
[FR] negative local-data

Open · hadmut opened this issue 2 months ago · 1 comment

Dear good fairy,

if I had a free wish, I'd ask for negative local-data entries, allowing me to configure negative DNS replies (overriding other domains).

Given problem and example:

I have some double-sided servers with two network interfaces each: one for the open internet, with IPv4 and IPv6, and one for the LAN with IPv4 only. And a domain, let's call it example.com.

Since the servers give more access rights when accessed on the inner (LAN) interface, I'd like to do something like

local-zone: "example.com" typetransparent
local-data: "example.com. A 10.1.2.3"
local-data: "www.example.com. A 10.1.2.3"

but not a transparent one, since this would cover other entries like TXT, MX, CAA, HTTPS.

Problem:

When users from inside the LAN access the machine, they do get the A record with 10.1.2.3, but still the original AAAA for the outer IPv6 address.

So I'd need a method to override the AAAA with a negative "not found", but still let other records through.

Regards,

hadmut · Oct 16 '25 13:10

For AAAA you are lucky. You can use:

server:
    module-config: "respip validator iterator"
    response-ip: ::/0 redirect

This will remove AAAA records from replies to clients.

gthess · Oct 17 '25 09:10
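Putting the two posts together, as an added example that is not part of the issue or of Unbound's own documentation: a shell script that writes the typetransparent local-data from the request plus the response-ip rule from the reply into one unbound.conf, runs unbound-checkconf over it when that tool is installed, and lists which record types the local-data entries actually override. The zone name and addresses are the ones from the issue; the output path and the helper function names are assumptions.

```shell
#!/bin/sh
# Added example, not from the issue or the Unbound project: assemble the
# split-horizon configuration from the two posts into one file and, when
# unbound-checkconf is installed, have it validate the syntax.
# Zone name and addresses are the issue's own; the output path is an assumption.

write_split_horizon_conf() {
    out="$1"
    cat > "$out" <<'EOF'
server:
    # respip must come first so the response-ip rule is applied to every answer
    module-config: "respip validator iterator"

    # typetransparent: only the types given in local-data (here A) are answered
    # locally; TXT, MX, CAA, HTTPS and everything else still go upstream
    local-zone: "example.com" typetransparent
    local-data: "example.com. A 10.1.2.3"
    local-data: "www.example.com. A 10.1.2.3"

    # strip AAAA records from replies; ::/0 matches every IPv6 answer address,
    # for every name and every client, not only example.com or the LAN
    response-ip: ::/0 redirect
EOF
}

# Returns 0 if unbound-checkconf accepts the file. When the tool is not
# installed the check is reported as skipped and 0 is returned as well.
check_conf() {
    conf="$1"
    if command -v unbound-checkconf >/dev/null 2>&1; then
        unbound-checkconf "$conf"
    else
        echo "unbound-checkconf not installed; skipped syntax check of $conf" >&2
        return 0
    fi
}

# Lists the record types that the local-data entries override, so it is easy
# to confirm that only A is answered locally and the rest passes through.
local_data_types() {
    sed -n 's/^ *local-data: "[^ ]* \([A-Z]*\) .*/\1/p' "$1" | sort -u
}

conf="${TMPDIR:-/tmp}/unbound-split-horizon.conf"
write_split_horizon_conf "$conf"
check_conf "$conf"
echo "locally overridden types: $(local_data_types "$conf" | tr '\n' ' ')"
```

Two consequences of the combined config are worth keeping in mind: `response-ip: ::/0 redirect` lives in the `server:` clause and matches on the answer address, so every client, LAN or internet-facing, loses AAAA records for every name, not only example.com; and because the zone is typetransparent, any type without a local-data entry (TXT, MX, CAA, HTTPS) still comes from the upstream answer, which is exactly what the request asked for.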