https://tools.ietf.org/html/rfc7706#appendix-B.2
2016-11-16 18:21 GMT-02:00 James Ralston via Unbound-users <unbound-users@unbound.net>:
> I'm attempting to configure unbound to act as a local caching
> resolver. I just want unbound to blindly forward all queries to our
> local recursive resolvers. That's it.
>
> This has been somewhat challenging, because unbound's defaults are
> clearly not optimized for this use case.
>
> First, I turned off DNSSEC, and added the forward zone information:
>
> server:
>     module-config: "iterator"
>
> forward-zone:
>     name: "."
>     forward-addr: <our nameserver1 IP>
>     forward-addr: <our nameserver2 IP>
>     forward-addr: <our nameserver3 IP>
>
> But that wasn't enough, because unbound was killing queries for (or
> containing) RFC1918 addresses, which we use. So I had to add:
>
> server:
>     local-zone: "localhost." nodefault
>     local-zone: "10.in-addr.arpa." nodefault
>     local-zone: "127.in-addr.arpa." nodefault
>     local-zone: "172.in-addr.arpa." nodefault
>     local-zone: "192.in-addr.arpa." nodefault
>
> So this seems to work.
>
> BUT: when unbound starts, it attempts to discover the current root
> nameservers. Unfortunately, it does this by attempting to send
> queries directly to the root nameservers, instead of using the
> forwarders. This fails, because only our recursive resolvers (the
> ones I configured unbound to use as forwarders) are permitted to send
> DNS queries to the Internet at large; all other outbound DNS traffic
> is blocked. And unbound refuses to start (and refuses to answer
> queries) until its attempts to reach the root nameservers time out,
> which takes a good 20 seconds or so.
>
> Moreover, after unbound is running and answering queries, it still
> periodically attempts to contact the root nameservers directly.
>
> I looked in the unbound.conf documentation to see if there was a way
> to tell unbound to do one of the following:
>
> 1. Use the configured forwarders to learn the current root
>    nameservers, instead of attempting to contact them directly.
>
> 2. Don't attempt to learn the current root nameservers at all,
>    because unbound doesn't need to know them in this application.
>
> But I could not find a way to accomplish either.
>
> How can I prevent unbound from attempting to contact the root
> nameservers directly?

-- 
Eduardo Schoedler
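As an added example (not from this thread or the Unbound project), a small Python check that reads the configuration quoted above and flags two pitfalls of a forward-only setup: a missing or `forward-first` forwarder for "." and `nodefault` entries that do not name one of unbound's built-in default zones (unbound.conf(5) defines `16.172.in-addr.arpa.` through `31.172.in-addr.arpa.` and `168.192.in-addr.arpa.`, so `172.in-addr.arpa.` and `192.in-addr.arpa.` leave those defaults in place). The 192.0.2.x forwarder addresses and the built-in zone list trimmed to the zones mentioned here are assumptions; `unblock-lan-zones: yes` is the documented alternative to listing each zone.

```python
# Built-in default local-zones from unbound.conf(5), trimmed to the zones the
# thread mentions (AS112 and IPv6 defaults omitted; an assumption for brevity).
BUILTIN_LOCAL_ZONES = {"localhost.", "127.in-addr.arpa.", "10.in-addr.arpa.",
                       "168.192.in-addr.arpa."} | {f"{i}.172.in-addr.arpa." for i in range(16, 32)}

# Constructed sample: the poster's configuration, 192.0.2.x standing in for <our nameserverN IP>.
SAMPLE_CONF = """\
server:
    module-config: "iterator"
    local-zone: "localhost." nodefault
    local-zone: "10.in-addr.arpa." nodefault
    local-zone: "127.in-addr.arpa." nodefault
    local-zone: "172.in-addr.arpa." nodefault
    local-zone: "192.in-addr.arpa." nodefault
forward-zone:
    name: "."
    forward-addr: 192.0.2.1
    forward-addr: 192.0.2.2
"""

def parse_unbound_conf(text):
    """Return [(clause, [(key, value), ...])] from unbound's clause/attribute layout."""
    clauses = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()              # drop comments and trailing space
        if not line.strip():
            continue
        if not line[0].isspace() and line.endswith(":"):  # clause header, e.g. "forward-zone:"
            clauses.append((line[:-1], []))
        elif clauses:                                     # attribute inside the open clause
            key, _, value = line.strip().partition(":")
            clauses[-1][1].append((key.strip(), value.strip()))
    return clauses

def check_forward_only(text):
    """Return findings for a forward-only resolver; an empty list means none."""
    findings = []
    clauses = parse_unbound_conf(text)
    roots = [kv for name, kv in clauses if name == "forward-zone" and ("name", '"."') in kv]
    if not roots:
        findings.append('no forward-zone for ".": queries are iterated, not forwarded')
    elif ("forward-first", "yes") in roots[0]:
        findings.append("forward-first: yes falls back to iteration when forwarders fail")
    for name, kv in clauses:
        for key, value in kv:
            if name == "server" and key == "local-zone" and value.endswith(" nodefault"):
                zone = value.split()[0].strip('"')
                if zone not in BUILTIN_LOCAL_ZONES:  # nodefault only matches the exact built-in name
                    findings.append(f"nodefault on {zone} matches no built-in zone; name the "
                                    "exact default (e.g. 16.172.in-addr.arpa.) or set unblock-lan-zones: yes")
    return findings
```

Run `check_forward_only(SAMPLE_CONF)` to see the two nodefault findings; unbound-checkconf accepts the same file because it validates syntax, not intent.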