Unbound and RFC6761 (Special-Use Domain Names)

Started by beachfork, January 13, 2023, 03:22:48 PM

Hi!

I'm trying to configure Unbound so Special-Use Domain Names never leave my local network. On the default install, queries like "example.home.arpa" are being forwarded outside my network. According to RFC 6761 there's a list of domains that the resolver should only answer internally and never forward.

https://datatracker.ietf.org/doc/rfc6761/
https://www.iana.org/assignments/special-use-domain-names/special-use-domain-names.xhtml

What I'm trying to do is add an rfc6761.conf at "/usr/local/etc/unbound.opnsense.d", but when I restart Unbound it doesn't start and no errors show up in the logs. Small example of the file:
local-zone: "home.arpa" always_nxdomain

Maybe there's another method for achieving this? Thanks for any input!

January 13, 2023, 04:11:38 PM #1 Last Edit: January 13, 2023, 04:13:44 PM by Fright
Hi!
local-zone is a server option, so it should be like:

server:
local-zone: "home.arpa" always_nxdomain

I think.
BUT Unbound honours RFC 6761 by default AFAIK (see the full local-zone description at https://nlnetlabs.nl/documentation/unbound/unbound.conf/)
https://unbound.docs.nlnetlabs.nl/en/latest/reference/rfc-compliance.html
Are you sure that it is requests for RFC 6761 names that are being forwarded, and not, for example, requests with the host's local domain appended (like "15.home.arpa.foo.bar.")?
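To make the fix concrete, here is an added example of a complete drop-in file for the path the original post uses; it is not the file from the thread and not OPNsense's own generated config. It shows the missing "server:" header, a transparent zone (the weak setting that lets unknown names under a local domain go upstream) beside the corrected static zone, and the other RFC 6761 / IANA special-use names. Assumptions: the local domain is home.arpa, host overrides for it are loaded as local-data elsewhere, and each zone is declared only once across all of Unbound's config files.

```conf
# Added example, not the thread's own file.
# Path from the thread: /usr/local/etc/unbound.opnsense.d/rfc6761.conf
# Assumption: home.arpa is the local domain and its host records are
# loaded as local-data by other config; adjust to your setup.
#
# Every option below is a "server:" option. Without this header the file
# is not a valid clause and Unbound refuses to start.
server:

    # WEAK: "transparent" answers from local-data when it has a record and
    # forwards everything else upstream, so test.home.arpa leaks to the
    # DoT forwarder. Shown commented out for comparison only.
    # local-zone: "home.arpa" transparent

    # CORRECTED for a domain you actually use: "static" answers from
    # local-data and returns NXDOMAIN (or NODATA) for every other name
    # under the zone, so nothing under home.arpa leaves the network.
    local-zone: "home.arpa" static

    # Caveat: "always_nxdomain" (the type in the original post) also keeps
    # the zone local, but per the Unbound manual it ignores local-data, so
    # your own home.arpa host records would stop resolving. Reserve it for
    # zones that hold no local records, like the ones below.

    # Other special-use names from RFC 6761 and the IANA registry that
    # should never be forwarded. Unbound ships built-in default zones for
    # several of these (localhost, test, invalid, onion, RFC 1918 reverse
    # zones); listing the ones without local records explicitly documents
    # the policy. localhost is deliberately omitted: declaring it yourself
    # would replace the built-in zone and its local-data.
    local-zone: "test." always_nxdomain
    local-zone: "invalid." always_nxdomain
    local-zone: "local." always_nxdomain
    local-zone: "onion." always_nxdomain

    # RFC 1918 reverse zones: static keeps PTR records you add as
    # local-data and answers everything else locally with NXDOMAIN.
    local-zone: "10.in-addr.arpa." static
    local-zone: "168.192.in-addr.arpa." static
    local-zone: "16.172.in-addr.arpa." static
```

Before restarting, run unbound-checkconf against the generated config; with the header missing it reports the parse error that the service start swallows. After the restart, a query such as `drill test.home.arpa @127.0.0.1` should return NXDOMAIN, and with query logging enabled (as in the reply above) no matching query should appear heading to the upstream forwarder. If another file already declares home.arpa, change that declaration rather than adding a second one.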



January 13, 2023, 04:18:23 PM #2 Last Edit: January 13, 2023, 04:21:31 PM by beachfork
Hi! Thanks for the reply!

You're correct, Unbound is only relaying domains that are on my local domain (home.arpa). But if I try to query for example "test.home.arpa" it forwards it outside my network.

I would like for both "home.arpa" and "*.home.arpa" to never be relayed. On a side note, I'm using Unbound as a DoT forwarder, not on recursive mode.

EDIT: Fixed it! Appending the "server:" header as you've mentioned, fixed my .conf file! Thank you very much for the help!

Glad it worked!
Although I still think this configuration is redundant: Unbound should do it OOTB. Quickly checked: Unbound in DoT-forwarder mode (queries/replies logging enabled, log level 3). RFC 6761 nslookups are NOT forwarded.

PS
Quote: "no errors show up at the logs"
Still an issue, yes. It may still be worth making a PR for redirecting the start command's output.