Hello, I am running unbound 1.6.6 on Amazon Linux (RHEL 7 derivative).
I have an issue where startup is taking roughly a minute. After reading several posts I discovered that this is due to unbound trying to contact root DNS servers and it takes a minute to time out. As a test I updated my outbound rules to allow all outbound traffic on port 53. This indeed made startup almost immediate. Unfortunately I have been told by my security team that I cannot enable this rule since they require all outbound DNS traffic to route through OpenDNS. In short, I need to set up my unbound as a "dumb forwarder".

I tried setting module-config: "iterator" to disable DNSSEC but the behavior is the same. I even tried putting the OpenDNS server IPs in root.hints but the startup time is still around a minute (timeout).

As a further test I put one of the known root servers as the only entry in the root.hints file and set an outbound rule just for that server. The behavior I am seeing is that it is faster but not what I expect. Startup takes 7-10 seconds, which leads me to believe that it is still trying all of the root servers and not just the one I have configured.

Does anyone know how to truly disable the root server queries on startup?

I have read several of the threads and this appears to be the closest to my issue:
https://nlnetlabs.nl/pipermail/unbound-users/2016-November/004533.html

In the end he was told that it may be due to an older version of Unbound since the bug was fixed. I verified I am running the proper/latest unbound version for my Linux distribution (1.6.6):
https://repology.org/project/unbound/versions

Here is my config:

    server:
        directory: "/etc/unbound"
        username: "unbound"
        pidfile: "/var/run/unbound.pid"
        verbosity: 2
        interface: 127.0.0.1
        access-control: 127.0.0.0/8 allow
        domain-insecure: "."
        prefetch: yes
        num-threads: 2
        root-hints: "root.hints"   # I added for my tests
        module-config: "iterator"
        do-ip6: no

    forward-zone:
        name: "."
        forward-addr: 208.67.222.222
        forward-addr: 208.67.222.220

Thanks,
Daniel
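An added example, not part of Daniel's post or of the unbound project, that goes after the one thing the post does not rule out: with a forward-zone for "." and no validator loaded, unbound.conf itself never needs the root servers, so a startup delay that survives every unbound.conf change is worth looking for outside unbound.conf. On Fedora/RHEL-derived packages the systemd unit typically runs unbound-anchor as an ExecStartPre hook, and that program queries the root servers for the root DNSKEY before the daemon is even started. The script below is offline: it lists the pre-start hooks in a unit file, counts the ones that invoke unbound-anchor, and emits a minimal forward-only config. The sample unit file is constructed here to resemble what those packages ship (an assumption; check /usr/lib/systemd/system/unbound.service on the real host), the forwarder addresses are the two from the post, and unbound-checkconf is only invoked when it is installed.

```shell
#!/bin/sh
# Added example (not from the original post or the unbound project).
# Offline checks for a forward-only ("dumb forwarder") unbound deployment.
set -eu

# Print every ExecStartPre= line of a systemd unit file. Work done there
# (e.g. unbound-anchor fetching the root trust anchor) happens before the
# daemon reads unbound.conf, so no forward-zone setting can suppress it.
prestart_hooks() {
    unit="$1"
    grep -E '^ExecStartPre=' "$unit" 2>/dev/null || true
}

# Number of pre-start hooks that run unbound-anchor (printed on stdout).
anchor_hook_count() {
    prestart_hooks "$1" | grep -c 'unbound-anchor' || true
}

# Emit a minimal forward-only unbound.conf. Without a root-hints directive
# and with forward-first left at "no", the iterator never falls back to
# recursion toward the root servers; every query goes to the forwarders.
# module-config: "iterator" drops the validator, so no trust anchor is used.
gen_forward_only_conf() {
    cat <<'EOF'
server:
    interface: 127.0.0.1
    access-control: 127.0.0.0/8 allow
    do-ip6: no
    # validator not loaded: the upstream forwarder is trusted instead
    module-config: "iterator"
forward-zone:
    name: "."
    forward-first: no
    forward-addr: 208.67.222.222
    forward-addr: 208.67.222.220
EOF
}

# Validate a config with unbound-checkconf when it is available.
check_conf() {
    if command -v unbound-checkconf >/dev/null 2>&1; then
        unbound-checkconf "$1"
    else
        echo "unbound-checkconf not installed; skipping syntax check" >&2
    fi
}

# Constructed sample unit file (assumption: modeled on the Fedora/RHEL unit).
SAMPLE_UNIT="${TMPDIR:-/tmp}/unbound.service.sample"
cat >"$SAMPLE_UNIT" <<'EOF'
[Service]
ExecStartPre=/usr/sbin/unbound-checkconf
ExecStartPre=/usr/sbin/unbound-anchor -a /var/lib/unbound/root.key -c /etc/unbound/icannbundle.pem
ExecStart=/usr/sbin/unbound -d
EOF

echo "pre-start hooks in $SAMPLE_UNIT:"
prestart_hooks "$SAMPLE_UNIT"
echo "hooks invoking unbound-anchor: $(anchor_hook_count "$SAMPLE_UNIT")"

FWD_CONF="${TMPDIR:-/tmp}/unbound-forward.conf"
gen_forward_only_conf >"$FWD_CONF"
echo "forward-only config written to $FWD_CONF"
```

Run it against the real unit file (`prestart_hooks /usr/lib/systemd/system/unbound.service`) and then `check_conf` on the generated file. If the unbound-anchor hook is present, it is the component talking to the root servers: unbound-anchor carries its own built-in root hints and tries them in turn before falling back to an HTTPS fetch from data.iana.org, which matches a delay that shrinks but does not vanish when a single root server is allowed. Since the validator is not loaded in this setup the trust anchor it maintains is never used, so the hook can be cleared with a systemd drop-in (`systemctl edit unbound`, then an empty `ExecStartPre=` line followed by any hooks you still want); this keeps the egress policy intact, with port 53 open only toward the two forwarders.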
