DNS forwarding fails, i.e. hostnames are not resolved to IP addresses anymore, after doing a /etc/init.d/unbound restart. In /var/log/messages there are many log entries like:
Dec 16 18:14:53 ipfire unbound: [13668:2] debug: configured stub or forward servers failed -- returning SERVFAIL
Dec 16 18:14:53 ipfire unbound: [13668:2] debug: return error response SERVFAIL
...
Dec 16 18:14:53 ipfire unbound: [13668:2] query: 192.168.4.1 0.ipfire.pool.ntp.org. A IN
Dec 16 18:14:53 ipfire unbound: [13668:2] reply: 192.168.4.1 0.ipfire.pool.ntp.org. A IN SERVFAIL 0.000000 1 50
/etc/init.d/network restart brings DNS forwarding back to life.
Content of /etc/unbound/unbound.conf (after changing verbosity back to 1):
#
# Unbound configuration file for IPFire
#
# The full documentation is available at:
# https://www.unbound.net/documentation/unbound.conf.html
#
server:
    # Common Server Options
    chroot: ""
    directory: "/etc/unbound"
    username: "nobody"
    port: 53
    do-ip4: yes
    do-ip6: no
    do-udp: yes
    do-tcp: yes
    so-reuseport: yes
    do-not-query-localhost: yes
    # System Tuning
    include: "/etc/unbound/tuning.conf"
    # Logging Options
    verbosity: 1
    use-syslog: yes
    log-time-ascii: yes
    log-queries: yes
    log-replies: yes
    log-tag-queryreply: yes
    # Unbound Statistics
    statistics-interval: 86400
    statistics-cumulative: yes
    extended-statistics: yes
    # Prefetching
    prefetch: yes
    prefetch-key: yes
    # Randomise any cached responses
    rrset-roundrobin: yes
    # Privacy Options
    hide-identity: yes
    hide-version: yes
    qname-minimisation: yes
    minimal-responses: yes
    # DNSSEC
    auto-trust-anchor-file: "/var/lib/unbound/root.key"
    val-permissive-mode: no
    val-clean-additional: yes
    val-log-level: 1
    # Hardening Options
    harden-glue: yes
    harden-short-bufsize: no
    harden-large-queries: yes
    harden-dnssec-stripped: yes
    harden-below-nxdomain: yes
    harden-referral-path: yes
    harden-algo-downgrade: no
    use-caps-for-id: yes
    aggressive-nsec: yes
    # Harden against DNS cache poisoning
    unwanted-reply-threshold: 1000000
    # Listen on all interfaces
    interface-automatic: yes
    interface: 0.0.0.0
    # Allow access from everywhere
    access-control: 0.0.0.0/0 allow
    # Bootstrap root servers
    root-hints: "/etc/unbound/root.hints"
    # Include DHCP leases
    include: "/etc/unbound/dhcp-leases.conf"
    # Include any forward zones
    include: "/etc/unbound/forward.conf"
    # Include safe search settings
    include: "/etc/unbound/safe-search.conf"
remote-control:
    control-enable: yes
    control-use-cert: no
    control-interface: 127.0.0.1
# Import any local configurations
include: "/etc/unbound/local.d/*.conf"
Content of /etc/unbound/forward.conf:
# This file is automatically generated and any changes
# will be overwritten. DO NOT EDIT!
forward-zone:
    name: .
    forward-addr: 8.8.8.8
System versions:
IPFire version: IPFire 2.23 (x86_64) - core138
Pakfire version: 2.23-x86_64
Kernel version: Linux ipfire.localdomain 4.14.154-ipfire #1 SMP Fri Nov 15 07:27:41 GMT 2019 x86_64 Intel® Atom™ CPU C3558 @ 2.20GHz GenuineIntel GNU/Linux
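
A triage sketch for the log excerpt above, added here as an example and not part of the original post or of IPFire: it parses the reply lines that log-replies and log-tag-queryreply produce and counts SERVFAIL answers, including how many were served from cache. The function names and the NOERROR sample line are assumptions made for illustration.

```python
import re
from collections import Counter

# Constructed sample: three lines in the format quoted in the post, plus one
# invented NOERROR reply so the summary has a healthy answer to compare against.
SAMPLE = """\
Dec 16 18:14:53 ipfire unbound: [13668:2] debug: configured stub or forward servers failed -- returning SERVFAIL
Dec 16 18:14:53 ipfire unbound: [13668:2] query: 192.168.4.1 0.ipfire.pool.ntp.org. A IN
Dec 16 18:14:53 ipfire unbound: [13668:2] reply: 192.168.4.1 0.ipfire.pool.ntp.org. A IN SERVFAIL 0.000000 1 50
Dec 16 18:15:10 ipfire unbound: [13668:1] reply: 192.168.4.7 example.org. A IN NOERROR 0.031250 0 56
"""

# log-replies field order (unbound.conf documentation):
# client, name, type, class, return code, time to resolve, from cache, size
REPLY = re.compile(
    r"unbound: \[\d+:\d+\] reply: (?P<client>\S+) (?P<qname>\S+) (?P<qtype>\S+) "
    r"(?P<qclass>\S+) (?P<rcode>\S+) (?P<secs>\d+\.\d+) (?P<cached>[01]) (?P<size>\d+)\s*$"
)
FORWARD_FAIL = "configured stub or forward servers failed"


def parse_replies(text):
    """Return one dict per reply line; every other log line is ignored."""
    replies = []
    for line in text.splitlines():
        m = REPLY.search(line)
        if m:
            r = m.groupdict()
            r["secs"] = float(r["secs"])
            r["cached"] = r["cached"] == "1"
            r["size"] = int(r["size"])
            replies.append(r)
    return replies


def summarize(text):
    """Count SERVFAIL replies and the forwarder-failure debug messages."""
    replies = parse_replies(text)
    servfail = [r for r in replies if r["rcode"] == "SERVFAIL"]
    return {
        "replies": len(replies),
        "servfail": len(servfail),
        "servfail_from_cache": sum(r["cached"] for r in servfail),
        "forwarder_failures": sum(FORWARD_FAIL in l for l in text.splitlines()),
        "top_failed_names": Counter(r["qname"] for r in servfail).most_common(3),
    }


if __name__ == "__main__":
    for key, value in summarize(SAMPLE).items():
        print(f"{key}: {value}")
```

To run it against the real log, pass the contents of /var/log/messages to summarize() instead of SAMPLE.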