Bug 196138 - Unbound fails with 2(SERVFAIL) when behind NAT
Summary: Unbound fails with 2(SERVFAIL) when behind NAT
Status: Closed Works As Intended
Alias: None
Product: Base System
Classification: Unclassified
Component: bin
Version: 10.1-RELEASE
Hardware: amd64 Any
Importance: --- Affects Only Me
Assignee: Dag-Erling Smørgrav
URL:
Keywords:
Depends on:
Blocks:

Reported: 2014-12-19 17:47 UTC by rsimmons0
Modified: 2015-10-14 18:16 UTC
CC List: 2 users

See Also:

Description rsimmons0 2014-12-19 17:47:39 UTC
I have tried this two different ways. One was with my home router's DNS (192.168.1.1); local_unbound fails. I also tried to set the default DNS server to 8.8.8.8, which I know I can connect to, but local_unbound fails there as well. Here is the output for the setup that I followed. This is a fresh 10.1 install with freebsd-update already run.

# host google.com
google.com has address 64.233.171.139
google.com has address 64.233.171.113
google.com has address 64.233.171.138
google.com has address 64.233.171.100
google.com has address 64.233.171.101
google.com has address 64.233.171.102
google.com has IPv6 address 2607:f8b0:400d:c04::71
google.com mail is handled by 50 alt4.aspmx.l.google.com.
google.com mail is handled by 20 alt1.aspmx.l.google.com.
google.com mail is handled by 10 aspmx.l.google.com.
google.com mail is handled by 30 alt2.aspmx.l.google.com.
google.com mail is handled by 40 alt3.aspmx.l.google.com.
# cat /etc/resolv.conf
# Generated by resolvconf
search home
nameserver 8.8.8.8
# service local_unbound status
local_unbound is running as pid 389.
# service local_unbound setup
Performing initial setup.
Extracting forwarders from /etc/resolv.conf.
original /var/unbound/forward.conf saved as /var/unbound/forward.conf.20141219.174215
/var/unbound/lan-zones.conf not modified
/var/unbound/unbound.conf not modified
/etc/resolvconf.conf not modified
original /etc/resolv.conf saved as /etc/resolv.conf.20141219.174215
# cat /etc/resolv.conf
# Generated by resolvconf
search home
# nameserver 8.8.8.8
nameserver 127.0.0.1
options edns0
# host google.com
Host google.com not found: 2(SERVFAIL)
# ping 8.8.8.8
PING 8.8.8.8 (8.8.8.8): 56 data bytes
64 bytes from 8.8.8.8: icmp_seq=0 ttl=247 time=17.438 ms
64 bytes from 8.8.8.8: icmp_seq=1 ttl=247 time=28.465 ms
^C
--- 8.8.8.8 ping statistics ---
2 packets transmitted, 2 packets received, 0.0% packet loss
round-trip min/avg/max/stddev = 17.438/22.951/28.465/5.513 ms
Comment 1 christop 2015-02-19 17:20:40 UTC
I am using local_unbound behind a NAT too, and it works for me when I disable DNSSEC in the local unbound.

At least Google does not support DNSSEC:
drill -D -S google.com @8.8.8.8
;; Number of trusted keys: 1
;; Chasing: google.com. A
DNSSEC Trust tree:
<no data>
No trusted keys found in tree: first error was: No DNSSEC public key(s)
;; Chase failed.

To disable DNSSEC for the local unbound you should add
val-permissive-mode: yes
to your local unbound.conf.

Does this fix your issue?
Comment 2 Glen Barber freebsd_committer freebsd_triage 2015-07-08 13:27:25 UTC
Can you please test 10.2-PRERELEASE to confirm if this is still an issue?

Unbound has (recently) been updated to version 1.3.5 in 10.x.
Comment 3 christop 2015-07-25 14:11:33 UTC
Yes and no.
No, because the default installation fails.
I booted FreeBSD-10.2-PRERELEASE-amd64-20150704-r285132-bootonly.iso and made a network install. Unbound is of version 1.4.22.

I do not think this is a problem with the unbound software, but with the unbound configuration or DNSSEC in general.
In the default configuration with DNSSEC, unbound tries to get the DNSSEC public keys from the upstream nameserver, but the upstream nameserver does not deliver.
Without public keys unbound cannot validate the domain and fails.
This behaviour is correct, because otherwise any attacker could disable DNSSEC.

Yes, when I edit my /etc/resolv.conf

root@freebsd:~ # cat /etc/resolv.conf
search home
nameserver 8.8.8.8
options edns

and run

root@freebsd:~ # /etc/rc.d/local_unbound setup
Performing initial setup.
Extracting forwarders from /etc/resolv.conf.
original /var/unbound/forward.conf saved as /var/unbound/forward.conf.20150725.174438
/var/unbound/lan-zones.conf not modified
/var/unbound/unbound.conf not modified
/etc/resolvconf.conf not modified
original /etc/resolv.conf saved as /etc/resolv.conf.20150725.174438

and then unbound config looks like

root@freebsd:~ # cat /etc/unbound/forward.conf
# Generated by local-unbound-setup
# Do not edit this file.
forward-zone:
        name: .
        forward-addr: 8.8.8.8

After a restart of unbound
root@freebsd:~ # /etc/rc.d/local_unbound restart

unbound resolves hosts:

root@freebsd:~ # host google.com
google.com has address 216.58.213.46
google.com has IPv6 address 2a00:1450:4008:800::1007
google.com mail is handled by 10 aspmx.l.google.com.
google.com mail is handled by 40 alt3.aspmx.l.google.com.
google.com mail is handled by 20 alt1.aspmx.l.google.com.
google.com mail is handled by 30 alt2.aspmx.l.google.com.
google.com mail is handled by 50 alt4.aspmx.l.google.com.

When you are using DHCP, it will overwrite /etc/resolv.conf and unbound will be back to using the DHCP-provided DNS server.

In short:
Correctly configured Unbound works for me. The default configuration does not work.
DNSSEC by design does not work with a forward nameserver which does not answer for public DNSSEC keys. This should be mentioned somewhere explicitly, because in my opinion most SOHO devices do not run a DNSSEC-aware DNS server.
Comment 4 Dag-Erling Smørgrav freebsd_committer freebsd_triage 2015-10-14 18:16:21 UTC
Add

local_unbound_forwarders="8.8.8.8"

to /etc/rc.conf and re-run 'service local_unbound setup' to prevent DHCP from switching back.
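As an added example (not FreeBSD's local-unbound-setup script, and not code from anyone in this thread), the Python below models the two settings the thread turns on: the forwarder selection that comment 4 pins with local_unbound_forwarders in /etc/rc.conf instead of letting DHCP rewrite /etc/resolv.conf, and the val-permissive-mode knob from comment 1. The resolv.conf, rc.conf and unbound.conf contents are constructed inline from what the thread shows, so it runs offline. Assumptions: rc.conf is parsed as simple NAME="value" lines, loopback entries are skipped when extracting forwarders from resolv.conf, and the module-config check is a second validation knob that unbound has but this page does not mention.

```python
"""Model of how 'service local_unbound setup' chooses forwarders, plus a
lint for settings that weaken DNSSEC validation. Constructed example; it is
not FreeBSD's own local-unbound-setup script."""
import re

LOOPBACK = {"127.0.0.1", "::1"}


def parse_resolv_conf(text):
    """Return nameserver addresses in resolv.conf order, ignoring comments.
    A commented-out line such as '# nameserver 8.8.8.8' is not a nameserver."""
    servers = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        parts = line.split()
        if len(parts) >= 2 and parts[0] == "nameserver":
            servers.append(parts[1])
    return servers


def parse_rc_conf(text):
    """Return rc.conf assignments as a dict with surrounding quotes stripped.
    Assumption: plain NAME="value" lines only, no shell expansion."""
    rc = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        m = re.match(r'^([A-Za-z_][A-Za-z0-9_]*)=(.*)$', line)
        if m:
            rc[m.group(1)] = m.group(2).strip().strip('"\'')
    return rc


def select_forwarders(resolv_text, rc_text):
    """local_unbound_forwarders in rc.conf wins (comment 4); otherwise the
    forwarders are extracted from resolv.conf, as the setup output on this
    page reports. Loopback is skipped so a resolv.conf that already points at
    127.0.0.1 does not forward unbound to itself (assumption)."""
    pinned = parse_rc_conf(rc_text).get("local_unbound_forwarders", "").split()
    if pinned:
        return pinned, "rc.conf"
    dynamic = [s for s in parse_resolv_conf(resolv_text) if s not in LOOPBACK]
    return dynamic, "resolv.conf"


def render_forward_conf(forwarders):
    """Render forward.conf in the layout shown in comment 3."""
    lines = ["# Generated by local-unbound-setup", "# Do not edit this file.",
             "forward-zone:", "        name: ."]
    lines += ["        forward-addr: %s" % fw for fw in forwarders]
    return "\n".join(lines) + "\n"


def lint_unbound_conf(text):
    """Flag settings that stop unbound from enforcing DNSSEC. With
    val-permissive-mode: yes (comment 1) an answer that fails validation is
    returned instead of SERVFAIL, so a tampered reply arriving via the
    forwarder is no longer rejected: the symptom goes away, the check does too."""
    findings = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if re.match(r'^val-permissive-mode:\s*yes$', line):
            findings.append("val-permissive-mode is on: DNSSEC failures are not enforced")
        if re.match(r'^module-config:', line) and "validator" not in line:
            findings.append("validator module missing from module-config")
    return findings


# Constructed inputs mirroring the files shown in the thread.
RESOLV_DHCP = "search home\nnameserver 8.8.8.8\noptions edns\n"
RESOLV_AFTER_SETUP = ("# Generated by resolvconf\nsearch home\n"
                      "# nameserver 8.8.8.8\nnameserver 127.0.0.1\noptions edns0\n")
RC_PINNED = 'local_unbound_enable="YES"\nlocal_unbound_forwarders="8.8.8.8"\n'
UNBOUND_PERMISSIVE = "server:\n\tval-permissive-mode: yes\n"

if __name__ == "__main__":
    for resolv, rc in ((RESOLV_DHCP, ""), (RESOLV_AFTER_SETUP, ""), (RESOLV_AFTER_SETUP, RC_PINNED)):
        fws, origin = select_forwarders(resolv, rc)
        print("forwarders %s (from %s)" % (fws, origin))
        print(render_forward_conf(fws))
    for finding in lint_unbound_conf(UNBOUND_PERMISSIVE):
        print("WARNING:", finding)
```

The second case shows why the original report ended in SERVFAIL territory: once resolv.conf only lists 127.0.0.1, re-running setup finds nothing to forward to unless rc.conf pins a forwarder. The lint is the defender's counterpart to comment 1: it makes a permissive-mode workaround visible in config review so it is not mistaken for a fix.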