Mikolaj Kucharski
2015-06-16 08:58:07 UTC
Hi,
I'm wondering whether it is possible to configure Unbound in such a way that
it will return REFUSED for any query, except zones which are explicitly
configured in the config file.
For example, here is a config which allows resolving "home.lan." and
"example.com." zones but for anything else returns SERVFAIL. The behaviour
below is expected, but I would like REFUSED to be returned by Unbound for the
root zone (the catch-all in this case). Is that possible?
I did try a config with `local-zone: "." refuse', but that results in
queries for the stub-zone or forward-zone getting REFUSED.
Sample unbound.conf (tests done on version 1.5.2):
server:
    interface: 127.0.0.1
    interface: ::1
    port: 53
    access-control: 0.0.0.0/0 refuse
    access-control: 127.0.0.0/8 allow
    access-control: ::0/0 refuse
    access-control: ::1 allow
    hide-identity: no
    hide-version: no
    use-syslog: no

    # XXX stub and forward zone queries result with REFUSED
    #local-zone: "." refuse

    local-zone: "home.lan." static
    local-data: "box1.home.lan. 60 A 172.16.0.52"
    local-zone: "0.16.172.in-addr.arpa." static
    local-data-ptr: "172.16.0.52 60 box1.home.lan."

stub-zone:
    name: "example.com."
    stub-addr: 199.43.132.53
    stub-addr: 199.43.133.53

# XXX SERVFAILs
forward-zone:
    name: "."
Queries and their statuses:

# good, proper answer
$ dig +noall +comments @127.0.0.1 example.com.
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 46932
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 2, ADDITIONAL: 0

# good, proper answer
$ dig +noall +comments @127.0.0.1 box1.home.lan.
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 48527
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 0

# bad, SERVFAIL, but I would like REFUSED
$ dig +noall +comments @127.0.0.1 google.com.
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 15258
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 0
--
best regards
q#
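Added example, not part of the original post and not a reply from the list: the configuration shape a practitioner would try next for this problem, bundled with a small policy check. The idea is to keep `local-zone: "." refuse` as the catch-all and carve out the explicitly served names with more specific local-zones: the "home.lan." and reverse zones stay `static` with their data, and "example.com." becomes a `transparent` local-zone with no local data, so Unbound's longest-match zone lookup selects it instead of the refused root and, having nothing to answer from, passes the query on to normal resolution where the stub-zone applies. The forward-zone for "." is dropped because the catch-all is meant to be refused. That the transparent carve-out lets the stub-zone be consulted is the assumption this example makes; the check script is there to confirm it against a running instance. The policy list (`POLICY`), the `UNBOUND_TEST_SERVER` variable and the use of `google.com.` as "any other name" are constructed for the example.

```shell
#!/bin/sh
# Added example (not from the original post): candidate unbound.conf that
# REFUSEs everything except explicitly configured names, plus a check that
# compares the RCODE dig reports for each name with the expected one.

# Write the candidate config to the path given as $1.
# Assumption to verify: a "transparent" local-zone below the refused root is
# picked as the more specific zone, so queries under it pass through to the
# iterator and reach the stub-zone instead of being refused.
write_candidate_conf() {
  cat > "$1" <<'EOF'
server:
    interface: 127.0.0.1
    interface: ::1
    port: 53
    access-control: 0.0.0.0/0 refuse
    access-control: 127.0.0.0/8 allow
    access-control: ::0/0 refuse
    access-control: ::1 allow
    use-syslog: no

    # Catch-all: any name without a more specific local-zone is REFUSED.
    local-zone: "." refuse

    # Names served from local data.
    local-zone: "home.lan." static
    local-data: "box1.home.lan. 60 A 172.16.0.52"
    local-zone: "0.16.172.in-addr.arpa." static
    local-data-ptr: "172.16.0.52 60 box1.home.lan."

    # Carve-out: no local data here, so a transparent zone hands the query
    # to normal resolution, where the stub-zone below is used.
    local-zone: "example.com." transparent

stub-zone:
    name: "example.com."
    stub-addr: 199.43.132.53
    stub-addr: 199.43.133.53
EOF
}

# Print the RCODE from `dig +noall +comments` output read on stdin, or
# NO-RESPONSE when dig printed no header (timeout, nothing listening).
rcode_of() {
  status=$(sed -n 's/.*status: \([A-Z]*\),.*/\1/p' | head -n 1)
  printf '%s\n' "${status:-NO-RESPONSE}"
}

# Compare one name's observed RCODE with the expected one. Prints a verdict
# line and returns 1 on mismatch so callers can count failures.
verdict() {
  name=$1 want=$2 got=$3
  if [ "$want" = "$got" ]; then
    printf 'ok       %-28s %s\n' "$name" "$got"
  else
    printf 'MISMATCH %-28s want %s got %s\n' "$name" "$want" "$got"
    return 1
  fi
}

# Constructed expectations: configured names answer, anything else is
# REFUSED (google.com. stands in for "any other name").
POLICY='example.com.:NOERROR
box1.home.lan.:NOERROR
52.0.16.172.in-addr.arpa.:NOERROR
google.com.:REFUSED'

# Query every POLICY entry against server $1; the return value is the number
# of mismatches, so 0 means the policy holds.
check_policy() {
  server=$1 fails=0
  for entry in $POLICY; do
    name=${entry%%:*} want=${entry##*:}
    qtype=A
    case $name in *.in-addr.arpa.) qtype=PTR ;; esac
    got=$(dig +noall +comments "@$server" "$name" "$qtype" | rcode_of)
    verdict "$name" "$want" "$got" || fails=$((fails + 1))
  done
  return "$fails"
}

# The live run is opt-in so the file can be sourced without a resolver:
#   UNBOUND_TEST_SERVER=127.0.0.1 sh unbound-refuse-check.sh
if [ -n "${UNBOUND_TEST_SERVER:-}" ]; then
  check_policy "$UNBOUND_TEST_SERVER"
fi
```

Run `write_candidate_conf /path/to/unbound.conf`, start Unbound on it, then `UNBOUND_TEST_SERVER=127.0.0.1 sh unbound-refuse-check.sh`; a non-zero exit tells you how many names did not behave as the policy expects, and the MISMATCH lines say which. If `example.com.` comes back REFUSED rather than NOERROR, the transparent carve-out assumption does not hold on that version and the approach needs revisiting.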