I'm using Unbound on an internal network. What I want it to do is as follows:

  1. If a local_zone matches, return from there
  2. If not and it matches the internal domain name, then try forwarding to Consul on 127.0.0.1:8600
  3. If not, then forward to Cloudflare on 1.0.0.1:853 (DNS-over-TLS)

For example, if example.com is the internal domain name and I try to resolve foo.example.com, it should try steps #1, #2, and finally #3 if the earlier ones don't match:

  1. foo.example.com can't be found in any local_zones, move on
  2. foo.example.com can't be resolved by Consul, move on
  3. foo.example.com was resolved by Cloudflare, return result

My problem is that step 3 is not performed correctly. For example, the above demonstration currently looks like this:

  1. foo.example.com can't be found in any local_zones, move on
  2. foo.example.com can't be resolved by Consul, return failure

In step #2 it should not return a failure; instead it should fall back to trying Cloudflare.

How can I get unbound to fall back to forwarding to another DNS server if resolution fails when forwarding to a given server?

My current config is as follows:


# Unbound configuration file for Debian.
#
# See the unbound.conf(5) man page.
#
# See /usr/share/doc/unbound/examples/unbound.conf for a commented
# reference config file.
#
# The following line includes additional configuration files from the
# /etc/unbound/unbound.conf.d directory.
include: "/etc/unbound/unbound.conf.d/*.conf"

server:
    interface: 0.0.0.0
    interface: ::0

    ip-freebind: yes

    # Access control - default is to deny everything apparently

    # The local network
    access-control: 172.16.230.0/24 allow
    # The docker interface
    access-control: 172.17.0.0/16 allow

    username: "unbound"

    harden-algo-downgrade: yes
    unwanted-reply-threshold: 10000000

    private-domain: "example.com"

    prefetch: yes

    # Service expired cached responses, but only after a failed 
    # attempt to fetch from upstream, and 10 seconds after 
    # expiration. Retry every 10s to see if we can get a
    # response from upstream.
    serve-expired: yes
    serve-expired-ttl: 10
    serve-expired-ttl-reset: yes

    local-zone: "example.com." transparent
    local-data: "foo.example.com.   IN A 172.16.230.100"
    local-data: "bar.example.com.   IN A 172.16.230.101"

    local-data-ptr: "172.16.230.100 foo.example.com."
    local-data-ptr: "172.16.230.101 bar.example.com."

    fast-server-permil: 500

# Forward to consul
stub-zone:
    name: "example.com."
    stub-addr: 127.0.0.1@8600
    # Per unbound.conf(5), stub-first only retries the query without the
    # stub when it would otherwise SERVFAIL (stub servers unreachable).
    # A negative answer from the stub, such as an NXDOMAIN for a name
    # Consul does not know, is returned to the client as-is.
    stub-first: yes

forward-zone:
    name: "."
    # Cloudflare DNS
    forward-addr: 1.0.0.1@853
    # DNSlify - ref https://www.dnslify.com/services/resolver/
    forward-addr: 185.235.81.1@853
    # Note: with no tls-cert-bundle in the server: section and no
    # "#hostname" appended after the port on each forward-addr, the
    # upstream TLS certificate is not authenticated.
    forward-ssl-upstream: yes
starbeamrainbowlabs
  • Hi @starbeamrainbowlabs, did you find a solution? I'm looking for something very similar to be able to administer certain LANs both remotely and on premise. I had tried with a conditional view, but I cannot make unbound use the assigned IP address to actually use the specific view. – zenlord Jan 30 '23 at 16:08
  • @zenlord, no I did not find a solution to this issue as far as I'm aware. – starbeamrainbowlabs Jan 31 '23 at 17:19
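The three-step chain described in the question, as an added model that is not unbound, Consul or the asker's code: each upstream is a constructed lookup table standing in for local-data, Consul and the Cloudflare forwarders, and every name and address in it is invented for the illustration. It makes concrete the distinction unbound.conf(5) draws for stub-first: the retry without the stub happens only when the stub query fails (SERVFAIL), so a negative answer (NXDOMAIN) from Consul for a name it does not know is returned to the client, which matches the second walkthrough in the question. The same function run with NXDOMAIN added to the fallthrough set shows the behaviour the question is asking for.

```python
"""Model of the three-step resolution policy from the question.

Added example, not unbound or Consul code. Each upstream is a plain
callable returning (rcode, answers); the tables below are constructed
stand-ins for local-data, Consul and the public DoT forwarders.
"""
from dataclasses import dataclass
from typing import Callable, Dict, FrozenSet, List, Tuple

# DNS RCODE values from RFC 1035 section 4.1.1.
NOERROR, SERVFAIL, NXDOMAIN = 0, 2, 3

Upstream = Callable[[str], Tuple[int, List[str]]]

# unbound's stub-first semantics: retry without the stub only on failure.
STUB_FIRST_FALLBACK: FrozenSet[int] = frozenset({SERVFAIL})
# What the question wants: also fall through on a negative answer.
WANTED_FALLBACK: FrozenSet[int] = frozenset({SERVFAIL, NXDOMAIN})


@dataclass(frozen=True)
class Result:
    rcode: int
    answers: Tuple[str, ...]
    source: str  # which step answered: "local", "consul" or "public"


def canonical(name: str) -> str:
    """Lowercase and drop the trailing dot so 'Foo.Example.com.' == 'foo.example.com'."""
    return name.lower().rstrip(".")


def in_domain(name: str, domain: str) -> bool:
    """True if name is the domain itself or a name below it."""
    name, domain = canonical(name), canonical(domain)
    return name == domain or name.endswith("." + domain)


def table_upstream(records: Dict[str, List[str]], down: bool = False) -> Upstream:
    """Constructed upstream backed by a name -> addresses table.

    down=True simulates an unreachable server: SERVFAIL for everything.
    Unknown names get NXDOMAIN, the negative answer a real server returns.
    """
    def query(name: str) -> Tuple[int, List[str]]:
        if down:
            return SERVFAIL, []
        addrs = records.get(canonical(name))
        return (NOERROR, list(addrs)) if addrs else (NXDOMAIN, [])
    return query


def resolve(name: str, internal_domain: str, local_data: Dict[str, List[str]],
            consul: Upstream, public: Upstream,
            fallback_on: FrozenSet[int] = STUB_FIRST_FALLBACK) -> Result:
    """Apply the three steps from the question.

    1. local-data match -> answer from the local zone
    2. name under the internal domain -> ask Consul; only rcodes listed in
       fallback_on continue to step 3, anything else is returned as-is
    3. everything else -> the public forwarders
    """
    key = canonical(name)
    if key in local_data:                        # step 1
        return Result(NOERROR, tuple(local_data[key]), "local")
    if in_domain(key, internal_domain):          # step 2
        rcode, answers = consul(key)
        if rcode not in fallback_on:
            return Result(rcode, tuple(answers), "consul")
    rcode, answers = public(key)                 # step 3
    return Result(rcode, tuple(answers), "public")


# Constructed sample data (hypothetical names and addresses).
LOCAL_DATA = {"foo.example.com": ["172.16.230.100"],
              "bar.example.com": ["172.16.230.101"]}
CONSUL = table_upstream({"web.service.example.com": ["172.16.230.50"]})
CONSUL_DOWN = table_upstream({}, down=True)
PUBLIC = table_upstream({"baz.example.com": ["203.0.113.10"],
                         "example.org": ["203.0.113.20"]})


def demo(name: str, fallback_on: FrozenSet[int] = STUB_FIRST_FALLBACK,
         consul: Upstream = CONSUL) -> Result:
    """Resolve one name against the sample setup with example.com as the internal domain."""
    return resolve(name, "example.com", LOCAL_DATA, consul, PUBLIC, fallback_on)


if __name__ == "__main__":
    for n in ("foo.example.com", "web.service.example.com", "baz.example.com", "example.org"):
        print(n, "| stub-first:", demo(n), "| wanted:", demo(n, WANTED_FALLBACK))
```

Running it shows baz.example.com coming back NXDOMAIN from the Consul step under stub-first semantics, while the same name reaches the public forwarders only when NXDOMAIN is in the fallthrough set or when Consul is unreachable (CONSUL_DOWN).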

0 Answers