Maintained by: NLnet Labs

[Unbound-users] problem with forward zone?

Casey Stone
Mon Aug 5 18:25:13 CEST 2013


Hello unbound-users:

I have Unbound 1.4.19 running on Ubuntu 13.04 server on my LAN (private address) that I wish to use as a local caching recursive DNS server (not attempting DNSSEC). The reason I have set up Unbound is to provide caching for DNSCrypt-Proxy which is also running on this same machine. By capturing the traffic at the router level I can verify that when I do a lookup from this same Ubuntu machine it is correctly going through DNSCrypt-Proxy because there is no port 53 activity, it runs over port 443 to the OpenDNS server as expected.

The problem arises when another computer on the LAN tries to do a lookup using the Unbound computer -- the traffic then uses standard port 53 and does a full lookup starting with a TLD.

The appearance is that the local machine respects the forward-zone setting (forwards all to DNSCrypt-Proxy on 127.0.0.2) but the lookups for other machines on the LAN are not respecting the forward-zone setting.

I'm running unbound version 1.4.19 on Ubuntu 13.04 server. Thank you for your help.

-Casey

my unbound.conf

server:
        verbosity: 1
        statistics-cumulative: yes
        interface: 127.0.0.1
        interface: 10.0.1.13
        outgoing-interface: 10.0.1.13
        msg-cache-size: 8m
        rrset-cache-size: 16m
        access-control: 10.0.1.0/24 allow
        username: "unbound"
        logfile: "/var/log/unbound.log"
        use-syslog: no
        log-time-ascii: yes
        private-domain: "home.lan"
        prefetch: yes
        module-config: "iterator"
        auto-trust-anchor-file: "/etc/unbound/root.key"
        dlv-anchor-file: "dlv.isc.org.key"
        domain-insecure: "home.lan"
        local-zone: "home.lan." static
        local-data: "pfsense.home.lan.  IN A 10.0.0.1"
        local-data-ptr: "10.0.0.1  pfsense.home.lan"
python:
remote-control:
stub-zone:
        name: "home.lan"
        stub-addr: 10.0.1.1
        stub-prime: no
        stub-first: no
forward-zone:
        name: "."
        forward-addr: 127.0.0.2  # forward all to 127.0.0.2 where DNSCrypt is running!
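As an added example (not from the original post and not part of Unbound), here is a small Python parser for the unbound.conf clause syntax used above, with a few checks that report how queries will be routed: whether a forward-zone for "." exists (without one, Unbound performs full recursion from the root servers itself), whether a stub-zone overlaps a local-zone of the same name, and whether a non-loopback listener has a matching access-control allow rule (Unbound refuses non-localhost clients by default). The embedded SAMPLE_CONF is a trimmed, constructed copy of the configuration quoted above; the parser, the check logic and all function names are assumptions of this example.

```python
"""Parser and sanity checks for the unbound.conf clause syntax.

Added example: parse_unbound_conf(), audit() and SAMPLE_CONF are constructed
for this post and are not Unbound's own code. SAMPLE_CONF is a trimmed copy
of the configuration quoted in the post.
"""
import ipaddress
import shlex
from collections import defaultdict

SAMPLE_CONF = """\
server:
        interface: 127.0.0.1
        interface: 10.0.1.13
        outgoing-interface: 10.0.1.13
        access-control: 10.0.1.0/24 allow
        module-config: "iterator"
        local-zone: "home.lan." static
        local-data: "pfsense.home.lan.  IN A 10.0.0.1"
python:
remote-control:
stub-zone:
        name: "home.lan"
        stub-addr: 10.0.1.1
forward-zone:
        name: "."
        forward-addr: 127.0.0.2  # forward all to 127.0.0.2 where DNSCrypt is running!
"""


def parse_unbound_conf(text):
    """Return [(clause_name, options)] in file order.

    options maps an option key to a list of token lists, one per occurrence,
    because Unbound allows repeated keys (interface:, forward-addr:, ...).
    shlex keeps "quoted values" as one token and strips # comments.
    """
    sections = []
    options = None
    for raw in text.splitlines():
        tokens = shlex.split(raw, comments=True)
        if not tokens:
            continue
        key = tokens[0]
        if not key.endswith(":"):
            raise ValueError(f"unexpected line: {raw!r}")
        key = key[:-1]
        if len(tokens) == 1:  # "server:", "forward-zone:", ... open a clause
            options = defaultdict(list)
            sections.append((key, options))
        elif options is None:
            raise ValueError(f"option {key} appears before any clause")
        else:
            options[key].append(tokens[1:])
    return sections


def canonical(name):
    """Zone names compare equal with or without the trailing dot."""
    name = name.lower()
    return name if name.endswith(".") else name + "."


def zones_of(sections, clause, addr_key):
    """Map zone name -> list of addresses for every stub-zone/forward-zone clause."""
    result = {}
    for name, opts in sections:
        if name == clause and opts.get("name"):
            result[canonical(opts["name"][0][0])] = [t[0] for t in opts.get(addr_key, [])]
    return result


def audit(sections):
    """Return human-readable findings about how queries will be routed."""
    findings = []
    server = next((o for n, o in sections if n == "server"), {})
    local_zones = {canonical(t[0]): t[1] for t in server.get("local-zone", []) if len(t) >= 2}
    stubs = zones_of(sections, "stub-zone", "stub-addr")
    forwards = zones_of(sections, "forward-zone", "forward-addr")

    if "." not in forwards:
        findings.append("no forward-zone for '.': names outside local/stub zones are "
                        "resolved by full recursion from the root servers")
    for zone, addrs in forwards.items():
        if not addrs:
            findings.append(f"forward-zone {zone} has no forward-addr")
    for zone in stubs:
        if zone in local_zones:
            findings.append(f"stub-zone {zone} overlaps local-zone {zone} "
                            f"{local_zones[zone]}: check which one should answer")
    # Unbound refuses queries by default except from localhost, so a LAN
    # listener needs at least one non-loopback access-control allow rule.
    lan_allowed = any(
        t[1] in ("allow", "allow_snoop")
        and not ipaddress.ip_network(t[0], strict=False).is_loopback
        for t in server.get("access-control", []) if len(t) >= 2)
    for t in server.get("interface", []):
        addr = ipaddress.ip_address(t[0].split("@")[0])
        if not addr.is_loopback and not lan_allowed:
            findings.append(f"interface {addr} listens on the LAN but no "
                            "access-control allow rule covers non-loopback clients")
            break
    return findings


if __name__ == "__main__":
    for finding in audit(parse_unbound_conf(SAMPLE_CONF)):
        print("-", finding)
```

Run it against your own file with `audit(parse_unbound_conf(open("/etc/unbound/unbound.conf").read()))`; for the sample above it reports only the home.lan stub-zone/local-zone overlap, since the forward-zone for "." and the 10.0.1.0/24 allow rule are both present.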