On 22.09.2015 at 19:02, Mike Brown via Unbound-users wrote:
> * by default, queries go to my ISP's resolvers (Comcast: 75.75.75.75 & 75.75.76.76)
Why would you do that? I expect Comcast not to block other DNS queries? Assuming that, I would suggest running unbound simply in its default configuration -> resolving directly via the root nameservers. No default forwarding -> no need to configure exceptions for DNSBL zones.

Also, I'm not aware that any unbound configuration is modified in any way by a DHCP client. I usually ignore any resolver announced by a DHCP server:

    $ stat --printf "%a\n" /etc/dhcp/dhclient-enter-hooks.d/do_not_touch_resolv_conf
    755
    $ cat /etc/dhcp/dhclient-enter-hooks.d/do_not_touch_resolv_conf
    #!/bin/sh
    make_resolv_conf() {
        logger -p daemon.info -t /etc/dhcp/dhclient-enter-hooks.d/do_not_touch_resolv_conf "ignore DHCP suggestion 'nameserver $new_domain_name_servers'"
        :
    }
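Added example, not part of the original mail: a small audit of the setup suggested above, checking that resolv.conf lists only loopback resolvers and that unbound.conf has no forward-zone for the root. The function names, the assumption that the local unbound listens on loopback, and the one-directive-per-line config layout are assumptions of this example.

```sh
#!/bin/sh
# Added example (not from the original mail). Audits two things:
#   1. resolv.conf lists only loopback resolvers (assumed: unbound on 127.0.0.1/::1)
#   2. unbound.conf does not forward the root zone "." to an upstream resolver
# Assumes the conventional one-directive-per-line unbound.conf layout.

# Print every nameserver from resolv.conf text (stdin) that is not loopback.
non_local_nameservers() {
    awk '$1 == "nameserver" && $2 !~ /^127\./ && $2 != "::1" { print $2 }'
}

# Print the upstream targets of any forward-zone named "." (unbound.conf on stdin).
root_forwarders() {
    awk '
        function flush() {
            if (clause == "forward-zone:" && name == ".") printf "%s", addrs
            name = ""; addrs = ""
        }
        { sub(/#.*/, "") }                      # strip comments
        /^[ \t]*[a-z-]+:[ \t]*$/ {              # clause header such as "server:"
            flush(); clause = $1; next
        }
        clause == "forward-zone:" && $1 == "name:" { gsub(/"/, "", $2); name = $2 }
        clause == "forward-zone:" && ($1 == "forward-addr:" || $1 == "forward-host:") {
            addrs = addrs $2 "\n"
        }
        END { flush() }
    '
}

# audit_resolver RESOLV_CONF UNBOUND_CONF -> exit status 0 if both checks pass.
audit_resolver() {
    status=0
    bad=$(non_local_nameservers < "$1")
    if [ -n "$bad" ]; then
        echo "resolv.conf lists non-local resolvers:" $bad
        status=1
    fi
    fwd=$(root_forwarders < "$2")
    if [ -n "$fwd" ]; then
        echo "unbound forwards the root zone to:" $fwd
        status=1
    fi
    return $status
}

# Run against real files only when two paths are given on the command line.
if [ "$#" -eq 2 ]; then audit_resolver "$1" "$2"; fi
```

Run it as `sh audit.sh /etc/resolv.conf /etc/unbound/unbound.conf` after a DHCP lease renewal; the unbound.conf path differs between distributions.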