Solved Unbound for entire LAN?

Greetings all,

I have the following network configuration: Internet -> firewall/router -> switch -> several computers on the same sub-net. I have successfully configured dns/unbound on one of the computers.

I have reviewed the unbound(8) manual page, but cannot discern whether it is possible to configure the other computers to use dns/unbound. I am also probably not using the correct keywords, because a search is not answering my question.

Any help would be appreciated.

Kindest regards,

M
 
Well, just check nsd(8) which is mentioned in the manual pages you already found. You'll notice that you can configure it to bind to all network interfaces instead of only the local ones, which implies that remote clients should be able to use it as well.

Of course it's even easier according to unbound.conf(5); notice how it mentions that you can make Unbound answer queries for your local subnet? That also answers it.
 
Hi ShellLuser,

thank you for your help. Let me make sure that I understand it.

Let us say that my LAN is on the 172.16.0.X sub-net. I use one of the sub-net addresses in the unbound.conf(8), e.g.,
Code:
interface: 172.16.0.24
and enter the interface address into the /etc/resolve for each of the computers.

If that is correct, I am still unsure about the purpose of the access-control directive. As I read it, the directive is used to affect, e.g., allow, deny, etc., a block of addresses. But it would appear that if the computers with the addresses within the block of addresses do not have the interface address in the /etc/resolve, the computers cannot connect anyways.

Or am I reading it incorrectly and in addition to specifying the interface, I also have to allow the computers to use the interface?

Kindest regards,

M
 
The interface keyword only binds unbound to that particular IP address on that particular server (assuming that that IP address is actually present on that server ..). It doesn't control access to that unbound process, it just determines 'where it lives and listens'. To actually make unbound work as a resolver for other machines, the network of those other machines must be 'allowed' to not only connect to the machine where unbound lives and listens (i.e. 172.16.0.24) but also to actually query the unbound process on that server. So adding
Code:
access-control: 172.16.0.0/24 allow
to unbound.conf should make that work. Assuming that connectivity between the hosts is allowed and assuming that the server that runs unbound actually has Internet access to act as a resolver, i.e. is not impeded by firewalls or filters, placing unbound's server IP address in the other hosts' /etc/resolv.conf (with the correct syntax) should give you a working central resolver.
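As an added example (not from the thread and not Unbound's own code), this Python script applies the access-control semantics described above to a constructed unbound.conf: the most specific matching netblock decides, clients matching no entry are refused, and an allow rule covering public address space on a non-loopback listener is flagged, because that combination turns a LAN resolver into an open resolver reachable from the Internet. The sample config, the blocked host 172.16.0.66 and the TRUSTED ranges are assumptions made for the demonstration.

```python
"""Check which clients an unbound.conf will answer, applying unbound's
access-control rule: the most specific matching netblock wins, unmatched
addresses are refused. The config below is constructed for this example."""
import ipaddress
import re

# Private and loopback ranges assumed safe to serve from a LAN resolver.
TRUSTED = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8",
    "::1/128", "fc00::/7", "fe80::/10")]

# Constructed server: section following the thread's 172.16.0.24 example.
SAMPLE_CONF = """\
server:
    interface: 127.0.0.1
    interface: 172.16.0.24
    access-control: 127.0.0.0/8 allow
    access-control: 172.16.0.0/24 allow
    access-control: 172.16.0.66/32 refuse   # one LAN host explicitly blocked
"""

def parse_conf(text):
    """Return (listen_addresses, [(network, action), ...]) from unbound.conf text."""
    interfaces, rules = [], []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop trailing comments
        m = re.match(r"^(interface|access-control):\s*(\S+)(?:\s+(\S+))?", line)
        if not m:
            continue
        key, value, action = m.groups()
        if key == "interface":
            interfaces.append(ipaddress.ip_address(value.split("@")[0]))  # strip @port
        else:
            rules.append((ipaddress.ip_network(value, strict=False), action))
    return interfaces, rules

def decide(rules, client):
    """Action unbound applies to a client: longest matching prefix wins, else refuse."""
    addr = ipaddress.ip_address(client)
    matches = [(net.prefixlen, action) for net, action in rules
               if net.version == addr.version and addr in net]
    return max(matches)[1] if matches else "refuse"

def open_resolver_risk(interfaces, rules):
    """Allow rules that cover non-private space while unbound also listens on a
    non-loopback address (0.0.0.0 counts): the open-resolver combination."""
    if all(i.is_loopback for i in interfaces):
        return []
    return [f"access-control: {net} {action}" for net, action in rules
            if action.startswith("allow")
            and not any(net.version == t.version and net.subnet_of(t) for t in TRUSTED)]
```

Running `decide` on the sample rules answers "allow" for 172.16.0.50, "refuse" for 172.16.0.66 (the /32 beats the /24) and "refuse" for a 192.168.1.5 host that matches nothing; `open_resolver_risk` returns an empty list for this config but would name `access-control: 0.0.0.0/0 allow` on a `0.0.0.0` listener.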
 
If that is correct, I am still unsure about the purpose of the access-control directive. As I read it, the directive is used to affect, e.g., allow, deny, etc., a block of addresses. But it would appear that if the computers with the addresses within the block of addresses do not have the interface address in the /etc/resolve, the computers cannot connect anyways.
One is a server setting, the other a client setting. If you don't configure a client to use your DNS service how is the client supposed to find it?
 
Hi DutchDaemon,

thank you for the clear explanation; so my latter understanding was correct.

Hi SirDice,

in view of DutchDaemon's explanation, there are two concepts here: one is to enable the clients to find the server, which is accomplished by a correct entry in the /etc/resolve; the other is the server's permission for the clients to access the server, which is accomplished by the access-control directive.

At least this is my current understanding.

Kindest regards,
M
 