Is there a way to check which DNS servers Unbound is querying?

Started by jeremiah, December 24, 2020, 07:31:12 AM

There's a problem with the current version of Unbound which results in errors like this taking up the entirety of the log: https://forums.freebsd.org/threads/libunbound-error.78121/

I expected to see only root server addresses in there but I am seeing a bunch of different addresses there, including ones for Google, Facebook, etc.

Any ideas as to how I can check the root.hints file on OPNsense?

Thanks!


Edit: I was able to SSH in and open up the root.hints file and it appears as if the root servers are listed correctly in there. If that's the case, why am I seeing DNS queries for other nameservers such as those owned by Google, Facebook, Cloudflare, etc.?

Anyone have any ideas what's going on? Thanks for your help!!


What do you mean?

I don't have DoT configured and have not specified any servers for OPNsense to query, I want it to go to the root servers.

Well my thought was that with DoT you can easily specify which servers to use for the system.

If you need something else I guess you will have to use Custom Options.

Why would I need to do that?

The default/expected behavior of Unbound should be to directly query the root servers.

If I had specified other servers or changed the configuration, I would expect to see queries directed at other nameservers but I have not.

I hope you understand what I am asking/trying to say, I'm not trying to be combative. I appreciate you taking the time to help me diagnose this issue.

Quote from: jeremiah on December 24, 2020, 07:31:12 AM
why am I seeing DNS queries for other nameservers such as those owned by Google, Facebook, Cloudflare, etc.?

I would have thought you are seeing normal behaviour for a recursive resolver. For example, if there is a DNS request for facebook.com, unbound first queries the root servers. The root servers respond with the TLD nameservers for .com. unbound then queries one of those TLD nameservers. That TLD nameserver responds with the authoritative nameservers for facebook.com. Finally unbound queries one of those authoritative nameservers, which responds with the relevant records for facebook.com

Let me know if I have misunderstood your question
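To actually see that delegation chain on a running box rather than take it on faith, the practical answer to the thread title is: raise Unbound's log verbosity to 2 or higher (e.g. `verbosity: 2` in Custom Options), after which Unbound logs a "reply from <zone> ip#port" line followed by "query response was REFERRAL/ANSWER/..." for every upstream it talks to; `unbound-control lookup <name>` also prints the nameservers Unbound would use for a name, and `unbound-control dump_infra` shows the servers it has recently contacted. The script below is an added example, not code from the thread, OPNsense or the Unbound project. It parses those verbosity-2 log lines into a per-query chain (root, then TLD, then authoritative) and checks the one thing that should be fixed: every server that answered for the root zone must be one of the addresses in root.hints. TLD and authoritative servers (Google, Facebook, Cloudflare, ...) are learned from referrals, not from root.hints, so they are expected. The log and root.hints excerpts are constructed samples; the log wording is modelled on Unbound's verbosity-2 output and may differ slightly between versions (an assumption), 198.41.0.4 is a.root-servers.net, and the remaining addresses are RFC 5737 documentation placeholders, not real TLD or Facebook servers.

```python
"""Summarise which upstream servers Unbound talked to, per query, from its log.

Added example (not OPNsense's or Unbound's own code). Assumption: the log lines
are modelled on Unbound's verbosity-2 output; exact wording may differ by version.
"""
import re
from collections import defaultdict

# Constructed sample log: one recursive lookup of facebook.com walking
# root -> .com -> facebook.com. 198.41.0.4 is a.root-servers.net; 192.0.2.x
# are RFC 5737 documentation placeholders, not real TLD/authoritative servers.
SAMPLE_LOG = """\
[1608800001] unbound[1234:0] info: resolving facebook.com. A IN
[1608800001] unbound[1234:0] info: response for facebook.com. A IN
[1608800001] unbound[1234:0] info: reply from <.> 198.41.0.4#53
[1608800001] unbound[1234:0] info: query response was REFERRAL
[1608800001] unbound[1234:0] info: response for facebook.com. A IN
[1608800001] unbound[1234:0] info: reply from <com.> 192.0.2.10#53
[1608800001] unbound[1234:0] info: query response was REFERRAL
[1608800001] unbound[1234:0] info: response for facebook.com. A IN
[1608800001] unbound[1234:0] info: reply from <facebook.com.> 192.0.2.20#53
[1608800001] unbound[1234:0] info: query response was ANSWER
"""

# Constructed excerpt in root.hints zone-file format (one root server only).
SAMPLE_ROOT_HINTS = """\
;       This file holds the information on root name servers (constructed excerpt)
.                        3600000      NS    A.ROOT-SERVERS.NET.
A.ROOT-SERVERS.NET.      3600000      A     198.41.0.4
A.ROOT-SERVERS.NET.      3600000      AAAA  2001:503:ba3e::2:30
"""

QNAME_RE = re.compile(r"info: (?:resolving|response for) (\S+) \S+ IN")
REPLY_RE = re.compile(r"info: reply from <([^>]*)> (\S+)#(\d+)")
RESULT_RE = re.compile(r"info: query response was (\S+)")


def zone_role(zone):
    """Classify the zone a server answered for: root, tld or authoritative."""
    labels = [label for label in zone.split(".") if label]
    if not labels:
        return "root"
    if len(labels) == 1:
        return "tld"
    return "authoritative"


def parse_upstream_chain(log_text):
    """Return {qname: [(zone, server_ip, response_type), ...]} in reply order."""
    chains = defaultdict(list)
    qname = None
    pending = None  # (zone, ip) of a reply awaiting its "query response was" line
    for line in log_text.splitlines():
        m = QNAME_RE.search(line)
        if m:
            qname = m.group(1)
            continue
        m = REPLY_RE.search(line)
        if m:
            pending = (m.group(1), m.group(2))
            continue
        m = RESULT_RE.search(line)
        if m and pending and qname:
            chains[qname].append((pending[0], pending[1], m.group(1)))
            pending = None
    return dict(chains)


def root_addresses(hints_text):
    """Collect the A/AAAA addresses of every name listed as an NS for '.'."""
    records = []
    for line in hints_text.splitlines():
        parts = line.split()
        if len(parts) < 4 or parts[0].startswith(";"):
            continue  # comments, blank lines
        records.append((parts[0].lower(), parts[2].upper(), parts[3]))
    ns_names = {rdata.lower() for owner, rtype, rdata in records
                if owner == "." and rtype == "NS"}
    return {rdata for owner, rtype, rdata in records
            if rtype in ("A", "AAAA") and owner in ns_names}


def unexpected_root_servers(chains, roots):
    """Servers that answered for the root zone but are not in root.hints.

    Only root-zone replies are checked: TLD and authoritative servers are
    chosen from referrals, so seeing Google/Facebook/Cloudflare there is normal.
    """
    return [(qname, ip) for qname, hops in chains.items()
            for zone, ip, _ in hops
            if zone_role(zone) == "root" and ip not in roots]


if __name__ == "__main__":
    chains = parse_upstream_chain(SAMPLE_LOG)
    for name, hops in chains.items():
        print(name)
        for zone, ip, result in hops:
            print(f"  {zone_role(zone):14} <{zone}> {ip}  {result}")
    print("unexpected root servers:",
          unexpected_root_servers(chains, root_addresses(SAMPLE_ROOT_HINTS)))
```

Run it against the real log with `parse_upstream_chain(open("/var/log/resolver.log").read())` (path is an assumption; use wherever your OPNsense release writes the Unbound log) and against the real root.hints. A non-empty result from `unexpected_root_servers` is the only finding that would justify the original worry, since it means something other than the hints file is steering the first hop.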

Quote from: jeremiah on December 24, 2020, 04:47:34 PM
Why would I need to do that?

The default/expected behavior of Unbound should be to directly query the root servers.

My suggestion is based on me assuming you did know how it works and would like to alter that by controlling in detail which servers to use, aka custom settings. Greelan is correct in how it does work.

Quote from: lar.hed on December 24, 2020, 10:00:57 PM

My suggestion is based on me assuming you did know how it works and would like to alter that by controlling in detail which servers to use, aka custom settings. Greelan is correct in how it does work.

Quote from: Greelan on December 24, 2020, 09:54:47 PM

I would have thought you are seeing normal behaviour for a recursive resolver. For example, if there is a DNS request for facebook.com, unbound first queries the root servers. The root servers respond with the TLD nameservers for .com. unbound then queries one of those TLD nameservers. That TLD nameserver responds with the authoritative nameservers for facebook.com. Finally unbound queries one of those authoritative nameservers, which responds with the relevant records for facebook.com

Let me know if I have misunderstood your question

Looks like you are both correct. My understanding of how Unbound worked was incomplete, thanks for taking the time to explain it!

Hope you both had a good Christmas!