Unbound with disabled recursion
Apparently unbound keeps sending requests to external servers during service restart even with recursion disabled and internal forwarders configured.
- shawniverson
- Posts: 3783
- Joined: 13 Jan 2014 23:30
- Location: Indianapolis, Indiana USA
- Contact:
Re: Unbound with disabled recursion
How's the health of your forwarders?
Can you share the following config?
/etc/unbound/conf.d/forwarders.conf
Re: Unbound with disabled recursion
This is what I have in the file:
forward-zone:
    name: "."
    forward-addr: 10.0.15.4
    forward-addr: 10.0.15.73
Both servers are my Active Directory domain controllers that are serving the network. I'm sure they are healthy. Also, the issue is happening in 3 different environments.
However it seems to be happening only when the service starts. Doesn't look like it's trying to connect externally when the service is running.
- shawniverson
Re: Unbound with disabled recursion
Kostya wrote: However it seems to be happening only when the service starts. Doesn't look like it's trying to connect externally when the service is running.
Explain?

Re: Unbound with disabled recursion
With recursion disabled and the config file posted earlier, it takes over 30 minutes for unbound to start. It doesn't matter if it's during server reboot or if I just stop the service and start it manually. Turns out that for all 30 minutes it's sending DNS requests to the outside, and the firewall with DNS inspection is blocking replies because of the length (we had a 512 limit by default).
It starts eventually and once it's up and running I don't see this traffic through the firewall anymore.
- shawniverson
Re: Unbound with disabled recursion
I haven't noticed this behavior, but I will run a test and see if I can find the issue.....
Re: Unbound with disabled recursion
Have you been able to reproduce the issue?
- shawniverson
Re: Unbound with disabled recursion
Negative