Hi all
After long time with Bind, I’m moving to NSD and Unbound for my internal DNS infra.
I’m testing it through docker containers, one for NSD and another for unbound. I add the zone files to NSD, which through a script loads the zones and (using unbound-control) notifies the unbound service (resolver) to set the zones as stub-zones forwarding to NSD.
This is my test zone (I think quite representative):
dome. 3600 IN SOA ns.dome. hostmaster.dome. 2020032501 300 120 600 86400
dome. 3600 IN NS ns.dome.
emba.dome. 3600 IN NS ns.dome.
ns.dome. 3600 IN A 192.168.128.128
priv.dome. 3600 IN A 10.0.0.1
priv.dome. 3600 IN TXT "Private record"
pub.dome. 3600 IN A 80.0.0.1
pub.dome. 3600 IN TXT "Public record"
alias.dome. 3600 IN CNAME www.gmail.com.
The problem is expected: my current setup sets the RFC1918 blocks as private, so unbound is stripping the answers for the ‘priv.dome’:
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 1876
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 1
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 1472
;; QUESTION SECTION:
;priv.dome. IN A
;; AUTHORITY SECTION:
dome. 3580 IN NS ns.dome.
And the logs clearly state the reason:
Apr 30 08:43:55 unbound[11:0] debug: sanitize: removing public name with private address <priv.dome.> 10.0.0.1#53
Obviously the records pointing to public IPs got answered correctly.
The fix is to add ‘dome’ in unbound.conf as ‘private-domain’; however, this requires modifying the config file and I didn’t find any ‘control’ command to set the domain as private remotely.
Is there any alternate solution/workaround? (entirely managing unbound through unbound-control)
Additionally, I read many references about unbound NOT being an authoritative server; however, it implements many features and provides the ‘auth-zones’ config stuff. Could anyone tell me which features/RFCs it doesn’t implement so as not to be considered authoritative? I mean, what does it lack to work as an authoritative server?
Thanks much
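An added example, not part of the original post: given the zone above and the private-address blocks, it works out which A answers unbound's sanitizer would drop (the "removing public name with private address" case) and which private-domain lines unbound.conf needs for them. It assumes the poster's private-address list is the three RFC1918 blocks, and the zone text is a copy of the one shown.

```python
import ipaddress

# Copy of the zone from the post (constructed sample input for this example).
ZONE = """\
dome. 3600 IN SOA ns.dome. hostmaster.dome. 2020032501 300 120 600 86400
dome. 3600 IN NS ns.dome.
emba.dome. 3600 IN NS ns.dome.
ns.dome. 3600 IN A 192.168.128.128
priv.dome. 3600 IN A 10.0.0.1
priv.dome. 3600 IN TXT "Private record"
pub.dome. 3600 IN A 80.0.0.1
pub.dome. 3600 IN TXT "Public record"
alias.dome. 3600 IN CNAME www.gmail.com.
"""

# Assumption: these are the blocks configured under private-address in unbound.conf.
PRIVATE_BLOCKS = [ipaddress.ip_network(n)
                  for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def parse_zone(text):
    """Return (owner, rtype, rdata_tokens) per record of a one-record-per-line zone."""
    records = []
    for line in text.splitlines():
        line = line.split(";", 1)[0].strip()  # drop comments and blank lines
        if not line:
            continue
        parts = line.split()  # owner ttl class type rdata...
        records.append((parts[0], parts[3], parts[4:]))
    return records


def _under(name, domain):
    return name == domain or name.endswith("." + domain)


def names_sanitized(records, private_blocks, private_domains=()):
    """Owners whose A/AAAA rdata is inside a private block and that no
    private-domain entry covers: exactly the answers the sanitizer strips."""
    dropped = []
    for owner, rtype, rdata in records:
        if rtype not in ("A", "AAAA"):
            continue
        addr = ipaddress.ip_address(rdata[0])
        if any(addr in b for b in private_blocks) and \
                not any(_under(owner, d) for d in private_domains):
            dropped.append(owner)
    return dropped


def private_domain_lines(records, private_blocks):
    """unbound.conf lines needed: one private-domain per zone apex (SOA owner)
    that holds at least one record the sanitizer would otherwise drop."""
    apexes = [owner for owner, rtype, _ in records if rtype == "SOA"]
    needed = {apex for name in names_sanitized(records, private_blocks)
              for apex in apexes if _under(name, apex)}
    return [f'private-domain: "{apex}"' for apex in sorted(needed)]
```

Note that the NS host ns.dome. (192.168.128.128) is caught as well as priv.dome., so a private-domain entry for the apex covers both.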