It worked after appending
do-not-query-localhost: no
On July 29, 2019 12:44:45 AM GMT+03:00, Flipchan <flipchan@riseup.net> wrote:
>Config file
>
>ns0# cat /var/unbound/etc/unbound.conf
>
># $OpenBSD: unbound.conf,v 1.7 2016/03/30 01:41:25 sthen Exp $
>
>server:
> interface: 127.0.0.1
> #interface: ::1
> do-ip6: no
>
> access-control: 0.0.0.0/0 refuse
> access-control: 127.0.0.0/8 allow
> access-control: 192.168.0.0/16 allow
>
> access-control: ::0/0 refuse
> access-control: ::1 allow
>
> hide-identity: yes
> hide-version: yes
>
>
>remote-control:
> control-enable: yes
> control-use-cert: no
> control-interface: /var/run/unbound.sock
>
># Use an upstream forwarder (recursive resolver) for specific zones.
>#
>
>forward-zone:
> name: "testing."
> forward-addr: 127.0.0.1@5353 # to nsd daemon
>
>forward-zone:
> name: "." # use for ALL queries
> forward-addr: 1.1.1.1
> forward-addr: 74.82.42.42
> forward-addr: 2001:470:20::2
> forward-addr: 208.67.222.222
> forward-first: yes
>
>--
>Sincerely flipchan
>
>On July 28, 2019 6:21:49 PM GMT+03:00, Flipchan <flipchan@riseup.net> wrote:
>>Thanks for the configs !
>>
>>https://jonwillia.ms/2018/09/23/anycast-dns-openbsd
>>(github.com/bongozone/kibble)
>>
>>I have got it to work as either only working with my internal zone
>>records or only working with everything else.
>>
>>Unbound ignores it when I put a forward-zone: name: ".testing" when I
>>have another forward-zone: name: "."
>>
>>Does anyone know how this could be done? I have nsd running the zone
>>records for .testing and it works when I only have the .testing
>>forward-zone in the unbound.conf, does anyone know what I'm doing
>>wrong?
>>
>>
>>
>>On July 27, 2019 1:35:55 AM GMT+03:00, Vijay Sankar <vsankar@foretell.ca> wrote:
>>>
>>>Quoting Stuart Henderson <stu@spacehopper.org>:
>>>
>>>> No - you wouldn't do it with Unbound which is a *recursive* DNS
>>>> server, you would use an authoritative one like NSD, PowerDNS, Knot
>>>> or BIND. All you would do with Unbound is use stub-zone to point it
>>>> at an authoritative server.
>>>>
>>>> --
>>>> Sent from a phone, apologies for poor formatting.
>>>> On 26 July 2019 11:05:44 Flipchan <flipchan@riseup.net> wrote:
>>>>> Can you link to any guides or practical howtos on how to practically
>>>>> do that with unbound?
>>>>>
>>>>> Thanks
>>>>>
>>>>>
>>>>> On July 25, 2019 9:32:29 PM GMT+03:00, Stuart Henderson
>>>>> <stu@spacehopper.org> wrote:
>>>>> On 2019-07-25, Flipchan <flipchan@riseup.net> wrote:
>>>>>
>>>>> Greetings everyone,
>>>>>
>>>>> Does anyone have a good solution for syncing unbound configuration files?
>>>>>
>>>>>
>>>>> I have the scenario where I have two internal LANs in two
>>>>> different offices that need to have the same internal
>>>>> DNS system for the local systems, and there are a lot of changes
>>>>> being done in the internal zone records so I need
>>>>> a good way to sync them (the ideal way would be to have a similar
>>>>> solution to mysql's master-master replication).
>>>>>
>>>>> Both DNS resolvers are running unbound on OpenBSD 6.5 and right now
>>>>> the configuration file is synced with ansible.
>>>>> Does anyone have a good solution on replicating DNS records/configs
>>>>> for unbound. In the future it will be scaled
>>>>> even more so right now is a good time to implement some replication
>>>>> for the unbound configs.
>>>>>
>>>>> Does anyone have a solution for this?
>>>>>
>>>>> There are people changing the config files on both instances so the
>>>>> ideal way would be a real-time replication sync function.
>>>>>
>>>>> Anyone got any ideas?
>>>>>
>>>>>
>>>>> Thanks in advance
>>>>> Ciao
>>>>> flipchan
>>>>>
>>>>>
>>>>> If multiple sites are updating records in the same internal zone at
>>>>> various times, they would probably be better off with a normal
>>>>> authoritative DNS server serving that zone (with e.g. stub-zone to
>>>>> point unbound at it), editing it in one place, and using normal DNS
>>>>> replication (zone-transfer and notify) to push the updates.
>>>>>
>>>>>
>>>>> --
>>>>> Sent from my Android device with K-9 Mail. Please excuse my brevity.
>>>
>>>I have two locations (foretell.ca and lab.foretell.ca) and for quite a
>>>while used NSD and Unbound. But switched to the following approach
>>>(however my use case is very simple and my networks are small, but it
>>>works well for me)
>>>
>>>My unbound.conf on four DNS servers has
>>>
>>>include: "/var/unbound/etc/zonedata"
>>>
>>>I then set up a simple zonedata file on one server with stuff such as:
>>>
>>>local-zone: "foretell.ca." static
>>>.
>>>.
>>>local-zone: "lab.foretell.ca." static
>>>.
>>>.
>>>local-zone: "0.0.10.in-addr.arpa." static
>>>.
>>>.
>>>local-zone: "3.72.10.in-addr.arpa." static
>>>.
>>>.
>>>etc. etc.
>>>
>>>Changes to zonedata reflect changes at both locations. Then I just
>>>have an rsync process running a few times a day that does the following:
>>>
>>>fr1s1.foretell.ca# more dnsupdate.sh
>>>rsync -av zonedata 10.0.0.1:/var/unbound/etc/
>>>rsync -av zonedata 10.0.0.3:/var/unbound/etc/
>>>rsync -av zonedata 10.72.3.1:/var/unbound/etc/
>>>rsync -av zonedata 10.72.3.3:/var/unbound/etc/
>>>ssh 10.0.0.1 /etc/rc.d/unbound restart
>>>ssh 10.0.0.3 /etc/rc.d/unbound restart
>>>ssh 10.72.3.1 /etc/rc.d/unbound restart
>>>ssh 10.72.3.3 /etc/rc.d/unbound restart
>>>
>>>Obviously I am not sure if this will scale for your requirements but
>>>mentioning this just in case it helps.
>>>
>>>Vijay
>>>
>>>
>>>--
>>>ForeTell Technologies Limited
>>>59 Flamingo Avenue
>>>Winnipeg, MB, Canada
>>>R3J 0X6
>>
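As an added example (not code from the thread or from the Unbound project), a small Python linter for the two pitfalls in this exchange: a forward-addr on loopback without do-not-query-localhost: no, which Unbound silently never queries, and a zone name written with a leading dot (".testing" instead of "testing."). The parser assumes the plain "clause:" / " option: value" layout of the quoted unbound.conf and only inspects the server: and forward-zone: clauses.

```python
# Added example, not from the thread or the Unbound project: lint an unbound.conf for
# the forwarding pitfalls hit above. Assumes the "clause:" / " option: value" layout.
import ipaddress

def parse_unbound_conf(text):
    """Return (server_options, forward_zones); '#' comments are dropped."""
    server, zones, clause = {}, [], None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()
        if not line.strip():
            continue
        key, _, value = line.strip().partition(":")
        key, value = key.strip(), value.strip().strip('"')
        if not line[0].isspace() and value == "":   # clause header, e.g. "forward-zone:"
            clause = key
            if key == "forward-zone":
                zones.append({"name": None, "addrs": []})
        elif clause == "server":
            server[key] = value
        elif clause == "forward-zone" and zones:
            if key == "name":
                zones[-1]["name"] = value
            elif key == "forward-addr":
                zones[-1]["addrs"].append(value.split("@", 1)[0])  # drop "@port"
    return server, zones

def check_forwarding(text):
    """Return findings for the config text; an empty list means it passed."""
    server, zones = parse_unbound_conf(text)
    # do-not-query-localhost defaults to yes, so loopback forward-addrs are never queried
    localhost_ok = server.get("do-not-query-localhost", "yes") == "no"
    findings = []
    for zone in zones:
        name = zone["name"] or "<unnamed>"
        if name != "." and name.startswith("."):   # ".testing": empty first label
            findings.append(f'zone {name}: leading dot is not a valid name, use "{name[1:]}."')
        for addr in zone["addrs"]:
            if ipaddress.ip_address(addr).is_loopback and not localhost_ok:
                findings.append(f"zone {name}: {addr} needs do-not-query-localhost: no")
    return findings

# Constructed sample mirroring the quoted config before the fix was appended.
SAMPLE = """server:
forward-zone:
 name: "testing."
 forward-addr: 127.0.0.1@5353 # to nsd daemon
forward-zone:
 name: "." # use for ALL queries
 forward-addr: 1.1.1.1
"""
```

Running check_forwarding(SAMPLE) reports the loopback forwarder; appending do-not-query-localhost: no to the server: clause, as the poster did, clears it.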