAME nosslsearch.google.com."
Cheers,
Thijs
> Add your CNAME record as local-data like this:
> local_data "www.google.com. CNAME nosslsearch.google.com."
> That should get you started.
Unless something has changed CNAME does not work. This is explained here:
http://unbound.net/pipermail/unbound-users/2009-March/000509.html
Hi Thijs and Jan-Piet,
> In your case, you probably just need:
> local-data: "www.google.com CNAME nosslsearch.google.com."
I simply added this line to my /etc/unbound/unbound.conf
When restarting unbound I get the following error:
-----%<-----
root@tobias-xps:/# /etc/init.d/unbound restart
* Restarting recursive DNS server unbound
/etc/unbound/unbound.conf:13: error: unknown keyword 'local_data'
/etc/unbound/unbound.conf:13: error: stray '"'
/etc/unbound/unbound.conf:13: error: unknown keyword 'www.google.com.'
/etc/unbound/unbound.conf:13: error: unknown keyword 'CNAME'
/etc/unbound/unbound.conf:13: error: unknown keyword
'nosslsearch.google.com.'
/etc/unbound/unbound.conf:13: error: stray '"'
read /etc/unbound/unbound.conf failed: 6 errors in configuration file
[1334668654] unbound[15064:0] fatal error: Could not read config file:
/etc/unbound/unbound.conf
[fail]
-----%<-----
Well, I made a mistake. Can you help me?
Greetings,
Tobias
Hi Björn,
> > local_data "www.google.com. CNAME nosslsearch.google.com."
> Unless something has changed CNAME does not work.
thanks for the hint. Do I understand correctly: I need an additional
line in my configuration. But which one?
Greetings,
Tobias
You write "local_data" with an underscore, while it needs a dash, like I
wrote.
Someone mentioned in this thread that CNAME may not work, so you may have to
replace it with an A record for Google's IP for that hostname instead.
Hi Phil,
> You want something like this:
> local-zone: "google.com." transparent
> local-data: "www.google.com. 300 IN CNAME nosslsearch.google.com."
I added this and my unbound restarts correctly, but...
> ...along with the normal unbound.conf config for recursive resolution.
How can I enable recursive resolution?
Here is my current unbound.conf:
-----%<-----
server:
auto-trust-anchor-file: "/var/lib/unbound/root.key"
local-zone: "google.com." transparent
local-data: "www.google.com. 300 IN CNAME nosslsearch.google.com."
-----%<-----
> To repeat what I've said elsewhere: I think this is a bad idea, and you
> shouldn't do it. It breaks DNSSEC, and potentially other things.
I agree. But do you know a better solution for the Google CNAME
suggestion? If not: let's continue ...
Greetings,
Tobias
Looks like you'll need to use a stub zone pointing to an authoritative
server under your control (my example is using 192.168.1.2):
> > local_data "www.google.com. CNAME nosslsearch.google.com."
> Unless something has changed CNAME does not work. This is explained here:
> http://unbound.net/pipermail/unbound-users/2009-March/000509.html
Apart from the fact that I erroneously used an underscore instead of a
dash in `local-data', it works: it returns the CNAME. But you are indeed
correct in that it doesn't expand the CNAME, which is probably what the
OP needs.
-JP
You are right in that it works if a client would ask for the CNAME.
However, the client will never ask for the CNAME, it will ask for an A
or AAAA and expects the expanded CNAME back. That does not work in
unbound with local-data.
Best thing to do is to use an A and AAAA record instead.
/S
> However, the client will never ask for the CNAME
The crux of the biscuit. In fact it breaks access to Google unless the
local-zone is defined as typetransparent (which basically means the
local-data is ignored unless doing a dig/drill for CNAME).
> Best thing to do is to use an A and AAAA record instead.
Then you have to maintain synchronization with Google's DNS records
and your local-data. Using a stub-zone works perfectly and avoids this
scenario.
> > Best thing to do is to use an A and AAAA record instead.
> Then you have to maintain synchronization with Google's DNS records and
> your local-data. Using a stub-zone works perfectly and avoids this
> scenario.
Then you will have to maintain an authoritative server. Pick whichever you find easiest.
/S
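As an added illustration of the two alternatives discussed above (example configuration written for this thread, not a config any of the posters supplied): option 1 serves A/AAAA records for www.google.com as local-data, since the resolver does not expand a local-data CNAME on A/AAAA queries; option 2 hands google.com to an authoritative server under your control, using the 192.168.1.2 address from the earlier suggestion. The addresses given for nosslsearch.google.com are documentation-range placeholders, not Google's real addresses, and must be looked up and kept in sync by hand. The domain-insecure line is an assumption about how to stop the validator from rejecting the locally served or stub-served data, since the thread notes that this setup breaks DNSSEC for google.com either way.

```conf
server:
    # Keep validation for everything else; google.com is carved out below
    # because data served locally or from a private stub cannot validate
    # against the real google.com DNSSEC chain.
    auto-trust-anchor-file: "/var/lib/unbound/root.key"
    interface: 127.0.0.1
    access-control: 127.0.0.0/8 allow

    # Option 1: answer A/AAAA for www.google.com directly.
    # "transparent" means other google.com names are still resolved
    # normally; only names with local-data are answered locally.
    # Placeholder addresses: replace with the current addresses of
    # nosslsearch.google.com and keep them in sync with Google.
    local-zone: "google.com." transparent
    local-data: "www.google.com. 300 IN A 192.0.2.10"
    local-data: "www.google.com. 300 IN AAAA 2001:db8::10"

    # Needed for either option: mark google.com as insecure so the
    # validator does not return SERVFAIL for the unsigned answers
    # (assumption for this example; see domain-insecure in unbound.conf(5)).
    domain-insecure: "google.com."

# Option 2: delegate the whole google.com zone to your own authoritative
# server (192.168.1.2 as suggested earlier). That server holds the CNAME
# and the resolver expands it normally, but the server must carry every
# google.com name clients will ask for. Use only one option for the same
# name: comment out the local-data lines above if this block is active.
stub-zone:
    name: "google.com."
    stub-addr: 192.168.1.2
```

Run `unbound-checkconf /etc/unbound/unbound.conf` before restarting; it reports the unknown-keyword and stray-quote errors shown earlier in the thread without taking the resolver down.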
Hi all together,
quite interesting what you suggest. But I only understand half. Now,
here is my use case: Squid + Dansguardian as Content Filter for my local
computer. Currently, www.google.com search is blocked completely. All
additional services like www.google.com/calendar are blocked also, and
that is bad.
Opening my browser, typing www.google.com should call
nosslsearch.google.com and open the www.google.com startpage. And this
with the simplest configuration.
Can you tell me: what is the simplest way? And: can you guide me in this
way (I am very, very new to DNS issues)?
Greetings,
Tobias