A records, PTR records, and TTL setting

Jon Murphy jcmurphy26 at gmail.com
Mon Jan 8 22:29:59 UTC 2024


Hello?  Can someone assist?

Or did I make everyone mad? (Sorry if I did!)

Jon


> On Jan 1, 2024, at 1:57 PM, Jon Murphy <jcmurphy26 at gmail.com> wrote:
> 
> Happy New Year to everyone.  Hope you all had fun over the holidays.
> 
> Sorry for my late response - I spent most of the holidays with family and away from the computer.  (I tried to stay away from devices as best I could!)
> 
> I’ve been reading and re-reading the responses and trying to understand all of the comments.  And I am fairly sure I’ve caused most of the confusion with my poor questions and lack of details.  I owe you all an apology for that!
> 
> ———
> 
> First: Here is one response that was not sent to the mailing list:
> 
>> On Dec 24, 2023, at 4:46 PM, Jon Murphy <jcmurphy26 at gmail.com> wrote:
>> 
>> Steven,
>> I am using an unbound system setup by someone else.  For the outside world, it is set-up for DNSSEC (recursive) and DoT.  And I am using (really experimenting!) with RPZ also.  So I am modifying someone else’s work while trying to learn unbound.
>> Does that help?
>> 
>> Jon
> 
> So I am experimenting with an Unbound set-up that already exists and for the most part works very well!
> 
> ———
> 
> Second: And since this is already set up, the lines below are the current `unbound.conf` created by someone else.  This is just for reference.
> 
> ```
> server:
> 	chroot: ""
> 	directory: "/etc/unbound"
> 	username: "nobody"
> 	do-ip6: no
> 	include: "/etc/unbound/tuning.conf"
> 	use-syslog: yes
> 	log-time-ascii: yes
> 	statistics-interval: 86400
> 	extended-statistics: yes
> 	prefetch: yes
> 	prefetch-key: yes
> 	hide-identity: yes
> 	hide-version: yes
> 	auto-trust-anchor-file: "/var/lib/unbound/root.key"
> 	val-log-level: 1
> 	log-servfail: yes
> 	harden-large-queries: yes
> 	harden-referral-path: yes
> 	tls-cert-bundle: /etc/ssl/certs/ca-bundle.crt
> 	unwanted-reply-threshold: 1000000
> 	interface-automatic: yes
> 	interface: 0.0.0.0
> 	access-control: 0.0.0.0/0 allow
> 	infra-keep-probing: yes
> 	root-hints: "/etc/unbound/root.hints"
> 	include: "/etc/unbound/dhcp-leases.conf"
> 	include: "/etc/unbound/hosts.conf"
> 	include: "/etc/unbound/forward.conf"
> remote-control:
> 	control-enable: yes
> 	control-use-cert: no
> 	control-interface: 127.0.0.1
> include: "/etc/unbound/local.d/*.conf"
> ```
> 
> ———
> 
> Third:  And probably the most important items I left off (sorry again!)
> 
> I am experimenting with the bridge between ISC-DHCP and unbound.  What I see coming out of ISC-DHCP is an IP address and the device hostname.  And I am sending it to unbound mostly as-is (except for some error checking).
> 
> So ISC-DHCP sends out a dhcp event with:
>  192.168.60.175 and deb12dell
> 
> And I add some text and send this to unbound via `unbound-control local_data`:
>  deb12dell.localdomain. 60 IN A 192.168.60.175
>  175.60.168.192.in-addr.arpa. 60 IN PTR deb12dell.localdomain.
> 
> 
> A few moments later, ISC-DHCP sends out a 2nd set of IP/Hostnames with:
>  192.168.65.180 and deb12dell
> 
> 
> And I add some text and send this to unbound via `unbound-control local_data`:
>  deb12dell.localdomain. 60 IN A 192.168.65.180
>  180.65.168.192.in-addr.arpa. 60 IN PTR deb12dell.localdomain.
> 
> 
> Again I am sorry for not including the needed details.  I am not looking for guidance on the ISC-DHCP side.
> 
> 
> And back to my original post:
> 
>> So my question is:
>> - should there only be one A Record per device?
>> - or maybe only one PTR Record per device?
> 
> 
> Does the above help?
> 
> Best regards!
> Jon
> 
> 
> 
>> On Dec 24, 2023, at 7:33 PM, marki via Unbound-users <unbound-users at lists.nlnetlabs.nl> wrote:
>> 
>> You don't add devices. DNS does not know what a "device" is. It's like a phonebook, it assigns names to numbers and doesn't care if some live in the same house or not.
>> 
>> What is the proper way? I explained it. Usually, the proper way is to avoid assigning different IP addresses to the same name.
>> 
>> In your specific case, use names like
>> Deb12dell-eth0 <-> ip1
>> Deb12dell-eth1 <-> ip2
>> Make the names unique.
>> 
>> I think DNS may be treated in networking forums.  Unbound is an implementation of a dns server, besides bind and many others. Once you know what you want to do with DNS, only then can you choose what server you want to use, and then find out how to configure it. You may be doing this the wrong way by trying to configure a server without understanding the protocol.
>> 
>> 
>> On December 25, 2023 2:05:27 AM GMT+01:00, Jon Murphy <jcmurphy26 at gmail.com> wrote:
>> Comments below...
>> 
>> Jon
>> 
>> 
>>> On Dec 24, 2023, at 5:44 PM, marki via Unbound-users <unbound-users at lists.nlnetlabs.nl> wrote:
>>> 
>>> IMHO these are not issues concerning unbound but rather understanding of DNS in general. So maybe this is not the right forum.
>> 
>> This is my first time experimenting with DNS (though I have been experimenting with RPZ).
>> 
>> What is the right forum?
>> 
>> 
>>> To answer your question, what you are suggesting is not normally done.
>> 
>> That is the main thing I want to know!  What is normally done!
>> 
>>> But it doesn't necessarily generate errors. You need to know what you are doing / what goal you want to achieve.
>> 
>> I am trying to add devices (clients) to unbound DNS.  Most have one network interface and a few have two interfaces.
>> 
>>> 
>>> If you are declaring two identical A records pointing to different IP addresses, then the resolved IP will randomly be chosen between all entries. It can be used as a load-balancer for the poor.
>> 
>> That makes sense!  I had not heard this before (and I had not considered it).  This helps - Thank you!
>> 
>>> 
>>> Usually you have one IP (and one name) per interface. It doesn't matter what "device" that interface belongs to.
>>> 
>>> Very often people use "service names" to point to some IP and then the name of the actual host the IP is assigned to is used in the reverse lookup.
>>> 
>>> I.e. 
>>> accounting CNAME acc01prd
>>> acc01prd IP 1.2.3.4
>>> 1.2.3.4 PTR acc01prd
>>> 
>> 
>> So when loading up `unbound-control list_local_data`, or even writing line(s) to "/etc/unbound/dhcp-leases.conf", what is the proper way to add the 1st network interface and the 2nd network interface?
>> 
>> This is my current items:
>>  deb12dell.localdomain. 60 IN A 192.168.60.175
>>  175.60.168.192.in-addr.arpa. 60 IN PTR deb12dell.localdomain.
>> 
>>  deb12dell.localdomain. 60 IN A 192.168.65.180
>>  180.65.168.192.in-addr.arpa. 60 IN PTR deb12dell.localdomain.
>> 
>> What would be the proper way?
>> 
>> Can CNAMES be added to a "/etc/unbound/dhcp-leases.conf" file?
>> 
>> 
>>> So you don't use the cryptic hostname to access the service, but if you do a reverse lookup you find out where the IP is hosted.
>>> 
>>> But it all depends on what you want to accomplish.
>> 
>> Thank you!  The above does help!
>> 
> 

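The following is an added example, not code from the thread or from the Unbound project. It implements the pattern marki suggests above (one unique name per interface, so the second lease no longer produces a second A record for the same name) as a small POSIX shell helper that turns a DHCP event into the `local_data` lines that `unbound-control` accepts. The domain `localdomain`, the TTL of 60, the interface suffixes `eth0`/`eth1`, and the sample events are assumptions taken from the thread; the hostile hostname in the sample is constructed. Because the hostname arrives from the DHCP client, the helper validates it as a plain LDH label before it goes anywhere near the resolver, so a client cannot smuggle extra tokens or a foreign owner name into the record.

```shell
#!/bin/sh
# Added example (not from the thread): build unbound-control local_data
# lines from DHCP lease events, one unique name per interface.
# DOMAIN, TTL and the iface suffix scheme are assumptions.

DOMAIN="localdomain"
TTL=60

# Reverse-map a dotted-quad IPv4 address to its in-addr.arpa owner name.
ptr_name() {
    printf '%s\n' "$1" | awk -F. '{ printf "%s.%s.%s.%s.in-addr.arpa.\n", $4, $3, $2, $1 }'
}

# DHCP hostnames are client-supplied.  Accept a single LDH label only:
# letters, digits and hyphens, 1-63 chars, no leading/trailing hyphen,
# no dots, spaces or other characters that could form a second token.
valid_label() {
    [ -n "$1" ] || return 1
    printf '%s\n' "$1" | grep -Eq '^[A-Za-z0-9]([A-Za-z0-9-]{0,61}[A-Za-z0-9])?$'
}

# Dotted-quad check: exactly four numeric octets in 0..255.
valid_ipv4() {
    [ -n "$1" ] || return 1
    printf '%s\n' "$1" | awk -F. '
        BEGIN { bad = 0 }
        NF != 4 { bad = 1 }
        { for (i = 1; i <= NF; i++)
              if ($i !~ /^[0-9]+$/ || length($i) > 3 || $i + 0 > 255) bad = 1 }
        END { exit bad }'
}

# Emit the A and PTR records for one lease as "<host>-<iface>.<domain>."
# Usage: lease_records HOSTNAME IPV4 IFACE
# Prints nothing and returns 1 if any input fails validation.
lease_records() {
    host=$1; ip=$2; iface=$3
    valid_label "$host" || return 1
    valid_label "$iface" || return 1
    valid_ipv4 "$ip" || return 1
    name="$host-$iface.$DOMAIN."
    printf '%s %s IN A %s\n' "$name" "$TTL" "$ip"
    printf '%s %s IN PTR %s\n' "$(ptr_name "$ip")" "$TTL" "$name"
}

# Owner names to hand to "unbound-control local_data_remove" when a lease
# is released or renewed with a different address, so the old A/PTR pair
# does not linger next to the new one.
lease_remove_names() {
    valid_label "$1" && valid_ipv4 "$2" && valid_label "$3" || return 1
    printf '%s\n' "$1-$3.$DOMAIN." "$(ptr_name "$2")"
}

# Optional service alias (marki's "accounting CNAME acc01prd" pattern).
# Usage: service_cname SERVICE HOSTNAME IFACE
service_cname() {
    valid_label "$1" && valid_label "$2" && valid_label "$3" || return 1
    printf '%s.%s. %s IN CNAME %s-%s.%s.\n' "$1" "$DOMAIN" "$TTL" "$2" "$3" "$DOMAIN"
}

# Constructed sample events: the two leases from the thread (with an
# assumed interface each) plus one hostile hostname that must be rejected.
SAMPLE_EVENTS='192.168.60.175 deb12dell eth0
192.168.65.180 deb12dell eth1
192.168.60.9 evil.host.localdomain. eth0'

printf '%s\n' "$SAMPLE_EVENTS" | while read -r ip host iface; do
    lease_records "$host" "$ip" "$iface" || printf 'rejected: %s %s\n' "$ip" "$host" >&2
done
```

The printed lines can be piped straight into `unbound-control local_datas`, which reads one RR per line from stdin, on the resolver host (the quoted `unbound.conf` binds the control socket to `127.0.0.1` without certificates, so the feed has to run locally). Unrelated to the feed itself, the same conf combines `interface: 0.0.0.0` with `access-control: 0.0.0.0/0 allow`, which makes the resolver answer any client that can reach it; that is only safe if something in front of it restricts who can reach port 53.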

