[Unbound-users] return refused for any query except for explicitly configured local, stub or forwarded zones
Mikolaj Kucharski
2015-06-16 08:58:07 UTC
Hi,

I'm wondering if it is possible to configure Unbound in such a way that
it will return REFUSED for any query, except for zones which are explicitly
configured in the config file.

For example, here is a config which allows resolving the "home.lan." and
"example.com." zones but returns SERVFAIL for anything else. The behaviour
below is expected, but I would like Unbound to return REFUSED for the root
zone (the catch-all in this case). Is that possible?

I did try a config with `local-zone: "." refuse` but that results in
queries for the stub-zone or forward-zone getting REFUSED as well.

Sample unbound.conf (tests done on version 1.5.2):

server:
    interface: 127.0.0.1
    interface: ::1
    port: 53
    access-control: 0.0.0.0/0 refuse
    access-control: 127.0.0.0/8 allow
    access-control: ::0/0 refuse
    access-control: ::1 allow
    hide-identity: no
    hide-version: no
    use-syslog: no

    # XXX stub and forward zone queries result with REFUSED
    #local-zone: "." refuse

    local-zone: "home.lan." static
    local-data: "box1.home.lan. 60 A 172.16.0.52"
    local-zone: "0.16.172.in-addr.arpa." static
    local-data-ptr: "172.16.0.52 60 box1.home.lan."

stub-zone:
    name: "example.com."
    stub-addr: 199.43.132.53
    stub-addr: 199.43.133.53

# XXX SERVFAILs
forward-zone:
    name: "."

Queries and their statuses:

# good, proper answer
$ dig +noall +comments @127.0.0.1 example.com.
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 46932
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 2, ADDITIONAL: 0


# good, proper answer
$ dig +noall +comments @127.0.0.1 box1.home.lan.
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 48527
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 0


# bad, SERVFAIL, but I would like REFUSED
$ dig +noall +comments @127.0.0.1 google.com.
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 15258
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 0
--
best regards
q#
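To check a policy like the one asked for above without reading dig output by hand, here is an added example (not part of the thread and not Unbound's own tooling) that builds a plain DNS query with the standard library, sends it to the resolver on 127.0.0.1, and decodes the same header fields dig prints: id, status (rcode) and the qr/aa/rd/ra flags. The embedded SAMPLE_REFUSED message and the EXPECTED_POLICY table are constructed here from the thread's own results; the rcode names and flag bits are the RFC 1035 values.

```python
import random
import socket
import struct

# Response codes as dig names them in its ";; ->>HEADER<<-" line (RFC 1035).
RCODES = {0: "NOERROR", 1: "FORMERR", 2: "SERVFAIL", 3: "NXDOMAIN",
          4: "NOTIMP", 5: "REFUSED"}

# Header flag bits, in the order dig prints them in its ";; flags:" line.
FLAG_BITS = (("qr", 0x8000), ("aa", 0x0400), ("tc", 0x0200),
             ("rd", 0x0100), ("ra", 0x0080))


def encode_name(name):
    """Encode a dotted name as DNS wire labels: <len><label>...<0>."""
    out = b""
    for label in name.strip(".").split("."):
        if label:
            out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"


def build_query(name, qid, qtype=1):
    """Build a plain recursive query (RD set, no EDNS) for name/qtype, class IN."""
    header = struct.pack("!HHHHHH", qid, 0x0100, 1, 0, 0, 0)
    return header + encode_name(name) + struct.pack("!HH", qtype, 1)


def parse_header(data):
    """Return the fields dig shows in its HEADER and flags lines for a wire message."""
    if len(data) < 12:
        raise ValueError("DNS message shorter than the 12-byte header")
    qid, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", data[:12])
    rcode = flags & 0x000F
    return {
        "id": qid,
        "status": RCODES.get(rcode, "RCODE%d" % rcode),
        "flags": [name for name, bit in FLAG_BITS if flags & bit],
        "QUERY": qd, "ANSWER": an, "AUTHORITY": ns, "ADDITIONAL": ar,
    }


def query(name, server="127.0.0.1", port=53, timeout=2.0):
    """Send one UDP query and return its parsed header (needs a listening resolver)."""
    qid = random.randrange(1, 0xFFFF)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        sock.sendto(build_query(name, qid), (server, port))
        data, _ = sock.recvfrom(4096)
    header = parse_header(data)
    if header["id"] != qid:
        raise ValueError("response id %d does not match query id %d" % (header["id"], qid))
    return header


def check_policy(expected, server="127.0.0.1", port=53):
    """Query every name in `expected`; return {name: (wanted, observed)} for mismatches."""
    mismatches = {}
    for name, wanted in expected.items():
        observed = query(name, server, port)["status"]
        if observed != wanted:
            mismatches[name] = (wanted, observed)
    return mismatches


# Constructed sample: the header Unbound sends for a name under `local-zone: "." refuse`
# (id 15258 as in the dig output above, flags qr rd ra, rcode 5) plus the question.
SAMPLE_REFUSED = (struct.pack("!HHHHHH", 15258, 0x8185, 1, 0, 0, 0)
                  + encode_name("google.com.") + struct.pack("!HH", 1, 1))

# What the config in this thread should produce once it behaves as asked for.
EXPECTED_POLICY = {
    "example.com.": "NOERROR",    # stub-zone, must still be reachable
    "box1.home.lan.": "NOERROR",  # static local-zone with local-data
    "google.com.": "REFUSED",     # everything else: REFUSED, not SERVFAIL
}

if __name__ == "__main__":
    print(parse_header(SAMPLE_REFUSED))
    print("policy mismatches:", check_policy(EXPECTED_POLICY))
```

Running the module against a live resolver prints an empty dict when every name comes back with the intended rcode; a non-empty dict lists each name with the wanted and observed status, which is the quickest way to see a stub or forward zone accidentally swallowed by a catch-all refuse.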
Paul Wouters
2015-06-16 12:21:02 UTC
A hack is to use the dnssec-trigger trick

unbound-control forward_add . 127.0.0.127

Daisuke HIGASHI
2015-06-16 12:52:06 UTC
Hi,

"transparent" local-zones will do the trick:

# ---
server:
    # <snip>

    # refuse all queries for any zone
    local-zone: "." refuse
    # ...except example.com
    local-zone: "example.com" transparent

# example.com stub zone
stub-zone:
    name: "example.com."
    stub-addr: 199.43.132.53
    stub-addr: 199.43.133.53

# disables root hints; this prevents query for root servers
stub-zone:
    name: "."
# ---

--
Post by Mikolaj Kucharski
Hi,
I'm wondering is it possible to configure Unbound in such a way that
it will return REFUSED for any query, except zones which are explicitly
configured in the config file.
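The reason the transparent local-zone works, and the reason the original poster's bare `local-zone: "." refuse` did not, is that Unbound picks the most specific local-zone enclosing the query name and acts on that one. The following added example (not part of the thread and not Unbound's code) models that longest-match rule for the three configurations discussed here: the original config, the same config with the root refuse uncommented, and Daisuke's transparent-hole variant. The model is an assumption drawn from the behaviour reported in the thread: refuse and static local-zones answer locally, transparent hands the name to the most specific stub or forward zone, and a name matching nothing goes to ordinary recursion. The static home.lan entries in the last config are carried over from the original post, since Daisuke's snippet snipped them.

```python
def labels(name):
    """Labels of a dotted name, root first, lower-cased; "." gives []."""
    return [l.lower() for l in reversed(name.strip(".").split(".")) if l]


def is_within(qname, zone):
    """True when qname is zone itself or lies below it (the root encloses everything)."""
    z, q = labels(zone), labels(qname)
    return q[:len(z)] == z


def best_match(qname, zones):
    """Most specific entry of {zone: value} enclosing qname, as (zone, value), else None."""
    best = None
    for zone, value in zones.items():
        if is_within(qname, zone) and (best is None or len(labels(zone)) > len(labels(best[0]))):
            best = (zone, value)
    return best


def classify(qname, cfg):
    """Where a query goes under a simplified model of Unbound's zone handling.

    Assumed model (from the behaviour reported in the thread, not Unbound's code):
    the most specific local-zone wins; `refuse` and `static` answer locally,
    `transparent` hands the name on to the most specific stub-zone/forward-zone,
    and a name with no zone at all goes to ordinary recursion from the root.
    """
    hit = best_match(qname, cfg["local_zones"])
    if hit is not None:
        zone, action = hit
        if action == "refuse":
            return ("REFUSED", zone)
        if action == "static":
            return ("local-data", zone)
        # "transparent": fall through to the upstream zones
    up = best_match(qname, cfg["upstream"])
    if up is not None:
        zone, (kind, addrs) = up
        return (kind, zone, addrs)
    return ("recursion", None)


STUB_EXAMPLE = ("stub", ["199.43.132.53", "199.43.133.53"])

# The original post's config: no catch-all local-zone, forward-zone "." with no address.
ORIGINAL = {
    "local_zones": {"home.lan.": "static", "0.16.172.in-addr.arpa.": "static"},
    "upstream": {"example.com.": STUB_EXAMPLE, ".": ("forward", [])},
}

# The original post's failed attempt: `local-zone: "." refuse` uncommented.
ROOT_REFUSE_ONLY = {
    "local_zones": {".": "refuse", "home.lan.": "static", "0.16.172.in-addr.arpa.": "static"},
    "upstream": ORIGINAL["upstream"],
}

# Daisuke's answer: refuse at the root, punch a transparent hole for example.com,
# and use an empty stub-zone "." instead of the root hints.
TRANSPARENT_HOLE = {
    "local_zones": {".": "refuse", "example.com": "transparent",
                    "home.lan.": "static", "0.16.172.in-addr.arpa.": "static"},
    "upstream": {"example.com.": STUB_EXAMPLE, ".": ("stub", [])},
}

if __name__ == "__main__":
    for label, cfg in (("original", ORIGINAL), ("root refuse only", ROOT_REFUSE_ONLY),
                       ("transparent hole", TRANSPARENT_HOLE)):
        for qname in ("example.com.", "www.example.com.", "box1.home.lan.", "google.com."):
            print("%-17s %-18s -> %s" % (label, qname, classify(qname, cfg)))
```

The table the module prints makes the two failure modes visible side by side: in the original config google.com lands in a forward-zone with no address (the SERVFAIL in the first post), in the root-refuse-only config example.com is swallowed by the catch-all because no more specific local-zone exists, and in the transparent-hole config only the names under example.com reach the stub servers while everything else is refused.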
Mikolaj Kucharski
2015-06-16 16:08:50 UTC
Hi Daisuke,
Post by Daisuke HIGASHI
Hi,
That makes it work the way I would like to. Thank you!
--
best regards
q#