DNSSEC on pfSense

wagonza

@johnpoz:

but now I have a domain override set, shows up in the unbound config, the server it points to at 192.168.1.4 is running bind, clearly answers for that zone test.ip, but when you ask the pfsense box running unbound you get servfail?

Ok i think i might have an idea on the problem here, can you send me your unbound.conf please? You can comment out any private data.

@johnpoz:

Still fails - also seems to me that if your pointing pfsense to itself only (unbound) for dns in general setup, that upon update to new snap the reinstall of packages fail..

yeah it wouldnt because no name resolution can take place as unbound is not started yet.

serangku

@wagonza …

from System: Advanced: Miscellaneous: System Tunables :
kern.ipc.maxsockbuf Maximum socket buffer size default (4262144)

i hope unbound back again on my site

wagonza

@serangku:

from System: Advanced: Miscellaneous: System Tunables :
kern.ipc.maxsockbuf Maximum socket buffer size default (4262144)

i hope unbound back again on my site

hmm…odd Unbound picked up a lower amount than that. Could have been an old snap that you were on which had a lower kern.ipc.maxsockbuf. Anyway it should be working for you since I did add some additional checks which will protect against what you experienced.
I have also just committed ACL support so if you reinstall you will see an additional page to allow other networks to query Unbound.
If you do use it just remember to add the necessary firewall rules.

Let me know if you pick up any problems please.

serangku

@wagonza …

here my pfsense date

2.0-BETA5 (i386)
built on Mon Jan 10 13:14:45 EST 2011

i use unbound for simple replace of dnsmasq without any feature, not yet …
i have reinstall unbound package
here my syslog :

Jan 13 08:56:28 login: login on ttyv0 as root
Jan 13 08:56:51 php: : The command '/usr/local/sbin/unbound-control start' returned exit code '1', the output was '[1294883811] unbound[29089:0] error: bind: address already in use [1294883811] unbound[29089:0] fatal error: could not open ports'
Jan 13 08:57:30 sshd[28148]: Accepted keyboard-interactive/pam for root from 192.168.110.188 port 39425 ssh2
Jan 13 08:57:30 sshd[28148]: subsystem request for sftp
Jan 13 09:03:21 check_reload_status: syncing firewall

then manually save on gui unbound

Jan 13 09:03:22 unbound: [26869:0] info: service stopped (unbound 1.4.7).
Jan 13 09:03:22 unbound: [26869:0] info: server stats for thread 0: 53 queries, 4 answers from cache, 49 recursions, 1 prefetch
Jan 13 09:03:22 unbound: [26869:0] info: server stats for thread 0: requestlist max 5 avg 1.34 exceeded 0
Jan 13 09:03:22 unbound: [26869:0] info: average recursion processing time 1.122806 sec
Jan 13 09:03:22 unbound: [26869:0] info: histogram of recursion processing times
Jan 13 09:03:22 unbound: [26869:0] info: [25%]=0.118928 median[50%]=0.104167 [75%]=0.614583
Jan 13 09:03:22 unbound: [26869:0] info: lower(secs) upper(secs) recursions
Jan 13 09:03:22 unbound: [26869:0] info: 0.131072 0.262144 4
Jan 13 09:03:22 unbound: [26869:0] info: 0.262144 0.524288 5
Jan 13 09:03:22 unbound: [26869:0] info: 0.524288 1.000000 13
Jan 13 09:03:22 unbound: [26869:0] info: 1.000000 2.000000 24
Jan 13 09:03:22 unbound: [26869:0] info: 2.000000 4.000000 2
Jan 13 09:03:22 unbound: [26869:0] info: 4.000000 8.000000 1
Jan 13 09:03:22 unbound: [26869:0] info: server stats for thread 1: 4 queries, 0 answers from cache, 4 recursions, 0 prefetch
Jan 13 09:03:22 unbound: [26869:0] info: server stats for thread 1: requestlist max 4 avg 1 exceeded 0
Jan 13 09:03:22 unbound: [26869:0] info: average recursion processing time 1.503178 sec
Jan 13 09:03:22 unbound: [26869:0] info: histogram of recursion processing times
Jan 13 09:03:22 unbound: [26869:0] info: [25%]=0.475712 median[50%]=0.5 [75%]=1
Jan 13 09:03:22 unbound: [26869:0] info: lower(secs) upper(secs) recursions
Jan 13 09:03:22 unbound: [26869:0] info: 0.524288 1.000000 1
Jan 13 09:03:22 unbound: [26869:0] info: 1.000000 2.000000 2
Jan 13 09:03:22 unbound: [26869:0] info: 2.000000 4.000000 1
Jan 13 09:03:22 unbound: [4452:0] notice: init module 0: validator
Jan 13 09:03:22 unbound: [4452:0] notice: init module 0: validator
Jan 13 09:03:22 unbound: [4452:0] notice: init module 1: iterator
Jan 13 09:03:22 unbound: [4452:0] notice: init module 1: iterator
Jan 13 09:03:22 unbound: [4452:0] info: start of service (unbound 1.4.7).

and from dmesg

Syncing packages:
Unbound

Warning: Invalid argument supplied for foreach() in /usr/local/pkg/unbound.inc on line 258

Syncing packages:
done.
Executing rc.d items…
Starting /usr/local/etc/rc.d/proxy_monitor.sh...
done.
Starting /usr/local/etc/rc.d/squid.sh...
done.
Starting /usr/local/etc/rc.d/unbound.sh...
done.
Bootup complete

i think that warning because on acl there's im not use any acl, am i right ?

so far running well with that syslog
and back gain to use unbound
really appreciate

ToxIcon

@wagonza I am having the strangest issue

with Unbound enable

dhcp clients can't browse any webpages

but clients with Static IP can

jlepthien

@ToxIcon:

@wagonza I am having the strangest issue

with Unbound enable

dhcp clients can't browse any webpages

but clients with Static IP can

Have you set the pfSense box as a DNS server on your dhcp tab? Otherwise you will get your DNS Servers from General Setup to your clients via dhcp and there might be a rule blocking DNS outgoing traffic. I can't see more in my crystal circle here, you need to give us more info on what your setup is like…

wagonza

@serangku:

Syncing packages:
Unbound

Warning: Invalid argument supplied for foreach() in /usr/local/pkg/unbound.inc on line 258

Syncing packages:
done.

i think that warning because on acl there's im not use any acl, am i right ?

Ahhh long standing bug fixed. Thx for that!

Still investigating that darn unbound start error of yours…

_igor_

Today after updating pfsense i got the same error stating "Adress already in use". Ticking "save" at the unbound-page solved the problem. I didn't have this now long time. Only at the beginning of deployment of the unbound-package, say last year.

clarknova

Looks like Borat is no longer with us :(
http://www.downforeveryoneorjustme.com/dnssec-or-not.org

Here's another site, although a lot less satisfying to use, and not just because there's no Borat. A lookup failure is really a lame way to confirm that DNSSEC is working, considering many other factors could cause this, leading to an illusion of security. Bravo, Comcast. Anybody know of a better test site? Google results look sparse.

http://www.dnssec-failed.org

ToxIcon

Have you set the pfSense box as a DNS server on your dhcp tab? Otherwise you will get your DNS Servers from General Setup to your clients via dhcp and there might be a rule blocking DNS outgoing traffic. I can't see more in my crystal circle here, you need to give us more info on what your setup is like…

Thanks jlepthien :)

jlepthien

@ToxIcon:

Thanks jlepthien :)

So that was the problem? You could have easily found out by looking at the logs ;-)

clarknova

@wagonza:

Ahhh long standing bug fixed. Thx for that!

Interesting. I updated to 1.2.9 from 1.2.8 and my config was preserved except for listening interfaces. Where I had selected 4 interfaces previously, only LAN was selected after the upgrade.

jlepthien

Also did that update now. Config stays the same, except the interface problem I also have. Just one of my normally three selected interfaces (LAN) was active for the usage of Unbound…

ToxIcon

@jlepthien:

@ToxIcon:

Thanks jlepthien :)

So that was the problem? You could have easily found out by looking at the logs ;-)

yes that was the problem

I know I know that is what I get for rushing and the bad part is that I have a sticky posted on the box
to always check the logs when trying to fix connection error.

Unbound taste great less filling  works great :=)

mromero

http://tjeb.nl/Projects/DNSSEC/index.html

http://bogussig.dnssec.tjeb.nl/Projects/DNSSEC/index.html

First One Yes

Second One No.

Is there a script to do this? I could set up a page but maybe it is beyond me….

@clarknova:

Looks like Borat is no longer with us :(
http://www.downforeveryoneorjustme.com/dnssec-or-not.org

Here's another site, although a lot less satisfying to use, and not just because there's no Borat. A lookup failure is really a lame way to confirm that DNSSEC is working, considering many other factors could cause this, leading to an illusion of security. Bravo, Comcast. Anybody know of a better test site? Google results look sparse.

http://www.dnssec-failed.org

ToxIcon

Unbound 1.2.9 updated broke

php: : The command '/usr/local/sbin/unbound-control start'
returned exit code '1', the output was '[1294954557]
unbound[37313:0] fatal error: user 'unbound' does not exist.'

php: /pkg_edit.php: The command '/usr/local/sbin/unbound-control start'
returned exit code '1', the output was '[1294954577] unbound[60423:0]
fatal error: user 'unbound' does not exist.'

php: /pkg_edit.php: The command '/usr/local/sbin/unbound-control start'
returned exit code '1', the output was '[1294954608] unbound[37078:0]
fatal error: user 'unbound' does not exist.'

jlepthien

@ToxIcon:

Unbound 1.2.9 updated broke

php: : The command '/usr/local/sbin/unbound-control start'
returned exit code '1', the output was '[1294954557]
unbound[37313:0] fatal error: user 'unbound' does not exist.'

php: /pkg_edit.php: The command '/usr/local/sbin/unbound-control start'
returned exit code '1', the output was '[1294954577] unbound[60423:0]
fatal error: user 'unbound' does not exist.'

php: /pkg_edit.php: The command '/usr/local/sbin/unbound-control start'
returned exit code '1', the output was '[1294954608] unbound[37078:0]
fatal error: user 'unbound' does not exist.'

Try removing and reinstalling the package. Also watch the system.log while installing - you should see that the unbound user is added…

ToxIcon

Beginning package installation for Unbound…
Downloading package configuration file... done.
Saving updated package information... done.
Downloading Unbound and its dependencies...
Checking for package installation...
Downloading http://files.pfsense.org/packages/8/All/unbound-1.4.7.tbz ...  could not download from there or http://ftp2.FreeBSD.org/pub/FreeBSD/ports/i386/packages-8.1-release/All/unbound-1.4.7.tbz.
of unbound-1.4.7 failed!

Installation aborted.Backing up libraries...
Removing package...
Starting package deletion for unbound-1.4.7...done.
Starting package deletion for expat-2.0.1_1...done.
Starting package deletion for libevent-1.4.14b_1...done.
Removing Unbound components...
Tabs items... done.
Menu items... done.
Services... done.
Loading package instructions...
Include file unbound.inc could not be found for inclusion.
Deinstall commands...
Not executing custom deinstall hook because an include is missing.
Removing package instructions...done.
Auxiliary files... done.
Package XML... done.
Configuration... done.
Cleaning up... Failed to install package.

Installation halted.

mromero

Oh boy. Looks like the PFSENSE 2.0 Beta package installation is broken again.

We had this a few weeks ago with the Squid package - holding off on updating until someone confirms it is fixed.

I keep two boxes so when the snapshot is broken I go to the other box until a fix issued.  :(

@ToxIcon:

Beginning package installation for Unbound…
Downloading package configuration file... done.
Saving updated package information... done.
Downloading Unbound and its dependencies...
Checking for package installation...
Downloading http://files.pfsense.org/packages/8/All/unbound-1.4.7.tbz ...  could not download from there or http://ftp2.FreeBSD.org/pub/FreeBSD/ports/i386/packages-8.1-release/All/unbound-1.4.7.tbz.
of unbound-1.4.7 failed!

Installation aborted.Backing up libraries...
Removing package...
Starting package deletion for unbound-1.4.7...done.
Starting package deletion for expat-2.0.1_1...done.
Starting package deletion for libevent-1.4.14b_1...done.
Removing Unbound components...
Tabs items... done.
Menu items... done.
Services... done.
Loading package instructions...
Include file unbound.inc could not be found for inclusion.
Deinstall commands...
Not executing custom deinstall hook because an include is missing.
Removing package instructions...done.
Auxiliary files... done.
Package XML... done.
Configuration... done.
Cleaning up... Failed to install package.

Installation halted.

johnpoz

I did not have any issues updating to 1.2.9

Where you could run into issues with download is if your pfsense box is using itself as dns.. Have run into this with even just updates of snaps all the packages fail to reinstall.

I just changed mine in general to use 4.2.2.2 and then clicked update from 1.2.8 to 1.2.9 and went smooth as silk..

Now looking at the new acl tab, I could create an allow acl – but allow snoop get this error

"allow_snoop is not a valid ACL Action. Please select one of the four actions defined in the list."

I picked it from the list ;) hehehe

edit: btw borat is back with us http://test.dnssec-or-not.org/ is working from here.