Maintained by: NLnet Labs

prevent unbound from attempting to contact root servers?

Eduardo Schoedler
Wed Nov 16 21:57:36 CET 2016

https://tools.ietf.org/html/rfc7706#appendix-B.2

2016-11-16 18:21 GMT-02:00 James Ralston via Unbound-users
<unbound-users at unbound.net>:
> I'm attempting to configure unbound to act as a local caching
> resolver.  I just want unbound to blindly forward all queries to our
> local recursive resolvers.  That's it.
>
> This has been somewhat challenging, because unbound's defaults are
> clearly not optimized for this use case.
>
> First, I turned off DNSSEC, and added the forward zone information:
>
>     server:
>             module-config: "iterator"
>
>     forward-zone:
>             name: "."
>             forward-addr: <our nameserver1 IP>
>             forward-addr: <our nameserver2 IP>
>             forward-addr: <our nameserver3 IP>
>
> But that wasn't enough, because unbound was killing queries for (or
> containing) RFC1918 addresses, which we use.  So I had to add:
>
>     server:
>             local-zone: "localhost." nodefault
>             local-zone: "10.in-addr.arpa." nodefault
>             local-zone: "127.in-addr.arpa." nodefault
>             local-zone: "172.in-addr.arpa." nodefault
>             local-zone: "192.in-addr.arpa." nodefault
>
> So this seems to work.
>
> BUT: when unbound starts, it attempts to discover the current root
> nameservers.  Unfortunately, it does this by attempting to send
> queries directly to the root nameservers, instead of using the
> forwarders.  This fails, because only our recursive resolvers (the
> ones I configured unbound to use as forwarders) are permitted to send
> DNS queries to the Internet at large; all other outbound DNS traffic
> is blocked.  And unbound refuses to start (and refuses to answer
> queries) until its attempts to reach the root nameservers time out,
> which takes a good 20 seconds or so.
>
> Moreover, after unbound is running and answering queries, it still
> periodically attempts to contact the root nameservers directly.
>
> I looked in the unbound.conf documentation to see if there was a way
> to tell unbound to do one of the following:
>
>     1.  Use the configured forwarders to learn the current root
>         nameservers, instead of attempting to contact them directly.
>
>     2.  Don't attempt to learn the current root nameservers at all,
>         because unbound doesn't need to know them in this application.
>
> But I could not find a way to accomplish either.
>
> How can I prevent unbound from attempting to contact the root
> nameservers directly?

-- 
Eduardo Schoedler
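
The configuration pattern the cited appendix describes, placed beside the forward-only setup from the question, as an added example in unbound.conf syntax. It is not part of this thread and is not code from NLnet Labs. The IP addresses and the port are placeholders, and the stub-zone variant assumes an authoritative copy of the root zone is being served on loopback by a separate server, which is the setup RFC 7706 builds.

```text
# Added example (not from the thread, not NLnet Labs code): unbound.conf
# fragments showing two ways to keep unbound from iterating towards the
# root itself. All addresses below are placeholders.

server:
    # Resolver only, no DNSSEC validation, as in the original post.
    module-config: "iterator"

    # unbound installs built-in local-zone defaults for the RFC 1918
    # reverse zones that answer locally instead of sending the query on.
    # "nodefault" removes a default so the query follows the normal path.
    # The names here are the ones unbound actually installs by default
    # (172.16/12 is one line per /16, 16.172 through 31.172).
    local-zone: "10.in-addr.arpa." nodefault
    local-zone: "16.172.in-addr.arpa." nodefault
    local-zone: "168.192.in-addr.arpa." nodefault

    # Only needed for variant B below, whose stub target is on loopback.
    do-not-query-localhost: no

# Variant A: the forward-only setup from the question. Every query is sent
# with the RD bit set to the listed recursive resolvers. Leave forward-first
# at its default of "no": with "yes", unbound falls back to full recursion
# (and therefore to root queries) whenever the forwarders do not answer.
forward-zone:
    name: "."
    forward-addr: 192.0.2.53       # placeholder: site recursive resolver 1
    forward-addr: 192.0.2.54       # placeholder: site recursive resolver 2
    forward-first: no

# Variant B: the pattern from RFC 7706, Appendix B.2, which the reply cites.
# A stub zone for "." points at a local authoritative copy of the root zone
# (served on loopback by an authoritative server such as NSD), and
# stub-prime: no stops unbound from priming the root NS set by querying the
# real root servers. A stub zone sends iterative (RD=0) queries, so its
# target must be authoritative for the root, not a recursive resolver.
# Configure only one of the two variants for "." in a given file.
#
# stub-zone:
#     name: "."
#     stub-addr: 127.0.0.1@5353      # placeholder: local root-zone copy
#     stub-prime: no
```

Run `unbound-checkconf` on the resulting file before restarting; it rejects a zone name configured as both a forward-zone and a stub-zone.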