Open presci opened 11 months ago
I could not reproduce this. I also don't see a reason for that behavior in the code either. Are you sure that you are editing a configuration file that is read by the running Unbound? If so, maybe you have conflicting configuration later on in the file?
Here is my unbound.conf
```
server:
    interface: 0.0.0.0
    access-control: 192.168.0.0/24 allow
    access-control: 127.0.0.1 allow
    access-control: ::1 allow
    access-control: 0.0.0.0/0 deny
    access-control: ::/0 deny
    pidfile: "/var/run/unbound.pid"
    use-syslog: yes
    verbosity: 1
    log-queries: yes
    log-replies: yes
    local-zone: "adserver.example.com" always_nxdomain
    local-zone: "adserver1.example.com" always_nxdomain
    local-zone: "adserver2.example.com" always_nxdomain
    local-zone: "adserver3.example.com" always_nxdomain
    local-zone: "1-23a.com" always_nxdomain
    local-zone: "1-23b.com" always_nxdomain
    local-zone: "1f23b.com" always_nxdomain
    local-zone: "12g3.com" always_nxdomain
    local-zone: "1g23.com" always_nxdomain
    local-zone: "1234.com" always_nxdomain
    local-zone: "123a.com" always_nxdomain
    local-zone: "12322.com" always_nxdomain
```
@gthess
I still can't reproduce it. I get NXDOMAIN on all those local zones.
Could you try `unbound-control list_local_zones` on a running Unbound instance and see if you get all your zones (and some more from default configuration) back?
You would need:
```
remote-control:
    control-enable: yes
```
in your configuration. If you get an error that remote control is not set up you could run `unbound-control-setup` to generate the appropriate default keys.
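The comparison suggested above can be scripted. This is an added example, not part of the thread or of Unbound: it checks the `local-zone` lines of a config file against a saved copy of `unbound-control list_local_zones` output and also flags zone names declared twice. The function names are hypothetical, the sample data is constructed, and the dump is assumed to contain one `<name-with-trailing-dot> <type>` pair per line.

```bash
#!/usr/bin/env bash
# Added example: compare local-zone lines in unbound.conf with a saved copy of
# `unbound-control list_local_zones` output (assumed "<name.> <type>" per line).

# Print "name. type" for each active (uncommented) local-zone line in file $1.
configured_zones() {
    awk '$1 == "local-zone:" && NF >= 3 {
        name = tolower($2); gsub(/"/, "", name)
        if (name !~ /\.$/) name = name "."
        ztype = $3; gsub(/"/, "", ztype)
        print name, ztype
    }' "$1"
}

# Report zones from config $1 that are absent from, or typed differently in,
# the list_local_zones dump $2. Prints nothing when everything was loaded.
missing_local_zones() {
    configured_zones "$1" | awk -v loaded="$2" '
        BEGIN { while ((getline l < loaded) > 0) { split(l, f, " "); seen[tolower(f[1])] = f[2] } }
        !($1 in seen)  { print "MISSING " $1; next }
        seen[$1] != $2 { print "TYPE " $1 " configured=" $2 " loaded=" seen[$1] }'
}

# Report zone names declared more than once in config $1 (a later duplicate
# is one form of conflicting configuration worth ruling out).
duplicate_zones() {
    configured_zones "$1" | awk 'seen[$1]++ == 1 { print "DUPLICATE " $1 }'
}

# Demo on constructed data (not taken from a real server).
demo() {
    d=$(mktemp -d)
    printf '%s\n' 'server:' \
        '    local-zone: "adserver.example.com" always_nxdomain' \
        '    local-zone: "1-23a.com" always_nxdomain' \
        '    # local-zone: "commented.example" always_nxdomain' \
        '    local-zone: "yahoo.com" always_nxdomain' \
        '    local-zone: "1-23a.com" refuse' > "$d/unbound.conf"
    printf '%s\n' 'localhost. redirect' 'adserver.example.com. always_nxdomain' \
        '1-23a.com. always_nxdomain' > "$d/loaded.txt"
    missing_local_zones "$d/unbound.conf" "$d/loaded.txt"
    duplicate_zones "$d/unbound.conf"
    rm -rf "$d"
}
demo
```

On a live system, save the dump with `unbound-control list_local_zones > loaded.txt` and pass the path of the configuration file the daemon actually reads as the first argument.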
Unbound local-zone & local-data doesn't work if the domain starts with number

While I was in the process of setting up a blocklist on Unbound, I encountered an error. It seems that Unbound disregards the configuration once it encounters a local-zone starting with two numbers. Here is an example:

To reproduce
Steps to reproduce the behavior:
`local-zone: "yahoo.com" always_nxdomain` after the non working domain list. It would be ignored
```
;; ANSWER SECTION:
;; AUTHORITY SECTION:
com. 900 IN SOA a.gtld-servers.net. nstld.verisign-grs.com. 1700198534 1800 900 604800 86400
```
```
$> drill 041f1df40782e9ab9f0488a1d503a7a2.nitospax.pl
;; ->>HEADER<<- opcode: QUERY, rcode: NOERROR, id: 5108
;; flags: qr rd ra ; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 0
;; QUESTION SECTION:
;; 041f1df40782e9ab9f0488a1d503a7a2.nitospax.pl. IN A

;; ANSWER SECTION:
041f1df40782e9ab9f0488a1d503a7a2.nitospax.pl. 300 IN A 104.21.8.115
041f1df40782e9ab9f0488a1d503a7a2.nitospax.pl. 300 IN A 172.67.188.115
```
```
Version 1.18.0

Configure line: --with-libexpat=/usr/local --with-ssl=/usr --enable-dnscrypt --disable-dnstap --with-libnghttp2 --with-dynlibmodule --enable-ecdsa --disable-event-api --enable-gost --with-libevent --disable-subnet --disable-tfo-client --disable-tfo-server --with-pthreads --prefix=/usr/local --localstatedir=/var --mandir=/usr/local/man --infodir=/usr/local/share/info/ --build=aarch64-portbld-freebsd13.2
Linked libs: libevent 2.1.12-stable (it uses kqueue), OpenSSL 1.1.1t-freebsd 7 Feb 2023
Linked modules: dns64 dynlib respip validator iterator
DNSCrypt feature available

BSD licensed, see LICENSE in source package for details.
Report bugs to unbound-bugs@nlnetlabs.nl or https://github.com/NLnetLabs/unbound/issues
```