Hi,

You forgot to have do-not-query-localhost: no in the config file. This allows unbound to query hosts on the 127.0.0.1 and ::1 addresses, and is supposed to stop potential packet loops from happening.

Best regards, Wouter

On 6/16/19 5:41 PM, ronvarburg--- via Unbound-users wrote:
> With
>
> -------------------------------------------------------------
> server:
>     directory: "/etc/unbound"
>     do-daemonize: no
>     tcp-upstream: yes
>     trust-anchor-file: trusted-key.key
>     use-syslog: yes
>     username: "unbound"
>
> forward-zone:
>     name: "."
>     forward-addr: 127.0.0.1@1053
> -------------------------------------------------------------
>
> and
> % ssh -L 127.0.0.1:1053:127.0.0.1:53 server
> ,
> % drill nameToQuery
>
> returns SERVFAIL. In fact, no query works.
> According to tcpdump -vv -x -X -s 1500 -i lo 'port 1053',
> nothing is being sent to the forward-addr.
>
> While
> % drill -I 127.0.0.1 -p 1053 -4 -t nameToQuery
>
> succeeds. Is that expected, for example because it is inherent to the NS
> protocol?
> If it is supposed to work, how to further debug it?
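As an added check (not from this thread or from the Unbound project), a small POSIX shell lint that flags an unbound.conf whose forward-addr or stub-addr points at loopback while do-not-query-localhost is still at its default of yes; the sample config is the one quoted above, written to a temporary file, and the "fixed" copy adds the option under server: as Wouter describes.

```shell
#!/bin/sh
# Constructed sample: the config from the thread, unchanged.
SAMPLE_CONF=$(mktemp)
cat > "$SAMPLE_CONF" <<'EOF'
server:
    directory: "/etc/unbound"
    do-daemonize: no
    tcp-upstream: yes
    trust-anchor-file: trusted-key.key
    use-syslog: yes
    username: "unbound"

forward-zone:
    name: "."
    forward-addr: 127.0.0.1@1053
EOF

# Same config with do-not-query-localhost: no inserted in the server: clause.
FIXED_CONF=$(mktemp)
awk '{print} $1=="server:" {print "    do-not-query-localhost: no"}' \
    "$SAMPLE_CONF" > "$FIXED_CONF"

# check_loopback_forward FILE
# Prints "ok" when no forward-addr/stub-addr targets 127.x.x.x or ::1, or
# when one does and do-not-query-localhost is explicitly "no". Prints
# "blocked" (and returns 1) when a loopback upstream is configured but the
# default still forbids querying it, which is the SERVFAIL case above.
check_loopback_forward() {
    conf="$1"
    # Strip comments, then count upstream addresses on loopback.
    uses_loopback=$(sed 's/#.*//' "$conf" \
        | awk '$1=="forward-addr:" || $1=="stub-addr:" {print $2}' \
        | grep -Ec '^(127\.[0-9.]+|::1|\[::1\])(@[0-9]+)?$' || true)
    # Last do-not-query-localhost value wins if it appears more than once.
    allows_loopback=$(sed 's/#.*//' "$conf" \
        | awk '$1=="do-not-query-localhost:" {print $2}' | tail -n 1)
    if [ "$uses_loopback" -gt 0 ] && [ "$allows_loopback" != "no" ]; then
        echo blocked
        return 1
    fi
    echo ok
    return 0
}

check_loopback_forward "$SAMPLE_CONF" \
    || echo "fix: add 'do-not-query-localhost: no' under server:"  # blocked
check_loopback_forward "$FIXED_CONF"                               # ok
```

unbound-checkconf -o do-not-query-localhost /etc/unbound/unbound.conf prints the effective value for a real installation, which is the quickest way to confirm the setting took effect.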