Unbound stop root server lookup
Daniel_Guevara at intuit.com
Wed Sep 4 15:08:53 UTC 2019
I am running unbound 1.6.6 on Amazon Linux (RHEL 7 derivative).
I have an issue where startup is taking roughly a minute. After reading several posts I discovered that this is due to unbound trying to contact root DNS servers and it takes a minute to timeout. As a test I updated my outbound rules to allow all outbound traffic on port 53. This indeed made startup almost immediate.
Unfortunately I have been told by my security team that I cannot enable this rule since they require all outbound DNS traffic to route through OpenDNS. In short, I need to set up my unbound as a "dumb forwarder". I tried setting module-config: "iterator" to disable DNSSEC, but the behavior is the same. I even tried putting the OpenDNS server IPs in root.hints, but the startup time is still around a minute (timeout). As a further test I put one of the known root servers as the only entry in the root.hints file and set an outbound rule just for that server. The behavior I am seeing is that it is faster, but not what I expect. Startup takes 7-10 seconds, which leads me to believe that it is still trying all of the root servers and not just the one I have configured.
Does anyone know how to truly disable the root server queries on start up? I have read several of the threads and this appears to be the closest to my issue:
In the end he was told that it may be due to an older version of Unbound, since the bug was fixed. I verified I am running the proper/latest unbound version for my Linux distribution (1.6.6):
Here is my config:
access-control: 127.0.0.0/8 allow
root-hints: "root.hints" # I added for my tests
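For reference, the following is an added example of a forwarder-only unbound.conf; it is not the poster's configuration and not something from the Unbound project. It sends every query to the OpenDNS public resolvers (208.67.222.222 and 208.67.220.220, which are assumed here to be the addresses the security team approved) and never falls back to iterating from the root, so no outbound rule for the root servers is needed. The listen address and access-control line are assumptions that match a local-only resolver.

```conf
# Added example (not from the original post): unbound as a pure forwarder.
server:
    # Assumed: only local clients use this resolver.
    interface: 127.0.0.1
    access-control: 127.0.0.0/8 allow
    # Run only the iterator module: no local DNSSEC validation, the upstream
    # resolver's answers are accepted as-is.
    module-config: "iterator"
    # root-hints is irrelevant for a "." forward-zone; it is deliberately
    # left out so there is nothing pointing at the root servers.

forward-zone:
    # Forward the whole namespace, not just one zone.
    name: "."
    # OpenDNS public resolvers (assumed to be the approved upstreams).
    forward-addr: 208.67.222.222
    forward-addr: 208.67.220.220
    # If the forwarders are unreachable, fail the query rather than
    # iterating toward the root servers yourself.
    forward-first: no
```

Run `unbound-checkconf` after editing, then confirm the behaviour rather than assume it: `dig @127.0.0.1 example.com` while capturing with `tcpdump -ni any port 53` should show outbound packets only to the two forwarder addresses. If the daemon still stalls at startup with this configuration, check whether the unit file (`systemctl cat unbound`) runs `unbound-anchor` as an `ExecStartPre`; on RHEL-family packages it typically does, and that helper resolves the root trust anchor with its own resolver (toward the root servers, independent of unbound.conf), so that step, not the daemon's configuration, would be what waits for the egress rule to time out. That is a thing to verify on the host, not something the post above establishes.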