This is my unbound.conf
server:
interface: 0.0.0.0
access-control: 10.0.0.0/8 allow_snoop
access-control: 127.0.0.1 allow_snoop
access-control: 192.168.0.0/16 allow_snoop
...
Reading the documentation, it should be enough. And then in resolv.conf:
nameserver 127.0.0.1
However, this does not work. dig gives me:
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: REFUSED, id: 41485
;; flags: qr rd ad; QUERY: 0, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 0
;; WARNING: recursion requested but not available
...
SERVER: 127.0.0.1#53(127.0.0.1)
The problem can be resolved if I add access-control: <internet-ip-address-of-eth0> allow to the unbound configuration, but this requires me to put the address into the config file, and that address might change.
Why doesn't this configuration simply make dig query the local server on 127.0.0.1? (Even though it says it did!).
It looks like unbound receives queries on 127.0.0.1, but then tries to respond on the internet IP? (It's from the syslog:)
Jan 11 11:26:28 hostname unbound: [25567:0] info: send_udp over interface: 1 127.0.0.1 127.0.0.1
Jan 11 11:26:39 hostname unbound: [25567:0] info: receive_udp on interface: 1 127.0.0.1 127.0.0.1
Jan 11 11:26:39 hostname unbound: [25567:0] debug: refused query from ip4 35.63.78.210 port 48650 (len 16)
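
An added example, not part of the original post: a simplified Python model of how Unbound chooses an access-control action (the most specific matching netblock wins, anything unmatched is refused), run over the configuration and syslog lines quoted above. The function names and the DEFAULTS table are assumptions made for illustration. It shows that the source address Unbound logged, 35.63.78.210, falls outside every configured netblock, which is why the answer is REFUSED.

```python
import ipaddress
import re

# Constructed sample input: the access-control and syslog lines quoted in the post.
CONF = """\
server:
interface: 0.0.0.0
access-control: 10.0.0.0/8 allow_snoop
access-control: 127.0.0.1 allow_snoop
access-control: 192.168.0.0/16 allow_snoop
"""
SYSLOG = """\
Jan 11 11:26:39 hostname unbound: [25567:0] info: receive_udp on interface: 1 127.0.0.1 127.0.0.1
Jan 11 11:26:39 hostname unbound: [25567:0] debug: refused query from ip4 35.63.78.210 port 48650 (len 16)
"""

# Assumption: simplified IPv4-only stand-in for Unbound's built-in defaults
# (localhost allowed, everything else refused).
DEFAULTS = [("0.0.0.0/0", "refuse"), ("127.0.0.0/8", "allow")]

def parse_acl(conf_text):
    """Return [(network, action)] from the defaults plus access-control lines."""
    acl = [(ipaddress.ip_network(n), a) for n, a in DEFAULTS]
    for line in conf_text.splitlines():
        line = line.split("#", 1)[0].strip()  # drop unbound.conf comments
        m = re.match(r"access-control:\s+(\S+)\s+(\S+)$", line)
        if m:
            # A bare address such as 127.0.0.1 is treated as a /32 netblock.
            acl.append((ipaddress.ip_network(m.group(1), strict=False), m.group(2)))
    return acl

def decide(acl, addr):
    """Most specific matching netblock wins; no match at all means refuse."""
    ip = ipaddress.ip_address(addr)
    matches = [(n, a) for n, a in acl if n.version == ip.version and ip in n]
    if not matches:
        return None, "refuse"
    return max(matches, key=lambda m: m[0].prefixlen)

def refused_sources(syslog_text):
    """Extract the client addresses from 'refused query from' debug lines."""
    return re.findall(r"refused query from ip[46] (\S+) port \d+", syslog_text)

def explain(conf_text, syslog_text):
    """Map each refused source to (matching netblock as text, action)."""
    acl = parse_acl(conf_text)
    result = {}
    for src in refused_sources(syslog_text):
        net, action = decide(acl, src)
        result[src] = (str(net), action)
    return result

if __name__ == "__main__":
    for src, (net, action) in explain(CONF, SYSLOG).items():
        print(f"{src}: matched {net} -> {action}")
```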