Selecting unbound when installing 10.3

[Oldrancher]

I did a fresh install of FreeBSD 10.3 release, using the full dvd .iso image.
One of the choices is to install with unbound, which I selected. Bad mistake.
When the install booted up, I was not able to reach anything that required DNS.

Recovery was pretty straightforward. I had to restore a simple /etc/resolv.conf, audit the rest of my networking, and disable unbound. I've saved the resolv.conf that the install generated for further analysis.

My systems are a typical server setup, with 100% static IP's and no DHCP needed for the servers. My audit showed that I had entered the correct IP's for DNS service and a default route, and that what broke things was what the installation had done for unbound.

 

[chrbr]

Is the setup for a workstation? In my situation unbound(8) just worked as documented, both for the local version but also for the version out of the ports tree. Has the correct variant of unbound(8) been enabled in /etc/rc.conf? I guess it should have been the local version. Have you tried to enable logging in unbound.conf? My /etc/resolv.conf is as below.

# Generated by resolvconf
#search local
#nameserver 192.168.0.32
#nameserver 127.0.0.1
nameserver 10.0.0.254

10.0.0.254 is the lo1 interface where my jails are listening, too. As far as I remember it only needs to modify /etc/resolv.conf to switch between unbound(8) and my router.
My unbound.conf is

server:
logfile: "/var/log/unbound.log"
verbosity: 1
chroot: ""
pidfile: "/var/run/unbound.pid"
port: 53    # port to answer queries from
do-ip4: yes    # Enable IPv4, "yes" or "no".
do-ip6: no    # Enable IPv6, "yes" or "no".
do-udp: yes    # Enable UDP, "yes" or "no".
do-tcp: yes
rrset-roundrobin: yes
minimal-responses: no
cache-min-ttl: 60
prefetch: yes
prefetch-key: yes
num-threads: 1  # 1 is enough for not heavy loaded server
interface: 10.0.0.254
access-control: 10.0.0.0/8 allow
access-control: 127.0.0.0/24 allow

I hope this information is helpful.

 

[adamw@]

The problem is the auto-trust-anchor-file in /var/unbound/unbound.conf. If your upstream doesn't support DNSSEC, the default unbound configuration produces a non-functioning resolver. I have no idea why it's the default.

Either way, comment out the auto-trust-anchor-file line in /var/unbound/unbound.conf and it'll work.

 

[kpa]

In my opinion the local unbound service should default to recursive resolution and not to using the upstream forwarders from DHCP (or whatever is in /etc/resolv.conf in case of static IP). This is what the port version dns/unbound does anyway.