Thanks Jan.

Perhaps I was a little too vague by saying "allowing all outbound traffic on 
port 53". In short, I meant my outbound NACL currently only allows outbound 
access on port 53 to the OpenDNS IPs (208.67.222.222 & 208.67.222.220). Rather 
than putting in rules for all 26 root servers (both UDP and TCP on port 53), it 
was easier for me to test by allowing all outbound (0.0.0.0/0) on port 53.

I have a better understanding now of how this works. Thanks again!

On 9/5/19, 12:35 PM, "Jan Komissar (jkomissa)" <[email protected]> wrote:

    Hi Daniel,
    
    Since your forward-zone is configured correctly, it should work fine as 
    long as you have access to the forward servers. I am not sure what you mean by 
    allowing all outbound traffic on port 53 or not. You need to be able to send 
    traffic to port 53 on the OpenDNS servers for this to work. I run with a 
    forward-zone for "." all the time and have no problems with the default root 
    servers.
    
    Regarding root-hints: The reason they are called hints is that as long as 
    you can get to any one of them, that one will tell you where the others are. In 
    other words, having one is the same as having all, as long as that one is valid.
    
    Good luck,
    
    Jan.
    
    On 9/5/19, 3:13 PM, "Unbound-users on behalf of Guevara, Daniel via 
    Unbound-users" <[email protected] on behalf of 
    [email protected]> wrote:
    
        Hoping someone can help me understand the root.hints functionality. 
        
        From my previous email:
        "I was under the impression that I could create a custom root.hints. 
        For example, the one you linked has 13 root servers. I tried configuring it with 
        only one of those root servers, allowing outbound access to that server, yet 
        the startup time is still not as quick as when I allow all outbound access. 
        This leads me to believe that it is still trying root servers I did not define? 
        (This was only a test and I am not proposing to only use one root server)"
        
        Is there a way to do root server lookup on only the server specified 
        (if it cannot be disabled completely)?
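As an added illustration (not configuration posted by either participant), here is a minimal Unbound configuration matching what the thread describes: a forward-zone for "." pointing at the two OpenDNS addresses Daniel quoted, with root-hints still declared for the case where forwarding is removed. The file paths and the access-control range are assumptions.

```conf
# /etc/unbound/unbound.conf   (path is an assumption, not from the thread)
server:
    interface: 0.0.0.0
    access-control: 10.0.0.0/8 allow      # assumed VPC range permitted to query

    # Root hints are only consulted when Unbound iterates from the root itself.
    # With the forward-zone for "." below, the forwarders answer everything, so
    # this file is not used for resolution unless forwarding is removed. Per Jan's
    # point, a hints file with a single valid root server entry is sufficient,
    # because that server refers the resolver to all of the others.
    root-hints: "/etc/unbound/root.hints"

# Send every query to the OpenDNS resolvers named in the thread. The outbound
# NACL / firewall must permit UDP and TCP port 53 to these two addresses only;
# no rules for the root servers are required while this forward-zone is active.
forward-zone:
    name: "."
    forward-addr: 208.67.222.222
    forward-addr: 208.67.222.220
    # Do not fall back to iterating from the root if the forwarders fail
    # (this is Unbound's default; stated explicitly so the behaviour is visible).
    forward-first: no
```

The root.hints file referenced above uses the ordinary zone-file format, e.g. one line such as `a.root-servers.net. 3600000 A 198.41.0.4` plus the matching NS record; `unbound-checkconf` validates the configuration before a restart.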