Maintained by: NLnet Labs

[Unbound-users] problem with forward zone?

Robert Edmonds
Wed Jan 22 18:40:51 CET 2014

W.C.A. Wijngaards wrote:
> Hi Casey,
> On 01/22/2014 10:18 AM, Casey Stone wrote:
> > I previously posted about Unbound seemingly not observing the
> > forward-zone settings in my setup (unbound version 1.4.19 on Ubuntu
> > 13.04 server). My reason for using the forward-zone directive in
> > unbound.conf is to forward all requests through dnscrypt-proxy
> > running on the localhost:

Based on your version numbers it sounds like you're using the unbound
package shipped with the Ubuntu system:

Which is based on the Debian unbound package.

> It seems something else is running and calling "unbound-control
> forward off".  This would disable your configured forward-zone
> statement at run time.  Setting control-enable: no causes this
> unbound-control sequence to be ignored (because you disallow
> remote-control in unbound.conf).

On Debian systems, the unbound package is integrated with the resolvconf
system for configuring the set of forwarders, which allows the sysadmin
to specify the forwarders to be used in the /etc/network/interfaces
config file using the "dns-nameservers" directive.  See the
interfaces(5) and resolvconf(8) manpages for details.  (I think the
resolvconf system can also learn forwarder addresses from

The unbound package's resolvconf integration is optional but enabled by
default.  It can be disabled by commenting out the line
"RESOLVCONF_FORWARDERS=true" in /etc/default/unbound (or by uninstalling
the resolvconf package), which is preferable to disabling the
remote-control mechanism entirely.  (Otherwise the unbound package's
resolvconf integration script will still be run on network interface
changes and still attempt to reconfigure unbound's forwarders, it will
just silently fail.)

Robert Edmonds
edmonds at