Unbound stop root server lookup

Guevara, Daniel Daniel_Guevara at intuit.com
Wed Sep 4 17:17:06 UTC 2019

Thanks Paul.

I want to make sure I understand a few things.

If I remove the forward zone as you proposed, that will not send traffic to OpenDNS correct? I understand that I need to have the conversation with my security team about whether they choose to trust rewritten answers, but they still require that we use OpenDNS.

Second, I am not sure I completely understand the root.hints functionality. I was under the impression that I could create a custom one. For example the one you linked has 13 root servers. I tried configuring it with only one of those root servers, allowing outbound access to that server, yet the startup time is still not as quick as when I allow all outbound access. This leads me to believe that it is still trying root servers I did not define? (This was only a test and I am not proposing to only use one root server)

On 9/4/19, 9:42 AM, "Paul Wouters" <paul at nohats.ca> wrote:

    On Wed, 4 Sep 2019, Guevara, Daniel via Unbound-users wrote:
    > I am running unbound 1.6.6 on Amazon Linux (RHEL 7 derivative).
    > Unfortunately I have been told by my security team that I cannot enable this rule since they require all outbound DNS traffic to route
    > through OpenDNS. In short I need to set up my unbound as a “dumb forwarder”. I tried setting module-config: "iterator" to disable DNSSEC
    > but the behavior is the same. I even tried putting in the OpenDNS server IPs in root.hints but the startup time is still around a minute
    > (timeout). As a further test I put one of the known root servers as the only entry in the root.hints file and set an outbound rule just
    > for that server. The behavior I am seeing is it is faster but not what I expect. Start up takes 7-10 seconds which leads me to believe
    > that it is still trying all of the root servers and not just the one I have configured.
    OpenDNS rewrites DNS answers and breaks DNSSEC. So you need to get in
    sync with your Security people on the question of whether they expect
    you to trust DNSSEC answers rewritten by opendns. If they just want
    to audit the DNS queries and are monitoring all DNS queries to/via
    opendns, then you only need to configure the opendns servers as
    forwarders. You will drop all rewritten answers that fail DNSSEC
    validation (but since they were rewritten, likely these were filtered).
    If they expect you to believe different DNS answers as rewritten by
    opendns to possibly point to different IPs (does opendns do this?)
    then you might need to also disable DNSSEC validation, but that
    makes you vulnerable to DNS spoofing in the path between opendns
    and your servers.
    For your configuration, you can try removing the forward-zone
    and use:
    root-hints: "/etc/unbound/root.hints"
    To get the root.hints, you can try:
    wget -S -N https://www.internic.net/domain/named.cache -O /etc/unbound/root.hints
    If you need to disable dnssec, enable
            val-permissive-mode: yes
    But I strongly recommend to not disable DNSSEC.
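The two configurations being weighed above, written out as an added example (this is not from either mail and not unbound's shipped config). The OpenDNS addresses are its published resolver IPs; the anchor and hints paths assume the RHEL-style package layout, and the root.hints file is the one fetched with the wget command quoted above.

```conf
# Added example for the thread above, not the project's own sample config.
# Assumptions: RHEL/Amazon Linux package paths, OpenDNS public resolver IPs.
server:
    interface: 127.0.0.1
    # Keep validation on in both variants. This is the default module-config;
    # it is what makes unbound drop a rewritten answer that fails DNSSEC.
    module-config: "validator iterator"
    auto-trust-anchor-file: "/var/lib/unbound/root.key"
    # Only consulted when no forward-zone covers "." (variant B below);
    # harmless to leave in place for variant A.
    root-hints: "/etc/unbound/root.hints"
    # Variant C, not recommended: still validate and log bogus answers, but
    # hand them to clients anyway. Uncomment only if policy requires
    # accepting rewritten answers; it reopens spoofing between OpenDNS and you.
    # val-permissive-mode: yes

# Variant A: "dumb forwarder". Every query for every name is sent to OpenDNS
# and unbound never contacts the root or any authoritative server itself, so
# the egress rule only needs to allow port 53 UDP/TCP to these two addresses.
# DNSSEC still works: the DNSKEY/DS records are fetched through the same
# forwarders and validated locally against the trust anchor.
forward-zone:
    name: "."
    forward-addr: 208.67.222.222
    forward-addr: 208.67.220.220

# Variant B (the suggestion in the quoted mail): delete the forward-zone
# block above entirely so unbound recurses from root-hints. This needs egress
# to the root servers and to every authoritative server on the Internet, which
# is exactly what the "OpenDNS only" egress policy forbids.
```

Run `unbound-checkconf` after editing, then `dig +dnssec @127.0.0.1 <signed-name>` and check for the `ad` flag in the response header; with variant A that flag is set only when the answer relayed by OpenDNS validated unchanged. One caveat on the root.hints experiment: the hints are only used to reach a first root server, which is then asked for the root NS set (the priming query), and unbound replaces the hints with that answer. A hints file listing a single root server therefore does not confine unbound to that server, which is consistent with an egress rule for one server still being too narrow.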
