On Wed, 26 Jul 2017, Amelia A Lewis wrote:

do-not-query-localhost: no

That seems like one of those awkwardly-phrased directives.

The manual says that the default is to assume that

        do-not-query-address: localhost

i.e. 'localhost' is added to the do-not-query-address list by default. This list is those IP addresses that one is not allowed to query, or as the manual says,

        Do not query the given IP address.

I am assuming that the manual writer really wanted to say

        Do not send a DNS query to the given IP address

And yet my configuration file says I want to do just that. It should be
rejected when the file is read.

Besides, if I did not want a DNS query to be processed on 127.0.0.1, I would simply NOT have NSD sitting listening on that address in the first place. I do not go looking for trouble. It's like, if you do not want SSH to be usable into an IP, do not run the daemon to listen on that IP!

So, in my case, I was using the default which is yes

        do-not-query-localhost: yes

I would also think that having an explicit configuration item

        stub-zone:
                name:           "turkeys.com.au."
                stub-addr:      127.0.0.1@8053

which violated that earlier rule would constitute a configuration-time error, and one that at the very least should be detected at startup. I would think that detecting, and misleadingly reporting, an error at run-time is counter-productive. It should be able to be detected as a configuration conflict.

Consider this example (with the default localhost on the banned list)

        nslookup roasted.turkeys.com.au
        Server:         127.0.0.1
        Address:        127.0.0.1#53

        ** server can't find roasted.turkeys.com.au: NXDOMA

At runtime, the message returned is that server cannot find the domain, when I know full well that a request sent to 127.0.0.1 on that port can be processed perfectly well all the time. NSD just loves it. It is UNBOUND that is refusing to send it off, and yet replying that it cannot find it!
There is no error logged in /var/log/daemon or anywhere else either.

'nslookup' and even 'dig' should be saying something at least like

        DNS processing server is in the banned list

Just my 2c. Something seems very weird.

Regards - Damian

Pacific Engineering Systems International, 277-279 Broadway, Glebe NSW 2037
Ph:+61-2-8571-0847 .. Fx:+61-2-9692-9623 | unsolicited email not wanted here
Views & opinions here are mine and not those of any past or present employer
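A configuration-time check of the kind this message asks for, added here as an example and not code from Unbound or from the poster: it parses a constructed unbound.conf fragment and reports any stub-addr or forward-addr that falls inside the do-not-query list, treating 127.0.0.0/8 and ::1 as banned whenever do-not-query-localhost is yes (its default). The parser, SAMPLE_CONF and the function names are my own assumptions, not part of any Unbound tooling.

```python
import ipaddress

# Constructed unbound.conf fragment mirroring the situation in the mail:
# localhost stays on the do-not-query list (the default), yet a stub-zone
# points at 127.0.0.1@8053. A second zone forwards to an explicitly banned IP.
SAMPLE_CONF = """\
server:
        do-not-query-localhost: yes
        do-not-query-address: 192.0.2.1
stub-zone:
        name:           "turkeys.com.au."
        stub-addr:      127.0.0.1@8053
forward-zone:
        name:           "example.net."
        forward-addr:   192.0.2.1
"""

# Networks that do-not-query-localhost: yes bans implicitly (assumption: v4 loopback block and ::1).
LOCALHOST_NETS = [ipaddress.ip_network("127.0.0.0/8"), ipaddress.ip_network("::1/128")]

def parse_conf(text):
    """Return (banned networks, do-not-query-localhost flag, [(zone, directive, addr)])."""
    banned, localhost, targets, zone = [], True, [], None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()          # drop comments and whitespace
        if not line:
            continue
        key, _, val = line.partition(":")           # first colon separates key from value
        key, val = key.strip(), val.strip().strip('"')
        if key == "do-not-query-localhost":
            localhost = val.lower() == "yes"
        elif key == "do-not-query-address":         # accepts an IP or an IP/netblock
            banned.append(ipaddress.ip_network(val.split("@")[0], strict=False))
        elif key == "name":                         # zone name of the current stub/forward block
            zone = val
        elif key in ("stub-addr", "forward-addr"):
            targets.append((zone, key, val))
    return banned, localhost, targets

def find_conflicts(text):
    """List every upstream address that the same config forbids Unbound from querying."""
    banned, localhost, targets = parse_conf(text)
    if localhost:
        banned = banned + LOCALHOST_NETS
    conflicts = []
    for zone, key, addr in targets:
        ip = ipaddress.ip_address(addr.split("@")[0])   # strip the @port suffix
        if any(ip in net for net in banned):
            conflicts.append(f"{zone}: {key} {addr} is on the do-not-query list")
    return conflicts

if __name__ == "__main__":
    for problem in find_conflicts(SAMPLE_CONF):
        print("config conflict:", problem)
```

Run against the real unbound.conf before reloading, the same conflict surfaces as a startup-time error instead of a misleading NXDOMAIN with nothing logged.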
