Unbound(8) caching resolver no workie on fresh install :-(
matthew at FreeBSD.org
Sun Oct 15 10:40:05 UTC 2017
On 15/10/2017 01:10, RW via freebsd-questions wrote:
> On Sat, 14 Oct 2017 18:08:27 -0500
> CyberLeo Kitsana wrote:
>> On 10/14/2017 04:43 PM, RW via freebsd-questions wrote:
>> FreeBSD's local_unbound setup will, by default, forward to the
>> nameservers provided by DHCP or hardcoded in the config files, rather
>> than doing full lookups by itself.
> But is it possible to force recursion (for the reason below).
> Matthew Seaman implied that it wasn't.
I didn't say it was impossible. I said that there wasn't a simple flag
you could set to enforce that behaviour.
The way you prevent local_unbound from using forwarders is to not have
any forwarders configured anywhere local_unbound can find them.
Basically that means:
* no local_unbound_forwarders setting in /etc/rc.conf
* no nameserver lines in /etc/resolv.conf
* if you need to use DHCP, then you'd need to add settings to
/etc/dhclient.conf to supersede the supplied DNS servers with
an empty list.
> The reason I ask is that I'm still using DJB dnscache, and should
> probably be using something more modern; and something in base would be
Something that supports DNSSEC would be preferable, although that does
presuppose that the rest of the internet gets off its collective
backside and implements DNSSEC routinely. How short memories are --
remember the fuss over the Kaminsky attack? That was never actually
"solved" by the work-arounds given in the security advisories at the
time, just made significantly less likely to succeed. The real fix was
always enabling DNSSEC everywhere. Does _your_ bank use DNSSEC?
Hey, at least you could be assured that no-one is spoofing freebsd.org...
>>> There's also the issue that mail servers should avoid using shared
>>> caches because of per IP address limits on blocklists.
Anyone operating a mail server at reasonable scale has no excuse for not
paying for the service that blocklist providers provide, in which case,
the same per-IP limits will not apply.
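A way to check a host for the three forwarder sources Matthew lists (rc.conf, resolv.conf, dhclient.conf), written as an added example that is not part of the thread or of FreeBSD's own local-unbound-setup. It assumes that loopback `nameserver` entries refer to local_unbound itself, that any `supersede domain-name-servers` statement in dhclient.conf counts as the DHCP override, and it runs against constructed sample files rather than a real host's configuration:

```shell
#!/bin/sh
# Audit the three places the message names where local_unbound can pick up
# forwarders. Findings go to stderr; the count of sources goes to stdout
# (0 means nothing stops local_unbound from recursing on its own).
audit_forwarders() {
    rc_conf=${1:-/etc/rc.conf}
    resolv_conf=${2:-/etc/resolv.conf}
    dhclient_conf=${3:-/etc/dhclient.conf}
    found=0
    # 1. rc.conf: value of the last local_unbound_forwarders= line, quotes
    #    and surrounding whitespace stripped; empty means "no forwarders".
    fwd=$(grep -E '^[[:space:]]*local_unbound_forwarders=' "$rc_conf" 2>/dev/null |
          tail -n 1 | sed -e 's/^[^=]*=//' -e 's/["'"'"']//g' \
                          -e 's/^[[:space:]]*//' -e 's/[[:space:]]*$//')
    if [ -n "$fwd" ]; then
        echo "rc.conf: local_unbound_forwarders=\"$fwd\"" >&2
        found=$((found + 1))
    fi
    # 2. resolv.conf: nameserver lines. Assumption: loopback entries are
    #    local_unbound itself; anything else becomes a forwarder.
    ns=$(awk '$1 == "nameserver" && $2 != "127.0.0.1" && $2 != "::1" { print $2 }' \
         "$resolv_conf" 2>/dev/null)
    if [ -n "$ns" ]; then
        echo "resolv.conf: external nameserver(s):" $ns >&2
        found=$((found + 1))
    fi
    # 3. dhclient.conf: without a supersede for domain-name-servers, the next
    #    DHCP lease writes the ISP's servers back into resolv.conf. Ignore
    #    this finding on a host that never runs dhclient.
    if ! grep -Eq '^[[:space:]]*supersede[[:space:]]+domain-name-servers' \
             "$dhclient_conf" 2>/dev/null; then
        echo "dhclient.conf: domain-name-servers not superseded" >&2
        found=$((found + 1))
    fi
    echo "$found"
}

# Constructed sample files (not from any real host) showing a setup that
# would forward: rc.conf forwarders, a DHCP-supplied nameserver, no supersede.
make_samples() {
    printf 'local_unbound_enable="YES"\nlocal_unbound_forwarders="192.0.2.53 192.0.2.54"\n' > "$1/rc.conf"
    printf 'nameserver 127.0.0.1\nnameserver 192.0.2.53\noptions edns0\n' > "$1/resolv.conf"
    printf 'interface "em0" {\n}\n' > "$1/dhclient.conf"
}

# Dry run against the samples; prints three findings and the count 3.
dir=$(mktemp -d) && make_samples "$dir" &&
    audit_forwarders "$dir/rc.conf" "$dir/resolv.conf" "$dir/dhclient.conf"
rm -rf "$dir"
```

Run without arguments it inspects the real /etc files; a count of 0 is what you want before expecting local_unbound to do full recursion.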