It is quite possible I am just clueless and doing things all wrong, so please forgive me if this is a waste of your time. I've Googled and experimented for hours, and am no closer to understanding what's going wrong here.
I'm just trying to get Unbound configured on FreeBSD 10.2-STABLE such that: * the DHCP-assigned nameserver (10.0.1.1, my router) is ignored, even after lease renewals * by default, queries go to my ISP's resolvers (Comcast: 75.75.75.75 & 75.75.76.76) * DNSBL zone queries bypass the ISP's resolvers - e.g., *.multi.uribl.com needs to be resolved starting from the root servers, such that a TXT lookup of test.uribl.com.multi.uribl.com will return the descriptive text "permanent testpoint" rather than "127.0.0.1 -> Query Refused. See http://uribl.com/refused.shtml for more information [Your DNS IP: 76.x.x.x]" At the bottom of this post you can see my config files. The reason I'm bypassing the DHCP-assigned nameserver is because I only get SERVFAIL for any lookup with it, even though it just forwards to my ISP. It's a current-model Apple AirPort Time Capsule, so you'd think it would be DNSSEC-friendly, but I guess not, and of course there's no advanced settings available in the AirPort Utility. The main thing I'm trying to diagnose at this point is not the DHCP stuff, rather just the DNSBL forwards. When using my config files, lookups for most domains work, but the DNSBL test only ever gives me SERVFAIL. tcpdump is not very helpful; nothing is going out over the wire for those lookups, even on first try: 17:06:36.553477 IP (tos 0x0, ttl 64, id 46664, offset 0, flags [none], proto UDP (17), length 76, bad cksum 0 (->c656)!) 127.0.0.1.52659 > 127.0.0.1.53: [bad udp cksum 0xfe4b -> 0xede4!] 60714+ TXT? test.uribl.com.multi.uribl.com. (48) 17:06:36.561421 IP (tos 0x0, ttl 64, id 46675, offset 0, flags [none], proto UDP (17), length 76, bad cksum 0 (->c64b)!) 127.0.0.1.53 > 127.0.0.1.52659: [bad udp cksum 0xfe4b -> 0x6d62!] 60714 ServFail q: TXT? test.uribl.com.multi.uribl.com. 0/0/0 (48) And here's the unbound -ddvvv output: http://pastebin.com/raw.php?i=dcRP67yZ It includes the startup messages and the messages resulting from these 4 commands (and I realize I may be a bit paranoid with the flushes): # unbound-control -c /var/unbound/unbound.conf list_forwards . IN forward 75.75.75.75 75.75.76.76 multi.uribl.com. IN forward multi.uribl.com. # unbound-control -c /var/unbound/unbound.conf flush_zone multi.uribl.com ok removed 0 rrsets, 0 messages and 0 key entries # unbound-control -c /var/unbound/unbound.conf flush_zone uribl.com ok removed 0 rrsets, 0 messages and 0 key entries # host -tTXT test.uribl.com.multi.uribl.com Host test.uribl.com.multi.uribl.com not found: 2(SERVFAIL) OK, bear with me here. If I remove the "." forward at this point, I still get SERVFAIL: # unbound-control -c /var/unbound/unbound.conf forward_remove . ok # unbound-control -c /var/unbound/unbound.conf list_forwards multi.uribl.com. IN forward multi.uribl.com. # unbound-control -c /var/unbound/unbound.conf flush_zone multi.uribl.com ok removed 0 rrsets, 0 messages and 0 key entries # unbound-control -c /var/unbound/unbound.conf flush_zone uribl.com ok removed 0 rrsets, 0 messages and 0 key entries # host -tTXT test.uribl.com.multi.uribl.com Host test.uribl.com.multi.uribl.com not found: 2(SERVFAIL) ...And everything works fine if I remove both forwards: # unbound-control -c /var/unbound/unbound.conf forward_remove . ok # unbound-control -c /var/unbound/unbound.conf forward_remove multi.uribl.com ok # unbound-control -c /var/unbound/unbound.conf flush_zone multi.uribl.com ok removed 0 rrsets, 0 messages and 0 key entries # unbound-control -c /var/unbound/unbound.conf flush_zone uribl.com ok removed 0 rrsets, 0 messages and 0 key entries # host -tTXT test.uribl.com.multi.uribl.com test.uribl.com.multi.uribl.com descriptive text "permanent testpoint" Now here's the really weird part: I can add the forwards back in with unbound-control, and the behavior is different. Now the DNSBL forward is still not working, but instead of SERVFAIL, it is going through the default forward! # unbound-control -c /var/unbound/unbound.conf forward_add . 75.75.75.75 75.75.76.76 ok # unbound-control -c /var/unbound/unbound.conf forward_add multi.uribl.com multi.uribl.com ok # unbound-control -c /var/unbound/unbound.conf list_forwards . IN forward 75.75.76.76 75.75.75.75 multi.uribl.com. IN forward multi.uribl.com. # unbound-control -c /var/unbound/unbound.conf flush_zone uribl.com ok removed 11 rrsets, 4 messages and 0 key entries # unbound-control -c /var/unbound/unbound.conf flush_zone multi.uribl.com ok removed 0 rrsets, 0 messages and 0 key entries # host -tTXT test.uribl.com.multi.uribl.com test.uribl.com.multi.uribl.com descriptive text "127.0.0.1 -> Query Refused. See http://uribl.com/refused.shtml for more information [Your DNS IP: 76.96.107.199]" (I do note one small difference: the default resolvers I specified on the command line apparently got added in reverse order for some reason. It doesn't seem to matter, though; I tried putting them reversed on the command line and the result was the same.) And as if that wasn't strange enough, remove the "." forward now, leaving just the one for the DNSBL zone, et voila: # unbound-control -c /var/unbound/unbound.conf forward_remove . ok # unbound-control -c /var/unbound/unbound.conf flush_zone uribl.com ok removed 1 rrsets, 2 messages and 0 key entries # unbound-control -c /var/unbound/unbound.conf flush_zone multi.uribl.com ok removed 0 rrsets, 0 messages and 0 key entries # unbound-control -c /var/unbound/unbound.conf list_forwards multi.uribl.com. IN forward multi.uribl.com. # host -tTXT test.uribl.com.multi.uribl.com test.uribl.com.multi.uribl.com descriptive text "permanent testpoint" *boggle* And I can go back to the initial SERVFAIL state with a reload (this is with Dag-Erling's patch applied): # unbound-control -c /var/unbound/unbound.conf reload ok # unbound-control -c /var/unbound/unbound.conf flush_zone uribl.com ok removed 0 rrsets, 0 messages and 0 key entries # unbound-control -c /var/unbound/unbound.conf flush_zone multi.uribl.com ok removed 0 rrsets, 0 messages and 0 key entries # host -tTXT test.uribl.com.multi.uribl.com Host test.uribl.com.multi.uribl.com not found: 2(SERVFAIL) Clearly I must be doing something wrong in my configuration, but I can't figure out what. Any help appreciated, and let me know if more info is needed. My configs: # cat /etc/resolvconf.conf # This file was generated by local-unbound-setup. # Modifications will be overwritten. resolv_conf="/dev/null" # prevent updating /etc/resolv.conf # Static DNS configuration # cat /etc/resolv.conf # Generated by resolvconf # search hsd1.co.comcast.net. # nameserver 10.0.1.1 nameserver 127.0.0.1 options edns0 # cat /var/unbound/unbound.conf # This file was generated by local-unbound-setup. # Modifications will be overwritten. server: username: unbound directory: /var/unbound chroot: /var/unbound pidfile: /var/run/local_unbound.pid auto-trust-anchor-file: /var/unbound/root.key include: /var/unbound/forward.conf include: /var/unbound/lan-zones.conf include: /var/unbound/control.conf include: /var/unbound/conf.d/*.conf # cat /var/unbound/forward.conf # This file was generated by local-unbound-setup. # Modifications will be overwritten. forward-zone: name: . forward-addr: 75.75.75.75 forward-addr: 75.75.76.76 # cat /var/unbound/conf.d/uribl.conf forward-zone: name: multi.uribl.com forward-host: multi.uribl.com