local_unbound and dnscrypt-proxy

Beeblebrox zaphod at berentweb.com
Fri Nov 7 16:56:00 UTC 2014

There are several issues here:

1. DNSSEC does NOT work with the unbound -> dnscrypt-proxy chain. I don't
know why, but both port maintainer and software developer seem to not have
taken the issue seriously. For now, disable in unbound.conf:
# auto-trust-anchor-file: "/var/unbound/root.key"
I'm going to re-open the issue I had filed about this on github.

2. You need to use some flags when starting dnscrypt-proxy. Here's mine, as
an example. I have unbound from source (not ports) and dnscrypt-proxy
running inside a jail. My resolv.conf points to the dns jail. Jail's rc.conf
has below, with d=daemonize, a=listen-IP:port, m=log-level.

dnscrypt_proxy_flags="-d -a -R dnscrypt.eu-nl
--logfile=/var/log/dnscrypt-proxy.log -m 0"

You need to define provider-key for correct dnscrypt-proxy startup (download
and review

3. freebsd-24: I really don't understand your issue fully, but I would try
* On <Second IP>, set forward-zone to non dnscrypt-proxy IP ( for
* Test and debug unbound on <Second IP> to make sure that unbound is
forwarding DNS requests.
* Once unbound is confirmed as working, re-set dnscrypt-proxy as
forward-zone, and configure dnscrypt-proxy as described above.

View this message in context: http://freebsd.1045724.n5.nabble.com/local-unbound-and-dnscrypt-proxy-tp5961730p5963426.html
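
Added example, not part of the original message and not code from unbound or dnscrypt-proxy: a small Python check that reads an unbound.conf and reports whether a trust anchor is configured (the setting item 1 comments out) and whether a forward-addr on loopback would be skipped because do-not-query-localhost is left at its default. The sample config, the 127.0.0.1@5353 listener address and the function names are assumptions.

```python
import ipaddress

# Constructed sample. The listener address 127.0.0.1@5353 is an assumption;
# the post does not give the dnscrypt-proxy IP:port.
SAMPLE_CONF = """\
server:
    interface: 127.0.0.1
    # auto-trust-anchor-file: "/var/unbound/root.key"
forward-zone:
    name: "."
    forward-addr: 127.0.0.1@5353
"""

def parse_unbound_conf(text):
    """Return {clause: [(key, value), ...]} for a simple unbound.conf."""
    clauses, current = {}, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()      # drop comments
        if not line:
            continue
        key, _, value = line.partition(":")
        key, value = key.strip(), value.strip().strip('"')
        if not value:                            # clause header, e.g. "server:"
            current = clauses.setdefault(key, [])
        elif current is not None:
            current.append((key, value))
    return clauses

def audit(text):
    """Report the two settings that decide how the forwarding chain behaves."""
    conf = parse_unbound_conf(text)
    server = dict(conf.get("server", []))
    anchored = {"auto-trust-anchor-file", "trust-anchor-file"} & server.keys()
    findings = ["trust-anchor-set" if anchored else "no-trust-anchor"]
    for key, value in conf.get("forward-zone", []):
        if key != "forward-addr":
            continue
        host = value.split("@", 1)[0]            # unbound writes IP@port
        # unbound refuses to query loopback addresses unless told otherwise
        if (ipaddress.ip_address(host).is_loopback
                and server.get("do-not-query-localhost", "yes") != "no"):
            findings.append("loopback-forwarder-ignored:" + value)
    return findings

if __name__ == "__main__":
    for finding in audit(SAMPLE_CONF):
        print(finding)
```

With no trust anchor configured, unbound passes the forwarder's answers through without DNSSEC validation, so "no-trust-anchor" is worth tracking as a temporary state rather than a finished configuration.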