Unbound as sinkhole setup

I’m implementing a sinkhole using unbound, almost all documentation/example I found configure the blocked domains as:

    local-zone: "zone" inform_deny

As per the unbound documentation, ‘deny’ drops the query. My understanding is that a client querying that domain will experience a timeout during DNS resolution. This would add delay/latency to resolution and could even cause the client to fall back to another DNS server (and maybe get a positive answer).

So instead of ‘inform_deny’, I use ‘always_nxdomain’ to get an immediate response and stop the resolution process on the client.

However this way I lose the logging feature provided by ‘inform’.

How could I get this, or which would be the recommended setup?

  • Quickly get a negative response (NODATA/NXDOMAIN/…) which doesn’t cause any latency/delay on the client, while
  • Recording clients querying the blacklisted domains

BTW, I’m reviewing the use of RPZ on unbound to achieve the same, as I like the way it is implemented. I suppose this method will also need a different setup to achieve the same (immediate negative response and logging the suspicious client).

Thanks much for any idea/suggestion on the right path.
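For reference, one unbound.conf fragment that meets both requirements (an immediate negative answer and a log line per client hit). This is an added example, not configuration posted by anyone in this thread; the zone names, the RPZ zone name and the zone file path are placeholders. It relies on the `log-local-actions` server option, which makes unbound emit the same info-level log line that the inform* local-zone types produce (zone, action, client address and port, query name/type/class) for every local-zone type, so `always_nxdomain` can be logged without switching to an inform_* type. The second block shows the equivalent with RPZ, where logging is controlled per zone by `rpz-log`.

```yaml
server:
    # Log every local-zone hit, not only inform/inform_deny/inform_redirect ones.
    log-local-actions: yes

    # Whole subtree answered with NXDOMAIN straight from unbound; the client
    # stops resolving immediately and has nothing to fall back to another
    # resolver for (no timeout, unlike deny/inform_deny).
    local-zone: "badsite.example." always_nxdomain

    # Alternative for a single name: NODATA via inform_redirect plus an SOA in
    # local-data, which also gives clients something to negative-cache.
    local-zone: "tracker.example." inform_redirect
    local-data: "tracker.example. 10800 IN SOA localhost. nobody.invalid. 1 3600 1200 604800 10800"

# Same policy expressed as an RPZ zone loaded from a local file (placeholder path).
# A trigger record such as "badsite.example CNAME ." in that file means NXDOMAIN;
# rpz-action-override forces every trigger in the zone to NXDOMAIN regardless of
# the per-record action, and rpz-log writes one log line per matched query,
# tagged with rpz-log-name so the sinkhole hits are easy to grep.
rpz:
    name: "sinkhole.rpz.example."
    zonefile: "/var/lib/unbound/sinkhole.rpz.zone"
    rpz-action-override: nxdomain
    rpz-log: yes
    rpz-log-name: "sinkhole"
```

Run `unbound-checkconf` after editing: `log-local-actions` and the `rpz:` clause are only accepted by unbound releases that have those features (RPZ from 1.10.0), and an older binary will reject the file. Logging per hit does add I/O on a busy resolver, so if the blocklist is large keep `verbosity` low and ship the info lines to a separate log rather than raising unbound's overall verbosity.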

I have always done,

    local-zone: "badsite.org" redirect

Thank you,
Steven

Hi,

An "inform_redirect" local-zone (Unbound 1.9.1 or later) with an SOA record
in local-data generates a "NODATA" negative response, which DNS clients may
(or may not) negatively cache:

    local-zone: "example.com" inform_redirect
    local-data: "example.com 10800 SOA localhost. nobody.invalid. 1 3600 1200 604800 10800"

example.com zone response: