is a very large local-data list a problem?

Spike spike at drba.org
Thu Dec 15 04:22:16 UTC 2016


Thanks to all of you for the detailed answers and examples. I agree sending
a refuse is a better option, and as a matter of fact it may have also
yielded the answer to something else entirely that I was using a Python
script for (I mentioned this in another thread on caching). From the docs
it says:

refuse
                 Send an error message reply, with rcode REFUSED.  If there is
                 a match from local data, the query is answered.

So if I get that correctly I could have

local-zone: "example.com" refuse
local-data: "ok.example.com A x.x.x.x"

and all queries to all subdomains of example.com will be rejected except
for ok.example.com. Is that correct?

In which case, I have a different question: is it possible to set it up so
that instead of setting an IP for the A the query is passed to the iterator?
In other words, create a sort of whitelist, deny everything except these
subdomains?

Thanks,

Spike

On Mon, Nov 28, 2016 at 8:46 AM Simon Deziel via Unbound-users <
unbound-users at unbound.net> wrote:

> On 2016-11-27 01:08 PM, Spike via Unbound-users wrote:
> > We've been using one of those ads blocklists that is basically a long
> > text file of local-data statements sending everything to 127.0.0.1.
>
> Memory-wise, I found that just using local-data with the implied
> transparent local-zone was best. With a ~12k hosts list:
>
> # local-data: "ads.com A 127.0.0.1"
> $ ps aux| grep unbound
> unbound 32557 1.5 0.2  58316 15964 ? Ss 11:27 0:00 /usr/sbin/unbound -d
>
> # local-zone: "ads.com" static
> $ ps aux| grep unbound
> unbound 32139 0.5 0.7 152840 63352 ? Ss 11:21 0:00 /usr/sbin/unbound -d
>
> # local-zone: "ads.com" refuse
> $ ps aux| grep unbound
> unbound 32247 2.3 0.7 152840 63432 ? Ss 11:22 0:00 /usr/sbin/unbound -d
>
>
> Setting a local-data with only the A record will return an empty AAAA.
>
> HTH,
> Simon
>
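
Added example, not part of the original messages or of Unbound's code: a simplified Python model of how the local-zone types discussed in this thread answer a query. It assumes Unbound applies the most specific enclosing local-zone, so a `transparent` zone nested under a `refuse` zone behaves as an allowlist entry that goes to the iterator; the zone names, the address 192.0.2.10 and all function names are constructed for illustration.

```python
# Added example: simplified model of Unbound local-zone answering.
# Only the refuse and transparent zone types are modelled.
REFUSED, NODATA, ITERATOR = "REFUSED", "NODATA", "ITERATOR"

# Constructed sample configuration (not from the thread).
SAMPLE_ZONES = {"example.com": "refuse", "ok.example.com": "transparent"}
SAMPLE_DATA = {("pinned.example.com", "A"): "192.0.2.10"}

def norm(name):
    """Lower-case a DNS name and drop the trailing dot."""
    return name.lower().rstrip(".")

def closest_zone(qname, zones):
    """Return the most specific configured local-zone enclosing qname, or None."""
    parts = norm(qname).split(".")
    for i in range(len(parts)):
        candidate = ".".join(parts[i:])
        if candidate in zones:
            return candidate
    return None

def answer(qname, qtype, zones, local_data):
    """Return the rdata, REFUSED, NODATA, or ITERATOR (resolved normally)."""
    name = norm(qname)
    if (name, qtype) in local_data:
        return local_data[(name, qtype)]        # exact local-data match answers
    # local-data with no enclosing zone behaves as an implied transparent zone
    ztype = zones.get(closest_zone(name, zones), "transparent")
    if ztype == "refuse":
        return REFUSED
    if ztype == "transparent":
        # name known but type missing -> empty answer (the "empty AAAA" case)
        has_name = any(n == name for n, _ in local_data)
        return NODATA if has_name else ITERATOR
    raise ValueError(f"zone type not modelled: {ztype}")

def render(zones, local_data):
    """Emit the matching unbound.conf statements."""
    lines = [f'local-zone: "{z}" {t}' for z, t in sorted(zones.items())]
    lines += [f'local-data: "{n} {rt} {rd}"'
              for (n, rt), rd in sorted(local_data.items())]
    return "\n".join(lines)

if __name__ == "__main__":
    print(render(SAMPLE_ZONES, SAMPLE_DATA))
    for q in ("ads.example.com", "ok.example.com", "pinned.example.com"):
        print(q, "A ->", answer(q, "A", SAMPLE_ZONES, SAMPLE_DATA))
```
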