unbound forwarding local and dnssec proxy

I am uncertain as to how to configure unbound to do the following:

  • forward local domains to a local authoritative server and not cache.

  • forward all other non-local requests to a dnssec proxy and cache the results.

I am having difficulty getting this to work the way I understand the configuration options.

Setup:

  OpenBSD 6.2
  unbound 1.6.6
  nsd 4.1.10
  dnscrypt-proxy 1.9.5

unbound.conf:

# $OpenBSD: unbound.conf,v 1.7 2016/03/30 01:41:25 sthen Exp $

server:
    interface: 127.0.0.1
    interface: 192.168.5.20
    do-ip6: no

    access-control: 0.0.0.0/0 refuse
    access-control: 127.0.0.0/8 allow
    access-control: ::0/0 refuse
    access-control: 192.168.5.0/24 allow

    hide-identity: yes
    hide-version: yes

    verbosity: 2
    log-queries: yes

    auto-trust-anchor-file: "/var/unbound/db/root.key"

    do-not-query-localhost: no

    # private networks:
    private-address: 10.0.0.0/8
    private-address: 100.64.0.0/10
    private-address: 172.16.0.0/12
    private-address: 192.0.0.0/29
    private-address: 192.168.0.0/16
    private-address: 198.18.0.0/15
    # example source code & documentation:
    private-address: 192.0.2.0/24
    private-address: 198.51.100.0/24
    private-address: 203.0.113.0/24
    # subnet, autoconfiguration between two hosts on a single link:
    private-address: 169.254.0.0/16
    # reserved for multicast assignments:
    private-address: 224.0.0.0/4
    # reserved for future use:
    private-address: 240.0.0.0/4

    local-zone: "example.net" transparent
    local-zone: "168.192.in-addr.arpa." transparent

    local-zone: "localhost." static
    local-data: "localhost. 10800 IN NS localhost."
    local-data: "localhost. 10800 IN SOA localhost. nobody.invalid. 1 3600 1200 604800 10800"
    local-data: "localhost. 10800 IN A 127.0.0.1"

    local-zone: "127.in-addr.arpa." static
    local-data: "127.in-addr.arpa. 10800 IN NS localhost."
    local-data: "127.in-addr.arpa. 10800 IN SOA localhost. nobody.invalid. 2 3600 1200 604800 10800"
    local-data: "1.0.0.127.in-addr.arpa. 10800 IN PTR localhost."

remote-control:
    control-enable: yes
    control-use-cert: no
    control-interface: /var/run/unbound.sock

# Local domains
# Forwarded to NSD authoritative server
forward-zone:
    name: "example.net."
    forward-addr: 127.0.0.1@8053

forward-zone:
    name: "168.192.in-addr.arpa."
    forward-addr: 127.0.0.1@8053

# dnscrypt proxy
#forward-zone:
#    name: "."
#    forward-addr: 127.0.0.1@40

Hi,

I am uncertain as to how to configure unbound to do the following:
    - forward local domains to a local authoritative server and not cache.

Can you elaborate on the issue you are facing? You might want to change
the forward-zone and forward-addr to stub-zone and stub-addr, since you
are sending the queries to an authoritative nameserver.

There is no need to have these two transparent local-zones, there is no
local-data for them.

    - forward all other non-local requests to a dnssec proxy and cache
the results.

Configuration looks fine. Try querying the proxy directly if you are
facing problems, to be sure that part is working.

-- Ralph
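The fragment below applies the reply's suggestions to the posted setup (stub-zone for the zones nsd serves, one forward-zone for everything else). It is an added example, not configuration from either message; the domain-insecure, private-domain and nodefault lines are assumptions about an unsigned internal zone and an RFC 1918 reverse zone, based on unbound's documented defaults, and are not something the thread discusses.

```conf
# Added example (not from the original thread): unbound.conf fragments
# applying the reply's suggestions. Addresses and ports are those from
# the posted configuration.
server:
    interface: 127.0.0.1
    interface: 192.168.5.20
    do-ip6: no
    access-control: 0.0.0.0/0 refuse
    access-control: 127.0.0.0/8 allow
    access-control: 192.168.5.0/24 allow
    hide-identity: yes
    hide-version: yes
    # Validates the answers received from the forwarder below.
    auto-trust-anchor-file: "/var/unbound/db/root.key"
    # nsd and dnscrypt-proxy both listen on loopback, so keep this "no".
    do-not-query-localhost: no
    # Assumption: the internal zones are not DNSSEC-signed. With a trust
    # anchor configured, unsigned answers for a name whose public parent
    # has a DS record would be treated as bogus; these lines exempt them.
    domain-insecure: "example.net."
    domain-insecure: "168.192.in-addr.arpa."
    # Rebinding protection strips RFC 1918 addresses from answers;
    # private-domain allows them for the internal zone only.
    private-address: 192.168.0.0/16
    private-domain: "example.net."
    # unbound answers this RFC 1918 reverse zone itself by default
    # (AS112 zones); nodefault turns that off so the stub is consulted.
    local-zone: "168.192.in-addr.arpa." nodefault

# Local domains: stub-zone, since nsd is authoritative, not a resolver.
# Answers are still cached; the TTLs set in the nsd zone bound how long.
stub-zone:
    name: "example.net."
    stub-addr: 127.0.0.1@8053

stub-zone:
    name: "168.192.in-addr.arpa."
    stub-addr: 127.0.0.1@8053

# Everything else: forward to dnscrypt-proxy and cache the results.
forward-zone:
    name: "."
    forward-addr: 127.0.0.1@40
```

After reloading, a query for a name in example.net should be answered from nsd, and a public name should show the AD flag only if the proxy returns validatable answers, which is the direct check the reply suggests.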