Allowing +trace in Unbound

By default, +trace works when querying Bind server as it returns root hints as NS-list for “.”. However, +trace disables RD flag and the first query (dig +norecurse NS .) is REFUSED by unbound. The fix:

In unbound.conf, change
access-control: 10.0.0.0/8 allow
to
access-control: 10.0.0.0/8 allow_snoop

Change allow to allow_snoop for all subnets served by your Unbound server. This allows non-recusive query for root NS entries.


Posted

in

by

Tags: