Unbound(8) caching resolver no workie on fresh install :-(

Matthew Seaman matthew at FreeBSD.org
Sun Oct 15 10:40:05 UTC 2017


On 15/10/2017 01:10, RW via freebsd-questions wrote:
> On Sat, 14 Oct 2017 18:08:27 -0500
> CyberLeo Kitsana wrote:
> 
>> On 10/14/2017 04:43 PM, RW via freebsd-questions wrote:
> 
>> FreeBSD's local_unbound setup will, by default, forward to the
>> nameservers provided by DHCP or hardcoded in the config files, rather
>> than doing full lookups by itself.
> 
> But is it possible to force recursion (for the reason below).
> Matthew Seaman implied that it wasn't.  

I didn't say it was impossible.  I said that there wasn't a simple flag
you could set to enforce that behaviour.

The way you prevent local_unbound from using forwarders is to not have
any forwarders configured anywhere local_unbound can find them.
Basically that means:

   * no local_unbound_forwarders setting in /etc/rc.conf
   * no nameserver lines in /etc/resolv.conf
   * if you need to use DHCP, then you'd need to add settings to
     /etc/dhclient.conf to supersede the supplied DNS servers with
     an empty list.

> The reason I ask is that I'm still using DJB dnscache, and should
> probably be using something more modern; and something in base would be
> preferable.

Something that supports DNSSEC would be preferable, although that does
presuppose that the rest of the internet gets off its collective
backside and implements DNSSEC routinely.  How short memories are --
remember the fuss over the Kaminsky attack?  That was never actually
"solved" by the work-arounds given in the security advisories at the
time, just made significantly less likely to succeed.  The real fix was
always enabling DNSSEC everywhere.  Does _your_ bank use DNSSEC?

Hey, at least you could be assured that no-one is spoofing freebsd.org...

>>> There's also the issue that mail servers should avoid using shared
>>> caches because of per IP address limits on blocklists.

Anyone operating a mail server at reasonable scale has no excuse for not
paying for the service that blocklist providers provide, in which case,
the same per-IP limits will not apply.

	Cheers,

	Matthew
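
The three-item checklist Matthew gives above, turned into a script as an added example (not code from the post, and not part of FreeBSD's local_unbound tooling). It audits the places a forwarder can come from: local_unbound_forwarders in rc.conf, nameserver lines in resolv.conf, DHCP-managed interfaces (ifconfig_*="DHCP" or "SYNCDHCP" in rc.conf) without a dhclient.conf supersede, and the forward-zone file that local-unbound-setup writes from whatever it found. Assumptions: loopback nameserver entries are treated as the local resolver itself rather than as forwarders, the empty-list supersede is written `supersede domain-name-servers;`, and /var/unbound/forward.conf is where the generated forward-zone lives. The sample files in the usage below are constructed for illustration.

```shell
#!/bin/sh
# Added example, not from the mailing-list post or from FreeBSD itself:
# audit the places local_unbound can pick up forwarders from.
#
# Usage: audit_forwarders [rc.conf] [resolv.conf] [dhclient.conf] [forward.conf]
# Prints one line per forwarder source found and returns the number of
# sources found (0 means local_unbound is left to recurse on its own).
# With no arguments it inspects the live system files.
audit_forwarders() {
    rc_conf=${1:-/etc/rc.conf}
    resolv_conf=${2:-/etc/resolv.conf}
    dhclient_conf=${3:-/etc/dhclient.conf}
    forward_conf=${4:-/var/unbound/forward.conf}   # assumed generated path
    hits=0

    # 1. local_unbound_forwarders set in rc.conf (commented-out lines ignored)
    if [ -f "$rc_conf" ] &&
       grep -Eq '^[[:space:]]*local_unbound_forwarders=' "$rc_conf"; then
        echo "rc.conf: local_unbound_forwarders is set"
        hits=$((hits + 1))
    fi

    # 2. nameserver lines in resolv.conf. Loopback entries are skipped on the
    #    assumption that they point at the local resolver, not a forwarder.
    if [ -f "$resolv_conf" ] &&
       grep -E '^[[:space:]]*nameserver[[:space:]]' "$resolv_conf" |
       grep -Evq '[[:space:]](127\.0\.0\.1|::1)[[:space:]]*$'; then
        echo "resolv.conf: non-loopback nameserver lines present"
        hits=$((hits + 1))
    fi

    # 3. DHCP in use (ifconfig_<if>="DHCP" / "SYNCDHCP") without a
    #    dhclient.conf line superseding domain-name-servers with an empty
    #    list. Assumption: the empty-list form is 'supersede domain-name-servers;'.
    if [ -f "$rc_conf" ] &&
       grep -Eq '^[[:space:]]*ifconfig_[A-Za-z0-9_]+="?(SYNC)?DHCP' "$rc_conf"; then
        if ! { [ -f "$dhclient_conf" ] &&
               grep -Eq '^[[:space:]]*supersede[[:space:]]+domain-name-servers[[:space:]]*;' \
                   "$dhclient_conf"; }; then
            echo "dhclient.conf: DHCP in use and domain-name-servers not superseded"
            hits=$((hits + 1))
        fi
    fi

    # 4. The forward-zone file generated from whatever local-unbound-setup found.
    #    Fixing 1-3 does nothing until this is regenerated.
    if [ -f "$forward_conf" ] &&
       grep -Eq '^[[:space:]]*forward-zone:' "$forward_conf"; then
        echo "forward.conf: forward-zone present (re-run local-unbound-setup after fixing the above)"
        hits=$((hits + 1))
    fi

    return "$hits"
}

# Stand-alone use: audit the live system, or the four files given as arguments.
audit_forwarders "$@"
echo "forwarder sources found: $?"
```

A return value of 0 is the state Matthew describes: nothing for local_unbound to forward to, so it recurses from the root hints. Anything else lists exactly which of the three sources (plus the generated forward.conf) still needs clearing.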
