Upgrading from 2.3.2 -> 2.3.2-p1 - DNS Resolver service failed

dumplab · Oct 7, 2016, 6:37 AM

After the upgrade the DNS Resolver doesn't start when using pfBlocker with DNSBL.

Systemlog:
rc.bootup: The command '/usr/local/sbin/unbound -c /var/unbound/unbound.conf' returned exit code '1', the output was '/var/unbound/unbound.conf:93: error: cannot open include file '/var/unbound/pfb_dnsbl.conf': No such file or directory read /var/unbound/unbound.conf failed: 1 errors in configuration file [1475819560] unbound[35120:0] fatal error: Could not read config file: /var/unbound/unbound.conf'

Workaround:

Disable pfBlocker DNSBL
Restart DNS Resolver
Enable pfBlocker DNSBL
Run Update, the file will be rebuild

….

UPDATE PROCESS START [ 10/07/16 07:43:21 ]

===[ DNSBL Process ]================================================
Missing DNSBL stats and/or Unbound DNSBL conf file - Rebuilding

After reloading the firewall, the problem still exists

[EDIT] seems to be a only problem when /var in RAM

tonymorella · Oct 8, 2016, 3:00 PM

FYI just did the same upgrade and did not have an issue.

RonpfS · Oct 8, 2016, 8:57 PM

It is good practice to disable packages like pfBlockerNG, Snort, Suricata, etc that can interfere with internet access or DNS before doing an upgrade.

BBcan177 · Oct 9, 2016, 4:08 AM

@dumplab:

After the upgrade the DNS Resolver doesn't start when using pfBlocker with DNSBL.

The package has a feature to backup and restore the DNSBL database for RAMDisk installations.

There is an open Redmine, to fix this for certain scenarios:
https://redmine.pfsense.org/issues/6603

Mr. Jingles · Oct 27, 2016, 5:21 PM

One year and three heart surgeries later my doc told me not to stress. I did :P

BB, on my backup pfsense, Dell R200, there is indeed the problem that after the upgrade to 2.3.2-1 Unbound will refuse to start as long as DNSBL is active, and GUI becomes very inresponsive (nonresponsive/nonresponsive/deresponsive/antiresponsive: pick one :-* ).

BBcan177 · Oct 29, 2016, 4:21 PM

Hey Mr.J…

Sorry for any added stress.. :) However, this is something that needs to be fixed in pfSense Unbound... There is an open Redmine here:

https://redmine.pfsense.org/issues/6603

Basically, if you take a backup with DNSBL enabled... Then use this backup configuration in a new machine that doesn't have pfBlockerNG/DNSBL installed, then Unbound will not start since the Unbound Custom options is trying to load "server:include: /var/unbound/pfb_dnsbl.conf"....

So either remove that line, and restart Unbound, or take the future backups with DNSBL disabled...

or create a dummy file :

touch /var/unbound/pfb_dnsbl.conf

Hopefully the devs apply a patch to fix this issue once and for all….

Ibor Daru · Feb 2, 2017, 2:01 AM

@BBcan177:

The package has a feature to backup and restore the DNSBL database for RAMDisk installations.

Where can I find that feature precisely? Thanks in advance!

BBcan177 · Feb 2, 2017, 5:28 AM

@Ibor:

@BBcan177:

The package has a feature to backup and restore the DNSBL database for RAMDisk installations.

Where can I find that feature precisely? Thanks in advance!

Its done automatically in the background when RAMDisks are enabled…. No real need to touch it...