It worked after appending do-not-query-localhost: no

On July 29, 2019 12:44:45 AM GMT+03:00, Flipchan <flipc...@riseup.net> wrote:
> Config file
>
> ns0# cat /var/unbound/etc/unbound.conf
>
> # $OpenBSD: unbound.conf,v 1.7 2016/03/30 01:41:25 sthen Exp $
>
> server:
>         interface: 127.0.0.1
>         #interface: ::1
>         do-ip6: no
>
>         access-control: 0.0.0.0/0 refuse
>         access-control: 127.0.0.0/8 allow
>         access-control: 192.168.0.0/16 allow
>
>         access-control: ::0/0 refuse
>         access-control: ::1 allow
>
>         hide-identity: yes
>         hide-version: yes
>
> remote-control:
>         control-enable: yes
>         control-use-cert: no
>         control-interface: /var/run/unbound.sock
>
> # Use an upstream forwarder (recursive resolver) for specific zones.
> #
>
> forward-zone:
>         name: "testing."
>         forward-addr: 127.0.0.1@5353    # to nsd daemon
>
> forward-zone:
>         name: "."                       # use for ALL queries
>         forward-addr: 1.1.1.1
>         forward-addr: 74.82.42.42
>         forward-addr: 2001:470:20::2
>         forward-addr: 208.67.222.222
>         forward-first: yes
>
> --
> Sincerely flipchan
>
> On July 28, 2019 6:21:49 PM GMT+03:00, Flipchan <flipc...@riseup.net> wrote:
>> Thanks for the configs!
>>
>> https://jonwillia.ms/2018/09/23/anycast-dns-openbsd
>> (github.com/bongozone/kibble)
>>
>> I have only got it to work either with my internal zone records or
>> with everything else.
>>
>> Unbound ignores it when I put a forward-zone: name: ".testing" when I
>> have another forward-zone: name: ".".
>>
>> Does anyone know how this could be done? I have nsd running the zone
>> records for .testing and it works when I only have the .testing
>> forward-zone in the unbound.conf. Does anyone know what I'm doing
>> wrong?
>>
>> On July 27, 2019 1:35:55 AM GMT+03:00, Vijay Sankar <vsan...@foretell.ca> wrote:
>>> Quoting Stuart Henderson <s...@spacehopper.org>:
>>>
>>>> No - you wouldn't do it with Unbound which is a *recursive* DNS
>>>> server, you would use an authoritative one like NSD, PowerDNS, Knot
>>>> or BIND. All you would do with Unbound is use stub-zone to point it
>>>> at an authoritative server.
>>>>
>>>> --
>>>> Sent from a phone, apologies for poor formatting.
>>>>
>>>> On 26 July 2019 11:05:44 Flipchan <flipc...@riseup.net> wrote:
>>>>> Can you link to any guides or practical howtos on how to
>>>>> practically do that with unbound?
>>>>>
>>>>> Thanks
>>>>>
>>>>> On July 25, 2019 9:32:29 PM GMT+03:00, Stuart Henderson
>>>>> <s...@spacehopper.org> wrote:
>>>>>> On 2019-07-25, Flipchan <flipc...@riseup.net> wrote:
>>>>>>> Greetings everyone,
>>>>>>>
>>>>>>> Does anyone have a good solution for syncing unbound
>>>>>>> configuration files?
>>>>>>>
>>>>>>> I have the scenario where I have two internal LANs in two
>>>>>>> different offices that need to have the same internal DNS
>>>>>>> system for the local systems, and there are a lot of changes
>>>>>>> being done in the internal zone records, so I need a good way
>>>>>>> to sync them (the ideal way would be to have a solution
>>>>>>> similar to MySQL's master-master replication).
>>>>>>>
>>>>>>> Both DNS resolvers are running unbound on OpenBSD 6.5 and
>>>>>>> right now the configuration file is synced with ansible.
>>>>>>> Does anyone have a good solution for replicating DNS
>>>>>>> records/configs for unbound? In the future it will be scaled
>>>>>>> even more, so right now is a good time to implement some
>>>>>>> replication for the unbound configs.
>>>>>>>
>>>>>>> Does anyone have a solution for this?
>>>>>>>
>>>>>>> There are people changing the config files on both instances,
>>>>>>> so the ideal way would be a replication real-time sync
>>>>>>> function.
>>>>>>>
>>>>>>> Anyone got any ideas?
>>>>>>>
>>>>>>> Thanks in advance
>>>>>>> Ciao
>>>>>>> flipchan
>>>>>>
>>>>>> If multiple sites are updating records in the same internal
>>>>>> zone at various times, they would probably be better off with a
>>>>>> normal authoritative DNS server serving that zone (with e.g.
>>>>>> stub-zone to point unbound at it), editing it in one place, and
>>>>>> using normal DNS replication (zone-transfer and notify) to push
>>>>>> the updates.
>>>>>
>>>>> --
>>>>> Sent from my Android device with K-9 Mail. Please excuse my brevity.
>>>
>>> I have two locations (foretell.ca and lab.foretell.ca) and for quite
>>> a while used NSD and Unbound. But I switched to the following
>>> approach (however my use case is very simple and my networks are
>>> small, but it works well for me).
>>>
>>> My unbound.conf on four DNS servers has
>>>
>>> include: "/var/unbound/etc/zonedata"
>>>
>>> I then set up a simple zonedata file on one server with stuff such
>>> as:
>>>
>>> local-zone: "foretell.ca." static
>>> .
>>> .
>>> local-zone: "lab.foretell.ca." static
>>> .
>>> .
>>> local-zone: "0.0.10.in-addr.arpa." static
>>> .
>>> .
>>> local-zone: "3.72.10.in-addr.arpa." static
>>> .
>>> .
>>> etc. etc.
>>>
>>> Changes to zonedata reflect changes at both locations. Then I just
>>> have an rsync process running a few times a day that does the
>>> following:
>>>
>>> fr1s1.foretell.ca# more dnsupdate.sh
>>> rsync -av zonedata 10.0.0.1:/var/unbound/etc/
>>> rsync -av zonedata 10.0.0.3:/var/unbound/etc/
>>> rsync -av zonedata 10.72.3.1:/var/unbound/etc/
>>> rsync -av zonedata 10.72.3.3:/var/unbound/etc/
>>> ssh 10.0.0.1 /etc/rc.d/unbound restart
>>> ssh 10.0.0.3 /etc/rc.d/unbound restart
>>> ssh 10.72.3.1 /etc/rc.d/unbound restart
>>> ssh 10.72.3.3 /etc/rc.d/unbound restart
>>>
>>> Obviously I am not sure if this will scale for your requirements,
>>> but I am mentioning this just in case it helps.
>>>
>>> Vijay
>>>
>>> --
>>> ForeTell Technologies Limited
>>> 59 Flamingo Avenue
>>> Winnipeg, MB, Canada
>>> R3J 0X6
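Added example, not code from any of the posts above: a POSIX sh script that renders the resolver configuration the thread ends up at, lints it for the pitfall that made the internal zone silently fail, and pushes it out the way Vijay's dnsupdate.sh does, but validating on each target before the file is swapped in and reloading instead of restarting. It uses stub-zone for the NSD-served zone, as Stuart suggested, and sets do-not-query-localhost: no, because Unbound otherwise refuses to send queries to 127.0.0.0/8 and ::1 (which is why the forward-zone to 127.0.0.1@5353 was ignored until that line was added; the same applies to a stub-addr on loopback). The zone name "testing.", the NSD address 127.0.0.1@5353, the LAN range 192.168.0.0/16, the upstream forwarders, the remote path /var/unbound/etc/ and root@host SSH access are assumptions modelled on the thread, not a tested production setup.

```shell
#!/bin/sh
# Added example (not from the thread). Assumptions: NSD serves "testing." on
# 127.0.0.1@5353, clients live in 192.168.0.0/16, targets are OpenBSD hosts
# reachable as root over ssh with unbound-control configured as below.

render_unbound_conf() {
    # $1 = address of the authoritative NSD for "testing." (default below)
    nsd="${1:-127.0.0.1@5353}"
    cat <<EOF
server:
    # Loopback only; add the LAN interface if 192.168.0.0/16 clients should
    # actually reach this resolver.
    interface: 127.0.0.1
    do-ip6: no
    access-control: 0.0.0.0/0 refuse
    access-control: 127.0.0.0/8 allow
    access-control: 192.168.0.0/16 allow
    hide-identity: yes
    hide-version: yes
    # Unbound will not send queries to 127.0.0.0/8 or ::1 unless this is set,
    # so a stub-addr/forward-addr on loopback is silently never used.
    do-not-query-localhost: no

remote-control:
    control-enable: yes
    # No cert is acceptable only because the control channel is a unix socket.
    control-use-cert: no
    control-interface: /var/run/unbound.sock

# Internal zone held by the local NSD. stub-zone sends iterative
# (non-recursive) queries, which is what an authoritative server expects,
# and the more specific zone wins over the "." forward-zone below.
stub-zone:
    name: "testing."
    stub-addr: ${nsd}

# Everything else goes to upstream recursive resolvers.
forward-zone:
    name: "."
    forward-addr: 1.1.1.1
    forward-addr: 208.67.222.222
EOF
}

lint_unbound_conf() {
    # $1 = path to a config. Returns 0 if it passes the cheap local checks.
    conf="$1"
    # The pitfall from the thread: a loopback upstream without
    # do-not-query-localhost: no is never queried.
    if grep -Eq '^[[:space:]]*(stub|forward)-addr:[[:space:]]*(127\.|::1)' "$conf" \
       && ! grep -Eq '^[[:space:]]*do-not-query-localhost:[[:space:]]*no' "$conf"; then
        echo "lint: loopback upstream without do-not-query-localhost: no" >&2
        return 1
    fi
    # Don't ship an open resolver by accident.
    if grep -Eq '^[[:space:]]*access-control:[[:space:]]*0\.0\.0\.0/0[[:space:]]+allow' "$conf"; then
        echo "lint: access-control allows the whole internet" >&2
        return 1
    fi
    return 0
}

deploy_unbound_conf() {
    # $1 = local config file, remaining args = target hosts.
    src="$1"; shift
    lint_unbound_conf "$src" || return 1
    for host in "$@"; do
        rsync -a "$src" "root@${host}:/var/unbound/etc/unbound.conf.new" || return 1
        # Validate on the target before swapping the file in; reload keeps the
        # cache warm where /etc/rc.d/unbound restart would empty it.
        ssh "root@${host}" 'unbound-checkconf /var/unbound/etc/unbound.conf.new \
            && mv /var/unbound/etc/unbound.conf.new /var/unbound/etc/unbound.conf \
            && unbound-control reload' || return 1
    done
}

# Usage: sh unbound-sync.sh render [nsd-addr] > unbound.conf
#        sh unbound-sync.sh deploy unbound.conf ns1.example ns2.example
case "${1:-}" in
    render) render_unbound_conf "${2:-127.0.0.1@5353}" ;;
    deploy) shift; deploy_unbound_conf "$@" ;;
esac
```

The lint is only a pre-check for the two mistakes that matter most here; unbound-checkconf on the target is what validates the syntax, and running it against the .new file before the mv means a bad push leaves the live config untouched. Vijay's include of a shared zonedata file can be deployed the same way by pointing the rsync at that file instead of unbound.conf.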