my setup nsd listening on localhost port 53530 dnscrypt-proxy listening on localhost port 40 using both start up and run without errors dns and dnssec works fine without dnscrypt when i uncomment the forward-zone lines unbound is unable to start can anyone spot where i have made an error ? thanks Shadrock unbound.conf ============== server: verbosity: 3 username: "unbound" interface: 127.0.0.1 interface: 10.2.1.4 port: 53 do-ip4: yes do-ip6: no do-udp: yes do-tcp: yes do-daemonize: no access-control: 0.0.0.0/0 refuse access-control: 127.0.0.0/8 allow access-control: 10.2.1.0/8 allow directory: "/etc/unbound" logfile: "/unbound/unbound.log" pidfile: "/var/run/unbound.pid" root-hints: "/etc/unbound/root.hints" hide-identity: yes hide-version: yes harden-glue: yes harden-dnssec-stripped: yes use-caps-for-id: yes cache-min-ttl: 3600 cache-max-ttl: 86400 prefetch: yes prefetch-key: yes extended-statistics: yes num-threads: 4 msg-cache-slabs: 4 rrset-cache-slabs: 4 infra-cache-slabs: 4 key-cache-slabs: 4 rrset-cache-size: 256m msg-cache-size: 128m private-address: 10.0.0.0/8 private-address: 172.16.0.0/12 private-address: 192.168.0.0/16 private-address: 169.254.0.0/16 private-domain: "mydomain.co.uk" unwanted-reply-threshold: 10000 do-not-query-localhost: no trust-anchor-file: "trusted-key.key" val-clean-additional: yes # forward-zone: # name: "." # forward-addr: 127.0.0.1@40 # This local-zone line will tell unbound that private addresses like # 10.2.1.0/8 can send queries to a stub zone authoritative server like NSD. local-zone: "10.in-addr.arpa." nodefault # FORWARD lookup stub zone pointing to the NSD authoritative server. # stub-zone: name: "mydomain.co.uk" stub-addr: 127.0.0.1@53530 # REVERSE (rDNS) dns lookup for the mydomain.co.uk zone. stub-zone: name: "1.2.10.in-addr.arpa." stub-addr: 127.0.0.1@53530 ## unbound.conf