From: Ernie Luzar <luzar722@gmail.com>
Date: Mon, 28 Aug 2017 10:52:48 -0400
To: freebsd-questions@freebsd.org
Subject: unbound with local-zone: option
Message-ID: <59A42E40.5010508@gmail.com>

Host is running release 11.1 and I enabled the built-in unbound. I have public internet provided by Time Warner and am using their DNS servers. I also have a LAN behind the host. The goal is to deny access to facebook.com at the local host level for all LAN devices.

The first "service local_unbound onestart" command auto-created all kinds of files in /var/unbound and /etc. I added this line into the /var/unbound/unbound.conf file before the first include: statement, i.e.:

    include: /var/unbound/forward.conf
    local-zone: "facebook.com" static

The "service local_unbound onestart" command got no errors, but issuing drill or host commands for facebook still brought up info when I expected to get NXDOMAIN. After a lot of trial and error I finally decided to start over again.

I deleted all the files in /var/unbound and issued the "service local_unbound onestart" command, which I expected would rebuild all the needed files anew. But this time it issued error messages about being unable to create some files. I am now dead in space with the only option being to install a fresh copy of 11.1.

Questions.

Is the built-in version of unbound only usable as a local caching resolver? Meaning it will not process local-zone: statements in the /var/unbound/unbound.conf file?

How do I get unbound to re-init itself cleanly?

When does unbound get control? Is it after the firewall does its NATing and releases the packet to the public interface?

https://www.freebsd.org/doc/en_US.ISO8859-1/books/handbook/network-dns.html talks about DNSSEC, but is not very clear in meaning. I issued "drill -S FreeBSD.org", which I assume uses the provided DNS IP addresses in /etc/resolv.conf, and it resulted in this:

    DNSSEC Trust tree:
    freebsd.org. (A)
    You have not provided any trusted keys.
    ;; Chase successful

Is this good or bad, and does it have any bearing on the host's built-in unbound?
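An added example, not part of Ernie's post and not FreeBSD's own local_unbound scripts: a POSIX shell fragment that turns a list of zones into a drop-in file of the same `local-zone: ... static` directives the post uses, then checks the answer against the local resolver rather than against whatever /etc/resolv.conf points at. It assumes that the generated /var/unbound/unbound.conf includes /var/unbound/conf.d/*.conf from inside its server: clause (verify this in the generated file; CONF_DIR can be pointed elsewhere), that the blocklist file is a constructed sample, and that the checker binary may be local-unbound-checkconf (base system) or unbound-checkconf (ports), or absent.

```shell
#!/bin/sh
# Added example (not from the original post or from FreeBSD's local_unbound
# scripts). Builds a drop-in of "static" local-zones for the base-system unbound.
# Assumptions: the generated /var/unbound/unbound.conf includes
# /var/unbound/conf.d/*.conf inside its server: clause; CONF_DIR and BLOCKLIST
# may be overridden in the environment (e.g. for a dry run in a temp dir).

CONF_DIR="${CONF_DIR:-/var/unbound/conf.d}"
BLOCKLIST="${BLOCKLIST:-./blocked-zones.txt}"

# Constructed sample blocklist: one zone per line, comments and blanks allowed.
make_sample_blocklist() {
    cat > "$BLOCKLIST" <<'EOF'
# zones to answer locally (the zone apex and every name below it)
facebook.com
EXAMPLE.org
EOF
}

# Turn the blocklist into a server: fragment. With "static" and no local-data,
# unbound answers names in the zone from local configuration only and never
# forwards them upstream; names with no matching data get NXDOMAIN.
gen_local_zones() {
    printf 'server:\n'
    grep -v '^[[:space:]]*#' "$1" | grep -v '^[[:space:]]*$' |
    tr 'A-Z' 'a-z' | sort -u |
    while IFS= read -r zone; do
        # Accept only letters, digits, hyphens and single interior dots, so one
        # malformed line is skipped instead of breaking the whole config.
        case "$zone" in
            *[!a-z0-9.-]*|.*|*.|*..*) echo "skipping bad zone: $zone" >&2; continue ;;
        esac
        printf '    local-zone: "%s." static\n' "$zone"
    done
}

# Write the drop-in. unbound reads its configuration at start, so restart the
# service afterwards (service local_unbound restart).
install_blocklist() {
    mkdir -p "$CONF_DIR"
    gen_local_zones "$BLOCKLIST" > "$CONF_DIR/blocklist.conf"
}

# Syntax-check the full configuration with whichever checker is installed:
# local-unbound-checkconf from the base system, unbound-checkconf from ports.
validate_config() {
    if command -v local-unbound-checkconf >/dev/null 2>&1; then
        local-unbound-checkconf
    elif command -v unbound-checkconf >/dev/null 2>&1; then
        unbound-checkconf
    else
        echo "no unbound-checkconf found; skipping validation" >&2
    fi
}

# Ask the local resolver explicitly (@127.0.0.1) instead of whatever
# /etc/resolv.conf lists; a blocked name must come back with rcode NXDOMAIN.
check_blocked() {
    drill "$1" @127.0.0.1 | grep -q 'rcode: NXDOMAIN'
}

# Usage on the host:
#   make_sample_blocklist && install_blocklist && validate_config
#   service local_unbound restart
#   check_blocked www.facebook.com && echo blocked
```

Querying 127.0.0.1 directly separates "unbound is not applying the zone" from "the client is not asking unbound at all", which are the two failure modes a test with plain `drill facebook.com` cannot tell apart; LAN devices are only covered once their resolver setting points at this host.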