
In order to have local DNSSEC validation, I set up a Raspberry Pi (having a static IP) with Raspbian Jessie and unbound to offer a DNS server to my LAN.

After I looked up some tutorials and howtos, I came up with this configuration that seems to work:

# Unbound configuration file for Debian.
#
# See the unbound.conf(5) man page.
#
# See /usr/share/doc/unbound/examples/unbound.conf for a commented
# reference config file.
#
# The following line includes additional configuration files from the
# /etc/unbound/unbound.conf.d directory.
include: "/etc/unbound/unbound.conf.d/*.conf"

server:
    verbosity: 1
    interface: 0.0.0.0
    interface: ::0
    access-control: 192.168.0.0/24 allow

    hide-identity: yes
    hide-version: yes

    harden-glue: yes
    harden-dnssec-stripped: yes

I used dig to run some tests against its DNSSEC functionality and the validation works as expected.

Since I set up a DNSSEC validating server in the past, I am wondering which upstream servers unbound uses to process the DNS requests. As you can see in my configuration, I didn't set up any upstream/delegation servers and it still seems to work.

Are there certain hard-coded root-servers that unbound is querying to get to the requested DNS data or how does this work?

My DHCP server (also my router) is set up to use the Raspberry Pi as a DNS server and also offer it to its clients.

I also checked /etc/resolv.conf but it only lists localhost (both IPv4 and IPv6) which was generated by resolvconf.

Interestingly, resolvconf seems to create a file in /var/cache/unbound/resolvconf_resolvers.conf where it writes the forward-zone I was looking for, though the forward-addr shouldn't work, since it is the router's address, which in turn forwards the requests to the Pi. I checked that by stopping the unbound service which resulted in that address not returning any results anymore and turning it back on, where it returns results again.

Here is the content of that file:

# Generated by resolvconf

forward-zone:
    name: "."
    forward-addr: 2001:beef:beef: ... :abcd        # my router's IPv6 address
comfreak

1 Answer


It uses the root servers and works its way down from there.

user9517
  • Sorry for my lack of knowledge about nameservers, but if I understood you right, these root servers are hard-coded (in other words, having a fixed, well-known IP address)? – comfreak Dec 13 '15 at 15:11
  • When first starting to learn something, jumping in at the deep end is great fun, but there comes a time when there is no substitute for sitting down with the docs and _learning_ how the technology you are using actually works. You seem to have reached that point and I heartily recommend http://www.tcpipguide.com/free/t_TCPIPDomainNameSystemDNS.htm. Hint: root.hints too. – user9517 Dec 13 '15 at 15:22
  • Yeah, I had a basic understanding of DNS but this is where it ended ;-) Thanks for your answer, I marked it as accepted. Now I will have to read the rest... :) – comfreak Dec 13 '15 at 15:39