问题[unbound](server)

使用 ISP 的 DNS 服务器配置的 iRedMail 服务器。运行几年没有问题。从当前的 ISP 转移到 Starlink。Starlink 似乎使用 Cloudflare 的公共 DNS。目前让两个 ISP 并行运行，直到切换完成。同样，邮件服务器在旧版 ISP 上运行良好。

当我切换到 Starlink（包括适当的公共 DNS 更改）时，收到来自 Spamhaus 的错误 12.255.255.254，这表明他们不允许来自公共 DNS 服务器的查询。很公平。设置本地未绑定解析器以解决问题。不受约束的工作并用于所有网络客户端。当带有传统 ISP 网关的邮件服务器中用于 DNS 的未绑定服务器 IP 时，传入的邮件会流动。

使用 Starlink 网关时，邮件停止流动。在 Postfix 日志中看不到任何错误。邮件只是停止流动。尽管 Spamhaus 在使用传统网关时似乎很乐意使用 Unbound 服务器，但为了以防万一，我们还是测试了 Spamhaus 的响应。结果很有趣：

% dig +short @[address of Unbound server] 2.0.0.127.zen.spamhaus.org
127.0.0.2
127.0.0.10
127.0.0.4
%

那是对的。但是，以下内容不返回任何内容：

% dig +short @[address of Unbound server] 1.0.0.127.zen.spamhaus.org
% 

从 Spamhaus 文档中，它应该返回：

Host 1.0.0.127.zen.spamhaus.org not found: 3(NXDOMAIN)

Spamhaus 文档还说“对“未列出”对象的查询必须始终返回 NXDOMAIN 才能使邮件过滤正常工作。” “检查‘列出’和‘未列出’查询的正确结果至关重要。”

有趣的是，当我使用旧版 ISP DNS 和网关时，我还得到：

% dig +short @[legacy ISP DNS IP] 1.0.0.127.zen.spamhaus.org
%

顺便说一句，外发邮件适用于所有 ISP 配置。只有传入的邮件有问题。还在 Starlink 后面运行一个运行良好的网络服务器。星链公网IP到现在已经两个月了。

这里到底发生了什么？会不会是 Unbound 服务器配置？我知道 Starlink 是 CGNAT，但这不应该导致这个问题。任何故障排除提示？真是难住了。将不胜感激任何帮助。

更新：

在我将所有内容都转到 Starlink 之后，我在被拒绝的消息中发现了许多看起来像这样的条目：

451 4.3.5 <mta-d-130-24.infusionmail.com>：Helo 命令被拒绝：服务器配置错误；[email protected] to=<mike@[我的公共邮件服务器名称]> proto=ESMTP helo=<mta-d-130-24.infusionmail.com> (总数: 1) 1 infusionmail.com (mailer@输液邮件.com)

更新 2：

按照以下建议设置 BIND9 服务器。同样，邮件在使用 BIND9 DNS 和传统 ISP 网关时会流动，但在使用 Starlink 网关时不会。

使用以下工具测试https://mxtoolbox.com/diagnostic.aspx

当电子邮件服务器在旧版 DSL 之后运行时通过所有测试。在 Starlink 后面运行时，获得：

3/19/2022 5:33:54 PM Connection attempt #1 - Unable to connect after 15 seconds. [15.05 sec]

LookupServer 15051ms

就像电子邮件服务器在 Starlink 后面的端口 25 上没有响应一样。我尝试删除 Postfix 中的所有垃圾邮件规则。还是没有反应。

几乎感觉像是防火墙问题，但我有从 Starlink 路由器转发的端口 25、587 和 993 端口，就像我为传统 DSL 路由器所做的那样。

从我的网络外部，我确定以下端口没有被阻止：

25:

% telnet [My public mail server name] 25
220 [My public mail server name] ESMTP Postfix

587：

% telnet [My public mail server name] 587
220 [My public mail server name] ESMTP Postfix

993：

% openssl s_client -connect [My public mail server name]:993 -crlf -quiet
depth=1 O = Digital Signature Trust Co., CN = DST Root CA X3
verify error:num=10:certificate has expired
notAfter=Sep 30 14:01:15 2021 GMT
verify return:0
depth=1 O = Digital Signature Trust Co., CN = DST Root CA X3
verify error:num=10:certificate has expired
notAfter=Sep 30 14:01:15 2021 GMT
verify return:0
depth=3 O = Digital Signature Trust Co., CN = DST Root CA X3
verify error:num=10:certificate has expired
notAfter=Sep 30 14:01:15 2021 GMT
verify return:0
* OK [CAPABILITY IMAP4rev1 LITERAL+ SASL-IR LOGIN-REFERRALS ID ENABLE IDLE AUTH=PLAIN AUTH=LOGIN] Dovecot (Ubuntu) ready.

这应该证明 Starlink 没有阻止我的任何端口。

我认为到目前为止最重要的一点是 HELO 命令被拒绝。不知道为什么当服务器在 Starlink 而不是传统 ISP 之后运行时它会被拒绝。嗯……

这可能是反向 DNS 问题吗？Starlink 在他们给我的 IP 地址上有一条 PTR 记录：

% host [Starlink public IP]
[Starlink public IP].in-addr.arpa domain name pointer customer.sttlwax1.pop.starlinkisp.net.

% dig +short customer.sttlwax1.pop.starlinkisp.net
% 

% dig +short mail.[my domain].com 
[Starlink public IP]

然后我检查了我的旧版 DSL：

% host [Legacy DSL public IP]
[Legacy DSL public IP].in-addr.arpa domain name pointer client-[Legacy DSL public IP].hostwindsdns.com.

% dig +short client-[Legacy DSL public IP].hostwindsdns.com
% 

% dig +short mail.[my domain].com 
[Legacy DSL public IP]

他们似乎表现相似并且有同样的问题。

我正在寻找一个选项，该选项将使从特定接口发送递归查询不受约束。

听力界面很简单，但是我找不到询问界面选项。

我的虚拟机上有 3 个接口，我不想从默认网关无限制地询问，有这样的选择吗？

谢谢。

设置起来似乎很简单，但我实际上无法让它工作..

设置：

$ docker run -it -p 53:5300/udp alpine /bin/sh

$ apk add bash nano wget ca-certificates bind-tools unbound
$ mkdir -p /var/log/unbound
$ touch /var/log/unbound/unbound.log
$ chown unbound /var/log/unbound/unbound.log

/etc/unbound/unbound.conf：

server:
        verbosity: 2
        interface: 0.0.0.0
        port: 5300
        logfile: "/var/log/unbound/unbound.log"
        root-hints: /usr/share/dns-root-hints/named.root
        trust-anchor-file: "/usr/share/dnssec-root/trusted-key.key"
python:
remote-control:
        control-enable: yes
        control-interface: /run/unbound.control.sock

测试：

$ unbound
$ dig google.com @127.0.0.1 -p 5300

; <<>> DiG 9.16.6 <<>> google.com @127.0.0.1 -p 5300
;; global options: +cmd
;; connection timed out; no servers could be reached

/var/log/unbound/unbound.log：

[1610066128] unbound[72:0] notice: init module 0: validator
[1610066128] unbound[72:0] notice: init module 1: iterator
[1610066128] unbound[72:0] info: start of service (unbound 1.10.1).
## dig
[1610066668] unbound[72:0] info: resolving google.com. A IN
[1610066668] unbound[72:0] info: priming . IN NS
[1610066669] unbound[72:0] notice: sendto failed: Address not available
[1610066669] unbound[72:0] notice: remote address is 2001:500:2f::f port 53
[1610066669] unbound[72:0] info: error sending query to auth server 2001:500:2f::f port 53
[1610066669] unbound[72:0] notice: sendto failed: Address not available
[1610066669] unbound[72:0] notice: remote address is 2001:500:2d::d port 53
[1610066669] unbound[72:0] info: error sending query to auth server 2001:500:2d::d port 53
[1610066670] unbound[72:0] notice: sendto failed: Address not available
[1610066670] unbound[72:0] notice: remote address is 2001:7fd::1 port 53
[1610066670] unbound[72:0] info: error sending query to auth server 2001:7fd::1 port 53
[1610066670] unbound[72:0] notice: sendto failed: Address not available
[1610066670] unbound[72:0] notice: remote address is 2001:500:a8::e port 53
[1610066670] unbound[72:0] info: error sending query to auth server 2001:500:a8::e port 53
[1610066670] unbound[72:0] notice: sendto failed: Address not available
[1610066670] unbound[72:0] notice: remote address is 2001:500:2d::d port 53
[1610066670] unbound[72:0] info: error sending query to auth server 2001:500:2d::d port 53
[1610066672] unbound[72:0] notice: sendto failed: Address not available
[1610066672] unbound[72:0] notice: remote address is 2001:7fe::53 port 53
[1610066672] unbound[72:0] info: error sending query to auth server 2001:7fe::53 port 53
[1610066672] unbound[72:0] notice: sendto failed: Address not available
[1610066672] unbound[72:0] notice: remote address is 2001:500:1::53 port 53
[1610066672] unbound[72:0] info: error sending query to auth server 2001:500:1::53 port 53
[1610066672] unbound[72:0] notice: sendto failed: Address not available
[1610066672] unbound[72:0] notice: remote address is 2001:500:a8::e port 53
[1610066672] unbound[72:0] info: error sending query to auth server 2001:500:a8::e port 53
[1610066672] unbound[72:0] notice: sendto failed: Address not available
[1610066672] unbound[72:0] notice: remote address is 2001:500:2d::d port 53
[1610066672] unbound[72:0] info: error sending query to auth server 2001:500:2d::d port 53
[1610066676] unbound[72:0] notice: sendto failed: Address not available
[1610066676] unbound[72:0] notice: remote address is 2001:500:2f::f port 53
[1610066676] unbound[72:0] info: error sending query to auth server 2001:500:2f::f port 53
[1610066676] unbound[72:0] notice: sendto failed: Address not available
[1610066676] unbound[72:0] notice: remote address is 2001:500:200::b port 53
[1610066676] unbound[72:0] info: error sending query to auth server 2001:500:200::b port 53
[1610066676] unbound[72:0] notice: sendto failed: Address not available
[1610066676] unbound[72:0] notice: remote address is 2001:500:1::53 port 53
[1610066676] unbound[72:0] info: error sending query to auth server 2001:500:1::53 port 53
[1610066677] unbound[72:0] notice: sendto failed: Address not available
[1610066677] unbound[72:0] notice: remote address is 2001:500:200::b port 53
[1610066677] unbound[72:0] info: error sending query to auth server 2001:500:200::b port 53
[1610066678] unbound[72:0] notice: sendto failed: Address not available
[1610066678] unbound[72:0] notice: remote address is 2001:503:ba3e::2:30 port 53
[1610066678] unbound[72:0] info: error sending query to auth server 2001:503:ba3e::2:30 port 53
[1610066678] unbound[72:0] notice: sendto failed: Address not available
[1610066678] unbound[72:0] notice: remote address is 2001:500:9f::42 port 53
[1610066678] unbound[72:0] info: error sending query to auth server 2001:500:9f::42 port 53
[1610066678] unbound[72:0] notice: sendto failed: Address not available
[1610066678] unbound[72:0] notice: remote address is 2001:500:12::d0d port 53
[1610066678] unbound[72:0] info: error sending query to auth server 2001:500:12::d0d port 53
[1610066679] unbound[72:0] notice: sendto failed: Address not available
[1610066679] unbound[72:0] notice: remote address is 2001:dc3::35 port 53
[1610066679] unbound[72:0] info: error sending query to auth server 2001:dc3::35 port 53
[1610066679] unbound[72:0] notice: sendto failed: Address not available
[1610066679] unbound[72:0] notice: remote address is 2001:500:9f::42 port 53
[1610066679] unbound[72:0] info: error sending query to auth server 2001:500:9f::42 port 53
[1610066680] unbound[72:0] notice: sendto failed: Address not available
[1610066680] unbound[72:0] notice: remote address is 2001:500:2::c port 53
[1610066680] unbound[72:0] info: error sending query to auth server 2001:500:2::c port 53
[1610066680] unbound[72:0] notice: sendto failed: Address not available
[1610066680] unbound[72:0] notice: remote address is 2001:dc3::35 port 53
[1610066680] unbound[72:0] info: error sending query to auth server 2001:dc3::35 port 53
[1610066682] unbound[72:0] notice: sendto failed: Address not available
[1610066682] unbound[72:0] notice: remote address is 2001:503:c27::2:30 port 53
[1610066682] unbound[72:0] info: error sending query to auth server 2001:503:c27::2:30 port 53
[1610066682] unbound[72:0] notice: sendto failed: Address not available
[1610066682] unbound[72:0] notice: remote address is 2001:dc3::35 port 53
[1610066682] unbound[72:0] info: error sending query to auth server 2001:dc3::35 port 53
[1610066683] unbound[72:0] notice: sendto failed: Address not available
[1610066683] unbound[72:0] notice: remote address is 2001:500:1::53 port 53
[1610066683] unbound[72:0] info: error sending query to auth server 2001:500:1::53 port 53
[1610066683] unbound[72:0] notice: sendto failed: Address not available
[1610066683] unbound[72:0] notice: remote address is 2001:500:1::53 port 53
[1610066683] unbound[72:0] info: error sending query to auth server 2001:500:1::53 port 53
[1610066683] unbound[72:0] notice: sendto failed: Address not available
[1610066683] unbound[72:0] notice: remote address is 2001:500:9f::42 port 53
[1610066683] unbound[72:0] info: error sending query to auth server 2001:500:9f::42 port 53
[1610066683] unbound[72:0] notice: sendto failed: Address not available
[1610066683] unbound[72:0] notice: remote address is 2001:7fd::1 port 53
[1610066683] unbound[72:0] info: error sending query to auth server 2001:7fd::1 port 53
[1610066683] unbound[72:0] notice: sendto failed: Address not available
[1610066683] unbound[72:0] notice: remote address is 2001:dc3::35 port 53
[1610066683] unbound[72:0] info: error sending query to auth server 2001:dc3::35 port 53
[1610066683] unbound[72:0] notice: sendto failed: Address not available
[1610066683] unbound[72:0] notice: remote address is 2001:dc3::35 port 53
[1610066683] unbound[72:0] info: error sending query to auth server 2001:dc3::35 port 53
[1610066683] unbound[72:0] notice: sendto failed: Address not available
[1610066683] unbound[72:0] notice: remote address is 2001:7fe::53 port 53
[1610066683] unbound[72:0] info: error sending query to auth server 2001:7fe::53 port 53
[1610066685] unbound[72:0] notice: sendto failed: Address not available
[1610066685] unbound[72:0] notice: remote address is 2001:500:2f::f port 53
[1610066685] unbound[72:0] info: error sending query to auth server 2001:500:2f::f port 53
[1610066688] unbound[72:0] notice: sendto failed: Address not available
[1610066688] unbound[72:0] notice: remote address is 2001:7fe::53 port 53
[1610066688] unbound[72:0] info: error sending query to auth server 2001:7fe::53 port 53
[1610066688] unbound[72:0] notice: sendto failed: Address not available
[1610066688] unbound[72:0] notice: remote address is 2001:500:12::d0d port 53
[1610066688] unbound[72:0] info: error sending query to auth server 2001:500:12::d0d port 53
[1610066688] unbound[72:0] notice: sendto failed: Address not available
[1610066688] unbound[72:0] notice: remote address is 2001:500:9f::42 port 53
[1610066688] unbound[72:0] info: error sending query to auth server 2001:500:9f::42 port 53
[1610066688] unbound[72:0] notice: sendto failed: Address not available
[1610066688] unbound[72:0] notice: remote address is 2001:500:12::d0d port 53
[1610066688] unbound[72:0] info: error sending query to auth server 2001:500:12::d0d port 53
[1610066691] unbound[72:0] notice: sendto failed: Address not available
[1610066691] unbound[72:0] notice: remote address is 2001:7fd::1 port 53
[1610066691] unbound[72:0] info: error sending query to auth server 2001:7fd::1 port 53
[1610066691] unbound[72:0] notice: sendto failed: Address not available
[1610066691] unbound[72:0] notice: remote address is 2001:503:ba3e::2:30 port 53
[1610066691] unbound[72:0] info: error sending query to auth server 2001:503:ba3e::2:30 port 53
[1610066691] unbound[72:0] notice: sendto failed: Address not available
[1610066691] unbound[72:0] notice: remote address is 2001:7fd::1 port 53
[1610066691] unbound[72:0] info: error sending query to auth server 2001:7fd::1 port 53
[1610066691] unbound[72:0] notice: sendto failed: Address not available
[1610066691] unbound[72:0] notice: remote address is 2001:500:2f::f port 53
[1610066691] unbound[72:0] info: error sending query to auth server 2001:500:2f::f port 53
[1610066691] unbound[72:0] notice: sendto failed: Address not available
[1610066691] unbound[72:0] notice: remote address is 2001:500:9f::42 port 53
[1610066691] unbound[72:0] info: error sending query to auth server 2001:500:9f::42 port 53
[1610066691] unbound[72:0] notice: sendto failed: Address not available
[1610066691] unbound[72:0] notice: remote address is 2001:500:1::53 port 53
[1610066691] unbound[72:0] info: error sending query to auth server 2001:500:1::53 port 53
[1610066691] unbound[72:0] notice: sendto failed: Address not available
[1610066691] unbound[72:0] notice: remote address is 2001:500:a8::e port 53
[1610066691] unbound[72:0] info: error sending query to auth server 2001:500:a8::e port 53
[1610066691] unbound[72:0] notice: sendto failed: Address not available
[1610066691] unbound[72:0] notice: remote address is 2001:7fe::53 port 53
[1610066691] unbound[72:0] info: error sending query to auth server 2001:7fe::53 port 53
[1610066691] unbound[72:0] notice: sendto failed: Address not available
[1610066691] unbound[72:0] notice: remote address is 2001:500:2f::f port 53
[1610066691] unbound[72:0] info: error sending query to auth server 2001:500:2f::f port 53
[1610066691] unbound[72:0] notice: sendto failed: Address not available
[1610066691] unbound[72:0] notice: remote address is 2001:7fe::53 port 53
[1610066691] unbound[72:0] info: error sending query to auth server 2001:7fe::53 port 53
[1610066691] unbound[72:0] notice: sendto failed: Address not available
[1610066691] unbound[72:0] notice: remote address is 2001:500:200::b port 53
[1610066691] unbound[72:0] info: error sending query to auth server 2001:500:200::b port 53
[1610066692] unbound[72:0] notice: sendto failed: Address not available
[1610066692] unbound[72:0] notice: remote address is 2001:503:c27::2:30 port 53
[1610066692] unbound[72:0] info: error sending query to auth server 2001:503:c27::2:30 port 53
[1610066692] unbound[72:0] notice: sendto failed: Address not available
[1610066692] unbound[72:0] notice: remote address is 2001:500:12::d0d port 53
[1610066692] unbound[72:0] info: error sending query to auth server 2001:500:12::d0d port 53
[1610066692] unbound[72:0] notice: sendto failed: Address not available
[1610066692] unbound[72:0] notice: remote address is 2001:503:c27::2:30 port 53
[1610066692] unbound[72:0] info: error sending query to auth server 2001:503:c27::2:30 port 53
[1610066692] unbound[72:0] notice: sendto failed: Address not available
[1610066692] unbound[72:0] notice: remote address is 2001:500:a8::e port 53
[1610066692] unbound[72:0] info: error sending query to auth server 2001:500:a8::e port 53
[1610066692] unbound[72:0] notice: sendto failed: Address not available
[1610066692] unbound[72:0] notice: remote address is 2001:7fd::1 port 53
[1610066692] unbound[72:0] info: error sending query to auth server 2001:7fd::1 port 53
[1610066692] unbound[72:0] notice: sendto failed: Address not available
[1610066692] unbound[72:0] notice: remote address is 2001:503:ba3e::2:30 port 53
[1610066692] unbound[72:0] info: error sending query to auth server 2001:503:ba3e::2:30 port 53
[1610066692] unbound[72:0] notice: sendto failed: Address not available
[1610066692] unbound[72:0] notice: remote address is 2001:503:c27::2:30 port 53
[1610066692] unbound[72:0] info: error sending query to auth server 2001:503:c27::2:30 port 53
[1610066692] unbound[72:0] notice: sendto failed: Address not available
[1610066692] unbound[72:0] notice: remote address is 2001:503:ba3e::2:30 port 53
[1610066692] unbound[72:0] info: error sending query to auth server 2001:503:ba3e::2:30 port 53
[1610066692] unbound[72:0] notice: sendto failed: Address not available
[1610066692] unbound[72:0] notice: remote address is 2001:500:12::d0d port 53
[1610066692] unbound[72:0] info: error sending query to auth server 2001:500:12::d0d port 53
[1610066692] unbound[72:0] notice: sendto failed: Address not available
[1610066692] unbound[72:0] notice: remote address is 2001:500:2d::d port 53
[1610066692] unbound[72:0] info: error sending query to auth server 2001:500:2d::d port 53
[1610066694] unbound[72:0] notice: sendto failed: Address not available
[1610066694] unbound[72:0] notice: remote address is 2001:500:2d::d port 53
[1610066694] unbound[72:0] info: error sending query to auth server 2001:500:2d::d port 53
[1610066695] unbound[72:0] notice: sendto failed: Address not available
[1610066695] unbound[72:0] notice: remote address is 2001:500:2::c port 53
[1610066695] unbound[72:0] info: error sending query to auth server 2001:500:2::c port 53
[1610066695] unbound[72:0] notice: sendto failed: Address not available
[1610066695] unbound[72:0] notice: remote address is 2001:503:c27::2:30 port 53
[1610066695] unbound[72:0] info: error sending query to auth server 2001:503:c27::2:30 port 53
[1610066698] unbound[72:0] notice: sendto failed: Address not available
[1610066698] unbound[72:0] notice: remote address is 2001:500:200::b port 53
[1610066698] unbound[72:0] info: error sending query to auth server 2001:500:200::b port 53
[1610066698] unbound[72:0] notice: sendto failed: Address not available
[1610066698] unbound[72:0] notice: remote address is 2001:503:ba3e::2:30 port 53
[1610066698] unbound[72:0] info: error sending query to auth server 2001:503:ba3e::2:30 port 53
[1610066698] unbound[72:0] notice: sendto failed: Address not available
[1610066698] unbound[72:0] notice: remote address is 2001:500:a8::e port 53
[1610066698] unbound[72:0] info: error sending query to auth server 2001:500:a8::e port 53
[1610066698] unbound[72:0] notice: sendto failed: Address not available
[1610066698] unbound[72:0] notice: remote address is 2001:500:200::b port 53
[1610066698] unbound[72:0] info: error sending query to auth server 2001:500:200::b port 53
[1610066698] unbound[72:0] notice: sendto failed: Address not available
[1610066698] unbound[72:0] notice: remote address is 2001:500:2::c port 53
[1610066698] unbound[72:0] info: error sending query to auth server 2001:500:2::c port 53
[1610066698] unbound[72:0] notice: sendto failed: Address not available
[1610066698] unbound[72:0] notice: remote address is 2001:500:2::c port 53
[1610066698] unbound[72:0] info: error sending query to auth server 2001:500:2::c port 53
[1610066698] unbound[72:0] notice: sendto failed: Address not available
[1610066698] unbound[72:0] notice: remote address is 2001:500:2::c port 53
[1610066698] unbound[72:0] info: error sending query to auth server 2001:500:2::c port 53

Unbound 从转发区域获得正确答案 （见下文） ，但继续忽略它并尝试查询其他 DNS 服务器。

在公共热点后面时，我在 docker 映像上运行 unbound (1.10.0) 。

我添加了转发规则以在检测到需要登录时允许通信。

重要提示：目前我无法访问互联网，我只能 ping 路由器中的本地 DNS 和几个域。

这是未绑定的日志

和配置文件：（unbound.conf）

从日志中我可以看到它有来自转发区域 dns 服务器的正确响应。

unbound    | [1587387141] unbound[1:0] info: incoming scrubbed packet: ;; ->>HEADER<<- opcode: QUERY, rcode: NOERROR, id: 0
unbound    | ;; flags: qr rd ra ; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 0 
unbound    | ;; QUESTION SECTION:
unbound    | telekom.portal.fon.com.    IN  A
unbound    | 
unbound    | ;; ANSWER SECTION:
unbound    | telekom.portal.fon.com.    42099   IN  A   87.140.198.194
unbound    | 
unbound    | ;; AUTHORITY SECTION:
unbound    | 
unbound    | ;; ADDITIONAL SECTION:
unbound    | ;; MSG SIZE  rcvd: 56

但随后继续查询我定义的根 dns 服务器或其他转发区域。

如果我从配置中删除/注释以下行，它似乎可以工作：

auto-trust-anchor-file: "var/root.key"

但它对任何其他配置选项都不敏感。

谢谢

编辑：它继续查询根 dns 服务器，而不是根主机

我正在尝试使用 unbound 将请求转发到一对 dns 服务器，同时在本地回答一个充满查询的小手。在对此进行测试时，我在以下位置构建了以下配置/etc/unbound/conf.d/my.zone.com.conf

forward-zone:
    name: "my.zone.com"
    forward-addr: 1.2.3.4   # my DNS server
    forward-addr: 1.2.3.5   # my other DNS server

    local-data: "server1.my.zone.com. IN A 1.2.3.6"

    local-data-ptr: "1.2.3.6 server1.my.zone.com"

运行 unbound-checkconf 时出现以下错误：

$ unbound-checkconf
/etc/unbound.conf.d/my.zone.com.conf:8: error: syntax error
read /etc/unbound.conf.d/my.zone.com.conf failed: 1 errors in configuration file
$

我想要的行为是 unbound 应该将所有请求转发到 DNS 服务器1.2.3.4，并且1.2.3.5应该用本地信息响应server1.my.zone.com.

我在线浏览了许多冗长的配置文件示例，但我只是看不出我做错了什么——尽管我怀疑它local-data与local-data-ptr嵌套在forward-zone.

配置文件/etc/unbound/unbound.conf与 centos7 中默认的 yum install 保持不变。

在此先感谢您的帮助

使用 BIND RPZ 为我提供了我正在寻找的更改查询的确切内容。但是，数百个客户端正在使用我的递归 DNS 服务器，我正在寻找一种方法来允许每个客户端进行某种程度的自定义。客户可能希望启用数百个区域，以实现数千种不同的可能组合。

看来我仅限于 32 个 RPZ 区域（看似无限长），但仅此一项是行不通的——每个用户都需要选择加入特定区域的能力。即使每个客户端都有大量区域，它仍然会达到 32 个限制。

我已经简要地查看了 Unbound，它似乎具有类似的具有本地数据透明度的 RPZ 设置，但是当寻找一种将事物分成视图的方法时，乐趣似乎已经结束，因此我只能将它们提供给特定的客户。

当然有一种方法可以在不重新发明轮子的情况下实现这一目标？我看到商业提供商提供类似的设置，例如 OpenDNS，成千上万的客户可以在其中切换各种列表。秘方是什么？