Netgate Discussion Forum

    Basic question about using Unbound to always_nxdomain

      swills1

      Hello,

      This is a very basic question, I know.

      I have Unbound on a VM and a stub zone pointed at a BIND Authoritative server. Since the Unbound host is a Linux VM (Fedora Server), I have the freedom to do certain things. One thing I have done is create a zone file to block specific DNS hosts on my network. My zone file kind of looks like:

      server:
      local-zone: "zyrtec.1.p2l.info" always_nxdomain
      

      I also have Unbound on my PFSense appliance set with a Domain Override which is also pointed at my BIND server for my local "domain". It works great. (Tested by spinning up a VM and pointing the DNS at the PFSense appliance in systemd-networkd.)

      My questions are:

      1. How can I do the equivalent of local-zone: "zyrtec.1.p2l.info" always_nxdomain in pfsense?
      2. Does pfsense create a zone file for these entries, and if so - where is it? I have written a Python library that automates creating that zone file.

      Thank you.

        SteveITS Galactic Empire @swills1

        @swills1 if you click the Display Custom Options button you can paste that right in the field. :)

        Don’t know about the details; never looked. It gets written into the config file and anything else will likely get overwritten anyway.

        Pre-2.7.2/23.09: Only install packages for your version, or risk breaking it. Select your branch in System/Update/Update Settings.
        When upgrading, allow 10-15 minutes to restart, or more depending on packages and device speed.
        Upvote 👍 helpful posts!

          swills1 @SteveITS

          @steveits where is the config?

          Thanks!

            SteveITS Galactic Empire @swills1

            @swills1 here:
            0605639e-8258-4d11-bb35-1349c16ea8e6-image.png

              swills1 @SteveITS

              @steveits Thanks. I meant where is the file in the file system. You've given me enough to go on though. Thanks again.

                Gertjan @swills1

                @swills1

                unbound doesn't have zone files like 'bind' has.
                It's (only) a resolver, not really an authoritative DNS server.
                Just one config file: /var/unbound/unbound.conf, although this file can pull in other files.

                No "help me" PM's please. Use the forum, the community will thank you.
                Edit : and where are the logs ??

                  swills1 @Gertjan

                  @gertjan I'm talking about config files.

                  I mentioned BIND above and stub zones. I think context lets you know I know what an Authoritative server is. I also talk about using Unbound and BIND in conjunction. Indicating I know they each serve a different purpose. Otherwise, why would I have both? :) Also, talking about nxdomain typically lets you know a person knows what recursive DNS is.

                  I Googled where the config was earlier for pfsense. When installing Unbound on an actual full OS - you get a directory and the config looks for *.conf in that directory.

                  My overall issue was just needing to know where the config was in regard to pfsense because I knew it wasn't going to be /etc/unbound. And knowing how pfsense handled config entries out of the box. Whether it used a separate config, the main config, or something else.

                  Thanks for the reply. Appreciate your time.

                  1 Reply Last reply Reply Quote 0
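
Added example, not part of any post in this thread and not swills1's library: a Python sketch that renders a list of hostnames into the `server:` / `local-zone: "..." always_nxdomain` form shown in the first post, for pasting into Custom Options or into a file the main config pulls in. It rejects entries containing quotes, whitespace or newlines so a malformed blocklist line cannot add directives to the Unbound config. The function names and the sample list are assumptions made for illustration.

```python
import re

# One DNS label: letters, digits, hyphen, underscore; no leading/trailing hyphen.
# fullmatch() is used below so a trailing newline cannot slip past the pattern.
_LABEL = re.compile(r"(?!-)[a-z0-9_-]{1,63}(?<!-)")


def normalize(name: str) -> str:
    """Return the lower-cased name without its trailing dot, or raise ValueError."""
    host = name.strip().lower().rstrip(".")
    if not host or len(host) > 253:
        raise ValueError(f"bad length: {name!r}")
    for label in host.split("."):
        if not _LABEL.fullmatch(label):
            raise ValueError(f"bad label in {name!r}")
    return host


def render_blocklist(names):
    """Build Unbound config text with one always_nxdomain local-zone per name.

    Returns (config_text, rejected_entries). Duplicates are emitted once.
    """
    seen, rejected, lines = set(), [], ["server:"]
    for raw in names:
        try:
            host = normalize(raw)
        except ValueError:
            rejected.append(raw)
            continue
        if host not in seen:
            seen.add(host)
            lines.append(f'local-zone: "{host}" always_nxdomain')
    return "\n".join(lines) + "\n", rejected


# Constructed sample input; only the first name comes from the thread.
SAMPLE = [
    "zyrtec.1.p2l.info",
    "Zyrtec.1.P2L.info.",                        # duplicate after normalising
    'ads.example" always_transparent\nfoo: "x',  # malformed: quote and newline
    "-bad.example",                              # malformed: leading hyphen
    "tracker.example.net",
]

if __name__ == "__main__":
    text, rejected = render_blocklist(SAMPLE)
    print(text, end="")
    print(f"# rejected {len(rejected)} entries")
```

Running `unbound-checkconf` against the resulting config before reloading catches anything the generator did not anticipate.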
                  Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.