disable forwarding for specific zones

Hello List,

I use unbound 1.4.22 as a forwarder to my global DNS cache:

forward-zone:
        name: "."
        forward-addr: ip.ip.ip.ip

Now I want to exclude some zones from forwarding and do name resolution on the same machine.
I do not find an option to disable forwarding. Is there a possibility for me?
As a fallback I could forward to 127.0.0.1:54 and create a new, not forwarding unbound on port 54.

Thanks,
Hajo

Hi Hajo,

Unbound uses the closest match to decide which forward or stub clause to
use. So you can configure more specific forward and stub clauses for the
zones and send their queries elsewhere.

With stub-zone you can make unbound ask authority servers.

# For example;
stub-zone:
  name: "nlnetlabs.nl"
  stub-host: ns-ext1.sidn.nl.
  stub-host: sec2.authdns.ripe.net.
  stub-host: anyns.pch.net.
  stub-addr: 185.49.140.60 # for ns.nlnetlabs.nl
  stub-addr: 2a04:b900::8:0:0:60 # for ns.nlnetlabs.nl

(For the nameservers in the zone itself I used IP addresses, to avoid
a circular dependency).

stub-prime: yes will make it fetch the NS set using this list of
servers and use that NS set for further queries. Note that it will
use your global forwarder to lookup sec2.authdns.ripe.net. If you do
not desire such lookups to the global forwarder, give IP addresses.

Best regards, Wouter

Hello,

thanks for your help.

So a wildcard forwarding is only overridable by a more specific forwarding? A possibility to stop forwarding for some zones and do the lookup on localhost would be nice.

Thanks, Hajo

Hi Hajo,

Yes. Do you mean specific, with specific authority servers for a
zone? Or do you mean that a name: "nl" stub-zone and forward-zone
would catch all zones ending in '.nl' (this is the way unbound works
now, all queries ending in that name are forwarded)?

But you can definitely forward some zones and do a lookup on localhost
by entering more specific overrides.
forward-zone:
  name: "example.com"
  forward-addr: 127.0.0.1@54   # a forward-zone takes forward-addr; stub-addr belongs in a stub-zone
And then add entries for all the zones for which you want to query the
other unbound on port 54. (set do-not-query-localhost: no to allow
queries to go to 127.0.0.1).

Best regards, Wouter
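The following Python is an added illustration for this thread; it is not unbound's own code and was not posted by Wouter or Hajo. It models the closest-match rule described above (the enclosing forward-zone or stub-zone with the most labels wins, matched on whole labels, so "example.com" does not capture "notexample.com") and emits the unbound.conf fragment that combines the catch-all forward-zone with the two overrides discussed: the stub-zone for nlnetlabs.nl and a forward-zone that hands example.com to a second, non-forwarding unbound on 127.0.0.1@54, with do-not-query-localhost set to no. The placeholder ip.ip.ip.ip is the thread's own; the query names in the demo are constructed. The model does not decide precedence when a forward-zone and a stub-zone are configured for exactly the same name, since the thread does not cover that case.

```python
"""Model of unbound's closest-match zone selection plus an unbound.conf
fragment generator. Added example, not unbound code. Assumes the rule from
the thread: the most specific enclosing forward-zone/stub-zone decides
where a query goes."""
from __future__ import annotations

from dataclasses import dataclass, field
from typing import Optional


def labels(name: str) -> list[str]:
    """Split a DNS name into labels, least significant first ('.' -> [])."""
    name = name.rstrip(".").lower()
    return list(reversed(name.split("."))) if name else []


def encloses(zone: str, qname: str) -> bool:
    """True if zone equals, or is an ancestor of, qname on label boundaries.
    'example.com' encloses 'www.example.com' but not 'notexample.com'."""
    z, q = labels(zone), labels(qname)
    return len(z) <= len(q) and q[: len(z)] == z


@dataclass
class Zone:
    kind: str                 # "forward-zone" or "stub-zone"
    name: str
    addrs: list[str]          # forward-addr / stub-addr values, e.g. "127.0.0.1@54"
    hosts: list[str] = field(default_factory=list)   # stub-host names (stub-zone only)


def select_zone(zones: list[Zone], qname: str) -> Optional[Zone]:
    """Closest match: among enclosing zones, the one with the most labels wins."""
    best = None
    for z in zones:
        if encloses(z.name, qname) and (
            best is None or len(labels(z.name)) > len(labels(best.name))
        ):
            best = z
    return best


def render_conf(zones: list[Zone], allow_localhost: bool) -> str:
    """Emit an unbound.conf fragment for the zone list."""
    out = ["server:"]
    if allow_localhost:
        # required before unbound will send queries to 127.0.0.1@54
        out.append("    do-not-query-localhost: no")
    for z in zones:
        key = "forward-addr" if z.kind == "forward-zone" else "stub-addr"
        out.append(f"{z.kind}:")
        out.append(f'    name: "{z.name}"')
        for h in z.hosts:
            out.append(f"    stub-host: {h}")
        for a in z.addrs:
            out.append(f"    {key}: {a}")
    return "\n".join(out) + "\n"


# The thread's setup: everything goes to the global cache except two zones.
ZONES = [
    Zone("forward-zone", ".", ["ip.ip.ip.ip"]),          # placeholder from the thread
    # Hajo's workaround: example.com goes to a second, non-forwarding unbound on port 54
    Zone("forward-zone", "example.com", ["127.0.0.1@54"]),
    # Wouter's stub-zone: ask the nlnetlabs.nl authority servers directly
    Zone("stub-zone", "nlnetlabs.nl", ["185.49.140.60", "2a04:b900::8:0:0:60"],
         hosts=["ns-ext1.sidn.nl.", "sec2.authdns.ripe.net.", "anyns.pch.net."]),
]


def route(qname: str) -> str:
    """Where the model sends a query: '<kind> <zone> -> <first address>'."""
    z = select_zone(ZONES, qname)
    if z is None:
        return "no forward/stub zone matches; normal recursion"
    return f"{z.kind} {z.name} -> {z.addrs[0]}"


if __name__ == "__main__":
    print(render_conf(ZONES, allow_localhost=True))
    for q in ("www.example.com", "notexample.com", "ns.nlnetlabs.nl", "example.org"):
        print(f"{q:20} {route(q)}")
```

After replacing the ip.ip.ip.ip placeholder with a real address, the emitted fragment can be validated with unbound-checkconf; the second instance on port 54 still needs its own configuration file without a forward-zone for ".".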

Hello,

Yes, I mean a specific name.
Currently I have the wildcard forward. I just want to exclude some domain names from this forwarding and use unbound as the local resolver for these domains.
To clarify, I use the imaginary directive "exclude" as an example to show this.

forward-zone:
         name: "."
         exclude: "example.com"
         forward-addr: ip.ip.ip.ip

As the reverse solution I could forward only zones which I already know, which is not possible/useful when running as a DNS cache.

I could achieve the same in an indirect way by using a further forward to another unbound on localhost on a different port, which is not configured as a forwarder.

forward-zone:
         name: "example.com"
         forward-addr: 127.0.0.1@54
         forward-first: yes

But this seems to be not as easy to realise as I thought. It seems that by default unbound is not ready to start in multiple instances on different ports with different settings. I could not create multiple servers. I think the only way is to start a 2nd unbound daemon with a completely different start script, pids, confs etc.
Hmm, too big an effort for my purposes.

Thanks,
Hajo