How to get Unbound to selectively add or override DNS records

April 20, 2016

Suppose, not entirely hypothetically, that you're using Unbound and you have a situation where you want to shim some local information into the normal DNS data (either adding records that don't exist naturally or overriding some that do). You don't want to totally overwrite a zone, just add some things. The good news is that Unbound can actually do this, and in a relatively straightforward way (unlike, say, Bind, where if this is possible at all it's not obvious).

You basically have two options, depending on what you want to do with the names you're overriding. I'll illustrate both of these:

local-zone: example.org typetransparent
local-data: "server.example.org A 8.8.8.8"

Here we have added or overridden an A record for server.example.org. Any other DNS records for server.example.org will be returned as-is, such as MX records.

local-zone: example.com transparent
local-data: "server.example.com A 9.9.9.9"

We've supplied our own A record for server.example.com, but we've also effectively deleted all other DNS records for it. If it has an MX record or a TXT record or what have you, those records will not be visible. For any names in transparent local-data zones, you are in complete control of all records returned; either they're in your local-data stanzas, or they don't exist.

Note that if you just give local-data for something without a local-zone directive, Unbound silently makes it into such a transparent local zone.

Transparent local zones have one gotcha, which I will now illustrate:

local-zone: example.net transparent
local-data: "example.net A 7.7.7.7"

Because this is a transparent zone and we haven't listed any NS records for example.net as part of our local data, people will not be able to look up any names inside the zone even though we don't explicitly block or override them. Of course if we did list some additional names inside example.net as local-data, people would be able to look those up (and only those). This can be a bit puzzling until you work out what's going on.

(Since transparent local zones are the default, note that this also happens if you leave out the local-zone directive or get the zone name wrong by mistake.)

As far as I know, there's no way to use a typetransparent zone but delete certain record types for some names, which you'd use so you can do things like remove all MX entries for some host names. However, Unbound's idea of 'zones' doesn't have to map to actual DNS zones, so you can do this:

local-zone: example.org typetransparent
local-data: "server.example.org A 8.8.8.8"
# but:
local-zone: www.example.org transparent
local-data: "www.example.org A 8.8.8.8"

Claiming www.example.org as a separate transparent local zone lets us delete all records for it except the A record that we supply; this would remove, say, MX entries. Since I just tried this out, note that a transparent local zone with no data naturally doesn't blank out anything, so if you want to totally delete a name's records you need to supply some dummy record (e.g. a TXT record).
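To make the differences above concrete, here is a small Python model of the behaviour this post describes: typetransparent versus transparent zones, the implicit transparent zone for bare local-data, the NS gotcha, and the fact that an empty transparent zone blanks nothing. This is an added example, not Unbound's code; the upstream records, the parser and the resolve() rules are my own constructions that follow the post's description (the NS-records condition in particular is taken from the post's explanation of the gotcha, not from Unbound's source).

```python
from collections import defaultdict

# Constructed stand-in for the "real" DNS: owner name -> rrtype -> rdata list.
UPSTREAM = {
    "server.example.org": {"A": ["192.0.2.10"], "MX": ["10 mail.example.org."]},
    "www.example.org":    {"A": ["192.0.2.11"], "MX": ["10 mail.example.org."]},
    "server.example.com": {"A": ["192.0.2.20"], "MX": ["10 mail.example.com."]},
    "example.net":        {"A": ["192.0.2.30"], "NS": ["ns1.example.net."]},
    "host.example.net":   {"A": ["192.0.2.31"]},
    "host.example.test":  {"A": ["192.0.2.40"]},
}

def _norm(name):
    return name.rstrip(".").lower()

def enclosing_zone(name, zones):
    """Longest local-zone name equal to `name` or a parent of it, else None."""
    labels = name.split(".")
    for i in range(len(labels)):
        cand = ".".join(labels[i:])
        if cand in zones:
            return cand
    return None

def parse_local_config(text):
    """Parse local-zone:/local-data: lines ('#' comments allowed).
    Returns (zones, data): zone name -> type, owner name -> rrtype -> rdata."""
    zones = {}
    data = defaultdict(lambda: defaultdict(list))
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        key, _, rest = line.partition(":")
        rest = rest.strip()
        if key == "local-zone":
            name, ztype = rest.split()
            zones[_norm(name)] = ztype
        elif key == "local-data":
            toks = rest.strip('"').split()      # name [TTL] [IN] TYPE rdata...
            i = 1
            if toks[i].isdigit():
                i += 1
            if toks[i].upper() == "IN":
                i += 1
            data[_norm(toks[0])][toks[i].upper()].append(" ".join(toks[i + 1:]))
    # The post: local-data with no enclosing local-zone silently becomes a
    # transparent local zone. Modelled here as a zone at the owner name.
    for owner in list(data):
        if enclosing_zone(owner, zones) is None:
            zones[owner] = "transparent"
    return zones, data

def _from_upstream(name, rrtype, upstream):
    values = upstream.get(name, {}).get(rrtype, [])
    return ("answer", values) if values else ("nodata", [])

def resolve(name, rrtype, local_cfg, upstream=UPSTREAM):
    """What a client sees for (name, rrtype): ('answer', [rdata...]),
    ('nodata', []) for a name with no such type, or ('unresolvable', [])
    for the transparent-zone gotcha the post describes."""
    zones, data = local_cfg
    name, rrtype = _norm(name), rrtype.upper()
    zone = enclosing_zone(name, zones)
    if zone is None:
        return _from_upstream(name, rrtype, upstream)
    local = data.get(name, {})
    ztype = zones[zone]
    if ztype == "typetransparent":
        # Only the exact (name, type) pairs in local-data are replaced.
        if rrtype in local:
            return "answer", local[rrtype]
        return _from_upstream(name, rrtype, upstream)
    if ztype == "transparent":
        if local:
            # A name with local-data is answered from local-data alone.
            return ("answer", local[rrtype]) if rrtype in local else ("nodata", [])
        if not any(enclosing_zone(o, zones) == zone for o in data):
            # An empty transparent zone blanks nothing: plain pass-through.
            return _from_upstream(name, rrtype, upstream)
        if "NS" in data.get(zone, {}):
            # Assumption from the post's explanation: with the zone's NS records
            # in local-data, other names inside it would resolve normally.
            return _from_upstream(name, rrtype, upstream)
        # The gotcha: local-data in the zone but no NS records, so every other
        # name inside the zone cannot be looked up.
        return "unresolvable", []
    raise ValueError("unsupported local-zone type: " + ztype)

# The post's own stanzas plus one empty zone, as constructed test input.
CONFIG = """
local-zone: example.org typetransparent
local-data: "server.example.org A 8.8.8.8"
# but:
local-zone: www.example.org transparent
local-data: "www.example.org A 8.8.8.8"
local-zone: example.com transparent
local-data: "server.example.com A 9.9.9.9"
local-zone: example.net transparent
local-data: "example.net A 7.7.7.7"
local-zone: example.test transparent   # no local-data: changes nothing
"""

if __name__ == "__main__":
    cfg = parse_local_config(CONFIG)
    for q in [("server.example.org", "MX"), ("www.example.org", "MX"),
              ("server.example.com", "MX"), ("host.example.net", "A")]:
        print(q, resolve(q[0], q[1], cfg))
```

Running it shows server.example.org keeping its upstream MX (typetransparent), www.example.org and server.example.com losing theirs (transparent), and host.example.net becoming unresolvable, while host.example.test under the empty zone still answers from upstream.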

(We've turned out to not need to do this right now, but since I worked out how to do it I want to write it down before I forget.)


Comments on this page:

unlike, say, Bind, where if this is possible at all it's not obvious

Response Policy Zones (RPZ) is bind's way to do this, e.g. http://jpmens.net/2011/04/26/how-to-configure-your-bind-resolvers-to-lie-using-response-policy-zones-rpz/

Written on 20 April 2016.

Last modified: Wed Apr 20 00:30:37 2016