Need a way to attempt forward lookup if recursive lookup fails #51

Open
offsides opened this issue Jul 29, 2019 · 1 comment

Comments

@offsides

I need a way to specify that queries should be sent to a forwarder for additional lookup if and only if the recursive lookup fails. I maintain a separate DNS server that does recursive lookups to the Internet (for testing and other diagnostic reasons, among other things) other than a few specific internal zones, but it appears that AT&T's DNS servers don't accept queries from just anyone, so any lookup of a domain for which their DNS servers are authoritative will fail with a timeout. Therefore, I want to have the DNS server forward the requests for those domains (and any others that act the same way) to the standard corporate DNS servers which are able to resolve those domains. I know I can manually add domains as I find them, but that's a bit of a pain and not something I'd like to do if possible.

Basically, I'm looking for something like a "forward-last" option as opposed to the "forward-first" one, where forwarding is used as the option of last resort before returning a failure. Is that something that can be done already, and if so in what version (I'm currently using 1.6.6)? If not, is that something that could be added?

@brianjmurrell

This would also be useful for a portable (a.k.a. travel) router that can be exposed to all manner of captive portals and walled gardens, etc.

Indeed there are networks out there, in hotels and coffee shops and whatnot that even once logged on (and T&Cs accepted, etc.) to their networks, provide a general Internet experience but only allow DNS queries to their own DNS servers and block queries to the Internet.

But since many other such networks fully allow recursion it would be good to be able to use it when you can, to preserve some amount of privacy, while not being completely crippled when one does come across one of the more difficult networks as described above.

As an aside, even in such a hostile network that doesn't allow DNS queries outside of their own servers, I would very quickly restore privacy by starting up a VPN to my home network and then adding a forward-first: "." zone forward to unbound to forward all queries to my own server over the VPN connection. So really, the only query that would go to the captive DNS systems would be the one to get the IP address of my VPN endpoint (assuming it's not even baked into the /etc/hosts file on the portable router). Thereafter, my VPN's DNS resolver would be used.
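Both comments above describe the same workaround pattern: keep recursing while the network lets you, and switch to a trusted forwarder (corporate resolvers in the first case, a home resolver over a VPN in the second) only once recursion is known to fail. The script below is an added example, not code from the unbound project or from either commenter. It does not give the per-query "forward-last" behaviour the issue asks for, which the thread leaves open; it switches the whole resolver's mode per network. It assumes unbound-control is already configured for the local unbound, and the probe server, probe name and FALLBACK_FORWARDERS address are hypothetical placeholders to change for your setup. The probe goes directly to a root server with recursion disabled: a root server answers ". NS" authoritatively (AA set), so a NOERROR answer without AA means a middlebox intercepted port 53 and answered from its own cache, which for the privacy concern raised above is treated the same as a blocked path.

```shell
#!/bin/sh
# Added example (not part of unbound or this thread): enable forwarding only
# as a last resort, when direct recursion to the Internet is blocked or
# intercepted on the current network.
#
# Assumptions (hypothetical, change for your environment):
#   PROBE_SERVER        a root server IP (198.41.0.4 is a.root-servers.net)
#   FALLBACK_FORWARDERS the resolver(s) to use when recursion fails, e.g. a
#                       home resolver reachable over the VPN, or corporate DNS
PROBE_SERVER="${PROBE_SERVER:-198.41.0.4}"
FALLBACK_FORWARDERS="${FALLBACK_FORWARDERS:-10.8.0.1}"

# Classify one dig run. Pure function so it can be exercised without a network:
#   $1 = dig exit status, $2 = dig output
# dig exits 9 when no server could be reached (outbound port 53 cut);
# a genuine root server answers ". NS" with "flags: qr aa".
classify_probe() {
    rc=$1
    out=$2
    case "$rc" in
        9) echo blocked; return 0 ;;
    esac
    case "$out" in
        *"status: NOERROR"*)
            case "$out" in
                *"flags: qr aa"*) echo ok ;;          # real authoritative answer
                *) echo intercepted ;;                # answered by a middlebox
            esac ;;
        *"status: SERVFAIL"*|*"status: REFUSED"*) echo blocked ;;
        *) echo unknown ;;
    esac
}

# Ask a root server for ". NS" without recursion, then classify the result.
probe_recursion() {
    out=$(dig +time=3 +tries=1 +norecurse "@$PROBE_SERVER" . NS 2>&1)
    rc=$?
    classify_probe "$rc" "$out"
}

# Map a verdict to the unbound-control command to run. Forwarding is the last
# resort: it is switched on only when recursion is known not to work.
#   "forward <addr ...>" sets forwarders for "." ; "forward off" clears them.
action_for() {
    case "$1" in
        blocked|intercepted) echo "forward $FALLBACK_FORWARDERS" ;;
        ok)                  echo "forward off" ;;
        *)                   echo "" ;;   # unknown: leave current mode alone
    esac
}

# Probe and apply. Intended to be run at network-up (e.g. from a dispatcher
# hook) rather than per query.
apply_mode() {
    verdict=$(probe_recursion)
    cmd=$(action_for "$verdict")
    if [ -n "$cmd" ]; then
        # shellcheck disable=SC2086  # word-splitting of $cmd is intended
        unbound-control $cmd
    fi
    echo "$verdict"
}

# Run as: ./dns-fallback.sh run
if [ "${1:-}" = "run" ]; then
    apply_mode
fi
```

Hook apply_mode into whatever fires when the router's uplink changes (a DHCP client hook or the VPN's up/down script) so the mode follows the network rather than being left in a forwarding state after you move to an open network. The "unknown" verdict deliberately changes nothing: a transient failure should not silently push all queries to a forwarder.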
