Cloudron Forum / Discuss

Local unbound with external DNS instead of local recursion

Tags: networking, unbound

#1 hendrikvl wrote (last edited by girish):

I only recently discovered that Cloudron uses a local unbound installation as a DNS recursor and ignores the DNS servers that were in /etc/resolv.conf before installing Cloudron. Using unbound to include the local Cloudron network seems a good idea, but I am wondering whether using the root DNS servers is necessary. (This is at least what happens on my machine when resolving external hostnames: unbound queries its way down from the root DNS servers.)

As an alternative to the root DNS servers I added a new config file, /etc/unbound/unbound.conf.d/forward.conf:

    forward-zone:
        name: "."
        forward-addr: 1.1.1.1
        forward-addr: 8.8.8.8

(Cloudflare and Google DNS servers are just an illustration; I used the ones from my VPS hoster.)

Two questions/points for discussion on this:

1. Do you see any problems with how this could interact with local name resolution in an unintended way?

2. Would it be a good idea to generate such a config file as an optional step during the web-based Cloudron setup?


#2 girish (Staff) wrote:

@hendrikvl It's not a problem to have local-network-specific configuration in unbound. See https://docs.cloudron.io/networking/#private-dns.

As for the motivation, we use unbound because the mail server needs to do DNSBL queries. Most of the DNSBL servers, like Zen Spamhaus, will not respond if the queries originate from Google/Cloudflare DNS. This forces us to run our own DNS server.

The other motivation was also to log DNS lookups by apps to identify any malicious use, but we never got around to this (this was initially designed for a setup where we expected all app packages to be done by 3rd parties).

Finally, the unbound server should not be used much at all, because most of the apps should not be querying anything external.

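An added example (not Cloudron's own code, and not from either poster) that ties the two posts together: it renders and sanity-checks a forward.conf of the kind shown in the first post, parses it back alongside the local-zone entries Cloudron adds for its private DNS, and builds the DNSBL lookup name a mail server queries, which is the reason given in the reply for keeping a recursor on the box. The config text, the `example.lan` zone, the `10.0.0.5` address and the `dnsbl.example` list zone are all constructed placeholders; the unbound syntax (`forward-zone`, `forward-addr`, `@port`, `#tls-auth-name`, `local-zone`, `local-data`) is the real one. In unbound, names covered by `local-zone`/`local-data` are answered before any forwarding or recursion, which is why a catch-all `"."` forward zone does not break Cloudron's internal names.

```python
"""Render, parse and sanity-check an unbound forward-zone config, plus the
DNSBL query name a mail server resolves.  Added example, not Cloudron's
code; every address and file shown here is constructed for illustration."""
import ipaddress
import re
from typing import Dict, List, Optional, Tuple

Clause = Tuple[str, Dict[str, List[str]]]


def render_forward_conf(upstreams: List[str], name: str = ".") -> str:
    """Render a forward-zone stanza; reject anything that is not an IP literal
    so a typo cannot leave unbound with no usable forwarder."""
    if not upstreams:
        raise ValueError("at least one upstream resolver is required")
    lines = ["forward-zone:", f'    name: "{name}"']
    seen = set()
    for addr in upstreams:
        ip = ipaddress.ip_address(addr)      # raises ValueError on bad input
        if ip in seen:                        # listing one upstream twice buys nothing
            continue
        seen.add(ip)
        lines.append(f"    forward-addr: {ip}")
    return "\n".join(lines) + "\n"


def parse_unbound_conf(text: str) -> List[Clause]:
    """Minimal unbound.conf parser: an unindented 'clause:' line opens a clause,
    indented 'key: value' lines attach attributes to it.  A '#' starts a
    comment only at line start or after whitespace, so '1.1.1.1@853#name'
    (TLS auth name) survives intact."""
    clauses: List[Clause] = []
    current: Optional[Clause] = None
    for raw in text.splitlines():
        line = re.sub(r"(^|\s)#.*$", "", raw).rstrip()
        if not line.strip():
            continue
        if not line[0].isspace() and line.endswith(":"):
            current = (line[:-1].strip(), {})
            clauses.append(current)
            continue
        if current is None:
            raise ValueError(f"attribute outside any clause: {line.strip()}")
        key, _, value = line.strip().partition(":")
        current[1].setdefault(key.strip(), []).append(value.strip())
    return clauses


def forward_zones(clauses: List[Clause]) -> Dict[str, List[str]]:
    """Map each forward-zone name to its list of forward-addr values."""
    zones: Dict[str, List[str]] = {}
    for cname, attrs in clauses:
        if cname == "forward-zone" and "name" in attrs:
            zones[attrs["name"][0].strip('"')] = attrs.get("forward-addr", [])
    return zones


def local_zones(clauses: List[Clause]) -> List[str]:
    """Names declared with local-zone under server:.  unbound answers these from
    local-data before it forwards or recurses, so a "." forward-zone leaves them alone."""
    names: List[str] = []
    for cname, attrs in clauses:
        if cname == "server":
            names.extend(v.split()[0].strip('"') for v in attrs.get("local-zone", []))
    return names


def check_forward_conf(text: str) -> List[str]:
    """Return a list of problems; an empty list means forwarding looks sane."""
    problems: List[str] = []
    zones = forward_zones(parse_unbound_conf(text))
    if "." not in zones:
        problems.append('no forward-zone for ".": unbound will keep recursing from the root servers')
    for zname, addrs in zones.items():
        if not addrs:
            problems.append(f"forward-zone {zname!r} lists no forward-addr")
        for addr in addrs:
            host = addr.split("@", 1)[0].split("#", 1)[0]   # strip @port and #tls-auth-name
            try:
                ipaddress.ip_address(host)
            except ValueError:
                problems.append(f"forward-zone {zname!r}: {addr!r} is not an IP literal")
    return problems


def dnsbl_query_name(client_ip: str, dnsbl_zone: str = "dnsbl.example") -> str:
    """The name a mail server resolves to ask a DNSBL (Spamhaus Zen is one such
    list) about an IPv4 client: the octets reversed under the list's zone.
    The list answers the resolver that asks, which is why the mail host
    needs a resolver of its own rather than a shared public one."""
    ip = ipaddress.ip_address(client_ip)
    if ip.version != 4:
        raise ValueError("this example handles IPv4 clients only")
    return ".".join(reversed(str(ip).split("."))) + "." + dnsbl_zone


SAMPLE_CONF = '''\
# constructed sample: a Cloudron-style private zone next to the forward.conf
server:
    local-zone: "example.lan." static
    local-data: "app.example.lan. IN A 10.0.0.5"

forward-zone:
    name: "."
    forward-addr: 1.1.1.1
    forward-addr: 8.8.8.8
'''

if __name__ == "__main__":
    print(render_forward_conf(["1.1.1.1", "8.8.8.8"]), end="")
    print("problems:", check_forward_conf(SAMPLE_CONF) or "none")
    print("local zones still answered locally:", local_zones(parse_unbound_conf(SAMPLE_CONF)))
    print("DNSBL lookup for 192.0.2.10:", dnsbl_query_name("192.0.2.10"))
```

Run it as a script to see the rendered stanza and the check result; feed `check_forward_conf` the contents of a real `/etc/unbound/unbound.conf.d/forward.conf` to catch a non-IP upstream before `unbound-checkconf` and a restart would.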