Date: Sun, 15 Oct 2017 11:39:50 +0100
From: Matthew Seaman <matthew@FreeBSD.org>
To: freebsd-questions@freebsd.org
Subject: Re: Unbound(8) caching resolver no workie on fresh install :-(
Message-ID: <b0b0d170-a6f0-449a-fd67-bafd6dffb9f2@FreeBSD.org>
In-Reply-To: <20171015011032.735852a9@gumby.homeunix.com>
References: <4172.1507827505@segfault.tristatelogic.com>
 <b1f2d83e-d09f-42ad-f03d-26b6995c141f@columbus.rr.com>
 <20171014224323.1ed35da3@gumby.homeunix.com>
 <64e5525d-fd1c-6e9b-526c-0d9c4e8f788c@cyberleo.net>
 <20171015011032.735852a9@gumby.homeunix.com>
On 15/10/2017 01:10, RW via freebsd-questions wrote:
> On Sat, 14 Oct 2017 18:08:27 -0500
> CyberLeo Kitsana wrote:
>
>> On 10/14/2017 04:43 PM, RW via freebsd-questions wrote:
>
>> FreeBSD's local_unbound setup will, by default, forward to the
>> nameservers provided by DHCP or hardcoded in the config files, rather
>> than doing full lookups by itself.
>
> But is it possible to force recursion (for the reason below).
> Matthew Seaman implied that it wasn't.

I didn't say it was impossible.  I said that there wasn't a simple flag
you could set to enforce that behaviour.

The way you prevent local_unbound from using forwarders is to not have
any forwarders configured anywhere local_unbound can find them.
Basically that means:

  * no local_unbound_forwarders setting in /etc/rc.conf
  * no nameserver lines in /etc/resolv.conf
  * if you need to use DHCP, then you'd need to add settings to
    /etc/dhclient.conf to supersede the supplied DNS servers with an
    empty list.
> The reason I ask is that I'm still using DJB dnscache, and should
> probably be using something more modern; and something in base would be
> preferable.

Something that supports DNSSEC would be preferable, although that does
presuppose that the rest of the internet gets off its collective
backside and implements DNSSEC routinely.  How short memories are --
remember the fuss over the Kaminsky attack?  That was never actually
"solved" by the work-arounds given in the security advisories at the
time, just made significantly less likely to succeed.  The real fix was
always enabling DNSSEC everywhere.  Does _your_ bank use DNSSEC?  Hey,
at least you could be assured that no-one is spoofing freebsd.org...

>>> There's also the issue that mail servers should avoid using shared
>>> caches because of per IP address limits on blocklists.

Anyone operating a mail server at reasonable scale has no excuse for not
paying for the service that blocklist providers provide, in which case,
the same per-IP limits will not apply.
Cheers,

Matthew
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?b0b0d170-a6f0-449a-fd67-bafd6dffb9f2>
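The three places Matthew lists are easy to check mechanically before (re)running the local_unbound setup. The following POSIX sh audit is an added example written for this archive page; it is not code from the thread and not part of FreeBSD's local-unbound-setup(8). It inspects rc.conf for a non-empty local_unbound_forwarders value, resolv.conf for nameserver lines, and, only when rc.conf puts an interface on DHCP, dhclient.conf for a "supersede domain-name-servers" directive. Assumptions made here and not stated in the mail: loopback nameserver entries (127.0.0.1, ::1) are treated as pointing at the local unbound rather than at a forwarder; DHCP use is inferred from an ifconfig_*="DHCP" line in rc.conf; the fourth check assumes local-unbound-setup(8) records forwarders as forward-addr: lines in /var/unbound/forward.conf; the sample dhclient.conf uses "supersede domain-name-servers 127.0.0.1;" where the mail asks for an empty list, and the audit only tests for the directive's presence; 192.0.2.53 is a documentation address. The sample /etc trees are constructed in a temporary directory so the script runs offline; on a real host call audit_forwarders with an empty argument.

```shell
#!/bin/sh
# Added example, not code from the thread or from FreeBSD: audit the
# places local_unbound can pick up forwarders.  audit_forwarders ROOT
# inspects ROOT/etc/{rc.conf,resolv.conf,dhclient.conf} (ROOT empty means
# the running system) and ROOT/var/unbound/forward.conf.  Exit status 0
# means no forwarder source was found, so unbound would recurse itself.

audit_forwarders() {
    root="${1:-}"
    hits=0
    rc="$root/etc/rc.conf"

    # 1. rc.conf: a non-empty local_unbound_forwarders="..." value.
    if [ -f "$rc" ]; then
        fwd=$(sed -n 's/^[[:space:]]*local_unbound_forwarders=//p' "$rc" \
              | tail -n 1 | tr -d "\"'[:space:]")
        if [ -n "$fwd" ]; then
            echo "rc.conf: local_unbound_forwarders=$fwd"
            hits=$((hits + 1))
        fi
    fi

    # 2. resolv.conf: nameserver lines other than loopback.  Assumption:
    #    127.0.0.1 / ::1 point at the local unbound, not at a forwarder.
    resolv="$root/etc/resolv.conf"
    if [ -f "$resolv" ]; then
        ns=$(awk '$1 == "nameserver" && $2 != "127.0.0.1" && $2 != "::1" { print $2 }' "$resolv")
        if [ -n "$ns" ]; then
            echo "resolv.conf: nameserver(s) $(echo $ns)"
            hits=$((hits + 1))
        fi
    fi

    # 3. dhclient.conf: only matters when an interface uses DHCP (assumed
    #    from ifconfig_*="DHCP" in rc.conf).  Without a 'supersede
    #    domain-name-servers' directive, the next lease puts the
    #    DHCP-supplied servers back into resolv.conf.
    if [ -f "$rc" ] && grep -Eiq '^[[:space:]]*ifconfig_[A-Za-z0-9_]+=.*DHCP' "$rc"; then
        if ! grep -Eq '^[[:space:]]*supersede[[:space:]]+domain-name-servers' \
                "$root/etc/dhclient.conf" 2>/dev/null; then
            echo "dhclient.conf: DHCP in use but no 'supersede domain-name-servers' directive"
            hits=$((hits + 1))
        fi
    fi

    # 4. What an earlier local-unbound-setup(8) run already captured.
    #    Assumption: it writes forward-addr: lines to /var/unbound/forward.conf.
    fconf="$root/var/unbound/forward.conf"
    if [ -f "$fconf" ] && grep -Eq '^[[:space:]]*forward-addr:' "$fconf"; then
        echo "forward.conf: forward-addr entries present (re-run local-unbound-setup after fixing the above)"
        hits=$((hits + 1))
    fi

    if [ "$hits" -eq 0 ]; then
        echo "ok: no forwarder sources found; local_unbound would recurse"
        return 0
    fi
    echo "found $hits forwarder source(s)"
    return 1
}

# Constructed sample trees (not real hosts) so the audit runs offline.
make_tree() {
    root="$1"
    mkdir -p "$root/etc" "$root/var/unbound"
    case "$2" in
    forwarding)
        printf 'ifconfig_em0="DHCP"\nlocal_unbound_enable="YES"\nlocal_unbound_forwarders="192.0.2.53"\n' \
            > "$root/etc/rc.conf"
        printf 'nameserver 192.0.2.53\nnameserver 127.0.0.1\n' > "$root/etc/resolv.conf"
        : > "$root/etc/dhclient.conf"
        printf 'forward-zone:\n\tname: "."\n\tforward-addr: 192.0.2.53\n' \
            > "$root/var/unbound/forward.conf"
        ;;
    recursive)
        printf 'ifconfig_em0="DHCP"\nlocal_unbound_enable="YES"\n' > "$root/etc/rc.conf"
        printf 'nameserver 127.0.0.1\noptions edns0\n' > "$root/etc/resolv.conf"
        # Assumed dhclient.conf syntax; the mail asks for an empty list.
        printf 'supersede domain-name-servers 127.0.0.1;\n' > "$root/etc/dhclient.conf"
        ;;
    esac
}

demo() {
    tmp=$(mktemp -d)
    for kind in forwarding recursive; do
        make_tree "$tmp/$kind" "$kind"
        echo "== $kind host =="
        audit_forwarders "$tmp/$kind" || true
    done
    rm -rf "$tmp"
}

demo
```

The "forwarding" tree trips all four checks and exits non-zero; the "recursive" tree, which is the state Matthew describes (no forwarders in rc.conf, only loopback in resolv.conf, DHCP-supplied servers superseded), passes. A passing audit only says that local_unbound has nowhere to find forwarders; it still has to be restarted (or local-unbound-setup re-run) for the change to take effect.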