From: Matthew Seaman
To: freebsd-questions@freebsd.org
Subject: Re: Unbound(8) caching resolver no workie on fresh install :-(
Date: Sun, 15 Oct 2017 11:39:50 +0100
In-Reply-To: <20171015011032.735852a9@gumby.homeunix.com>
References: <4172.1507827505@segfault.tristatelogic.com> <20171014224323.1ed35da3@gumby.homeunix.com> <64e5525d-fd1c-6e9b-526c-0d9c4e8f788c@cyberleo.net> <20171015011032.735852a9@gumby.homeunix.com>

On 15/10/2017 01:10, RW via freebsd-questions wrote:
> On Sat, 14 Oct 2017 18:08:27 -0500
> CyberLeo Kitsana wrote:
>
>> On 10/14/2017 04:43 PM, RW via freebsd-questions wrote:
>
>> FreeBSD's local_unbound setup will, by default, forward to the
>> nameservers provided by DHCP or hardcoded in the config files, rather
>> than doing full lookups by itself.
>
> But is it possible to force recursion (for the reason below).
> Matthew Seaman implied that it wasn't.

I didn't say it was impossible. I said that there wasn't a simple flag
you could set to enforce that behaviour. The way you prevent
local_unbound from using forwarders is to not have any forwarders
configured anywhere local_unbound can find them. Basically that means:

 * no local_unbound_forwarders setting in /etc/rc.conf
 * no nameserver lines in /etc/resolv.conf
 * if you need to use DHCP, then you'd need to add settings to
   /etc/dhclient.conf to supersede the supplied DNS servers with an
   empty list.

> The reason I ask is that I'm still using DJB dnscache, and should
> probably be using something more modern; and something in base would be
> preferable.

Something that supports DNSSEC would be preferable, although that does
presuppose that the rest of the internet gets off its collective
backside and implements DNSSEC routinely. How short memories are --
remember the fuss over the Kaminsky attack? That was never actually
"solved" by the work-arounds given in the security advisories at the
time, just made significantly less likely to succeed. The real fix was
always enabling DNSSEC everywhere. Does _your_ bank use DNSSEC?

Hey, at least you could be assured that no-one is spoofing freebsd.org...

>>> There's also the issue that mail servers should avoid using shared
>>> caches because of per IP address limits on blocklists.

Anyone operating a mail server at reasonable scale has no excuse for not
paying for the service that blocklist providers provide, in which case,
the same per-IP limits will not apply.

Cheers,

Matthew
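A quick way to verify the three locations Matthew lists before (re)starting local_unbound, as an added example: this is not part of the message above and not FreeBSD's own local-unbound-setup script. The sample rc.conf, resolv.conf and dhclient.conf files are constructed inline; treating a loopback nameserver (127.0.0.1 or ::1) in resolv.conf as local_unbound itself rather than as a forwarder, and using `supersede domain-name-servers 127.0.0.1;` in the sample dhclient.conf where the message suggests an empty list, are assumptions of mine, and the check only looks for the presence of a supersede statement, not its value.

```shell
#!/bin/sh
# Added example, not from the message above or from FreeBSD's own
# local-unbound-setup script: audit the three places the message names
# where local_unbound can pick up forwarders, so you can confirm nothing
# will make it forward instead of recurse before you (re)start it.
#
# Assumptions, labelled here: file paths are arguments so the check can run
# against copies; a loopback nameserver (127.0.0.1 / ::1) in resolv.conf is
# taken to be local_unbound itself, not a forwarder; the sample dhclient.conf
# supersedes domain-name-servers with 127.0.0.1 (the message suggests an
# empty list) and the check only looks for the supersede statement itself.

# Usage: find_forwarder_sources RC_CONF RESOLV_CONF [DHCLIENT_CONF]
# Prints one line per forwarder source found; exit status 0 means none found.
# Pass an empty DHCLIENT_CONF if the host does not use DHCP.
find_forwarder_sources() {
    rc_conf=$1; resolv_conf=$2; dhclient_conf=$3
    found=0

    # 1. rc.conf: local_unbound_forwarders set to something non-empty
    #    (last assignment wins, as in sh; surrounding quotes are stripped).
    if [ -f "$rc_conf" ]; then
        fwd=$(sed -n 's/^[[:space:]]*local_unbound_forwarders=//p' "$rc_conf" \
              | tail -n 1 | tr -d "\"'")
        if [ -n "$fwd" ]; then
            printf 'rc.conf: local_unbound_forwarders=%s\n' "$fwd"
            found=1
        fi
    fi

    # 2. resolv.conf: any nameserver line that is not the loopback address.
    if [ -f "$resolv_conf" ]; then
        ns=$(awk '$1 == "nameserver" && $2 != "127.0.0.1" && $2 != "::1" { print $2 }' \
             "$resolv_conf")
        if [ -n "$ns" ]; then
            printf 'resolv.conf: nameserver %s\n' $ns
            found=1
        fi
    fi

    # 3. dhclient.conf (DHCP hosts only): without a supersede of
    #    domain-name-servers, the next lease writes the DHCP-supplied servers
    #    back into resolv.conf. A missing file counts as "not superseded".
    if [ -n "$dhclient_conf" ]; then
        if ! grep -Eqs '^[[:space:]]*supersede[[:space:]]+domain-name-servers' "$dhclient_conf"; then
            printf 'dhclient.conf: domain-name-servers not superseded, DHCP can re-add forwarders\n'
            found=1
        fi
    fi

    return $found
}

# Constructed sample configurations (not taken from any real host): a
# "forwarding" set that still names upstream servers, and a "recursive" set
# with all three sources cleaned up as the message describes.
write_samples() {
    dir=$1
    cat > "$dir/forwarding.rc.conf" <<'EOF'
hostname="resolver.example"
local_unbound_enable="YES"
local_unbound_forwarders="192.0.2.53 192.0.2.54"
EOF
    cat > "$dir/forwarding.resolv.conf" <<'EOF'
# constructed sample: DHCP-supplied servers left in place
nameserver 192.0.2.53
nameserver 192.0.2.54
EOF
    cat > "$dir/forwarding.dhclient.conf" <<'EOF'
interface "em0" {
}
EOF
    cat > "$dir/recursive.rc.conf" <<'EOF'
hostname="resolver.example"
local_unbound_enable="YES"
EOF
    cat > "$dir/recursive.resolv.conf" <<'EOF'
# constructed sample: only the local resolver is listed
nameserver 127.0.0.1
options edns0
EOF
    cat > "$dir/recursive.dhclient.conf" <<'EOF'
# assumption: point the DHCP-managed resolv.conf at the local resolver
supersede domain-name-servers 127.0.0.1;
EOF
}

demo() {
    dir=$(mktemp -d)
    write_samples "$dir"
    for name in forwarding recursive; do
        if find_forwarder_sources "$dir/$name.rc.conf" "$dir/$name.resolv.conf" \
                                  "$dir/$name.dhclient.conf"; then
            echo "$name: no forwarder sources found; local_unbound will recurse from the root hints"
        else
            echo "$name: forwarders still reachable by local_unbound (see lines above)"
        fi
    done
    rm -rf "$dir"
}

demo
```

Run it against the real files with `find_forwarder_sources /etc/rc.conf /etc/resolv.conf /etc/dhclient.conf` (or an empty third argument on a statically addressed host); a zero exit status means none of the three sources will hand local_unbound a forwarder, which is exactly the condition the message describes.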