Hi!
I'm trying to configure Unbound so that Special-Use Domain Names never leave my local network. On the default install, queries like "example.home.arpa" are being forwarded outside my network. According to RFC 6761 there's a list of domains that the resolver should only answer internally and never forward.
https://datatracker.ietf.org/doc/rfc6761/
https://www.iana.org/assignments/special-use-domain-names/special-use-domain-names.xhtml
What I'm trying to do is add an rfc6761.conf at "/usr/local/etc/unbound.opnsense.d", but when I restart Unbound it doesn't start and no errors show up in the logs. A small example of the file:
local-zone: "home.arpa" always_nxdomain
Maybe there's another method for achieving this? Thanks for any input!
Hi!
local-zone is a server option, so it should be like:
server:
local-zone: "home.arpa" always_nxdomain
I think.
BUT Unbound honours RFC 6761 by default AFAIK (see the full local-zone description at https://nlnetlabs.nl/documentation/unbound/unbound.conf/)
https://unbound.docs.nlnetlabs.nl/en/latest/reference/rfc-compliance.html
Are you sure that it is requests for RFC 6761 names that are forwarded, and not, for example, requests with the host's local domain appended (like "15.home.arpa.foo.bar.")?
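As an added example (not the poster's file, and not OPNsense or Unbound code): a small POSIX sh script that writes an rfc6761.conf with the "server:" clause the reply above points out was missing, and checks the file before the service is restarted. The include directory and file name are taken from the thread; the list of zones, the function names and the checks are this example's own choices. One caveat worth knowing from the unbound.conf manual: the always_nxdomain type ignores local-data, so for the zone that holds your own hosts (home.arpa in this thread) the static type is the one that keeps them resolvable while still never forwarding anything.

```sh
#!/bin/sh
# Added example for this thread (not the poster's file and not OPNsense/Unbound code):
# generate an Unbound include file that keeps special-use names local, with the
# "server:" clause the original rfc6761.conf was missing, and sanity-check it
# before restarting the service. The directory /usr/local/etc/unbound.opnsense.d
# and the file name rfc6761.conf come from the thread; the zone list, the
# function names and the checks are this example's own choices.

# write_rfc6761_conf OUTFILE
#   A local-zone line covers the name and every name below it, so "home.arpa."
#   also covers "test.home.arpa". Type "static" answers from local-data when a
#   record exists and returns NXDOMAIN otherwise, never forwarding; type
#   "always_nxdomain" ignores local-data entirely, so it is only safe for zones
#   that must never contain your own hosts.
write_rfc6761_conf() {
    cat > "$1" <<'EOF'
server:
    # RFC 8375 home network domain: keep local hosts resolvable, never forward.
    local-zone: "home.arpa." static
    # RFC 6761 reserved names: nothing under these is ever legitimate upstream.
    # (test., invalid. and onion. are also Unbound defaults; declaring a
    # local-zone with the same name replaces the default for that zone.)
    local-zone: "test." always_nxdomain
    local-zone: "invalid." always_nxdomain
    # RFC 7686 (Tor) and RFC 6762 (mDNS): must not leak to public resolvers.
    local-zone: "onion." always_nxdomain
    local-zone: "local." always_nxdomain
EOF
}

# has_server_clause FILE
#   Succeeds when the first non-blank, non-comment line is "server:". Without
#   that clause Unbound rejects the file and, as the thread notes, the restart
#   fails without a visible error in the OPNsense log.
has_server_clause() {
    first=$(grep -v '^[[:space:]]*#' "$1" | grep -v '^[[:space:]]*$' \
            | head -n 1 | sed 's/[[:space:]]*$//')
    [ "$first" = "server:" ]
}

# check_conf FILE
#   Runs the cheap header check, then unbound-checkconf when it is installed;
#   unbound-checkconf prints the parse error that the service restart hides.
#   Returns 0 on success, 1 on a bad file, 2 if unbound-checkconf is missing.
check_conf() {
    has_server_clause "$1" || { echo "$1: missing leading 'server:' clause" >&2; return 1; }
    command -v unbound-checkconf >/dev/null 2>&1 || return 2
    unbound-checkconf "$1"
}

main() {
    out="${1:-/usr/local/etc/unbound.opnsense.d/rfc6761.conf}"
    write_rfc6761_conf "$out"
    rc=0
    check_conf "$out" || rc=$?
    case $rc in
        0) echo "$out OK, restart Unbound to apply" ;;
        2) echo "$out written; unbound-checkconf not found, parse check skipped" ;;
        *) echo "$out failed validation" >&2; exit 1 ;;
    esac
}

# Only act when a path is given, e.g.:
#   sh rfc6761.sh /usr/local/etc/unbound.opnsense.d/rfc6761.conf
[ $# -eq 0 ] || main "$@"
```

Run it as root with the target path. Checking the include on its own catches the missing clause, but the merged configuration OPNsense generates is what Unbound actually loads, so point unbound-checkconf at that file as well: a second local-zone for the same name declared elsewhere in the configuration can also keep Unbound from starting.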
Hi! Thanks for the reply!
You're correct: Unbound is only relaying domains that are under my local domain (home.arpa). But if I try to query, for example, "test.home.arpa", it forwards it outside my network.
I would like both "home.arpa" and "*.home.arpa" to never be relayed. On a side note, I'm using Unbound as a DoT forwarder, not in recursive mode.
EDIT: Fixed it! Adding the "server:" header, as you mentioned, fixed my .conf file! Thank you very much for the help!
Glad it worked!
Although I still think this configuration is redundant: Unbound should do it OOTB. Quickly checked: Unbound in DoT-forwarder mode (query/reply logging enabled, log level 3); RFC 6761 nslookups are NOT forwarded.
PS
Quote: "no errors show up in the logs"
Still an issue, yes. It may still be worth making a PR for the start command output redirect.