• Categories
  • Recent
  • Tags
  • Popular
  • Users
  • Search
  • Register
  • Login
Netgate Discussion Forum
  • Categories
  • Recent
  • Tags
  • Popular
  • Users
  • Search
  • Register
  • Login

DNSSEC on pfSense

Scheduled Pinned Locked Moved 2.0-RC Snapshot Feedback and Problems - RETIRED
178 Posts 18 Posters 71.5k Views
Loading More Posts
  • Oldest to Newest
  • Newest to Oldest
  • Most Votes
Reply
  • Reply as topic
Log in to reply
This topic has been deleted. Only users with topic management privileges can see it.
  • _
    _igor_
    last edited by Dec 18, 2010, 2:03 AM

    I think you know it, but here for future? reference…

    http://www.ripe.net/ripe/meetings/ripe-47/presentations/ripe47-dn-dnssec-nsd.pdf
    Sounds interesting...

    1 Reply Last reply Reply Quote 0
    • W
      wagonza
      last edited by Dec 18, 2010, 7:23 AM Dec 18, 2010, 7:11 AM

      @jlepthien:

      Does not work here. When enabling the forward mode the servers do not get written and unbound-config forward still says 'off'. Since OpenDNS is not supporting DNSSEC anyway I might as well stick to dnsmasq or disable DNSSEC…

      Just do a grep reload /usr/local/pkg/unbound.inc  - that should return zero results. If it does then you will need to uninstall the package and then re-install.

      Otherwise yeah disable DNSSec or stick to DNSMasq for now :$ OpenDNS do say they will eventually support DNSSec if gains more traction…

      Follow me on twitter http://twitter.com/wagonza
      http://www.thepackethub.co.za

      1 Reply Last reply Reply Quote 0
      • W
        wagonza
        last edited by Dec 18, 2010, 7:24 AM

        @_igor_:

        I think you know it, but here for future? reference…

        http://www.ripe.net/ripe/meetings/ripe-47/presentations/ripe47-dn-dnssec-nsd.pdf
        Sounds interesting...

        thanks - will check this out.

        Follow me on twitter http://twitter.com/wagonza
        http://www.thepackethub.co.za

        1 Reply Last reply Reply Quote 0
        • M
          mromero
          last edited by Dec 31, 2010, 4:04 AM

          On the latest snapshot of today i386 still getting:

          Dec 30 23:36:31 php: : The command '/usr/local/sbin/unbound-control start' returned exit code '1', the output was '[1293752191] unbound[53513:0] error: bind: address already in use [1293752191] unbound[53513:0] fatal error: could not open ports'
          ???

          1 Reply Last reply Reply Quote 0
          • W
            wagonza
            last edited by Jan 3, 2011, 5:41 PM

            @mromero:

            On the latest snapshot of today i386 still getting:

            Dec 30 23:36:31 php: : The command '/usr/local/sbin/unbound-control start' returned exit code '1', the output was '[1293752191] unbound[53513:0] error: bind: address already in use [1293752191] unbound[53513:0] fatal error: could not open ports'
            ???

            Is this still a problem? I can only assume DNSMasq was re-enabled.

            I have been away for the last week - hence the late reply.

            Follow me on twitter http://twitter.com/wagonza
            http://www.thepackethub.co.za

            1 Reply Last reply Reply Quote 0
            • M
              mromero
              last edited by Jan 4, 2011, 9:09 PM

              On latest snapshot of today 4 January same old:

              Jan 4 21:06:41 php: : The command '/usr/local/sbin/unbound-control start' returned exit code '1', the output was '[1294175201] unbound[48254:0] error: bind: address already in use [1294175201] unbound[48254:0] fatal error: could not open ports'

              @wagonza:

              @mromero:

              On the latest snapshot of today i386 still getting:

              Dec 30 23:36:31 php: : The command '/usr/local/sbin/unbound-control start' returned exit code '1', the output was '[1293752191] unbound[53513:0] error: bind: address already in use [1293752191] unbound[53513:0] fatal error: could not open ports'
              ???

              Is this still a problem? I can only assume DNSMasq was re-enabled.

              I have been away for the last week - hence the late reply.

              1 Reply Last reply Reply Quote 0
              • M
                mromero
                last edited by Jan 6, 2011, 4:29 AM

                It appears we are close to a RC1 candidate with so many things broken?

                One of the developers tweeted:

                "DNSSEC is right now the top, by far the top distributed denial of service amplifier on the internet"

                Could this be why no one seems to care about the Unbound package?

                1 Reply Last reply Reply Quote 0
                • _
                  _igor_
                  last edited by Jan 6, 2011, 2:17 PM

                  I would be interested in infos about it. Searching the net i only get - nothing! So no explanation nor other info. Sounds a bit like "Windows is the most secure software known".

                  1 Reply Last reply Reply Quote 0
                  • M
                    mromero
                    last edited by Jan 6, 2011, 4:13 PM

                    Here is the original Tweet, but I notice the URL goes to a 404 - do not known what to make of it:

                    sullrich Scott Ullrich
                    DNSSEC is right now the top, by far the top distributed denial of service amplifier on the internet. -DJB http://ha.cx/DJB.mp4

                    29 Dec

                    @_igor_:

                    I would be interested in infos about it. Searching the net i only get - nothing! So no explanation nor other info. Sounds a bit like "Windows is the most secure software known".

                    1 Reply Last reply Reply Quote 0
                    • W
                      wagonza
                      last edited by Jan 6, 2011, 7:15 PM

                      @mromero:

                      On latest snapshot of today 4 January same old:

                      Jan 4 21:06:41 php: : The command '/usr/local/sbin/unbound-control start' returned exit code '1', the output was '[1294175201] unbound[48254:0] error: bind: address already in use [1294175201] unbound[48254:0] fatal error: could not open ports'

                      Can you check if this happens next time and if so issue the following command when you see this error:

                      sockstat -4 -p 53

                      Follow me on twitter http://twitter.com/wagonza
                      http://www.thepackethub.co.za

                      1 Reply Last reply Reply Quote 0
                      • _
                        _igor_
                        last edited by Jan 6, 2011, 11:38 PM

                        Found something about the "denial of service amplifier" of DNSSEC: There was a discussion at the 27c3 in Berlin at the end of 2010… Was about the weakness of DNSSEC and the glory of dnscurve...

                        It can be found here: http://events.ccc.de/congress/2010/wiki/Conference_Recordings (Its Number 4295)
                        http://events.ccc.de/congress/2010/Fahrplan/attachments/1773_slides.pdf

                        And here an interesting opinion from Dan Kaminsky: http://dankaminsky.com/2011/01/05/djb-ccc/

                        Maybe all this clears some things up (or not ;-)

                        1 Reply Last reply Reply Quote 0
                        • M
                          mromero
                          last edited by Jan 7, 2011, 12:12 AM

                          Hi Wagonza. I ran the command from Shell and copied this result in longhand from the console:

                          USER        COMMAND      PID        FD      PROTO      LOCAL ADDRESS      FOREIGN ADDRESS

                          unbound  unbound        22871    12      udp4        192.168.1.1:53        :
                          unbound  unbound        22871    13      tcp4          192.168.1.1:53        :

                          @wagonza:

                          @mromero:

                          On latest snapshot of today 4 January same old:

                          Jan 4 21:06:41 php: : The command '/usr/local/sbin/unbound-control start' returned exit code '1', the output was '[1294175201] unbound[48254:0] error: bind: address already in use [1294175201] unbound[48254:0] fatal error: could not open ports'

                          Can you check if this happens next time and if so issue the following command when you see this error:

                          sockstat -4 -p 53

                          1 Reply Last reply Reply Quote 0
                          • G
                            gnhb
                            last edited by Jan 8, 2011, 12:21 AM

                            @_igor_:

                            And here an interesting opinion from Dan Kaminsky: http://dankaminsky.com/2011/01/05/djb-ccc/

                            Maybe all this clears some things up (or not ;-)

                            This was a great read from Dan Kaminsky. I'm a DNSSEC convert! :)

                            Check out his slides from his BlackHat talk too. http://dankaminsky.com/phreebird/

                            Time to check out Unbound . . .

                            GB

                            1 Reply Last reply Reply Quote 0
                            • T
                              ToxIcon
                              last edited by Jan 8, 2011, 5:35 AM Jan 8, 2011, 5:11 AM

                              just install Unbound on 2.0beta5 full install, install went good with no errors Its up and running but when i go to test.dnssec-or-not.org I get No, you are not using DNSSEC,
                              If you guys dont mind  Can someone with Unbound working up and running post pics of their Unbound DNS Settings  thanks.

                              1 Reply Last reply Reply Quote 0
                              • W
                                wagonza
                                last edited by Jan 8, 2011, 8:13 AM

                                @mromero:

                                Hi Wagonza. I ran the command from Shell and copied this result in longhand from the console:

                                USER        COMMAND      PID        FD      PROTO      LOCAL ADDRESS      FOREIGN ADDRESS

                                unbound   unbound        22871     12      udp4         192.168.1.1:53        :
                                unbound   unbound        22871     13      tcp4          192.168.1.1:53         :

                                hmm … this shows that Unbound is listening - in this instance did you get a log entry with the failure to start for Unbound?
                                If so then it appears that for some reason Unbound is trying to be started twice on your system.

                                Follow me on twitter http://twitter.com/wagonza
                                http://www.thepackethub.co.za

                                1 Reply Last reply Reply Quote 0
                                • _
                                  _igor_
                                  last edited by Jan 8, 2011, 12:31 PM

                                  @ ToxIcon:

                                  Enable unbound
                                  choose LAN (and your additional Interfaces maybe)
                                  enable DNSSEC
                                  This should work instantly.

                                  I have the forwarding mode disabled, but should not make any difference as i have seen here

                                  Do you have squid installed? If you have tested before, it could be that squid is "answering" or your local browser-cache. I had this too. Its working fine here since the beginning. I don't have any errors. Nor double starting of unbound. That was only at an early stage here. But may be different depending on whatever. You see, wagonza is working.

                                  1 Reply Last reply Reply Quote 0
                                  • A
                                    adrianhensler
                                    last edited by Jan 8, 2011, 1:54 PM

                                    If you are using squid, go to the config page for squid then add your pfsense IP to this line:

                                    "Use alternate DNS-servers for the proxy-server"

                                    Fixed it for me, no more sad Picard.

                                    1 Reply Last reply Reply Quote 0
                                    • W
                                      wagonza
                                      last edited by Jan 8, 2011, 4:15 PM

                                      Also check http://doc.pfsense.org/index.php/Unbound_package for a bit more detail on the setup of Unbound.
                                      Please let me know if you spot any mistakes/grammer errors or have suggestions.

                                      thx

                                      Follow me on twitter http://twitter.com/wagonza
                                      http://www.thepackethub.co.za

                                      1 Reply Last reply Reply Quote 0
                                      • M
                                        mromero
                                        last edited by Jan 8, 2011, 6:38 PM

                                        THANKS! This did the trick. I am still getting errors as per below but Unbound is now giving me the Borat Smile.

                                        This on AMD 64of today. Will work on the other i386 box now.

                                        Jan 8 18:31:59 php: : SQUID is installed but not started. Not installing "nat" rules.
                                        Jan 8 18:32:00 php: : SQUID is installed but not started. Not installing "filter" rules.
                                        Jan 8 18:32:04 php: : Creating rrd update script
                                        Jan 8 18:32:04 php: : Resyncing configuration for all packages.
                                        Jan 8 18:32:09 php: : Starting Squid
                                        Jan 8 18:32:09 squid[22968]: Squid Parent: child process 23503 started
                                        Jan 8 18:32:09 check_reload_status: reloading filter
                                        Jan 8 18:32:09 php: : The command '/usr/local/sbin/unbound-control start' returned exit code '1', the output was '[1294511529] unbound[31067:0] error: bind: address already in use [1294511529] unbound[31067:0] fatal error: could not open ports'
                                        Jan 8 18:32:10 login: login on ttyv0 as root
                                        Jan 8 18:32:10 sshlockout[38992]: sshlockout/webConfigurator v3.0 starting up
                                        Jan 8 18:32:14 Squid_Alarm[45562]: Squid has exited. Reconfiguring filter.
                                        Jan 8 18:32:14 Squid_Alarm[45854]: Attempting restart…
                                        Jan 8 18:32:14 squid[46948]: Squid Parent: child process 47334 started
                                        Jan 8 18:32:17 Squid_Alarm[47945]: Reconfiguring filter…
                                        Jan 8 18:32:17 Squid_Alarm[56094]: Squid has resumed. Reconfiguring filter.

                                        @adrianhensler:

                                        If you are using squid, go to the config page for squid then add your pfsense IP to this line:

                                        "Use alternate DNS-servers for the proxy-server"

                                        Fixed it for me, no more sad Picard.

                                        1 Reply Last reply Reply Quote 0
                                        • M
                                          mromero
                                          last edited by Jan 8, 2011, 7:26 PM

                                          O.K. I upgraded to today's snapshot on another box with i386 and it wiped out my Squid. Reinstalled Squid and Squid and Unbound working now with Borat Smiling.

                                          I guess the kinks will be worked out eventually…

                                          1 Reply Last reply Reply Quote 0
                                          • First post
                                            Last post
                                          Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.
                                            This community forum collects and processes your personal information.
                                            consent.not_received