Score:1

unbound DNS without recursive

AAB

I want to configure unbound DNS for a domain, e.g. domain.com, in such a way that it only answers for *.domain.com and refuses any other query, such as gmail.com or hotmail.com. I have the following configuration, but it doesn't work as desired.

server:
    interface: a.b.c.d                 # public IP
    verbosity: 2
    logfile: "unbound.log"
    log-queries: yes
    hide-identity: yes
    hide-version: yes
    access-control: 127.0.0.1/8 allow
    access-control: 192.168.0.0/24 allow
    access-control: 0.0.0.0/0 refuse_non_local   # intended: refuse anything not "local"

    local-zone: "domain.com" transparent
forward-zone:
    name: "domain.com"
    forward-addr: 192.168.0.1          # local DNS server

So the idea is that a query arrives on the live/public interface (IP a.b.c.d) for the zone domain.com, the query is forwarded to the local DNS 192.168.0.1, and the answer is returned via a.b.c.d to the client on the internet. If a query arrives on a.b.c.d for, let's say, gmail.com, then REFUSED should be the answer, like the following:

** server can't find gmail.com: REFUSED

I am not able to achieve REFUSED for domains other than domain.com (e.g. gmail/hotmail). In a nutshell, I can't get access-control: 0.0.0.0/0 refuse_non_local to work.

librhnylmz
Does your DNS server have internet access, or is there a block rule denying port 53? Unbound needs to connect to the root hint servers to resolve domains it doesn't know.
AAB
I think you didn't understand what I want to achieve; in a nutshell, I can't get "access-control: 0.0.0.0/0 refuse_non_local" to work.
librhnylmz
You can change the config as below. The first line rejects all other queries and the following lines accept only the listed domains. I hope it works for you.

    local-zone: "." refuse
    local-zone: "domain.com" transparent
    local-zone: "domain2.com" transparent
AAB
Thanks librhnylmz, your solution works :)
Score:0
AAB

librhnylmz's solution worked. The following is working:

server:
    interface: a.b.c.d                 # public IP
    verbosity: 2
    logfile: "unbound.log"
    log-queries: yes
    extended-statistics: no
    access-control: 0.0.0.0/0 allow
    local-zone: "." refuse             # refuse everything by default ...
    local-zone: "domain.com." transparent   # ... except domain.com and below
forward-zone:
    name: "domain.com"
    forward-addr: 192.168.0.1          # local DNS
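Why the accepted answer works where refuse_non_local did not: per unbound.conf(5), refuse_non_local only admits queries that can be answered from static local-data; a transparent zone whose answers come from a forward-zone is not "local" in that sense. The accepted answer instead relies on local-zone precedence, where the most specific local-zone enclosing the query name wins, so "." refuse is the default and "domain.com." transparent overrides it for domain.com and every name below it. The script below is an added example, not code from this thread or from Unbound: it parses the local-zone lines of the working config (embedded as a constructed string) and classifies sample queries the way that precedence rule does, including the label-boundary edge case (notdomain.com must not match domain.com). It models only this decision; Unbound's built-in default local zones (localhost, RFC 1918 reverse zones) are not included, so verify on the real server with dig.

```python
"""Model of Unbound local-zone precedence (illustration only, not Unbound code)."""
import re

# Constructed config: the working answer from this thread, trimmed to the
# lines that decide between refuse and transparent.
UNBOUND_CONF = """
server:
    access-control: 0.0.0.0/0 allow
    local-zone: "." refuse
    local-zone: "domain.com." transparent
forward-zone:
    name: "domain.com"
    forward-addr: 192.168.0.1
"""

LOCAL_ZONE_RE = re.compile(r'^\s*local-zone:\s*"([^"]*)"\s+(\S+)', re.M)


def normalize(name):
    """Lower-case and drop the trailing dot so 'Domain.COM.' == 'domain.com'."""
    return name.rstrip(".").lower()


def parse_local_zones(conf):
    """Return {zone_name: zone_type} for every local-zone line; root is ''."""
    return {normalize(zone): ztype for zone, ztype in LOCAL_ZONE_RE.findall(conf)}


def matching_zone(qname, zones):
    """Most specific (longest) zone enclosing qname, matched on label boundaries.

    'www.domain.com' is inside 'domain.com'; 'notdomain.com' is not, because the
    suffix test requires a leading dot. The root zone '' encloses everything.
    """
    q = normalize(qname)
    best = None
    for zone in zones:
        if zone == "" or q == zone or q.endswith("." + zone):
            if best is None or len(zone) > len(best):
                best = zone
    return best


def classify(qname, zones):
    """'REFUSED' if the winning zone is type refuse, otherwise 'RESOLVE'.

    A transparent zone with no local-data falls through to normal resolution,
    which for domain.com means the forward-zone to 192.168.0.1.
    """
    zone = matching_zone(qname, zones)
    if zone is None:
        return "RESOLVE"
    return "REFUSED" if zones[zone] == "refuse" else "RESOLVE"


if __name__ == "__main__":
    zones = parse_local_zones(UNBOUND_CONF)
    for q in ["gmail.com", "www.domain.com", "domain.com",
              "notdomain.com", "1.0.168.192.in-addr.arpa"]:
        print(f"{q:28} -> {classify(q, zones)}")
```

On the live server the equivalent check is `dig @a.b.c.d gmail.com` (expect status REFUSED) and `dig @a.b.c.d www.domain.com` (expect NOERROR with the record from 192.168.0.1).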