default local DNS caching name server

Paul Wouters paul at nohats.ca
Sat Apr 12 15:11:34 UTC 2014


On Sat, 12 Apr 2014, Reindl Harald wrote:

> "we" should not do anything - because "we" don't have a clue about the
> network of the enduser

We know and handle a lot more than you think already using unbound with
dnssec-trigger and VPNs. Why don't you give it a shot and give us some
feedback on how it works for you on your laptop?

> if the roadrunner has the VPN client directly on his machine, well
> then he needs to make a decision:

They need to make no decision; it has been automated already:

https://github.com/libreswan/libreswan/blob/master/programs/_updown.netkey/_updown.netkey.in

# tunnel up (fragment of _updown.netkey, runs inside a function): forward the
# peer-supplied domain to the peer-supplied DNS servers, then drop any cached
# answers and in-flight queries for that zone so nothing stale survives
if [ -n "$(pidof unbound)" ]; then
	echo "updating local nameserver for ${PLUTO_PEER_DOMAIN_INFO} with ${PLUTO_PEER_DNS_INFO}"
	/usr/sbin/unbound-control forward_add ${PLUTO_PEER_DOMAIN_INFO} ${PLUTO_PEER_DNS_INFO}
	/usr/sbin/unbound-control flush_zone ${PLUTO_PEER_DOMAIN_INFO}
	/usr/sbin/unbound-control flush_requestlist
	return 0
fi


[...]

# tunnel down: remove the forward zone again and flush the same caches, so
# queries for the domain stop going to the (now unreachable) VPN resolvers
if [ -n "$(pidof unbound)" ]; then
	echo "flushing local nameserver of ${PLUTO_PEER_DOMAIN_INFO}"
	/usr/sbin/unbound-control forward_remove ${PLUTO_PEER_DOMAIN_INFO}
	/usr/sbin/unbound-control flush_zone ${PLUTO_PEER_DOMAIN_INFO}
	/usr/sbin/unbound-control flush_requestlist
	return 0
fi

It even has fallbacks for when not running unbound to do this via
editing /etc/resolv.conf - obviously not as preferred as running
unbound, but still supported.

Paul
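As an added example (my code, not libreswan's): the same up/down sequence as a stand-alone POSIX sh hook that validates the domain and server values before handing them to unbound-control and checks each control command's exit status instead of assuming success. Assumed: a single domain as the second argument, IPv4-only servers, and an UNBOUND_CONTROL override so the hook can be exercised with a stub.

```shell
#!/bin/sh
# Added example, not libreswan's own code: the updown sequence from the
# post as a stand-alone hook. Assumed: one domain in $2 and IPv4 servers
# in $3..; UNBOUND_CONTROL may be overridden (e.g. with a logging stub).
UNBOUND_CONTROL="${UNBOUND_CONTROL:-/usr/sbin/unbound-control}"

# Accept only hostname characters, no leading dot and no empty label, so
# a malformed PLUTO_PEER_DOMAIN_INFO cannot become an unexpected argument.
valid_domain() {
    case "$1" in
        ''|.*|*..*|*[!A-Za-z0-9.-]*) return 1 ;;
    esac
    return 0
}

# Accept a dotted quad with each octet in 0..255 (subshell keeps IFS local).
valid_ipv4() (
    IFS=.
    set -- $1
    [ $# -eq 4 ] || return 1
    for octet in "$@"; do
        case "$octet" in ''|*[!0-9]*) return 1 ;; esac
        [ "$octet" -le 255 ] || return 1
    done
    return 0
)

# vpn_dns up DOMAIN SERVER... | vpn_dns down DOMAIN
# Adds or removes the forward zone, then flushes the cached zone and any
# queries still in flight, exactly as the two script fragments do; every
# unbound-control call is checked instead of assumed to succeed.
vpn_dns() {
    [ $# -ge 2 ] || { echo "usage: vpn_dns up|down DOMAIN [SERVER...]" >&2; return 2; }
    action=$1; domain=$2; shift 2
    valid_domain "$domain" || { printf 'bad domain: %s\n' "$domain" >&2; return 2; }
    for server in "$@"; do
        valid_ipv4 "$server" || { printf 'bad DNS server: %s\n' "$server" >&2; return 2; }
    done
    case "$action" in
        up)   [ $# -ge 1 ] || return 2
              "$UNBOUND_CONTROL" forward_add "$domain" "$@" || return 1 ;;
        down) "$UNBOUND_CONTROL" forward_remove "$domain" || return 1 ;;
        *)    echo "usage: vpn_dns up|down DOMAIN [SERVER...]" >&2; return 2 ;;
    esac
    "$UNBOUND_CONTROL" flush_zone "$domain" || return 1
    "$UNBOUND_CONTROL" flush_requestlist || return 1
}
```

Run it as `vpn_dns up "$PLUTO_PEER_DOMAIN_INFO" $PLUTO_PEER_DNS_INFO` from the up path and `vpn_dns down "$PLUTO_PEER_DOMAIN_INFO"` from the down path; the unquoted server list is deliberate so several space-separated addresses split into separate arguments.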

