Define a local zone to return NXDOMAIN

Hello List,

I have a local recursive resolver based on unbound.

I would like to perform "reverse nxdomain-hijacking". I have defined
an existing domain I would like to block as a local zone.
Currently, I reply with a local IP for those zones. But I would like to
reply with NXDOMAIN.

How can I achieve that in unbound? There is no hint on this in the
documentation.

I know this is probably not an intended use-case, but if there is a way,
I would appreciate it.

Cheers,
Philipp

Define the local zone as static and provide no local data.

Sure there is. Both in the unbound.conf man page and in the sample
unbound.conf file.

You mean you want to reply nxdomain for domains of your choosing?
If so, then this is your answer:

local-zone: "ads.youtube.com" refuse
local-zone: "googlesyndication.com" refuse
# etc..

Best regards,
Maciej

Refuse does not supply NXDOMAIN.

Test it yourself and see the man page:

> > You mean you want to reply nxdomain for domains of your choosing?
> > If so, then this is your answer:
> >
> > local-zone: "ads.youtube.com" refuse
> > local-zone: "googlesyndication.com" refuse
>
> Refuse does not supply NXDOMAIN.
>
> Test it yourself and see the man page:
>
>        refuse Send an error message reply, with rcode REFUSED. If there is
>                  a match from local data, the query is answered.
>
>        static If there is a match from local data, the query is answered.
>                  Otherwise, the query is answered with nodata or nxdomain.
>                  For a negative answer a SOA is included in the answer if
>                  present as local-data for the zone apex domain.

I stand corrected.
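The difference the man page describes, shown as an unbound.conf fragment. This is an added example, not configuration posted in the thread; the zone names and the SOA contents are placeholders.

```conf
# Added example (not from the thread): two ways to block a zone in unbound.
server:
    # "refuse": every query under this name gets rcode REFUSED.
    # Honest ("I will not answer"), but it is not NXDOMAIN.
    local-zone: "ads.example.com." refuse

    # "static" with no local-data: every query under this name gets
    # NXDOMAIN, because nothing in the zone matches.
    local-zone: "tracker.example.com." static

    # Optional: a SOA at the zone apex is included in the negative answer,
    # so clients can cache the NXDOMAIN (negative caching, RFC 2308).
    # Note that with this record present, a query for the apex name itself
    # (tracker.example.com.) is answered with NODATA rather than NXDOMAIN,
    # because the name now exists; names below it still get NXDOMAIN.
    local-data: "tracker.example.com. 3600 IN SOA localhost. nobody.invalid. 1 3600 1200 604800 3600"
```

Verify with `dig @127.0.0.1 www.tracker.example.com` and `dig @127.0.0.1 www.ads.example.com`: the `status:` field in the header should read NXDOMAIN for the first and REFUSED for the second.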

When deploying my own set of refused zones I opted for REFUSED rcode
because that's actually more informative and to the fact.
I'm not lying the domain doesn't exist, I'm saying I am refusing to
answer this question.

I guess it must be very very rare that applications make a distinction
between REFUSED and NXDOMAIN.

That goes even lower down the IP stack. I rarely DROP packets. I
mostly send ICMP Admin prohibited. Especially for UDP traffic.

Chris

Maciej

> When deploying my own set of refused zones I opted for REFUSED rcode
> because that's actually more informative and to the fact.
> I'm not lying the domain doesn't exist, I'm saying I am refusing to
> answer this question.

Same here.

> I guess it must be very very rare that applications make a distinction
> between REFUSED and NXDOMAIN.

I'm not aware of any cases off hand.

> That goes even lower down the IP stack. I rarely DROP packets. I
> mostly send ICMP Admin prohibited. Especially for UDP traffic.

I try to use a good working mix, and do answer ping requests. I think
the whole "stealth" stance is not net friendly.

Chris