[Unbound-users] problem with forward zone?

Casey Stone tcstone at caseystone.com
Mon Aug 5 16:25:13 UTC 2013

Hello unbound-users:

I have Unbound 1.4.19 running on Ubuntu 13.04 server on my LAN (private address) that I wish to use as a local caching recursive DNS server (not attempting DNSSEC). The reason I have set up Unbound is to provide caching for DNSCrypt-Proxy which is also running on this same machine. By capturing the traffic at the router level I can verify that when I do a lookup from this same Ubuntu machine it is correctly going through DNSCrypt-Proxy because there is no port 53 activity, it runs over port 443 to the OpenDNS server as expected.

The problem arises when another computer on the LAN tries to do a lookup using the Unbound computer -- the traffic then uses standard port 53 and does a full lookup starting with a TLD.

The appearance is that the local machine respects the forward-zone setting (forwards all to DNSCrypt-Proxy on but the lookups for other machines on the LAN are not respecting the forward-zone setting.

I'm running unbound version 1.4.19 on Ubuntu 13.04 server. Thank you for your help.


my unbound.conf

        verbosity: 1
        statistics-cumulative: yes
        msg-cache-size: 8m
        rrset-cache-size: 16m
        access-control: allow
        username: "unbound"
        logfile: "/var/log/unbound.log"
        use-syslog: no
        log-time-ascii: yes
        private-domain: "home.lan"
        prefetch: yes
        module-config: "iterator"
        auto-trust-anchor-file: "/etc/unbound/root.key"
        dlv-anchor-file: "dlv.isc.org.key"
        domain-insecure: "home.lan"
    local-zone: "home.lan." static
    local-data: "pfsense.home.lan.  IN A"
    local-data-ptr: "  pfsense.home.lan"
        name: "home.lan"
        stub-prime: no
        stub-first: no
       name: "."
       forward-addr:  # forward all to where DNSCrypt is running!

More information about the Unbound-users mailing list