On Sat, Jul 17, 2021 at 11:20 AM Theo de Raadt <dera...@openbsd.org> wrote:
> > Instead, we are focusing on 99% of the use cases.

I hardly think that wanting to override your ISP's name servers is outside of the 99% use cases. Of course it wouldn't be the first time I am wrong.

> You might want to look into using unwind(8) instead of unbound(8),
> because resolv(8) treats it as highest priority.

On Sat, Jul 17, 2021 at 5:13 PM Stuart Henderson <s...@spacehopper.org> wrote:
> > The workaround I found is resolvd_flags=NO in rc.conf.local
> > eliminating the prepending of the ISP nameservers.
>
> That's one workaround. Another is to run unwind with an explicit
> configuration directing traffic to your local resolver.

The more I read about unwind the more I like it, but it just doesn't seem like the right option in this particular case (but sure, for anything that's mobile), this being a stable firewall system and needing the features that unbound, which I've been using on many systems (both Linux and OpenBSD, since before it was in base), provides. Although I don't have a static IP to the world, the DHCP-assigned IP changes less than once a year, static enough for my use. The dhclient supersede worked well for years; hopefully the resolvd_flags=NO will as well.

Yes, starting unwind also works, but using unwind to talk to unbound, which is already running and can already be queried on its own, seems a bit overkill (a resolving DNS server to query another resolving DNS server on the same system?). Basically my unbound instance is the only DNS server useful for this firewall's tasks, so any kind of auto switching has no problem to solve. And I'm sure in the future I will need to eat these words :-)

Thanks!
Chris
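As an added illustration (not from the thread or from OpenBSD's own tools), the shell snippet below checks a resolv.conf for the situation discussed above: DHCP-learned ISP nameservers placed ahead of the local unbound listener on 127.0.0.1. The two file contents are constructed samples, and the `# resolvd: ifname` annotation is the form I assume resolvd(8) uses for the entries it adds.

```shell
#!/bin/sh
# Constructed sample: what resolv.conf looks like when resolvd has prepended
# the DHCP-learned nameservers ahead of the local unbound instance.
SAMPLE_RESOLV_CONF='nameserver 192.0.2.53 # resolvd: em0
nameserver 192.0.2.54 # resolvd: em0
nameserver 127.0.0.1
lookup file bind'

# Constructed sample: the intended state after resolvd_flags=NO (only the
# local resolver is listed, no resolvd-managed entries).
FIXED_RESOLV_CONF='nameserver 127.0.0.1
lookup file bind'

# Print the address of the first "nameserver" line (the one libc tries first).
first_nameserver() {
    printf '%s\n' "$1" | awk '$1 == "nameserver" { print $2; exit }'
}

# Count entries carrying the assumed "# resolvd:" annotation.
count_resolvd_entries() {
    printf '%s\n' "$1" | awk '/# resolvd:/ { n++ } END { print n + 0 }'
}

# Succeed only when the local resolver is queried before anything else.
local_resolver_first() {
    [ "$(first_nameserver "$1")" = "127.0.0.1" ]
}

# Human-readable verdict; returns 1 when ISP servers take precedence.
report() {
    if local_resolver_first "$1"; then
        echo "ok: 127.0.0.1 is queried first"
        return 0
    fi
    echo "warn: $(first_nameserver "$1") is queried before 127.0.0.1" \
         "($(count_resolvd_entries "$1") resolvd-managed entries present)"
    return 1
}

# Stand-alone demonstration on both constructed samples. To check a live
# system, pass "$(cat /etc/resolv.conf)" instead.
report "$SAMPLE_RESOLV_CONF" || true
report "$FIXED_RESOLV_CONF" || true
```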