Networking - DNS - Unbound - Local Zones

A number of locally served zones can be configured:

local-zone: <zone> <type>
local-data: "<resource record string>"

NOTE: The local-zone type can be:

  • deny serves local data (if any), otherwise drops the query without any reply.
  • refuse serves local data (if any), otherwise replies with a REFUSED error.
  • static serves local data, otherwise answers NXDOMAIN (name not present) or NODATA (name present, but not for that type).
  • transparent serves local data, but resolves other names in the zone normally.
  • redirect serves the data at the zone apex for any name under the zone.
  • nodefault removes one of Unbound's built-in default zones (for example an AS112 reverse zone) so that those names resolve normally.
  • typetransparent serves local data, but resolves other types and other names normally.
  • inform acts like transparent, but logs the client IP address.
  • inform_deny drops queries and logs the client IP address.
  • inform_redirect redirects queries and logs the client IP address.
  • always_transparent resolves normally and ignores any local data for that name.
  • always_refuse replies REFUSED and ignores any local data for that name.
  • always_nxdomain replies NXDOMAIN and ignores any local data for that name.
  • noview breaks out of the current view and falls through to the global local-zones.

NOTE: If you configure local-data without a matching local-zone, Unbound creates a transparent local-zone for that name. If the name already falls inside an existing local zone (including Unbound's built-in default zones), the data is added to that zone instead.


Example

Suppose you have a printer in your LAN.

You can reach that printer by its IP address, for example 192.168.1.100.

However, wouldn't you rather give a human readable name to that printer?

NOTE: Unbound is a resolver, not an authoritative server, so it cannot serve a full zone with all its bells and whistles directly.

However, its local zones are enough to manage the names of a small home LAN.

/etc/unbound/unbound.conf.d/local_names.conf
# The server: clause is required when this file is pulled in with include-toplevel.
server:
    private-address: 192.168.1.0/24
    local-zone: "sharewiz.net." static
    local-data: "gateway.sharewiz.net. IN A 192.168.1.1"
    local-data: "server1.sharewiz.net. IN A 192.168.1.2"
    local-data: "computer.sharewiz.net. IN A 192.168.1.69"
    local-data: "printer.sharewiz.net. IN A 192.168.1.100"
    local-data-ptr: "192.168.1.1 gateway.sharewiz.net"
    local-data-ptr: "192.168.1.2 server1.sharewiz.net"
    local-data-ptr: "192.168.1.69 computer.sharewiz.net"
    local-data-ptr: "192.168.1.100 printer.sharewiz.net"

NOTE: This assumes that the LAN is using 192.168.1.0/24 as the network.

The private-address directive tells Unbound to strip any address in that range from answers received from upstream servers, so a public name under an attacker's control cannot be made to resolve to a host on your LAN. This mitigates DNS rebinding attacks. List every range your LAN actually uses (the other RFC 1918 blocks and the IPv6 ULA and link-local prefixes if you use them), and if a public domain legitimately resolves to LAN addresses, exempt it with private-domain, otherwise those answers are stripped as well. Answers served from local-data are not affected, because they never come from upstream.

The local-zone directive declares every name under sharewiz.net as local. The static type means that only the entries in the configuration file are served: each local-data line maps a name to an address, so 192.168.1.100 is reachable as printer.sharewiz.net. A query for a name in sharewiz.net that is not listed is answered with NXDOMAIN, and a query for a listed name but a type that has no entry (for example AAAA for printer.sharewiz.net) is answered with an empty NOERROR reply (NODATA); nothing under sharewiz.net is ever looked up on the Internet, which also hides any public records for that domain. Alternatively, transparent could be used instead of static. A transparent local zone serves the configured entries and resolves any other name in the zone normally, by recursion or forwarding. Note that with transparent, an upstream answer for a sharewiz.net name that contains a LAN address is stripped by private-address unless the domain is also listed with private-domain: "sharewiz.net".

The local-data-ptr entries are optional and provide reverse DNS. A reverse lookup is the opposite of a forward lookup: it asks “What is the name of the host with the address 192.168.1.100?” and is answered from the PTR record at 100.1.168.192.in-addr.arpa. Unbound already has a built-in static local zone for 168.192.in-addr.arpa (and for the other private ranges), so these PTR entries are added to that zone, and reverse queries for addresses you have not listed are answered NXDOMAIN locally instead of leaking to the Internet.
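The following is an added example, not code from this page or from the Unbound project: a small Python model of the local-zone types listed at the top of the page and of the local_names.conf above, covering the static/transparent distinction (NXDOMAIN versus NODATA versus fall-through), redirect, deny, the inform* logging, the implicit transparent zone created by bare local-data, the PTR entries landing in Unbound's built-in static 168.192.in-addr.arpa zone, and the private-address scrub with its private-domain exemption. Assumptions, also marked in the code: the UPSTREAM table is a constructed stand-in for the Internet, page_config() reproduces only the printer entries of the configuration above, and an upstream answer that private-address strips empty is reported as NODATA.

```python
import ipaddress
import shlex

NXDOMAIN, NODATA, REFUSED, DROP = "NXDOMAIN", "NODATA", "REFUSED", "DROP"
ALWAYS = {"always_nxdomain": NXDOMAIN, "always_refuse": REFUSED}     # answer without looking at data
NO_MATCH = {"deny": DROP, "inform_deny": DROP, "refuse": REFUSED,     # answer when the zone has no
            "redirect": NODATA, "inform_redirect": NODATA}            # local data for name and type
# Built-in default that matters here: Unbound ships the AS112 reverse zone for
# 192.168.0.0/16 as a static local zone (removable with the nodefault type).
DEFAULT_ZONES = {"168.192.in-addr.arpa.": "static"}
UPSTREAM = {  # constructed stand-in for the Internet: (qname, qtype) -> A records
    ("www.example.com.", "A"): ["203.0.113.10"],
    ("rebind.attacker.example.", "A"): ["192.168.1.1"],   # public name, LAN address
    ("scanner.sharewiz.net.", "A"): ["192.168.1.200"],    # only reached if the zone is transparent
}

def page_config(zone_type="static", extra=""):
    # The page's local_names.conf, printer entries only, plus optional extra lines.
    return f'''private-address: 192.168.1.0/24
local-zone: "sharewiz.net." {zone_type}
local-data: "printer.sharewiz.net. IN A 192.168.1.100"
local-data-ptr: "192.168.1.100 printer.sharewiz.net"
{extra}'''

def fqdn(name):
    name = name.lower()
    return name if name.endswith(".") else name + "."

def enclosing_zone(zones, qname):  # longest matching suffix that is a local zone, or (None, None)
    labels = qname.split(".")                     # trailing "." leaves a final empty label: the root
    for i in range(len(labels)):
        candidate = ".".join(labels[i:]) or "."
        if candidate in zones:
            return candidate, zones[candidate]
    return None, None

def parse_rr(key, text):
    parts = text.split()
    if key == "local-data-ptr":                   # "IP name" -> PTR record under in-addr.arpa
        return fqdn(ipaddress.ip_address(parts[0]).reverse_pointer), "PTR", fqdn(parts[1])
    rest = [p for p in parts[1:] if p.upper() != "IN" and not p.isdigit()]   # drop class and TTL
    return fqdn(parts[0]), rest[0].upper(), " ".join(rest[1:])

class LocalResolver:
    def __init__(self, config_text, upstream):
        self.zones, self.data, self.upstream = dict(DEFAULT_ZONES), {}, upstream  # data: owner -> {type: [rdata]}
        self.private_nets, self.private_domains, self.log, pending = [], [], [], []
        for line in config_text.splitlines():
            key, _, value = line.split("#", 1)[0].strip().partition(":")
            tokens = shlex.split(value)
            if key == "local-zone":
                self.zones[fqdn(tokens[0])] = tokens[1]
            elif key == "private-address":
                self.private_nets.append(ipaddress.ip_network(tokens[0]))
            elif key == "private-domain":
                self.private_domains.append(fqdn(tokens[0]))
            elif key in ("local-data", "local-data-ptr"):
                pending.append((key, tokens[0]))
        self.zones = {z: t for z, t in self.zones.items() if t != "nodefault"}  # nodefault drops a built-in zone
        for key, text in pending:                 # data is entered after all zones, whatever the file order
            self.add_rr(*parse_rr(key, text))

    def add_rr(self, owner, rrtype, rdata):
        if enclosing_zone(self.zones, owner)[0] is None:
            self.zones[owner] = "transparent"               # implicit zone, as the NOTE above says
        self.data.setdefault(owner, {}).setdefault(rrtype, []).append(rdata)

    def resolve(self, qname, qtype, client="192.168.1.50"):
        qname, qtype = fqdn(qname), qtype.upper()
        zone, ztype = enclosing_zone(self.zones, qname)
        if zone is None or ztype == "always_transparent":
            return self.forward(qname, qtype)               # no local zone, or told to ignore it
        if ztype.startswith("inform"):
            self.log.append((client, qname))                # inform* types log the client
        if ztype in ALWAYS:
            return ALWAYS[ztype]
        # redirect answers every name in the zone with the data held at the zone apex
        owner = zone if ztype in ("redirect", "inform_redirect") else qname
        rrsets = self.data.get(owner)
        if rrsets and qtype in rrsets:
            return list(rrsets[qtype])
        if ztype in NO_MATCH:
            return NO_MATCH[ztype]
        if ztype == "static":
            return NODATA if rrsets else NXDOMAIN           # name exists vs. name absent
        if ztype in ("transparent", "inform") and rrsets:
            return NODATA                                   # name exists locally, this type does not
        return self.forward(qname, qtype)                   # transparent/typetransparent fall through

    def forward(self, qname, qtype):  # upstream lookup plus the private-address scrub
        answer = self.upstream.get((qname, qtype))
        if answer is None:
            return NXDOMAIN
        exempt = any(qname == d or qname.endswith("." + d) for d in self.private_domains)
        if qtype == "A" and not exempt:
            answer = [a for a in answer
                      if not any(ipaddress.ip_address(a) in n for n in self.private_nets)]
        return answer or NODATA                             # scrubbed to nothing: modelled as NODATA
```

Usage: LocalResolver(page_config(), UPSTREAM).resolve("scanner.sharewiz.net", "A") returns NXDOMAIN for the static zone, while LocalResolver(page_config("transparent"), UPSTREAM) forwards that name, receives the constructed LAN address 192.168.1.200 and then strips it because of private-address; only page_config("transparent", 'private-domain: "sharewiz.net"') lets the upstream LAN address through. The PTR lookups show the built-in static reverse zone answering listed addresses and returning NXDOMAIN for the rest.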