DaemonForums  

Unbound problems

Posted by mefisto, 19th December 2017

Greetings all,

I have been experimenting with installing unbound on my laptop, connected to a router via an Ethernet interface.

1. My first problem is that after issuing several pings, I notice an error:

"/var/unbound/db/root.key
fail: the anchor is NOT ok and could not be fixed"

Both
Code:
rm /var/unbound/db/root.key
unbound-anchor -a /var/unbound/db/root.key
and
Code:
unbound-anchor -F
restore the root.key, but in a while the same problem reoccurs.

Although based on my search some people do have a similar root.key problem, it appears to be on the order of months and not minutes. Any ideas how to resolve the problem would be appreciated.

2. Although the response to the first ping takes a while, which I attribute to use of root server(s), the subsequent ping responses do not appear to be any faster. This puzzles me because my understanding is that unbound should cache the response. Do I have an error in the unbound.conf?

3. I cannot figure out from the various unbound-related web pages how to configure a browser (Firefox) to use the server. Do I need some redirection rule in pf.conf?

unbound.conf:

Code:
# $OpenBSD: unbound.conf,v 1.7 2016/03/30 01:41:25 sthen Exp $

server:
	#---------------#
	# Set interfaces
	#---------------#

	interface: 127.0.0.1
	verbosity: 1

	do-ip4:  yes
	do-ip6: no
	do-udp: yes
	do-tcp: yes

	#---------------#
	# Control access
	#---------------#

	access-control: 0.0.0.0/0 refuse	# Disable all interfaces
	access-control: 127.0.0.0/8 allow	# Allow all 127.0.0.0 interfaces
	access-control: 192.168.0.0/24 allow	# Allow all 192.168.0.0 interface queries
	do-not-query-localhost: no
	
	#-----------------#
	# Privacy settings
	#-----------------#

	hide-identity: yes	# id.server and version.bind queries refused
	hide-version: yes	# version.server and version.bind queries refused

	# Uncomment to enable qname minimisation.
	# https://tools.ietf.org/html/draft-ietf-dnsop-qname-minimisation-08
	#
	# qname-minimisation: yes

	# Enable DNSSEC validation.
	auto-trust-anchor-file: "/var/unbound/db/root.key"
	root-hints: "/var/unbound/db/root.hints"

	# UDP EDNS reassembly buffer advertised to peers. Default 4096.
	# May need lowering on broken networks with fragmentation/MTU issues,
	# particularly if validating DNSSEC.
	#
	#edns-buffer-size: 1480

	# Use TCP for "forward-zone" requests. Useful if you are making
	# DNS requests over an SSH port forwarding.
	#
	#tcp-upstream: yes

	# DNS64 options, synthesizes AAAA records for hosts that don't have
	# them. For use with NAT64 (PF "af-to").
	#
	#module-config: "dns64 validator iterator"
	#dns64-prefix: 64:ff9b::/96	# well-known prefix (default)
	#dns64-synthall: no

	local-zone: "local." static
	local-data: "dracula.local. IN A 192.168.0.108"

	#----------------------#
	# Remote access control
	#----------------------#

	remote-control:
	control-enable: no
	control-use-cert: no
	control-interface: /var/run/unbound.sock

Kindest regards,

M