Unbound stop root server lookup

Paul Wouters paul at nohats.ca
Wed Sep 4 16:42:08 UTC 2019

On Wed, 4 Sep 2019, Guevara, Daniel via Unbound-users wrote:

> I am running unbound 1.6.6 on Amazon Linux (RHEL 7 derivative).

> Unfortunately I have been told by my security team that I cannot enable this rule since they require all outbound DNS traffic to route
> through OpenDNS. In short I need to set up my unbound as a “dumb forwarder”. I tried setting module-config: "iterator" to disable DNSSEC
> but the behavior is the same. I even tried putting in the OpenDNS server IPs in root.hints but the startup time is still around a minute
> (timeout). As a further test I put one of the known root servers as the only entry in the root.hints file and set an outbound rule just
> for that server. The behavior I am seeing is it is faster but not what I expect. Start up takes 7-10 seconds which leads me to believe
> that it is still trying all of the root servers and not just the one I have configured.

OpenDNS rewrites DNS answers and breaks DNSSEC. So you need to get in
sync with your Security people on the question of whether they expect
you to trust DNSSEC answers rewritten by opendnssec. If they just want
to audit the DNS queries and are monitoring all DNS queries to/via
opendns, then you only need to configure the opendns servers as
forwarders. You will drop all rewritten answers that fail DNSSEC
validation (but since they were rewritten, likely these were filtered

If the expect you to believe different DNS answers as rewritten by
opendns to possibly point to different IPs (does opendns do this?)
then you might need to also disable DNSSEC validation, but that
makes you vulnerable to DNS spoofing in the path between opendns
and your servers.

For your configuration, you can try removing the forward-zone
and use:

root-hints: "/etc/unbound/root.hints"

To get the root.hints, you can try:

wget -S -N https://www.internic.net/domain/named.cache -O /etc/unbound/root.hints

If you need to disable dnssec, enable

 	val-permissive-mode: yes

But I strongly recommend to not disable DNSSEC.


More information about the Unbound-users mailing list