Date: Thu, 15 Oct 2015 12:55:08 -0400
From: Christopher Sean Hilton <chris@vindaloo.com>
To: Arthur Chance <freebsd@qeng-ho.org>
Cc: freebsd-questions@freebsd.org
Subject: Re: Unbound as local DNS cacher, overwrite some domains
Message-ID: <20151015165508.GA80612@kessel.vindaloo.com>
In-Reply-To: <561CE384.6040304@qeng-ho.org>
References: <561CD9FD.6020204@itsacon.net> <561CE384.6040304@qeng-ho.org>
On Tue, Oct 13, 2015 at 11:57:08AM +0100, Arthur Chance wrote:
> On 13/10/2015 11:16, B.J.Scharp wrote:
> >Hello,
> >
> >I have a setup where there are several machines on a LAN that have both
> >internal and external addresses. I would like to use Unbound as a local
> >DNS cacher that provides the internal address when queried, while the
> >external (authoritative) DNS gives the external address.
>
> [ ...snip... ]
>
> Take a look at the local-zone, local-data and local-data-ptr directives. You
> can totally override a zone or simply make changes and additions to one
> depending on the type specified in local-zone.
>

I use unbound and nsd like this on a traveling VPN router that I bring to
hotel rooms. I looked at local-zone, local-data, and local-data-ptr, but even
with an emacs macro to convert the zone file I found that the configuration
didn't scale for me. If you can keep all your hosts in a hosts file then
those directives will probably work, but if you are using DNS because you
really need it then you probably want a different solution.

My traveling router connects to the local Ethernet. It uses an old Apple
Airport Express to provide a low power 5GHz WiFi network piggybacked onto the
provided connection. When I'm in the hotel all my devices funnel through the
one connection. The router runs OpenBSD, so unbound and nsd are both built
in. If nsd isn't stock on FreeBSD you can probably add it from ports.

The router provides the LAN: 10.17.98.0/24. It VPNs back to a greater LAN of
10.17.96.0/23. It also provides an IPv6 LAN of 2001:db8:fade:cafe::/64. In
this configuration nsd runs as an authoritative server. It only listens on the
loopback interface at port 5300. Nsd's configuration is straightforward. The
man pages led me right to what I needed and testing was drop dead simple.
The unbound configuration was a little tougher. For reasons I don't
understand, unbound won't query on the loopback interface by default. I'm
sure that there's a good reason for this but I don't claim to understand it.
Now that I have it working, the config looks like this:

    # $OpenBSD: unbound.conf,v 1.4 2014/04/02 21:43:30 millert Exp $

    server:
        interface: 0.0.0.0
        interface: ::
        do-ip6: yes

        access-control: 0.0.0.0/0 refuse
        access-control: 127.0.0.0/8 allow
        access-control: 10.17.98.0/24 allow
        access-control: 2001:db8:fade:cafe::/64 allow

        hide-identity: yes
        hide-version: yes

        do-not-query-localhost: no

        ## Reverse dns is tricky for unbound on RFC1918 space. I tried
        ## private-address but a transparent local zone worked better.
        ##
        ## private-address: 10.17.96.0/22

        local-zone: "17.10.in-addr.arpa." transparent

    forward-zone:
        name: "17.10.in-addr.arpa."
        forward-addr: 127.0.0.1@5300

    forward-zone:
        name: "example.com."
        forward-addr: 127.0.0.1@5300

    ## forward-zone:
    ##     name: "."                  # use for ALL queries
    ##     forward-addr: 8.8.8.8
    ##     forward-addr: 8.8.4.4
    ##     forward-first: yes         # try direct if forwarder fails

    ## End of file: unbound.conf

That's pretty much it. When I first did this I bitched that it was a lot of
work to do something that named did by default.
But since then, I appreciate the separation of concerns you get with this
design.

-- 
Chris
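The setup above hinges on three settings that are easy to get wrong in the same way the poster did: the default-refuse access-control, `do-not-query-localhost: no` (unbound's default is `yes`, which is why a forwarder on 127.0.0.1 is silently never asked), and lifting unbound's built-in static local-zone for `10.in-addr.arpa.` so that the `17.10.in-addr.arpa.` forward-zone is actually reached. The following linter is an added example written for this page; it is neither the poster's code nor part of unbound or nsd. It parses the clause/option layout of an unbound.conf with a small hand-written parser, applies those checks plus a `hide-identity`/`hide-version` check, and runs them over two constructed configs: one modelled on the working config in the message, and a naive one with the settings the poster had to discover left out. The built-in static reverse zones and the `do-not-query-localhost` default are taken from the unbound.conf(5) man page; everything else (function names, the sample configs) is the example's own.

```python
"""Lint an unbound.conf for the split-horizon/forward-to-nsd pattern.

Added example for this thread, not the poster's code and not an unbound tool.
Sample configs below are constructed for the example.
"""
import ipaddress
from collections import defaultdict

# unbound ships these RFC1918 reverse zones as built-in static local-zones
# (NXDOMAIN) unless a closer transparent/nodefault local-zone overrides them.
DEFAULT_BLOCKED_REVERSE = ["10.in-addr.arpa.", "168.192.in-addr.arpa."] + [
    f"{n}.172.in-addr.arpa." for n in range(16, 32)]
PASSTHROUGH = {"transparent", "typetransparent", "nodefault"}

GOOD_CONF = """   # constructed, modelled on the poster's working config
server:
    interface: 0.0.0.0
    interface: ::
    access-control: 0.0.0.0/0 refuse
    access-control: 127.0.0.0/8 allow
    access-control: 10.17.98.0/24 allow
    hide-identity: yes
    hide-version: yes
    do-not-query-localhost: no
    local-zone: "17.10.in-addr.arpa." transparent
forward-zone:
    name: "17.10.in-addr.arpa."
    forward-addr: 127.0.0.1@5300
forward-zone:
    name: "example.com."
    forward-addr: 127.0.0.1@5300
"""

NAIVE_CONF = """   # constructed: same intent, the three hard-won lines missing
server:
    interface: 0.0.0.0
    access-control: 0.0.0.0/0 allow
forward-zone:
    name: "17.10.in-addr.arpa."
    forward-addr: 127.0.0.1@5300
"""


def parse_unbound_conf(text):
    """Return [(clause, [(key, value), ...])] in file order. A line whose
    value is empty ('server:', 'forward-zone:') opens a new clause."""
    clauses, current = [], None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()          # drop comments
        if not line:
            continue
        key, sep, value = line.partition(":")
        if not sep:
            continue
        key = key.strip()
        value = " ".join(tok.strip('"') for tok in value.split())
        if value == "":
            current = (key, [])
            clauses.append(current)
        elif current is not None:
            current[1].append((key, value))
    return clauses


def fqdn(name):
    return name.lower().rstrip(".") + "."


def in_zone(name, parent):
    name, parent = fqdn(name), fqdn(parent)
    return name == parent or name.endswith("." + parent)


def is_loopback(addr_port):
    """forward-addr syntax is host or host@port."""
    try:
        return ipaddress.ip_address(addr_port.split("@", 1)[0]).is_loopback
    except ValueError:
        return False


def reverse_zone_shadowed(name, local_zones):
    """True if the closest enclosing local-zone (including unbound's implicit
    static default) would answer NXDOMAIN before the forward-zone is consulted."""
    parents = [z for z in DEFAULT_BLOCKED_REVERSE if in_zone(name, z)]
    if not parents:
        return False
    effective = dict(local_zones)
    effective.setdefault(parents[0], "static")
    enclosing = [z for z in effective if in_zone(name, z)]
    closest = max(enclosing, key=lambda z: z.count("."))
    return effective[closest] not in PASSTHROUGH


def lint(text):
    findings = []
    server, zones = defaultdict(list), []
    for clause, opts in parse_unbound_conf(text):
        if clause == "server":
            for k, v in opts:
                server[k].append(v)
        elif clause in ("forward-zone", "stub-zone"):
            z = defaultdict(list)
            for k, v in opts:
                z[k].append(v)
            zones.append(z)
    local_zones = {}
    for entry in server["local-zone"]:
        parts = entry.split()
        if len(parts) == 2:
            local_zones[fqdn(parts[0])] = parts[1].lower()

    # 1. An allow action on a /0 turns the cache into an open resolver.
    for entry in server["access-control"]:
        net, _, action = entry.partition(" ")
        try:
            wide = ipaddress.ip_network(net, strict=False).prefixlen == 0
        except ValueError:
            findings.append(f"unparsable access-control network {net!r}")
            continue
        if wide and action.strip().startswith("allow"):
            findings.append(f"open resolver: access-control {entry!r}")

    # 2. Loopback forwarders need do-not-query-localhost: no (default yes).
    dnql = (server["do-not-query-localhost"] or ["yes"])[-1].lower()
    for z in zones:
        name = (z["name"] or ["<unnamed>"])[0]
        if dnql != "no" and any(is_loopback(a) for a in z["forward-addr"] + z["stub-addr"]):
            findings.append(f"zone {name}: loopback forwarder but do-not-query-localhost={dnql}")
        # 3. RFC1918 reverse zone still shadowed by the built-in static zone.
        if z["name"] and reverse_zone_shadowed(name, local_zones):
            findings.append(f"zone {name}: shadowed by default static local-zone; "
                            "add a transparent or nodefault local-zone")

    # 4. Fingerprinting via id.server / version.bind.
    for opt in ("hide-identity", "hide-version"):
        if (server[opt] or ["no"])[-1].lower() != "yes":
            findings.append(f"{opt} is not yes")
    return findings


if __name__ == "__main__":
    for label, conf in (("good", GOOD_CONF), ("naive", NAIVE_CONF)):
        print(label, lint(conf) or "clean")
```

Running it prints `good clean` and five findings for the naive config. The reverse-zone check is the one worth keeping around: unbound resolves local-zone before forward-zone, so a forward-zone under `10.in-addr.arpa.` does nothing until a closer `transparent` (or a `nodefault` on the parent) exists, which is exactly why the poster's transparent local-zone worked where `private-address` did not. For a real file, `unbound-checkconf` still has the last word on syntax; this only catches the semantic traps.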