Date: Mon, 28 Aug 2017 10:52:48 -0400
From: Ernie Luzar <luzar722@gmail.com>
To: "freebsd-questions@freebsd.org" <freebsd-questions@freebsd.org>
Subject: unbound with local-zone: option
Message-ID: <59A42E40.5010508@gmail.com>
Host is running release 11.1 and I enabled the built-in unbound. Have public internet provided by Time Warner and using their DNS servers. Also have LAN behind host. The goal is to deny access to facebook.com at the local host level for all LAN devices.

The first "service local_unbound onestart" command auto created all kinds of files in /var/unbound and /etc. I added this line into the /var/unbound/unbound.conf file before the first include: statement, i.e.:

    include: /var/unbound/forward.conf
    local-zone: "facebook.com" static

The "service local_unbound onestart" command got no errors, but issuing drill or host commands for facebook still brought up info when I expected to get NXDOMAIN.

After a lot of trial and error I finally decided to start over again. I deleted all the files in /var/unbound and issued the "service local_unbound onestart" command, which I expected would rebuild all the needed files anew. But this time it issued error messages about being unable to create some files. I am now dead in space with the only option being to install a fresh copy of 11.1.

Questions.

Is the built-in version of unbound only usable as a local caching resolver? Meaning it will not process local-zone: statements in the /var/unbound/unbound.conf file?

How do I get unbound to re-init itself cleanly?

When does unbound get control? Is it after the firewall does its NATing and releases the packet to the public interface?

https://www.freebsd.org/doc/en_US.ISO8859-1/books/handbook/network-dns.html talks about DNSSEC, but is not very clear in meaning. I issued "drill -S FreeBSD.org", which I assume uses the DNS IP addresses provided in /etc/resolv.conf, and it resulted in this:

    DNSSEC Trust tree:
    freebsd.org. (A)
    You have not provided any trusted keys.
    ;; Chase successful

Is this good or bad and does it have any bearing on the host's built-in unbound?
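The post above hand-edits the generated /var/unbound/unbound.conf. The following is an added example (editor's code, not the poster's and not part of the FreeBSD base system) of the approach that survives regeneration of that file: a drop-in under /var/unbound/conf.d/ carrying the local-zone: lines inside its own server: clause. It assumes that the unbound.conf written by local-unbound-setup ends with "include: /var/unbound/conf.d/*.conf" (true for the 11.x base-system setup script, but check your own generated file), and the LAN_ADDR and LAN_NET variables are hypothetical knobs for the host's LAN-facing address and the LAN prefix, used because unbound listens only on localhost unless an interface: line says otherwise, so LAN devices would never reach the blocklist at all.

```shell
#!/bin/sh
# Added example (not from the original post): generate an unbound drop-in
# that answers NXDOMAIN for a list of domains via "local-zone: ... static".
# Assumptions, labelled: the base-system local_unbound config written by
# local-unbound-setup ends with "include: /var/unbound/conf.d/*.conf", so a
# file in that directory is picked up without editing unbound.conf itself;
# LAN_ADDR / LAN_NET are hypothetical environment variables for the host's
# LAN-facing address and the LAN prefix that may query it.

# Accept only plain hostnames (labels of letters, digits and hyphens).
validate_domain() {
    printf '%s' "$1" | grep -Eq '^([A-Za-z0-9-]+\.)+[A-Za-z0-9-]+\.?$'
}

# Print a server: clause with one static local-zone per domain.
# With LAN_ADDR and LAN_NET set, also make unbound listen on the LAN
# address and allow that prefix; 127.0.0.1 is re-listed because any
# explicit interface: line replaces unbound's localhost-only default.
make_blocklist_conf() {
    d=""
    echo "# blocklist.conf: constructed example drop-in for /var/unbound/conf.d/"
    echo "server:"
    if [ -n "${LAN_ADDR:-}" ] && [ -n "${LAN_NET:-}" ]; then
        echo "    interface: 127.0.0.1"
        echo "    interface: ${LAN_ADDR}"
        echo "    access-control: 127.0.0.0/8 allow"
        echo "    access-control: ${LAN_NET} allow"
    fi
    for d in "$@"; do
        d="$(printf '%s' "$d" | tr 'A-Z' 'a-z')"
        if ! validate_domain "$d"; then
            echo "skipping invalid name: $d" >&2
            continue
        fi
        # static: answer from local data only; since no local-data is
        # defined, every name in the zone (subdomains included) gets NXDOMAIN.
        echo "    local-zone: \"$d\" static"
    done
}

# Usage: sh blocklist.sh facebook.com > /var/unbound/conf.d/blocklist.conf
if [ $# -gt 0 ]; then
    make_blocklist_conf "$@"
fi
```

After writing the file, run "unbound-checkconf /var/unbound/unbound.conf" to catch syntax errors before restarting with "service local_unbound restart", then verify with "drill www.facebook.com @127.0.0.1" from the host and from a LAN client; the expected status is NXDOMAIN. Unbound is an ordinary listening daemon, so it only answers queries that are sent to it: the block takes effect on LAN devices only if the DHCP or static resolver setting on those devices points at this host, and a client that still talks to the ISP's resolvers directly bypasses it entirely.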