OPNsense Forum
Archive => 22.7 Legacy Series => Topic started by: beachfork on January 13, 2023, 03:22:48 pm
-
Hi!
I'm trying to configure Unbound so Special-Use Domain Names never leave my local network. On the default install, queries like "example.home.arpa" are being forwarded outside my network. According to RFC 6761 there's a list of domains that the resolver should only reply to internally and never forward.
https://datatracker.ietf.org/doc/rfc6761/
https://www.iana.org/assignments/special-use-domain-names/special-use-domain-names.xhtml
What I'm trying to do is add an rfc6761.conf over at "/usr/local/etc/unbound.opnsense.d", but when I restart Unbound it doesn't start and no errors show up in the logs. Small example of the file:
local-zone: "home.arpa" always_nxdomain
Maybe there's another method for achieving this? Thanks for any input!
-
Hi!
local-zone is a server option, so it should be like:
server:
    local-zone: "home.arpa" always_nxdomain
I think.
BUT Unbound honours RFC 6761 by default afaik (see the full local-zone description at https://nlnetlabs.nl/documentation/unbound/unbound.conf/)
https://unbound.docs.nlnetlabs.nl/en/latest/reference/rfc-compliance.html
Are you sure it's requests for RFC 6761 names that are being forwarded, and not, for example, requests with the host's local domain attached (like "15.home.arpa.foo.bar.")?
-
Hi! Thanks for the reply!
You're correct, Unbound is only relaying domains that are on my local domain (home.arpa). But if I try to query for example "test.home.arpa" it forwards it outside my network.
I would like for both "home.arpa" and "*.home.arpa" to never be relayed. On a side note, I'm using Unbound as a DoT forwarder, not on recursive mode.
EDIT: Fixed it! Appending the "server:" header as you've mentioned, fixed my .conf file! Thank you very much for the help!
-
Glad it worked!
Although I still think this configuration is redundant: Unbound should do it OOTB. Quickly checked: Unbound in DoT-forwarder mode (queries/replies logging enabled, log level 3). RFC 6761 nslookups are NOT forwarded.
PS
"no errors show up in the logs"
Still an issue, yes. It may still be worth making a PR for a start command output redirect.
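As an added example (not code from the thread, from OPNsense or from NLnet Labs), the following POSIX sh script writes the kind of drop-in the thread ends up with: a file under /usr/local/etc/unbound.opnsense.d that starts with the "server:" header the first attempt was missing, followed by one local-zone line per RFC 6761 name (test, invalid, example, example.com/net/org, and the private-address reverse zones) plus home.arpa, so those queries are answered locally instead of being forwarded. The directory, the file name rfc6761.conf, the zone list and the ZONE_TYPE variable are assumptions for this example. localhost is deliberately left out: Unbound serves it from its built-in local data, and an always_nxdomain zone would override that and break localhost lookups. Likewise, if you publish DHCP or host overrides under home.arpa, set ZONE_TYPE=static, because always_nxdomain returns NXDOMAIN even for names that have local-data.

```shell
#!/bin/sh
# Added example: build an Unbound drop-in that keeps RFC 6761 special-use
# names inside the network. Not part of the thread or of OPNsense itself.
# Assumptions: OPNsense loads extra config from UNBOUND_DROPIN_DIR, and
# ZONE_TYPE is the local-zone type wanted for every listed zone.

UNBOUND_DROPIN_DIR="${UNBOUND_DROPIN_DIR:-/usr/local/etc/unbound.opnsense.d}"
ZONE_TYPE="${ZONE_TYPE:-always_nxdomain}"   # use "static" if you also add local-data

# Zones from RFC 6761 (plus home.arpa from RFC 8375). localhost is omitted
# on purpose: Unbound already answers it with built-in local data, and an
# always_nxdomain zone would suppress that data.
RFC6761_ZONES="
home.arpa
test
invalid
example
example.com
example.net
example.org
10.in-addr.arpa
168.192.in-addr.arpa
"

# Write $1/rfc6761.conf and print the path of the file that was written.
write_rfc6761_conf() {
    dir="$1"
    out="$dir/rfc6761.conf"
    mkdir -p "$dir" || return 1
    {
        echo "# RFC 6761 special-use names: answered locally, never forwarded"
        echo "server:"                       # required header (thread's fix)
        for z in $RFC6761_ZONES; do
            echo "    local-zone: \"$z.\" $ZONE_TYPE"
        done
        # 16.172.in-addr.arpa through 31.172.in-addr.arpa (172.16.0.0/12)
        i=16
        while [ "$i" -le 31 ]; do
            echo "    local-zone: \"$i.172.in-addr.arpa.\" $ZONE_TYPE"
            i=$((i + 1))
        done
    } > "$out" || return 1
    printf '%s\n' "$out"
}

# Number of local-zone lines in a generated file (handy for a sanity check).
count_local_zones() {
    grep -c 'local-zone:' "$1"
}

# Parse the drop-in with unbound-checkconf when the tool is installed; a
# syntax error here is what would otherwise leave Unbound silently not starting.
check_unbound_conf() {
    if command -v unbound-checkconf >/dev/null 2>&1; then
        unbound-checkconf "$1"
    else
        echo "unbound-checkconf not found, skipping syntax check" >&2
    fi
}

# Stand-alone use: RFC6761_WRITE=1 sh rfc6761.sh   (then restart Unbound)
if [ -n "${RFC6761_WRITE:-}" ]; then
    conf=$(write_rfc6761_conf "$UNBOUND_DROPIN_DIR") || exit 1
    echo "wrote $conf with $(count_local_zones "$conf") local zones"
    check_unbound_conf "$conf"
fi
```

Run it once with RFC6761_WRITE=1, check the reported zone count, then restart Unbound the way you normally do on OPNsense; if unbound-checkconf is present it parses the file first, which is the error message the thread noted was never surfaced by the restart itself.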