NLnetLabs / unbound

Unbound is a validating, recursive, and caching DNS resolver.
https://nlnetlabs.nl/unbound
BSD 3-Clause "New" or "Revised" License

Need a way to attempt forward lookup if recursive lookup fails #51

Open offsides opened 5 years ago

offsides commented 5 years ago

I need a way to specify that queries should be sent to a forwarder for additional lookup if and only if the recursive lookup fails. I maintain a separate DNS server that does recursive lookups to the Internet (for testing and other diagnostic reasons, among other things) other than a few specific internal zones, but it appears that AT&T's DNS servers don't accept queries from just anyone, so any lookup of a domain for which their DNS servers are authoritative will fail with a timeout. Therefore, I want to have the DNS server forward the requests for those domains (and any others that act the same way) to the standard corporate DNS servers which are able to resolve those domains. I know I can manually add domains as I find them, but that's a bit of a pain and not something I'd like to do if possible.

Basically, I'm looking for something like a "forward-last" option as opposed to the "forward-first" one, where forwarding is used as the option of last resort before returning a failure. Is that something that can be done already, and if so in what version (I'm currently using 1.6.6)? If not, is that something that could be added?

brianjmurrell commented 8 months ago

This would also be useful for a portable (a.k.a. travel) router that can be exposed to all manner of captive portals and walled gardens, etc.

Indeed there are networks out there, in hotels and coffee shops and whatnot that even once logged on (and T&Cs accepted, etc.) to their networks, provide a general Internet experience but only allow DNS queries to their own DNS servers and block queries to the Internet.

But since many other such networks fully allow recursion it would be good to be able to use it when you can, to preserve some amount of privacy, while not being completely crippled when one does come across one of the more difficult networks as described above.

As an aside, even in such a hostile network that doesn't allow DNS queries outside of their own servers, I would very quickly restore privacy by starting up a VPN to my home network and then adding a forward-first:, . zone forward to unbound to forward all queries to my own server over the VPN connection. So really, the only query that would go to the captive DNS systems would be the one to get the IP address of my VPN (assuming even it's not baked into the /etc/hosts file on the portable router) endpoint. Thereafter, my VPN's DNS resolver would be used.
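The configuration below is an added example, not a file from the issue thread or from the Unbound project. It shows how the two setups discussed above map onto options Unbound already has (`stub-zone`, per-domain `forward-zone`, and `forward-first`), and makes explicit why `forward-first: yes` is the reverse of the "forward-last" being asked for. All addresses (10.0.0.53, 10.0.0.54 as corporate resolvers, 10.8.0.1 as the home resolver behind the VPN), the zone names `corp.example` and `att-example.com`, and the trust-anchor path are assumptions for illustration:

```conf
# Added example (not from the issue or the Unbound project). Addresses,
# zone names and the trust-anchor path are assumed for illustration.
server:
    interface: 127.0.0.1
    access-control: 127.0.0.0/8 allow
    # Keep validation on. Answers that arrive through a forwarder are
    # still DNSSEC-validated, so a captive-portal resolver can see the
    # queries and withhold or break signed names, but cannot forge them.
    auto-trust-anchor-file: "/var/lib/unbound/root.key"   # assumed path

# Internal zone: ask the internal authoritative servers directly instead
# of going to the public root (the "few specific internal zones" case).
stub-zone:
    name: "corp.example"
    stub-addr: 10.0.0.53
    stub-addr: 10.0.0.54

# Per-domain forwards for zones whose authoritative servers do not answer
# this resolver. Only these names go to the corporate resolvers; every
# other name is still resolved recursively. This is the manual list the
# original poster wants to avoid maintaining.
forward-zone:
    name: "att-example.com"
    forward-addr: 10.0.0.53
    forward-addr: 10.0.0.54

# What "forward-first: yes" does: send the query to the forwarder first and
# fall back to full recursion only if the forwarders fail to answer or
# return SERVFAIL. That is the opposite order from the requested
# "forward-last"; Unbound has no option that recurses first and forwards on
# failure. Shown commented out because it conflicts with the "." zone below.
# forward-zone:
#     name: "."
#     forward-first: yes
#     forward-addr: 10.0.0.53

# Travel-router case once the VPN is up: send everything to the home
# resolver and never fall back to the hostile network's DNS.
forward-zone:
    name: "."
    forward-addr: 10.8.0.1
    forward-first: no
```

Run `unbound-checkconf` on the result before reloading. With `remote-control` enabled, a domain found to need forwarding can be added without a restart using `unbound-control forward_add att-example.com 10.0.0.53`, which is the closest thing to automating the per-domain list. Note that the `forward-first` fallback is triggered by forwarder failure (no answer, SERVFAIL), not by a negative answer: a forwarder that returns NXDOMAIN is believed, so this option cannot be used to emulate "recurse first, forward on timeout" by inverting the roles.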