I’m migrating to unbound for my home network which also contains a lab environment for my work.
I have multiple labs and ages ago chose the ‘test’ TLD for all of them. For example, if I’m running a lab for Server 2019, I’d give it the domain w2k19.test while a lab for Server 2016 would be w2k16.test. I had this working well with the Technitium DNS server as I made the server authoritative for the test TLD and used either stub zones or forwards for each lab subdomain (either worked). I’m trying to replicate this in unbound.
To get this to work with unbound, I had to override the default where all test domains are blocked. I did this with:
local-zone: "test." transparent
This works if I query unbound for a server within the w2k19 lab (e.g. dc1.w2k19.test returns a record).
However, if I misspell the domain part (e.g. query dc1.w2k18.test), unbound sends the query to the internet (due to the local-zone above).
Is there a way to configure this, such that forward-zones are processed, but queries that would be sent to the root (for test) are blocked instead? forward-first and forward-no-cache looked promising at first, but didn’t help.
While I agree that hosting the “test.” domain would be the correct way to do this, I’m trying to avoid running a DNS server that merely forwards to known subdomains or returns NXDOMAIN. I was hoping that there would be a way to get unbound to reject anything that failed to forward. If not, I’ll simply have to bite the bullet and host “test.”
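One way to get the behaviour asked for, as an added example rather than anything from the post above: unbound applies the most specific local-zone that encloses a query name, so a static "test." zone can return NXDOMAIN for unknown labs while transparent sub-zones let the known labs fall through to their forward-zones. The lab resolver addresses are assumed placeholders.

```conf
# Added example (not from the post): unbound.conf fragment that forwards the
# known lab zones but answers NXDOMAIN locally for anything else under test.
server:
    # Keep "test." blocked: a query under test. with no local-data and no more
    # specific local-zone is answered NXDOMAIN and never sent to the root.
    local-zone: "test." static

    # A more specific local-zone overrides the parent, so names under the lab
    # zones are resolved normally, which here means via their forward-zone.
    local-zone: "w2k19.test." transparent
    local-zone: "w2k16.test." transparent

    # test. has no delegation from the root, so if DNSSEC validation is on
    # (auto-trust-anchor-file), mark the lab zones insecure or they will
    # fail validation instead of resolving.
    domain-insecure: "w2k19.test."
    domain-insecure: "w2k16.test."

forward-zone:
    name: "w2k19.test."
    forward-addr: 192.0.2.10      # assumed: DNS server in the w2k19 lab

forward-zone:
    name: "w2k16.test."
    forward-addr: 192.0.2.20      # assumed: DNS server in the w2k16 lab
```

With this, dc1.w2k19.test is forwarded to 192.0.2.10, while a typo such as dc1.w2k18.test matches only the static "test." zone and gets NXDOMAIN from unbound itself; `unbound-checkconf` will validate the fragment before reload.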