unbound with local-zone: option

Ernie Luzar luzar722 at gmail.com
Mon Aug 28 14:52:54 UTC 2017

Host is running release 11.1 and I enabled the built in unbound.
Have public internet provided by time warner and using their dns 
servers. Also have LAN behind host.

The goal is to deny access to facebook.com at the local host level for 
all LAN devices.

The first "service local_unbound onestart" command auto created all 
kinds of files in /var/unbound and /etc.

I added this line into the /var/ubound/unbound.con file
Before the first include: statement
IE: include: /var/unbound/forward.conf

local-zone: "facebook.com" static

"service local_unbound onestart" command got no errors but issuing drill 
or host commands for facebook still brought up info when I expected to 

After a lot of trial and error I finally decided to start over again. I 
deleted all the files in /var/unbound and issued the
"service local_unbound onestart" command which I expected would rebuild 
all the needed files anew. But this time it issued error messages about 
being unable to create some files.

I am now dead in space with the only option being to install a fresh 
copy of 11.1.

Is the built in version of unbound only usable as an local caching 
resolver? Meaning it will not process local-zone: statements in the 
/ver/unbound/unbound.conf file?

How do I get unbound to re-init itself cleanly?

When does unbound get control? Is it after the firewall does its NATing 
and released the packet to the public interface?

talks about DNSSEC, but is not very clear in meaning.

I issued "drill -S FreeBSD.org" which I assume the provided dns ip 
address in /etc/resolv.conf are being used, resulted in this.

DNSSEC Trust tree:
freebsd.org. (A)
You have not provided any trusted keys.
;; Chase successful

Is this good or bad and does it have any bearing on the host built in 

More information about the freebsd-questions mailing list