Netgate Discussion Forum
    Basic question about using Unbound to always_nxdomain

    • swills1

      Hello,

      This is a very basic question, I know.

      I have Unbound on a VM and a stub zone pointed at a BIND Authoritative server. Since the Unbound host is a Linux VM (Fedora Server) - I have the freedom to do certain things. One thing I have done is create a zone file to block specific DNS hosts on my network. My zone file kind of looks like;

      server:
          local-zone: "zyrtec.1.p2l.info" always_nxdomain

      I also have Unbound on my PFSense appliance set up with a Domain Override which is also pointed at my BIND server for my local "domain". It works great. (Tested by spinning up a VM and pointing the DNS at the PFSense appliance in systemd-networkd.)

      My questions are;

      1. How can I do the equivalent of local-zone: "zyrtec.1.p2l.info" always_nxdomain in pfsense?
      2. Does pfsense create a zone file for these entries, and if so - where is it? I have written a Python library that automates creating that zone file.

      Thank you.

      • SteveITS (Rebel Alliance) @swills1

        @swills1 if you click the Display Custom Options button you can paste that right in the field. :)

        Don’t know about the details; never looked. It gets written into the config file and anything else will likely get overwritten anyway.

        Only install packages for your version, or risk breaking it. Select your branch in System/Update/Update Settings.
        When upgrading, allow 10-15 minutes to reboot, or more depending on packages, and device or disk speed.
        Upvote 👍 helpful posts!

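An added example, not code from the thread: it does the job the original poster's Python library is described as doing, turning a blocklist into the always_nxdomain fragment that can be pasted into the Display Custom Options field, and adds a check that mirrors how a local-zone covers every name beneath it. The entries in BLOCKLIST are constructed sample values.

```python
import re

# One DNS label, RFC 1123 style: alphanumerics and hyphens, no leading or
# trailing hyphen, at most 63 characters. Rejecting junk here keeps a bad
# list from turning into a config that unbound refuses to load.
_LABEL = re.compile(r"^(?!-)[A-Za-z0-9-]{1,63}(?<!-)$")


def normalize(name: str) -> str:
    """Lower-case, drop surrounding whitespace and any trailing dot."""
    return name.strip().rstrip(".").lower()


def is_valid_hostname(name: str) -> bool:
    name = normalize(name)
    if not name or len(name) > 253:
        return False
    return all(_LABEL.match(label) for label in name.split("."))


def build_local_zones(names, zone_type="always_nxdomain") -> str:
    """Return an unbound 'server:' fragment with one local-zone per name.

    Duplicates (after normalisation) are dropped; an invalid name raises
    instead of silently producing a broken fragment.
    """
    seen = []
    for raw in names:
        name = normalize(raw)
        if not is_valid_hostname(name):
            raise ValueError(f"invalid hostname: {raw!r}")
        if name not in seen:
            seen.append(name)
    lines = ["server:"]
    lines += [f'    local-zone: "{name}" {zone_type}' for name in seen]
    return "\n".join(lines) + "\n"


def is_blocked(query: str, blocked_zones) -> bool:
    """A local-zone covers the zone apex and every name below it, so with
    only always_nxdomain zones any enclosing zone is enough to block."""
    q = normalize(query)
    return any(q == z or q.endswith("." + z)
               for z in map(normalize, blocked_zones))


if __name__ == "__main__":
    BLOCKLIST = ["zyrtec.1.p2l.info", "Ads.Example.net."]  # constructed sample
    print(build_local_zones(BLOCKLIST), end="")
```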
        • swills1 @SteveITS

          @steveits where is the config?

          Thanks!

          • SteveITS (Rebel Alliance) @swills1

            @swills1 here:
            [screenshot attachment]


            • swills1 @SteveITS

              @steveits Thanks. I meant where is the file in the file system. You've given me enough to go on though. Thanks again.

              • Gertjan @swills1

                @swills1

                unbound doesn't have zone files like 'bind' has.
                It's (only) a resolver, not really an authoritative DNS server.
                Just one config file: /var/unbound/unbound.conf, although this file can pull in other files.

                No "help me" PM's please. Use the forum, the community will thank you.
                Edit : and where are the logs ??

                • swills1 @Gertjan

                  @gertjan I'm talking about config files.

                  I mentioned BIND above and stub zones. I think context lets you know I know what an Authoritative server is. I also talk about using Unbound and BIND in conjunction, indicating I know they each serve a different purpose. Otherwise, why would I have both? :) Also, talking about nxdomain typically lets you know a person knows what recursive DNS is.

                  I Googled where the config was earlier for pfsense. When installing Unbound on an actual full OS - you get a directory and the config looks for *.conf in that directory.

                  My overall issue was just needing to know where the config was in regard to pfsense because I knew it wasn't going to be /etc/unbound. And knowing how pfsense handled config entries out of the box. Whether it used a separate config, the main config, or something else.

                  Thanks for the reply. Appreciate your time.

                  Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.