Unbound as local DNS cacher, overwrite some domains

Christopher Sean Hilton chris at vindaloo.com
Thu Oct 15 16:55:16 UTC 2015


On Tue, Oct 13, 2015 at 11:57:08AM +0100, Arthur Chance wrote:
> On 13/10/2015 11:16, B.J.Scharp wrote:
> >Hello,
> >
> >I have a setup where there are several machines on a LAN that have both
> >internal and external addresses. I would like to use Unbound as a local
> >DNS cacher that provides the internal address when queried, while the
> >external (authoritative) DNS gives the external address.
> >

[ ...snip... ]

> 
> Take a look at the local-zone, local-data and local-data-ptr directives. You
> can totally override a zone or simply make changes and additions to one
> depending on the type specified in local-zone.
> 

I use unbound and nsd like this on a traveling vpn router that I
bring to hotel rooms. I looked at local-zone, local-data, and
local-data-ptr but even with an emacs macro to convert the zone file
I found that the configuration didn't scale for me. If you can keep
all your hosts in a hosts file then those directives will probably
work but if you are using DNS because you really need it then you
probably want a different solution.

My traveling router connects to the local Ethernet. It uses an old
Apple Airport Express to provide a low power 5GHz WiFi network
piggybacked onto the provided connection. When I'm in the hotel all my
devices funnel through the one connection. The router runs OpenBSD so
the unbound and nsd are both built in. If nsd isn't stock on FreeBSD
you can probably add it from ports. The router provides the LAN:
10.17.98.0/24. It VPNs back to a greater LAN of 10.17.96.0/23. It
also provides an IPv6 LAN of 2001:db8:fade:cafe::/64.

In this configuration nsd runs as an authoritative server. It only
listens to the loopback interface at port 5300. Nsd's configuration is
straightforward. The man pages led me right to what I needed and
testing was drop dead simple.

The unbound configuration was a little tougher. For reasons I don't
understand, unbound won't query on the loopback interface by
default. I'm sure that there's a good reason for this but I don't
claim to understand it. Now that I have it working, the config looks
like this:

     # $OpenBSD: unbound.conf,v 1.4 2014/04/02 21:43:30 millert Exp $

     server:
             interface: 0.0.0.0
             interface: ::
             do-ip6: yes

             access-control: 0.0.0.0/0 refuse
             access-control: 127.0.0.0/8 allow
             access-control: 10.17.98.0/24 allow
             access-control: 2001:db8:fade:cafe::/64 allow

             hide-identity: yes
             hide-version: yes

             do-not-query-localhost: no

     ## Reverse dns is tricky for unbound on RFC1918 space. I tried
     ## private-address but a transparent local zone worked better.
     ##
     ##      private-address: 10.17.96.0/22
             local-zone: "17.10.in-addr.arpa." transparent

     forward-zone:
             name: "17.10.in-addr.arpa."
             forward-addr: 127.0.0.1@5300

     forward-zone:
             name: "example.com."
             forward-addr: 127.0.0.1@5300

     ## forward-zone:
     ##      name: "."                               # use for ALL queries
     ##      forward-addr: 8.8.8.8
     ##      forward-addr: 8.8.4.4
     ##      forward-first: yes                      # try direct if forwarder fails

     ## End of file: unbound.conf

That's pretty much it. When I first did this I bitched that it was a
lot of work to do something that named did by default. But since then, I
appreciate the separation of concerns you get with this design.

-- Chris
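Added example, not part of the post or of unbound/nsd: a small checker for the two things that tripped Chris up in the config above. It parses an unbound.conf fragment and flags (a) a forward-addr on a loopback address while do-not-query-localhost is not set to no, and (b) a forward-zone under an RFC1918 reverse tree (10.in-addr.arpa, 16-31.172.in-addr.arpa, 168.192.in-addr.arpa) with no local-zone override such as transparent, since unbound answers those trees itself with NXDOMAIN by default and never consults the forwarder. The sample config is constructed from the post; the clause parser is a deliberately minimal one that understands only the flat key: value layout shown here.

```python
import ipaddress

# Constructed sample modelled on the post's unbound.conf (nsd on 127.0.0.1 port 5300).
SAMPLE_CONF = """\
server:
        do-not-query-localhost: no
        local-zone: "17.10.in-addr.arpa." transparent
forward-zone:
        name: "17.10.in-addr.arpa."
        forward-addr: 127.0.0.1@5300
"""
# Reverse trees unbound answers itself (static, NXDOMAIN) unless a local-zone overrides them.
RFC1918_REVERSE = ["10.in-addr.arpa", "168.192.in-addr.arpa"] + [
    f"{i}.172.in-addr.arpa" for i in range(16, 32)]

def parse_unbound(text):
    """Return [(clause, [(key, value), ...])]; comments and quotes are dropped."""
    clauses = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].replace('"', "").strip()
        if line.endswith(":") and " " not in line:  # 'server:' / 'forward-zone:'
            clauses.append((line[:-1], []))
        elif line and clauses:
            key, _, value = line.partition(":")
            clauses[-1][1].append((key.strip(), value.strip()))
    return clauses

def in_tree(name, tree):
    name, tree = name.rstrip(".").lower(), tree.rstrip(".").lower()
    return name == tree or name.endswith("." + tree)

def check_loopback_forwarding(text):
    """List the post's two pitfalls: forwarding to loopback without do-not-query-localhost: no,
    and an RFC1918 reverse forward-zone still shadowed by a default static local-zone."""
    clauses = parse_unbound(text)
    server = [kv for c, kvs in clauses if c == "server" for kv in kvs]
    allows_localhost = ("do-not-query-localhost", "no") in server
    overrides = [v.split()[0] for k, v in server if k == "local-zone"
                 and v.split()[-1] in ("transparent", "typetransparent", "nodefault")]
    problems = []
    for _, kvs in [c for c in clauses if c[0] == "forward-zone"]:
        zone = dict(kvs).get("name", "?")
        for addr in [v for k, v in kvs if k == "forward-addr"]:
            if not allows_localhost and ipaddress.ip_address(addr.split("@")[0]).is_loopback:
                problems.append(f"{zone}: forwards to {addr} but do-not-query-localhost is not 'no'")
        if any(in_tree(zone, t) for t in RFC1918_REVERSE) \
                and not any(in_tree(zone, o) for o in overrides):
            problems.append(f"{zone}: still shadowed by unbound's default static local-zone")
    return problems
```

Running it over the post's config yields no findings; flipping do-not-query-localhost back to its default, or dropping the transparent local-zone, produces one finding each.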