On 8/7/22 09:50, Linkcheck wrote:
> On 07/08/2022 1:12 pm, Rob McGee wrote:
>> dig 2.0.0.127.zen.spamhaus.org. any
> 
> ANY has to be after DIG, not at the end, but...
> 
> ================
> ; <<>> DiG 9.10.3-P4-Ubuntu <<>> any 2.0.0.127.zen.spamhaus.org.
> ;; global options: +cmd
> ;; Got answer:
> ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 18750
> ;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1
> 
> ;; OPT PSEUDOSECTION:
> ; EDNS: version: 0, flags:; udp: 4096
> ;; QUESTION SECTION:
> ;2.0.0.127.zen.spamhaus.org.  IN      ANY
> 
> ;; ANSWER SECTION:
> 2.0.0.127.zen.spamhaus.org. 3579 IN   A       127.255.255.254
> 
> ;; Query time: 1 msec
> ;; SERVER: 127.0.0.1#53(127.0.0.1)
> ;; WHEN: Sun Aug 07 14:34:59 BST 2022
> ;; MSG SIZE  rcvd: 71
> ================
> 
> And I use a local copy of Unbound for all DNS work.

You need to check the following:

1. Unbound MUST be operating as a recursive resolver, NOT a
   stub resolver.  That means that it is making requests from
   upstream nameservers directly, rather than via an upstream
   recursive resolver.  In the case of Unbound, this means that all
   forward-zone: directives in the configuration file must be removed,
   unless they are restricted (via name:) to zones that are not a
   suffix of zen.spamhaus.org.

2. Your instance of Unbound MUST NOT be accessible from the Internet.
   That is, unauthorized users must not be able to submit DNS queries
   to it.  If they can, I suspect it would be considered a public
   recursive resolver and blocked.

Can you provide your `unbound.conf` as well as all of the files
it includes?
-- 
Sincerely,
Demi Marie Obenour (she/her/hers)
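
The two checks listed in the message above can be run mechanically against a configuration file. The following is an added example, not part of the original e-mail and not code from the Unbound project. The function names, the `LOCAL` netblock list and the sample configuration are assumptions made for illustration; it does not follow `include:` directives (it only reports them) and cannot see firewall rules.

```python
import ipaddress

# Netblocks treated as "not the Internet" for this check (an assumption of the example).
LOCAL = [ipaddress.ip_network(n) for n in (
    "127.0.0.0/8", "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "::1/128", "fc00::/7")]

def parse(conf_text):
    """Yield (clause, key, value) for each 'key: value' line of an unbound.conf."""
    clause = None
    for raw in conf_text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if ":" not in line:
            continue
        key, value = (p.strip().strip('"') for p in line.split(":", 1))
        if not value:
            clause = key  # a bare "server:" or "forward-zone:" opens a clause
        yield clause, key, value

def covers(zone, qname="zen.spamhaus.org"):
    """True when forward-zone name `zone` is a label-wise suffix of qname."""
    z, q = ([l for l in n.lower().split(".") if l] for n in (zone, qname))
    return len(z) <= len(q) and q[len(q) - len(z):] == z

def audit(conf_text):
    """Return findings for forwarded DNSBL queries and open access-control."""
    findings = []
    for clause, key, value in parse(conf_text):
        parts = value.split()
        if clause == "forward-zone" and key == "name" and covers(value):
            findings.append(f"forward-zone {value!r} covers zen.spamhaus.org")
        elif key == "access-control" and len(parts) >= 2:
            net = ipaddress.ip_network(parts[0], strict=False)
            local = any(net.version == l.version and net.subnet_of(l) for l in LOCAL)
            if parts[1].startswith("allow") and not local:
                findings.append(f"access-control allows non-local {parts[0]}")
        elif key == "include":
            findings.append(f"included file not checked here: {value}")
    return findings

# Constructed sample configuration, not the poster's real file.
SAMPLE = """\
server:
    access-control: 127.0.0.0/8 allow
    access-control: 0.0.0.0/0 allow
include: "/etc/unbound/unbound.conf.d/*.conf"
forward-zone:
    name: "."
    forward-addr: 192.0.2.53
"""
```

Calling `audit(SAMPLE)` returns three findings: the open `0.0.0.0/0` allow rule, the unchecked include, and the `"."` forward-zone that sends DNSBL lookups through an upstream resolver.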
