DNS forwarding fails, i.e. hostnames are not resolved to IP addresses anymore, after doing a
/etc/init.d/unbound restart. In /var/log/messages there are many log entries like:

    Dec 16 18:14:53 ipfire unbound: [13668:2] debug: configured stub or forward servers failed -- returning SERVFAIL
    Dec 16 18:14:53 ipfire unbound: [13668:2] debug: return error response SERVFAIL
    ...
    Dec 16 18:14:53 ipfire unbound: [13668:2] query: 192.168.4.1 0.ipfire.pool.ntp.org. A IN
    Dec 16 18:14:53 ipfire unbound: [13668:2] reply: 192.168.4.1 0.ipfire.pool.ntp.org. A IN SERVFAIL 0.000000 1 50

/etc/init.d/network restart brings DNS forwarding back to life.
Content of /etc/unbound/unbound.conf (after changing
verbosity back to 1):

    #
    # Unbound configuration file for IPFire
    #
    # The full documentation is available at:
    # https://www.unbound.net/documentation/unbound.conf.html
    #

    server:
        # Common Server Options
        chroot: ""
        directory: "/etc/unbound"
        username: "nobody"
        port: 53
        do-ip4: yes
        do-ip6: no
        do-udp: yes
        do-tcp: yes
        so-reuseport: yes
        do-not-query-localhost: yes

        # System Tuning
        include: "/etc/unbound/tuning.conf"

        # Logging Options
        verbosity: 1
        use-syslog: yes
        log-time-ascii: yes
        log-queries: yes
        log-replies: yes
        log-tag-queryreply: yes

        # Unbound Statistics
        statistics-interval: 86400
        statistics-cumulative: yes
        extended-statistics: yes

        # Prefetching
        prefetch: yes
        prefetch-key: yes

        # Randomise any cached responses
        rrset-roundrobin: yes

        # Privacy Options
        hide-identity: yes
        hide-version: yes
        qname-minimisation: yes
        minimal-responses: yes

        # DNSSEC
        auto-trust-anchor-file: "/var/lib/unbound/root.key"
        val-permissive-mode: no
        val-clean-additional: yes
        val-log-level: 1

        # Hardening Options
        harden-glue: yes
        harden-short-bufsize: no
        harden-large-queries: yes
        harden-dnssec-stripped: yes
        harden-below-nxdomain: yes
        harden-referral-path: yes
        harden-algo-downgrade: no
        use-caps-for-id: yes
        aggressive-nsec: yes

        # Harden against DNS cache poisoning
        unwanted-reply-threshold: 1000000

        # Listen on all interfaces
        interface-automatic: yes
        interface: 0.0.0.0

        # Allow access from everywhere
        access-control: 0.0.0.0/0 allow

        # Bootstrap root servers
        root-hints: "/etc/unbound/root.hints"

        # Include DHCP leases
        include: "/etc/unbound/dhcp-leases.conf"

        # Include any forward zones
        include: "/etc/unbound/forward.conf"

        # Include safe search settings
        include: "/etc/unbound/safe-search.conf"

    remote-control:
        control-enable: yes
        control-use-cert: no
        control-interface: 127.0.0.1

    # Import any local configurations
    include: "/etc/unbound/local.d/*.conf"

Content of /etc/unbound/forward.conf:

    # This file is automatically generated and any changes
    # will be overwritten. DO NOT EDIT!

    forward-zone:
        name: .
        forward-addr: 184.108.40.206

IPFire version: IPFire 2.23 (x86_64) - core138
Pakfire version: 2.23-x86_64
Kernel version: Linux ipfire.localdomain 4.14.154-ipfire #1 SMP Fri Nov 15 07:27:41 GMT 2019 x86_64 Intel® Atom™ CPU C3558 @ 2.20GHz GenuineIntel GNU/Linux