Unbound stop root server lookup

Guevara, Daniel Daniel_Guevara at intuit.com
Wed Sep 4 15:08:53 UTC 2019


Hello,

I am running unbound 1.6.6 on Amazon Linux (RHEL 7 derivative).

I have an issue where startup is taking roughly a minute. After reading several posts I discovered that this is due to unbound trying to contact root DNS servers and it takes a minute to timeout. As a test I updated my outbound rules to allow all outbound traffic on port 53. This indeed made startup almost immediate.

Unfortunately I have been told by my security team that I cannot enable this rule since they require all outbound DNS traffic to route through OpenDNS. In short, I need to set up my unbound as a “dumb forwarder”. I tried setting module-config: "iterator" to disable DNSSEC, but the behavior is the same. I even tried putting the OpenDNS server IPs in root.hints, but the startup time is still around a minute (timeout). As a further test I put one of the known root servers as the only entry in the root.hints file and set an outbound rule just for that server. The behavior I am seeing is that it is faster, but not what I expect. Startup takes 7-10 seconds, which leads me to believe that it is still trying all of the root servers and not just the one I have configured.

Does anyone know how to truly disable the root server queries on start up? I have read several of the threads and this appears to be the closest to my issue:
https://nlnetlabs.nl/pipermail/unbound-users/2016-November/004533.html

In the end he was told that it may be due to an older version of Unbound, since the bug was fixed. I verified I am running the proper/latest unbound version for my Linux distribution (1.6.6):
https://repology.org/project/unbound/versions


Here is my config:
server:
  directory: "/etc/unbound"
  username: "unbound"
  pidfile: "/var/run/unbound.pid"
  verbosity: 2
  interface: 127.0.0.1
  access-control: 127.0.0.0/8 allow
  domain-insecure: "."
  prefetch: yes
  num-threads: 2
  root-hints: "root.hints" # I added for my tests
  module-config: "iterator"
  do-ip6: no

forward-zone:
  name: "."
  forward-addr: 208.67.222.222
  forward-addr: 208.67.222.220


Thanks,
Daniel
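As an added example (not part of the original message or of the Unbound project), a small Python lint for unbound.conf-style text that catches the kind of problems a reviewer would check before deploying a forwarder-only resolver: an unterminated quoted value (the posted pidfile line, which unbound-checkconf would reject), a forward-addr outside the set of upstream resolvers the egress policy permits, and forward-first: yes, which lets unbound fall back to recursion from the root when the forwarder fails. The sample configuration is constructed from the post, and PERMITTED_UPSTREAMS is an assumed policy list, not something the post states.

```python
import ipaddress

# Constructed sample: the unbound.conf as posted, including the
# unterminated quote on the pidfile line.
SAMPLE_CONF = """\
server:
  directory: "/etc/unbound"
  username: "unbound"
  pidfile: "/var/run/unbound.pid:
  verbosity: 2
  interface: 127.0.0.1
  access-control: 127.0.0.0/8 allow
  domain-insecure: "."
  prefetch: yes
  num-threads: 2
  root-hints: "root.hints" # I added for my tests
  module-config: "iterator"
  do-ip6: no

forward-zone:
  name: "."
  forward-addr: 208.67.222.222
  forward-addr: 208.67.222.220
"""

# Assumption: the only upstream resolvers outbound port 53 may reach.
PERMITTED_UPSTREAMS = {"208.67.222.222", "208.67.222.220"}


def strip_comment(line):
    """Drop a trailing '# ...' comment. A '#' starts a comment only at the
    beginning of the line or after whitespace, so a TLS auth-name suffix such
    as 192.0.2.1@853#dns.example on a forward-addr line is left intact."""
    for i, ch in enumerate(line):
        if ch == "#" and (i == 0 or line[i - 1].isspace()):
            return line[:i]
    return line


def parse_unbound_conf(text):
    """Return a list of (section_name, [(lineno, key, value), ...]).
    Values are kept verbatim, quotes included, so quoting errors stay visible."""
    sections = []
    current = None
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = strip_comment(raw).strip()
        if not line:
            continue
        key, sep, value = line.partition(":")
        if sep and not value.strip():  # "server:" / "forward-zone:" header
            current = (key.strip(), [])
            sections.append(current)
            continue
        if current is None:  # tolerate options before any section header
            current = ("", [])
            sections.append(current)
        current[1].append((lineno, key.strip(), value.strip()))
    return sections


def lint(text, permitted):
    """Return a list of human-readable findings for the given config text."""
    findings = []
    for _section, entries in parse_unbound_conf(text):
        for lineno, key, value in entries:
            if value.count('"') % 2:
                findings.append(f"line {lineno}: unterminated quote in {key}: {value}")
            if key == "forward-addr":
                # forward-addr may carry @port and #authname suffixes; strip both.
                addr = value.split("@")[0].split("#")[0]
                try:
                    ipaddress.ip_address(addr)
                except ValueError:
                    findings.append(f"line {lineno}: forward-addr is not an IP address: {value}")
                    continue
                if addr not in permitted:
                    findings.append(f"line {lineno}: forward-addr {addr} is outside the permitted upstream set")
            if key == "forward-first" and value.lower() == "yes":
                findings.append(f"line {lineno}: forward-first yes falls back to recursion from the root when the forwarder fails")
    return findings


if __name__ == "__main__":
    for finding in lint(SAMPLE_CONF, PERMITTED_UPSTREAMS):
        print(finding)
```

Run against the posted configuration this reports only the unterminated quote on the pidfile line; both forward-addr entries are within the assumed permitted set and no forward-first option is present.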
