Date: Wed, 26 Jun 2019 20:42:38 +0000
From: bugzilla-noreply@freebsd.org
To: bugs@FreeBSD.org
Subject: [Bug 238819] local-unbound: Improve default configuration
Message-ID: <bug-238819-227-7k4Ytg8TVj@https.bugs.freebsd.org/bugzilla/>
In-Reply-To: <bug-238819-227@https.bugs.freebsd.org/bugzilla/>
References: <bug-238819-227@https.bugs.freebsd.org/bugzilla/>
https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=238819

Dag-Erling Smørgrav <des@FreeBSD.org> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|Open                        |Closed
         Resolution|---                         |Works As Intended

--- Comment #1 from Dag-Erling Smørgrav <des@FreeBSD.org> ---
(In reply to tschweikle from comment #0)
> Missing are:
> - allow localhost to query

This is the built-in default.

> - allow private addresses
> - allow private addresses reverse lookup

This is what “unblock-lan-zones” and “insecure-lan-zones” are for.

> - don't cache failed requests to forwarders (may lead to problems if your
> printer was turned off, you tried to print, and then you notice it is turned
> off. You turn it on and then: printing just fails, because unbound did cache
> the "notfound").

Unless your printer is also your DNS server, it being off will in no way affect
Unbound's behavior.

Since you're running FreeBSD 12, I recommend switching to DNS over TLS, as
described here:

https://blog.des.no/2018/10/dns-over-tls-in-freebsd-12/

If you have a local DNS server that serves private zones, you will need to add
an exception for those zones. Put something like this in
/var/unbound/conf.d/private-zones.conf, then run `local-unbound-control reload`:

server:
    # private-domain and domain-insecure are server: options in
    # unbound.conf(5); unbound rejects them inside a forward-zone: clause.
    # Allow your zone to contain RFC 1918 addresses.
    private-domain: "example.local."
    # Ignore DNSSEC errors for your zone.
    domain-insecure: "example.local."

forward-zone:
    # Replace "example.local" with the name of your zone and
    # "172.16.0.1" with the IP address of your local DNS server.
    name: example.local.
    forward-addr: 172.16.0.1
    # Do not use TLS for this forwarder.
    forward-tls-upstream: no
    # Fall back to the main forwarder if this one fails.
    # This is rarely needed, but it doesn't hurt.
    forward-first: yes

-- 
You are receiving this mail because:
You are the assignee for the bug.
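unbound.conf options are scoped to a clause: private-domain and domain-insecure
(like unblock-lan-zones and insecure-lan-zones) are server: options, while name,
forward-addr, forward-first and forward-tls-upstream belong to forward-zone:.
Putting a server option under forward-zone: is an easy slip when writing a
drop-in such as private-zones.conf, and unbound refuses to load the file. As an
added example that is not part of this thread, of FreeBSD or of the unbound
project, here is a small Python checker that parses the clause layout of such a
file and reports misplaced options. The option table is a hand-picked subset of
unbound.conf(5), the sample configuration is constructed for the example, and
render_private_zone is a helper invented here to emit the thread's snippet with
each option in its proper clause.

```python
"""Check which clause each option of an unbound.conf-style file lands in.

Added example for this thread (not FreeBSD's or NLnet Labs' code). It parses
the clause structure of an unbound configuration and flags server-clause
options such as "private-domain" or "domain-insecure" placed inside a
"forward-zone" clause, where unbound's parser rejects them. The sample
configuration below is constructed for the example.
"""
import re

# Hand-picked subset of unbound.conf(5), keyed by the clause each option
# belongs to. Only options relevant to the thread (plus a few common
# neighbours) are listed; anything else is reported as unknown to this
# checker, which is a limitation of the table, not a statement about unbound.
CLAUSE_OPTIONS = {
    "server": {
        "private-domain", "domain-insecure", "unblock-lan-zones",
        "insecure-lan-zones", "interface", "access-control", "verbosity",
    },
    "forward-zone": {
        "name", "forward-addr", "forward-host", "forward-first",
        "forward-tls-upstream", "forward-no-cache",
    },
    "stub-zone": {"name", "stub-addr", "stub-host", "stub-prime", "stub-first"},
    "remote-control": {"control-enable", "control-interface", "control-port"},
}

CLAUSE_RE = re.compile(r"^([a-z-]+):\s*$")
OPTION_RE = re.compile(r"^([a-z-]+):\s*(.*)$")


def parse_clauses(text):
    """Return [(clause_name, [(lineno, option, value), ...]), ...] in file order."""
    clauses = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()  # drop comments and whitespace
        if not line:
            continue
        m = CLAUSE_RE.match(line)
        if m and m.group(1) in CLAUSE_OPTIONS:
            clauses.append((m.group(1), []))  # a bare "name:" opens a clause
            continue
        m = OPTION_RE.match(line)
        if not m:
            raise ValueError(f"line {lineno}: cannot parse {raw!r}")
        if not clauses:
            raise ValueError(f"line {lineno}: option before any clause")
        clauses[-1][1].append((lineno, m.group(1), m.group(2).strip()))
    return clauses


def check_config(text):
    """Return human-readable problems; an empty list means the layout is fine."""
    problems = []
    for clause, options in parse_clauses(text):
        allowed = CLAUSE_OPTIONS[clause]
        for lineno, opt, _value in options:
            if opt in allowed:
                continue
            # Find the clause(s) that do accept this option, if any.
            homes = sorted(c for c, opts in CLAUSE_OPTIONS.items() if opt in opts)
            if homes:
                problems.append(
                    f"line {lineno}: '{opt}' belongs in a '{homes[0]}:' clause, "
                    f"not under '{clause}:'")
            else:
                problems.append(f"line {lineno}: '{opt}' unknown to this checker")
    return problems


def render_private_zone(zone, addr):
    """Emit the thread's private-zone snippet with each option in its own clause."""
    zone = zone.rstrip(".") + "."  # unbound expects a fully qualified name
    return (
        "server:\n"
        f'    private-domain: "{zone}"\n'
        f'    domain-insecure: "{zone}"\n'
        "\n"
        "forward-zone:\n"
        f"    name: {zone}\n"
        f"    forward-addr: {addr}\n"
        "    forward-tls-upstream: no\n"
        "    forward-first: yes\n"
    )


# Constructed sample: all options under forward-zone, including two that
# only the server clause accepts.
AS_POSTED = """\
forward-zone:
    name: example.local.
    forward-addr: 172.16.0.1
    private-domain: "example.local."   # server-clause option
    domain-insecure: "example.local."  # server-clause option
    forward-tls-upstream: no
    forward-first: yes
"""

if __name__ == "__main__":
    for problem in check_config(AS_POSTED):
        print("as posted:", problem)
    fixed = render_private_zone("example.local", "172.16.0.1")
    print("fixed:", check_config(fixed) or "no problems")
    print(fixed)
```

On a real FreeBSD 12 host the authoritative check is still the daemon's own
parser: run `local-unbound-checkconf` before `local-unbound-control reload`,
since the script above only knows the handful of options in its table.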