FreeBSD - unbound

a) local_unbound .. the resolver shipped in the FreeBSD base system; it listens on the loopback addresses only and answers only local queries.

b) dns/unbound .. installed from the ports tree; can also be configured to answer queries from other hosts.

a) local_unbound

enable:

# sysrc local_unbound_enable=YES
# local_unbound_enable: NO -> YES

start (the first start generates the configuration under /var/unbound from /etc/resolv.conf and points resolv.conf at the local resolver):

# service local_unbound start
Performing initial setup.
Extracting forwarders from /etc/resolv.conf.
/var/unbound/forward.conf created
/var/unbound/lan-zones.conf created
/var/unbound/control.conf created
/var/unbound/unbound.conf created
original /etc/resolvconf.conf saved as /etc/resolvconf.conf.20180513.142650
original /etc/resolv.conf saved as /etc/resolv.conf.20180513.142650
Starting local_unbound.

test (against the loopback address; an A record for google.com with rcode NOERROR means the forwarders taken from resolv.conf work):

# drill google.com @::1
;; ->>HEADER<<- opcode: QUERY, rcode: NOERROR, id: 58074
;; flags: qr rd ra ; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 0 
;; QUESTION SECTION:
;; google.com.  IN  A

;; ANSWER SECTION:
google.com. 264 IN  A   172.217.23.174

;; AUTHORITY SECTION:

;; ADDITIONAL SECTION:

;; Query time: 14 msec
;; SERVER: ::1
;; WHEN: Sun May 13 14:36:19 2018
;; MSG SIZE  rcvd: 44

b) dns/unbound

install (with portmaster from ports as here; pkg install unbound works as well):

# portmaster dns/unbound

/usr/local/etc/unbound/unbound.conf

cat <<'EOF' > /usr/local/etc/unbound/unbound.conf
server:
      username: unbound
      directory: /usr/local/etc/unbound
      chroot: /usr/local/etc/unbound
      # RFC 5011 trust anchor for DNSSEC validation; the file must exist and
      # be writable by the unbound user (create it once with unbound-anchor
      # if it is missing)
      auto-trust-anchor-file: /usr/local/etc/unbound/root.key
      # listen on all IPv4 addresses, i.e. reachable from outside
      interface: 0.0.0.0
      # by default unbound refuses every client except localhost, so list
      # the hosts that may use this resolver explicitly; never allow
      # 0.0.0.0/0 or ::/0, that would turn this into an open resolver that
      # can be abused for DNS amplification attacks
      # access-control: <IP of the mail server> allow
forward-zone:
      name: .
      # for zen.spamhaus.org, use the resolver of the hosting location as
      # forwarder (while this line stays commented out nothing is forwarded)
      # forward-addr: x.x.x.x
EOF

check the file with unbound-checkconf(8), then enable and start:

# sysrc unbound_enable="YES"

# service unbound start
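The two commented lines above are exactly the ones that decide whether this resolver is useless (nobody but localhost allowed, nothing forwarded) or dangerous (everybody allowed). As an added example, not part of this note and not unbound's own tooling (unbound-checkconf checks syntax, not intent), here is a small Python linter for the clause/key layout used above that flags a public interface without any access-control allow, an allow rule for the whole internet, and a forward-zone without a target. The embedded configurations are constructed copies of the one above; 192.0.2.25 (mail server) and 198.51.100.53 (hosting provider's resolver) are documentation addresses standing in for the real ones.

```python
"""Lint an unbound.conf of the shape used above for the settings that make
an externally reachable resolver dangerous or useless.  Added example for
this note, not unbound's own checker; include: lines are not followed."""
import ipaddress


def parse_unbound_conf(text):
    """Parse the flat 'clause:' / indented 'key: value' layout into a list
    of (clause, [(key, value), ...]) in file order.  Comments and quotes
    are stripped.  Keys never contain ':' so the first colon splits key
    from value, which keeps IPv6 values such as '::1' intact."""
    clauses = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        key, _, value = line.partition(":")
        key, value = key.strip(), value.strip().strip('"')
        if value == "":                      # 'server:' / 'forward-zone:'
            clauses.append((key, []))
        elif not clauses:
            raise ValueError("attribute %r before any clause" % key)
        else:
            clauses[-1][1].append((key, value))
    return clauses


def _is_loopback(iface):
    """interface: values may carry '@port'; non-addresses count as public."""
    addr = iface.split("@", 1)[0]
    try:
        return ipaddress.ip_address(addr).is_loopback
    except ValueError:
        return False


def audit(clauses):
    """Return a list of findings; [] means none of the implemented checks
    fired (it does not mean the configuration is otherwise correct)."""
    findings = []
    for clause, items in clauses:
        if clause == "server":
            public = [v for k, v in items
                      if k == "interface" and not _is_loopback(v)]
            allows = [v for k, v in items
                      if k == "access-control"
                      and v.split()[-1].startswith("allow")]
            if public and not allows:
                findings.append(
                    "interface %s is reachable from outside but no "
                    "access-control ... allow exists: unbound refuses every "
                    "client except localhost" % ", ".join(public))
            for rule in allows:
                net = ipaddress.ip_network(rule.split()[0], strict=False)
                if net.prefixlen == 0:
                    findings.append("open resolver: access-control %s "
                                    "answers the whole internet" % rule)
        elif clause == "forward-zone":
            name = next((v for k, v in items if k == "name"), "?")
            targets = [v for k, v in items
                       if k in ("forward-addr", "forward-host")]
            if not targets:
                findings.append("forward-zone %r has neither forward-addr "
                                "nor forward-host: nothing is forwarded"
                                % name)
    return findings


# Constructed copy of the configuration above with both lines still
# commented out.
AS_WRITTEN = """\
server:
      username: unbound
      directory: /usr/local/etc/unbound
      chroot: /usr/local/etc/unbound
      auto-trust-anchor-file: /usr/local/etc/unbound/root.key
      interface: 0.0.0.0
      # access-control: <IP of the mail server> allow
forward-zone:
      name: .
      # forward-addr: x.x.x.x
"""

# The same file with the two lines filled in (documentation addresses).
FIXED = (AS_WRITTEN
         .replace("# access-control: <IP of the mail server> allow",
                  "access-control: 192.0.2.25/32 allow")
         .replace("# forward-addr: x.x.x.x",
                  "forward-addr: 198.51.100.53"))

# The tempting but wrong fix: allow everybody.
OPEN = FIXED.replace("192.0.2.25/32 allow", "0.0.0.0/0 allow")

if __name__ == "__main__":
    for label, text in (("as written", AS_WRITTEN), ("fixed", FIXED),
                        ("open", OPEN)):
        print(label + ":", audit(parse_unbound_conf(text)) or ["ok"])
```

Run it as a script to see the three verdicts; in practice feed it the real file and run it before unbound-checkconf, since a file that passes both is what you want.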

test (on the resolver host itself; the three answers are the test entry's listings in SBL, XBL and PBL, a clean address returns NXDOMAIN):

# drill 2.0.0.127.zen.spamhaus.org
;; ->>HEADER<<- opcode: QUERY, rcode: NOERROR, id: 62964
;; flags: qr rd ra ; QUERY: 1, ANSWER: 3, AUTHORITY: 0, ADDITIONAL: 0 
;; QUESTION SECTION:
;; 2.0.0.127.zen.spamhaus.org.  IN  A

;; ANSWER SECTION:
2.0.0.127.zen.spamhaus.org. 19  IN  A   127.0.0.4
2.0.0.127.zen.spamhaus.org. 19  IN  A   127.0.0.2
2.0.0.127.zen.spamhaus.org. 19  IN  A   127.0.0.10

;; AUTHORITY SECTION:

;; ADDITIONAL SECTION:

;; Query time: 2 msec
;; SERVER: 127.0.0.1
;; WHEN: ...
;; MSG SIZE  rcvd: 92

RBL lookups fail: what to do

The problem shows up in the maillog:

.. mail postfix/smtpd[4387]: warning: x.xxx.xxx.xxx.zen.spamhaus.org: RBL lookup error: Host or domain name not found. Name service error for name=x.xxx.xxx.xxx.zen.spamhaus.org type=A: Host not found, try again

Spamhaus is not answering queries that reach it from this IP address, i.e. the address the mail server's lookups leave from (the resolver that local_unbound took over from resolv.conf). Postfix only gets a temporary error ("try again") and skips the check, so the list is silently not applied. If the mail server is to stay where it is, an external DNS resolver under your own control helps (see b). If local_unbound is running on the mail server, editing /etc/resolv.conf is pointless because local_unbound regenerates it; instead, drop a more specific forward-zone into /var/unbound/conf.d, which local_unbound's unbound.conf includes and which takes precedence over the "." forward-zone in /var/unbound/forward.conf:

cat <<'EOF' > /var/unbound/conf.d/spamhaus.conf
forward-zone:
    name: "spamhaus.org"
    # the IP of your own external unbound server from b); its access-control
    # must allow this mail server's address
    forward-addr: x.x.x.x
EOF

afterwards reload local_unbound (service local_unbound reload) and repeat the drill test for 2.0.0.127.zen.spamhaus.org from the mail server.
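To tell a broken lookup path apart from a clean answer the way the MTA sees it, here is an added Python example (not part of this note, not Postfix or Spamhaus code): it builds the reversed-octet query name, decodes the ZEN return codes (the test entry above came back with .2, .4 and .10, one from each sub-list), and treats both a temporary resolver failure and an answer from Spamhaus's error range 127.255.255.0/24 (for example 127.255.255.254, a query that arrived via a public resolver Spamhaus does not serve) as "lookup error" rather than "not listed". The resolver is injected so the code runs offline against constructed answers; 192.0.2.10 and 203.0.113.9 are documentation addresses.

```python
"""Build and interpret zen.spamhaus.org lookups so that a failing lookup can
be told apart from a clean result.  Added example for this note; the
resolver function is injected, a real run would plug in dnspython or
parse drill output instead of the constructed table below."""
import ipaddress

ZEN_ZONE = "zen.spamhaus.org"

# Return codes of the combined ZEN list.
ZEN_CODES = {
    "127.0.0.2": "SBL",
    "127.0.0.3": "SBL CSS",
    "127.0.0.4": "XBL", "127.0.0.5": "XBL",
    "127.0.0.6": "XBL", "127.0.0.7": "XBL",
    "127.0.0.10": "PBL", "127.0.0.11": "PBL",
}
# Spamhaus answers from this range signal an error with the query itself,
# e.g. 127.255.255.254 for queries via a public resolver; not a listing.
ERROR_NET = ipaddress.ip_network("127.255.255.0/24")


def rbl_name(ip, zone=ZEN_ZONE):
    """'127.0.0.2' -> '2.0.0.127.zen.spamhaus.org' (octets reversed)."""
    addr = ipaddress.ip_address(ip)
    if addr.version != 4:
        raise ValueError("ZEN lists IPv4 addresses only")
    return ".".join(reversed(str(addr).split("."))) + "." + zone


class TempFail(Exception):
    """Resolver returned SERVFAIL or timed out; Postfix logs this as
    'Host not found, try again' and skips the RBL check."""


def classify(ip, resolve, zone=ZEN_ZONE):
    """resolve(name) returns a list of A record strings, [] for NXDOMAIN,
    or raises TempFail.  Returns (verdict, detail) with verdict one of
    'listed', 'clean', 'error'."""
    name = rbl_name(ip, zone)
    try:
        answers = resolve(name)
    except TempFail as exc:
        return ("error", "%s: temporary failure (%s), resolver problem, "
                         "list not applied" % (name, exc))
    if not answers:
        return ("clean", "%s: NXDOMAIN, not listed" % name)
    lists = set()
    for answer in answers:
        if ipaddress.ip_address(answer) in ERROR_NET:
            return ("error", "%s: Spamhaus error code %s, fix the resolver "
                             "path" % (name, answer))
        lists.add(ZEN_CODES.get(answer, "unknown code %s" % answer))
    return ("listed", "%s: listed in %s" % (name, ", ".join(sorted(lists))))


# Constructed answers: the test record from the drill output above, a
# clean address, an error answer; every other name fails temporarily.
CONSTRUCTED = {
    "2.0.0.127.zen.spamhaus.org": ["127.0.0.4", "127.0.0.2", "127.0.0.10"],
    "1.0.0.127.zen.spamhaus.org": [],
    "10.2.0.192.zen.spamhaus.org": ["127.255.255.254"],
}


def constructed_resolver(name):
    """Stand-in for a real resolver, serving only the table above."""
    if name not in CONSTRUCTED:
        raise TempFail("SERVFAIL")
    return CONSTRUCTED[name]


if __name__ == "__main__":
    for ip in ("127.0.0.2", "127.0.0.1", "192.0.2.10", "203.0.113.9"):
        verdict, detail = classify(ip, constructed_resolver)
        print("%-12s %-7s %s" % (ip, verdict, detail))
```

The point of the three-way verdict is the second "error" case: an MTA that only distinguishes "answer" from "no answer" silently loses the blocklist when the resolver path is wrong, which is exactly what the maillog line above shows.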