prevent unbound from attempting to contact root servers?
listas at esds.com.br
Wed Nov 16 20:57:36 UTC 2016
2016-11-16 18:21 GMT-02:00 James Ralston via Unbound-users
<unbound-users at unbound.net>:
> I'm attempting to configure unbound to act as a local caching
> resolver. I just want unbound to blindly forward all queries to our
> local recursive resolvers. That's it.
> This has been somewhat challenging, because unbound's defaults are
> clearly not optimized for this use case.
> First, I turned off DNSSEC, and added the forward zone information:
> module-config: "iterator"
> name: "."
> forward-addr: <our nameserver1 IP>
> forward-addr: <our nameserver2 IP>
> forward-addr: <our nameserver3 IP>
> But that wasn't enough, because unbound was killing queries for (or
> containing) RFC1918 addresses, which we use. So I had to add:
> local-zone: "localhost." nodefault
> local-zone: "10.in-addr.arpa." nodefault
> local-zone: "127.in-addr.arpa." nodefault
> local-zone: "172.in-addr.arpa." nodefault
> local-zone: "192.in-addr.arpa." nodefault
> So this seems to work.
> BUT: when unbound starts, it attempts to discover the current root
> nameservers. Unfortunately, it does this by attempting to send
> queries directly to the root nameservers, instead of using the
> forwarders. This fails, because only our recursive resolvers (the
> ones I configured unbound to use as forwarders) are permitted to send
> DNS queries to the Internet at large; all other outbound DNS traffic
> is blocked. And unbound refuses to start (and refuses to answer
> queries) until its attempts to reach the root nameservers time out,
> which takes a good 20 seconds or so.
> Moreover, after unbound is running and answering queries, it still
> periodically attempts to contact the root nameservers directly.
> I looked in the unbound.conf documentation to see if there was a way
> to tell unbound to do one of the following:
> 1. Use the configured forwarders to learn the current root
> nameservers, instead of attempting to contact them directly.
> 2. Don't attempt to learn the current root nameservers at all,
> because unbound doesn't need to know them in this application.
> But I could not find a way to accomplish either.
> How can I prevent unbound from attempting to contact the root
> nameservers directly?
More information about the Unbound-users