I'm attempting to configure unbound to act as a local caching resolver. I just want unbound to blindly forward all queries to our local recursive resolvers. That's it. This has been somewhat challenging, because unbound's defaults are clearly not optimized for this use case. First, I turned off DNSSEC, and added the forward zone information: server: module-config: "iterator" forward-zone: name: "." forward-addr: <our nameserver1 IP> forward-addr: <our nameserver2 IP> forward-addr: <our nameserver3 IP> But that wasn't enough, because unbound was killing queries for (or containing) RFC1918 addresses, which we use. So I had to add: server: local-zone: "localhost." nodefault local-zone: "10.in-addr.arpa." nodefault local-zone: "127.in-addr.arpa." nodefault local-zone: "172.in-addr.arpa." nodefault local-zone: "192.in-addr.arpa." nodefault So this seems to work. BUT: when unbound starts, it attempts to discover the current root nameservers. Unfortunately, it does this by attempting to send queries directly to the root nameservers, instead of using the forwarders. This fails, because only our recursive resolvers (the ones I configured unbound to use as forwarders) are permitted to send DNS queries to the Internet at large; all other outbound DNS traffic is blocked. And unbound refuses to start (and refuses to answer queries) until its attempts to reach the root nameservers time out, which takes a good 20 seconds or so. Moreover, after unbound is running and answering queries, it still periodically attempts to contact the root nameservers directly. I looked in the unbound.conf documentation to see if there was a way to tell unbound to do one of the following: 1. Use the configured forwarders to learn the current root nameservers, instead of attempting to contact them directly. 2. Don't attempt to learn the current root nameservers at all, because unbound doesn't need to know them in this application. But I could not find a way to accomplish either. How can I prevent unbound from attempting to contact the root nameservers directly?