    DNSSEC on pfSense

2.0-RC Snapshot Feedback and Problems - RETIRED
178 Posts 18 Posters 71.2k Views
jlepthien

      Hey wagonza,

      thanks for the answer. I now get Borat, so this looks good. Still, I can't resolve my local hostnames as before with dnsmasq.
      What kind of info do you need? It is working with dnsmasq…

      Thanks for your help!

      | apple fanboy | music lover | network and security specialist | in love with cisco systems |

wagonza

Plz PM me the contents of your unbound.conf file (/usr/local/etc/unbound/unbound.conf) and also the output of unbound-checkconf.

        Follow me on twitter http://twitter.com/wagonza
        http://www.thepackethub.co.za

serangku

Thanks for the unbound package …

There's an alternative now with unbound or dnsmasq.

_igor_

Here it does NOT run. Say, at http://test.dnssec-or-not.org/ I don't see Borat. I reinstalled unbound, no change.
Nor do local hosts resolve.

            unbound-checkconf shows this:
            unbound-checkconf: no errors in /usr/local/etc/unbound/unbound.conf

            Logs here:

            Nov 20 17:35:49	unbound: [63765:0] info: start of service (unbound 1.4.7).
            Nov 20 17:35:49	unbound: [63765:0] notice: init module 1: iterator
            Nov 20 17:35:49	unbound: [63765:0] notice: init module 1: iterator
            Nov 20 17:35:49	unbound: [63765:0] notice: init module 0: validator
            Nov 20 17:35:49	unbound: [63765:0] notice: init module 0: validator
            Nov 20 17:35:49	check_reload_status: syncing firewall
            Nov 20 17:35:49	unbound: [53712:0] info: server stats for thread 0: requestlist max 0 avg 0 exceeded 0
            Nov 20 17:35:49	unbound: [53712:0] info: server stats for thread 0: 0 queries, 0 answers from cache, 0 recursions, 0 prefetch
            Nov 20 17:35:49	unbound: [53712:0] info: service stopped (unbound 1.4.7).
            Nov 20 17:35:40	unbound: [53712:0] info: start of service (unbound 1.4.7).
            Nov 20 17:35:40	unbound: [53712:0] notice: init module 1: iterator
            Nov 20 17:35:40	unbound: [53712:0] notice: init module 1: iterator
            Nov 20 17:35:40	unbound: [53712:0] notice: init module 0: validator
            Nov 20 17:35:40	unbound: [53712:0] notice: init module 0: validator
            Nov 20 17:35:39	check_reload_status: syncing firewall
            Nov 20 17:35:39	unbound: [37568:0] info: 1.000000 2.000000 1
            Nov 20 17:35:39	unbound: [37568:0] info: lower(secs) upper(secs) recursions
            Nov 20 17:35:39	unbound: [37568:0] info: [25%]=0 median[50%]=0 [75%]=0
            Nov 20 17:35:39	unbound: [37568:0] info: histogram of recursion processing times
            Nov 20 17:35:39	unbound: [37568:0] info: average recursion processing time 1.647413 sec
            Nov 20 17:35:39	unbound: [37568:0] info: server stats for thread 0: requestlist max 0 avg 0 exceeded 0
            Nov 20 17:35:39	unbound: [37568:0] info: server stats for thread 0: 2 queries, 1 answers from cache, 1 recursions, 0 prefetch
            Nov 20 17:35:39	unbound: [37568:0] info: service stopped (unbound 1.4.7).
            Nov 20 17:34:38	check_reload_status: reloading filter
            Nov 20 17:34:37	php: /pkg_edit.php: Reloading Squid for configuration sync
            Nov 20 17:33:04	check_reload_status: syncing firewall
            Nov 20 17:33:10	unbound: [37568:0] info: server stats for thread 0: requestlist max 1 avg 0.5 exceeded 0
            Nov 20 17:33:10	unbound: [37568:0] info: server stats for thread 0: 5 queries, 5 answers from cache, 0 recursions, 2 prefetch
            Nov 20 17:33:03	check_reload_status: syncing firewall
            Nov 20 17:29:08	kernel: xl0: tx underrun, increasing tx start threshold to 180 bytes
            Nov 20 17:29:08	kernel: xl0: transmission error: 90
            Nov 20 17:28:10	unbound: [37568:0] info: 1.000000 2.000000 1
            Nov 20 17:28:10	unbound: [37568:0] info: 0.524288 1.000000 1
            Nov 20 17:28:10	unbound: [37568:0] info: lower(secs) upper(secs) recursions
            Nov 20 17:28:10	unbound: [37568:0] info: [25%]=0 median[50%]=0 [75%]=0
            Nov 20 17:28:10	unbound: [37568:0] info: histogram of recursion processing times
            Nov 20 17:28:10	unbound: [37568:0] info: average recursion processing time 1.237340 sec
            Nov 20 17:28:10	unbound: [37568:0] info: server stats for thread 0: requestlist max 1 avg 0.5 exceeded 0
            Nov 20 17:28:10	unbound: [37568:0] info: server stats for thread 0: 3 queries, 1 answers from cache, 2 recursions, 0 prefetch
            
jlepthien

              Had another problem with the package. Sometimes after the dhcp lease is over, the client doesn't get my pfSense box as a DNS server, but the DNS servers I provided in general settings. Then my clients can't connect to the internet, because dns is not allowed for them, only to the pfSense box. Why do these servers sometimes get pushed to the clients?

jlepthien

                Updated to version 1.2.2 and still my clients do not get the pfSense LAN ip address as the dns server but the ones configured in general dns settings. Why is that? dnsmasq correctly pushes my pfSense LAN IP to the clients…

wagonza

Sorry, I'm currently on vacation until Sunday, so I will try to do as much as I can while away. @jlepthien - will investigate.

jlepthien

                    Take your time m8…

_igor_

I updated today to pfSense 2.0-BETA4 (i386) built on Mon Nov 22 02:54:15 EST 2010 and unbound to v 1.22. But no luck:

Nov 22 19:50:52 php: /pkg_edit.php: The command '/usr/local/sbin/unbound-control start' returned exit code '1', the output was '[1290451852] unbound[33548:0] error: bind: address already in use [1290451852] unbound[33548:0] fatal error: could not open ports'
                      Nov 22 19:50:52 unbound: [56312:0] info: server stats for thread 0: requestlist max 0 avg 0 exceeded 0
                      Nov 22 19:50:52 unbound: [56312:0] info: server stats for thread 0: 0 queries, 0 answers from cache, 0 recursions, 0 prefetch
                      Nov 22 19:50:52 unbound: [56312:0] info: service stopped (unbound 1.4.7).
                      Nov 22 19:50:52 check_reload_status: syncing firewall
                      Nov 22 19:50:16 unbound: [56312:0] info: start of service (unbound 1.4.7).
                      Nov 22 19:50:16 unbound: [56312:0] notice: init module 1: iterator
                      Nov 22 19:50:16 unbound: [56312:0] notice: init module 1: iterator
                      Nov 22 19:50:16 unbound: [56312:0] notice: init module 0: validator
                      Nov 22 19:50:16 unbound: [56312:0] notice: init module 0: validator
                      Nov 22 19:50:15 check_reload_status: reloading filter
                      Nov 22 19:50:14 unbound: [53850:0] info: server stats for thread 0: requestlist max 0 avg 0 exceeded 0
                      Nov 22 19:50:14 unbound: [53850:0] info: server stats for thread 0: 0 queries, 0 answers from cache, 0 recursions, 0 prefetch
                      Nov 22 19:50:14 unbound: [53850:0] info: service stopped (unbound 1.4.7).
                      Nov 22 19:50:13 check_reload_status: syncing firewall
                      Nov 22 19:49:58 unbound: [53850:0] info: start of service (unbound 1.4.7).
                      Nov 22 19:49:58 unbound: [53850:0] warning: root hints root.hints: no NS content
                      Nov 22 19:49:58 unbound: [53850:0] warning: root hints root.hints: no NS content
                      Nov 22 19:49:58 unbound: [53850:0] notice: init module 1: iterator
                      Nov 22 19:49:58 unbound: [53850:0] notice: init module 1: iterator
                      Nov 22 19:49:58 unbound: [53850:0] notice: init module 0: validator
                      Nov 22 19:49:58 unbound: [53850:0] notice: init module 0: validator
                      Nov 22 19:49:58 check_reload_status: syncing firewall
                      Nov 22 19:48:27 check_reload_status: reloading filter
                      Nov 22 19:48:26 php: : Reloading Squid for configuration sync
                      Nov 22 19:48:14 check_reload_status: syncing firewall
                      Nov 22 19:48:14 php: /pkg_mgr_install.php: Beginning package installation for Unbound.

                      
After starting unbound manually (via console it didn't work: unbound-control start, stop or status resulted in nothing, no output, nor did the program exit; I had to kill it via ctrl-c).
But starting via the Webif worked:


                      Nov 22 20:00:04 unbound: [22972:0] info: start of service (unbound 1.4.7).
                      Nov 22 20:00:04 unbound: [22972:0] notice: init module 1: iterator
                      Nov 22 20:00:04 unbound: [22972:0] notice: init module 1: iterator
                      Nov 22 20:00:04 unbound: [22972:0] notice: init module 0: validator
                      Nov 22 20:00:04 unbound: [22972:0] notice: init module 0: validator

                      
But I still don't get Borat, only Picard on the dnssec-test-site. :(

wagonza

                        @jlepthien:

                        Take your time m8…

heh :) thx. I figured out the dhcp DNS problem. It's directly related to DNSmasq being disabled in the xml config. Will think about how we can adjust this and let you know the status over the course of the week.

wagonza

@_igor_:

Nov 22 19:50:52	php: /pkg_edit.php: The command '/usr/local/sbin/unbound-control start' returned exit code '1', the output was '[1290451852] unbound[33548:0] error: bind: address already in use [1290451852] unbound[33548:0] fatal error: could not open ports'

Looks like DNSMasq wasn't shut down - will have to add some additional safety belts.

@_igor_:

But I still don't get Borat, only Picard on the dnssec-test-site. :(

What does dig @ <ip>edu +dnssec return? Have a look at the flags section in the returned output; it should contain an 'ad' flag.
Picard could be cached.


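Reading the 'ad' flag out of dig's header by hand is error-prone when the output is long, so here is a small parser for it. This is an added example, not code from the thread or from the pfSense Unbound package; the three dig headers embedded below are constructed samples (resolver address 192.0.2.53 and the name example.edu are placeholders), and the classification mirrors what wagonza describes: 'ad' set means the resolver validated the answer, while a missing 'ad' with NOERROR means it answered without validating.

```python
import re

# Constructed sample dig headers (not from the thread), as printed by
# `dig @<resolver-ip> example.edu +dnssec`. Only the header lines matter here.
VALIDATED = """\
; <<>> DiG 9.6.2 <<>> @192.0.2.53 example.edu +dnssec
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 51234
;; flags: qr rd ra ad; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 1
"""

UNVALIDATED = """\
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 51235
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1
"""

SERVFAIL = """\
;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 51236
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1
"""

# dig prints the status on the HEADER line and the flags on the line after it.
STATUS_RE = re.compile(r"->>HEADER<<-.*?status:\s*([A-Z]+)")
FLAGS_RE = re.compile(r"^;; flags:\s*([^;]*);", re.MULTILINE)


def parse_dig_header(text):
    """Return (status, set of header flags) from dig's text output."""
    status = STATUS_RE.search(text)
    flags = FLAGS_RE.search(text)
    return (
        status.group(1) if status else None,
        set(flags.group(1).split()) if flags else set(),
    )


def dnssec_verdict(text):
    """Classify a `dig +dnssec` response: the 'ad' (authenticated data)
    flag is the resolver saying it validated the signatures itself."""
    status, flags = parse_dig_header(text)
    if status is None:
        return "unparsable"
    if status == "SERVFAIL":
        # A validating resolver answers SERVFAIL when signatures fail to
        # validate, but also on ordinary upstream failures; the two look the
        # same to the client, so the resolver's own log has to be checked.
        return "servfail"
    if "ad" in flags:
        return "validated"
    if status == "NOERROR":
        return "answered, not validated"
    return "no answer: " + status


if __name__ == "__main__":
    for name, sample in (("validated", VALIDATED),
                         ("unvalidated", UNVALIDATED),
                         ("servfail", SERVFAIL)):
        print(f"{name}: {dnssec_verdict(sample)}")
```

Run the real dig against the pfSense LAN address rather than a public resolver, otherwise the flag tells you about someone else's validator. The 'ad' bit is only a claim by the resolver; it is meaningful here because the client and unbound share the LAN, not because the client verified anything itself. Unlike the Borat/Picard test page, which can be served from cache as wagonza notes, the flag reflects the resolver's current state.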
jlepthien

                            @wagonza:

                            @jlepthien:

                            Take your time m8…

heh :) thx. I figured out the dhcp DNS problem. It's directly related to DNSmasq being disabled in the xml config. Will think about how we can adjust this and let you know the status over the course of the week.

                            Cool! Waiting for an update then. Until then I'll just use dnsmasq as before…

kakashi

After reboot, syslog UI:

                              Nov 30 09:41:58 unbound: [669:0] info: service stopped (unbound 1.4.7).
                              Nov 30 09:41:58 unbound: [669:0] info: server stats for thread 0: 0 queries, 0 answers from cache, 0 recursions, 0 prefetch
                              Nov 30 09:41:58 unbound: [669:0] info: server stats for thread 0: requestlist max 0 avg 0 exceeded 0
                              Nov 30 09:41:58 unbound: [687:0] notice: init module 0: iterator
                              Nov 30 09:41:58 unbound: [687:0] notice: init module 0: iterator
                              Nov 30 09:41:58 unbound: [687:0] info: start of service (unbound 1.4.7).
                              Nov 30 09:42:00 php: : The command '/usr/local/sbin/unbound-control start' returned exit code '1', the output was '[1291084920] unbound[704:0] error: bind: address already in use [1291084920] unbound[704:0] fatal error: could not open ports'

After a manual save, the GUI syslog looks like it's running:
                              Nov 30 09:46:58 unbound: [687:0] info: server stats for thread 0: 73 queries, 0 answers from cache, 73 recursions, 0 prefetch
                              Nov 30 09:46:58 unbound: [687:0] info: server stats for thread 0: requestlist max 7 avg 3.23288 exceeded 0
                              Nov 30 09:46:58 unbound: [687:0] info: average recursion processing time 1.453108 sec
                              Nov 30 09:46:58 unbound: [687:0] info: histogram of recursion processing times
                              Nov 30 09:46:58 unbound: [687:0] info: [25%]=0.182044 median[50%]=0.261905 [75%]=0.289474
                              Nov 30 09:46:58 unbound: [687:0] info: lower(secs) upper(secs) recursions
                              Nov 30 09:46:58 unbound: [687:0] info: 0.032768 0.065536 1
                              Nov 30 09:46:58 unbound: [687:0] info: 0.065536 0.131072 3
                              Nov 30 09:46:58 unbound: [687:0] info: 0.131072 0.262144 8
                              Nov 30 09:46:58 unbound: [687:0] info: 0.262144 0.524288 9
                              Nov 30 09:46:58 unbound: [687:0] info: 0.524288 1.000000 10
                              Nov 30 09:46:58 unbound: [687:0] info: 1.000000 2.000000 21
                              Nov 30 09:46:58 unbound: [687:0] info: 2.000000 4.000000 19
                              Nov 30 09:46:58 unbound: [687:0] info: 4.000000 8.000000 2

On the console, I still get the error message:
                              [2.0-BETA4][root@rserver.local]/root(4): unbound -v
                              [1291085668] unbound[2106:0] notice: Start of unbound 1.4.7.
                              [1291085668] unbound[2106:0] error: bind: address already in use
                              [1291085668] unbound[2106:0] fatal error: could not open ports

Connection to the net works, but resolving is still slower than with dnsmasq.

I think I'll use dnsmasq till I get an update.
Thanks for providing the unbound package.

wagonza

                                Ok I am back from vacation. Will look into the various bugs and let you guys know when an update is committed.

_igor_

Hello wagonza! Hope your vacation was nice and groovy…

I have a little(?) proposal: Could you put the unbound logs separately? Maybe in that section "package logs"?
It is logging really a lot, and so the normal syslog is full of unbound log entries, which makes it somewhat difficult to find specific entries. Say, I have to open a console to view the log directly. 1000 lines are not enough at the webgui... (Not a big clue, but it would make that thing easier.)

wagonza

I hear you - will add this. Otherwise I'm winning with all the other changes. Hopefully will commit some time tomorrow.
                                    Off to lala land for tonight.

danswartz

                                      Woot!

wagonza

                                        Guys I have committed some changes which include Unbound getting its own log file. This will require a recent snapshot (later than Thursday last week) as there were some bugs in package log handling. I have also added some extra 'statistics' options, so that it is up to the user to decide on what he/she wants to see and how often.

                                        I can add debugging verbosity as well if you guys think that would help you?

There is one caveat: currently DHCP entries end up in the hosts file, and there is a daemon that handles updating /etc/hosts whenever there is a change to the dhcp leases file. This daemon will need to be updated to handle updating unbound. Currently only a re-save on Unbound will re-populate this data.

                                        Lastly, if you make use of DHCP and you assign pfSense as your DNS server (i.e. DNS servers field is left blank) then you will need to specify the IP address of the respective DHCP interface so that existing behaviour is kept. The reason for this is that in the base of pfSense it will automatically assign the Systems: General DNS servers to the dhcp client if DNSMasq is disabled.

                                        So just reinstall and please let me know what else is still not working.

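The leases-to-unbound step that wagonza says the daemon still lacks is small enough to sketch. This is an added example, not the package's or pfSense's own code: it parses a constructed ISC dhcpd.leases excerpt (the addresses, MACs and hostnames are made up), keeps only the newest block per address with an active binding, and emits unbound `local-data` / `local-data-ptr` lines under an assumed local domain `lan`. Because `client-hostname` is whatever the DHCP client chose to send, the name is reduced to a plain DNS label before it is interpolated into configuration.

```python
import ipaddress
import re

# Constructed sample of an ISC dhcpd.leases file (not from the thread). The
# file is append-only, so a later block for the same IP supersedes an earlier
# one; the last block shows a hostname a client could send to inject text.
SAMPLE_LEASES = """\
lease 10.0.0.5 {
  starts 2 2010/11/30 09:41:00;
  ends 2 2010/11/30 11:41:00;
  binding state active;
  hardware ethernet 00:11:22:33:44:55;
  client-hostname "laptop";
}
lease 10.0.0.6 {
  binding state free;
  client-hostname "oldbox";
}
lease 10.0.0.5 {
  binding state active;
  hardware ethernet 00:11:22:33:44:55;
  client-hostname "Laptop-2";
}
lease 10.0.0.7 {
  binding state active;
}
lease 10.0.0.8 {
  binding state active;
  client-hostname "Bad Name;42";
}
"""

LEASE_RE = re.compile(r"lease\s+(\S+)\s*\{(.*?)\}", re.DOTALL)
STATE_RE = re.compile(r"binding state\s+(\w+);")
HOST_RE = re.compile(r'client-hostname\s+"([^"]*)";')
NOT_LABEL_CHAR = re.compile(r"[^a-z0-9-]")


def sanitize_label(name):
    """Reduce a client-supplied hostname to one safe DNS label, or None."""
    label = NOT_LABEL_CHAR.sub("", name.lower()).strip("-")
    return label[:63] or None


def leases_to_unbound(leases_text, domain):
    """Map every address with an active lease and a usable hostname to unbound
    local-data lines. Later lease blocks override earlier ones; a block whose
    binding is no longer active (or has no usable name) drops the address."""
    current = {}
    for ip_str, body in LEASE_RE.findall(leases_text):
        try:
            ip = ipaddress.ip_address(ip_str)
        except ValueError:
            continue  # malformed address: ignore rather than emit config
        state = STATE_RE.search(body)
        host = HOST_RE.search(body)
        label = sanitize_label(host.group(1)) if host else None
        if not state or state.group(1) != "active" or label is None:
            current.pop(ip, None)
            continue
        current[ip] = label

    lines = []
    for ip in sorted(current, key=lambda a: (a.version, a)):
        fqdn = f"{current[ip]}.{domain}."
        rtype = "A" if ip.version == 4 else "AAAA"
        lines.append(f'local-data: "{fqdn} {rtype} {ip}"')
        lines.append(f'local-data-ptr: "{ip} {fqdn}"')
    return lines


if __name__ == "__main__":
    print("\n".join(leases_to_unbound(SAMPLE_LEASES, "lan")))
```

The emitted lines are valid in the `server:` section of unbound.conf, and the same record text (without the `local-data:` prefix) can be pushed into a running daemon with unbound-control's `local_data` command, so a leases-file watcher could update the resolver without a restart. Dropping an address when its newest block is `free` matters as much as adding it: otherwise a stale name keeps pointing at an address the DHCP server may already have handed to another host.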
jlepthien

                                          @wagonza:

                                          There is one caveat currently DHCP entries end up in the hosts file and there is a daemon that handles updating /etc/hosts when ever there is a change to the dhcp leases file. This daemon will need to be updated to handle updating unbound. Currently only a re-save on Unbound will re-populate this data.

                                          Hey,

great news. I will check it out soon. What I do not get, though, is your post I quoted. What exactly does that mean? At what times do I have to press save on the Unbound tab?

jlepthien

                                            Unbound does not install:

                                            Beginning package installation for Unbound...
                                            Downloading package configuration file... done.
                                            Saving updated package information... done.
                                            Downloading Unbound and its dependencies... 
                                            Checking for package installation... 
                                            unbound-1.4.7  could not download.
                                            of unbound-1.4.7 failed!
                                            
                                            Installation aborted.Removing package...
                                            	Starting package deletion for unbound-1.4.7...done.
                                            	Starting package deletion for expat-2.0.1_1...done.
                                            	Starting package deletion for openssl-1.0.0_2...done.
                                            Removing Unbound components...
                                            	Tabs items... done.
                                            	Menu items... done.
                                            	Services... done.
                                            Loading package instructions...
                                            	Include file unbound.inc could not be found for inclusion.
                                            	Deinstall commands... 
                                            	Not executing custom deinstall hook because an include is missing.
                                            	Removing package instructions...done.
                                            	Auxiliary files... done.
                                            	Package XML... done.
                                            	Configuration... done.
                                            Failed to install package.
                                            
                                            Installation halted.
                                            
