prevent unbound from attempting to contact root servers?

James Ralston ralston at
Wed Nov 16 20:21:30 UTC 2016

I'm attempting to configure unbound to act as a local caching
resolver.  I just want unbound to blindly forward all queries to our
local recursive resolvers.  That's it.

This has been somewhat challenging, because unbound's defaults are
clearly not optimized for this use case.

First, I turned off DNSSEC, and added the forward zone information:

            module-config: "iterator"

            name: "."
            forward-addr: <our nameserver1 IP>
            forward-addr: <our nameserver2 IP>
            forward-addr: <our nameserver3 IP>

But that wasn't enough, because unbound was killing queries for (or
containing) RFC1918 addresses, which we use.  So I had to add:


   local-zone: "localhost." nodefault
   local-zone: "" nodefault
   local-zone: "" nodefault
   local-zone: "" nodefault
   local-zone: "" nodefault

So this seems to work.

BUT: when unbound starts, it attempts to discover the current root
nameservers.  Unfortunately, it does this by attempting to send
queries directly to the root nameservers, instead of using the
forwarders.  This fails, because only our recursive resolvers (the
ones I configured unbound to use as forwarders) are permitted to send
DNS queries to the Internet at large; all other outbound DNS traffic
is blocked.  And unbound refuses to start (and refuses to answer
queries) until its attempts to reach the root nameservers time out,
which takes a good 20 seconds or so.

Moreover, after unbound is running and answering queries, it still
periodically attempts to contact the root nameservers directly.

I looked in the unbound.conf documentation to see if there was a way
to tell unbound to do one of the following:

    1.  Use the configured forwarders to learn the current root
        nameservers, instead of attempting to contact them directly.

    2.  Don't attempt to learn the current root nameservers at all,
        because unbound doesn't need to know them in this application.

But I could not find a way to accomplish either.

How can I prevent unbound from attempting to contact the root
nameservers directly?

More information about the Unbound-users mailing list