Can't resolve many hosts

Stuart Henderson stu at
Wed Oct 30 20:49:27 UTC 2019

On 2019-10-26, Luis P. Mendes via Unbound-users <unbound-users at> wrote:
> Hi,
> I've been following some tutorials and have come to the unbound.conf
> configuration that is shown below.

You have all sorts of confusion here.

> Many sites can't be accessed, for example:
> # dig

Covered by previous reply.

> The forward-addr are all of type:
>         forward-addr: at
> I've read that this ways it enable DNSSEC validity.
> Should I use one line without the '' part?

ok.... the IP at port#hostname syntax is used for checking certificate
names with a DNS-over-TLS upstream and is nothing to do with dnssec.
For this you would need e.g.

        forward-addr: at
        forward-tls-upstream: yes

This would use a TLS channel between you and the forwarder but doesn't
enable any dnssec checking your side. (Some upstream resolvers will
do their own dnssec checking, others won't, according to their policy).

The hostname part of this is unused unless you are using a TLS channel
(i.e. "forward-addr: XXX at" is pointless).

For dnssec validation you would use something like

        module-config: "validator iterator"

and it's also often helpful to bump up logging with

        val-log-level: 2                                   

Also note that some public resolvers you might use as an upstream
will *block* downstream dnssec validation by stripping certain records.
A notable example of this is OpenDNS.

>====  unbound.conf
> server:
>         include: "/usr/pkg/etc/unbound/ads.conf"
>         verbosity: 1
>         interface:
>         access-control: allow

..and finally, please don't run a resolver that is open to the world
unless it's properly monitored/controlled and you know what you're doing.
Just list your own network/s in access-control and deny the rest for now.

More information about the Unbound-users mailing list