Netgate Discussion Forum
DNS Resolver

Category: 2.2 Snapshot Feedback and Problems - RETIRED
186 Posts 44 Posters 138.7k Views

  dstroot (Nov 10, 2014, 3:23 PM):

    My bad.  I wasn't filling it out correctly - it works if you do it as I show in the attached.

    blocked.png

    Hugovsky (Nov 12, 2014, 2:57 PM):

      Can I pass "include: /etc/unbound/local-blocking-data.conf" in the advanced field of the resolver? I want to block some domains.

      Hugovsky (Nov 12, 2014, 9:10 PM):

        Apparently the options in the advanced field are not parsed to the config file. Am I doing it wrong?

        Escorpiom (Nov 12, 2014, 11:33 PM, edited 11:36 PM):

          I'm sorry to say that Unbound in 2.2 beta (still) has issues:

          Nov 12 18:21:42	unbound: [94783:0] notice: Restart of unbound 1.4.22.
          Nov 12 18:21:42	unbound: [94783:0] warning: too many file descriptors requested. The builtin mini-event cannot handle more than 1024. Config for less fds or compile with libevent
          Nov 12 18:21:42	unbound: [94783:0] warning: continuing with less udp ports: 91
          

          I've seen this a couple of times here, but no solution was found.
          From what can be found on the web, it seems to be a problem with multicore CPUs (mine is a 2558 SoC).
          The "Number of queries per thread" in the web interface shows 512, but in the actual config file it's still set at 1024.

          The value should sit around 250 for a 4-core cpu, not exceeding a total of 1024.
          Manually adjusting the Unbound config is no use; after saving a change in the admin interface, it resets to 1024 again.

          This issue is causing Unbound to restart, and when it does, DNS lookups are delayed.
          Old bug that really needs to be fixed.

          Cheers.

          Hugovsky (Nov 13, 2014, 2:26 PM, edited 2:36 PM):

            Seems some options are not parsed to the config file. I've already posted about the advanced field, but I've found another:

            2.2-BETA (amd64)
            built on Thu Nov 13 06:05:47 CST 2014
            FreeBSD 10.1-RELEASE

            Check the config file below and the pic:

            /var/unbound: cat unbound.conf
            ##########################
            # Unbound Configuration
            ##########################

            # Server configuration
            server:
            chroot: /var/unbound
            username: "unbound"
            directory: "/var/unbound"
            pidfile: "/var/run/unbound.pid"
            use-syslog: yes
            port: 53
            verbosity: 1
            harden-referral-path: no
            do-ip4: yes
            do-ip6: yes
            do-udp: yes
            do-tcp: yes
            do-daemonize: yes
            module-config: "validator iterator"
            unwanted-reply-threshold: 0
            num-queries-per-thread: 1024
            jostle-timeout: 200
            infra-host-ttl: 900
            infra-lame-ttl: 900
            infra-cache-numhosts: 10000
            outgoing-num-tcp: 10
            incoming-num-tcp: 10
            edns-buffer-size: 4096
            cache-max-ttl: 86400
            cache-min-ttl: 0
            harden-dnssec-stripped: yes
            num-threads: 2
            msg-cache-slabs: 4
            rrset-cache-slabs: 4
            infra-cache-slabs: 4
            key-cache-slabs: 4
            msg-cache-size: 4m
            rrset-cache-size: 8m
            outgoing-range: 462
            #so-rcvbuf: 4m
            auto-trust-anchor-file: /var/unbound/root.key
            prefetch: no
            prefetch-key: no

            # Statistics
            # Unbound Statistics
            statistics-interval: 0
            extended-statistics: yes
            statistics-cumulative: yes

            # Interface IP(s) to bind to
            interface: 192.168.50.1
            interface: 10.1.2.1
            interface: 192.168.51.1
            interface: 127.0.0.1
            interface: ::1

            # Outgoing interfaces to be used
            outgoing-interface: #####
            outgoing-interface: #####

            # DNS Rebinding
            # For DNS Rebinding prevention
            private-address: 10.0.0.0/8
            private-address: 172.16.0.0/12
            private-address: 192.168.0.0/16
            private-address: 192.254.0.0/16
            private-address: fd00::/8
            private-address: fe80::/10

            # Set private domains in case authoritative name server returns a Private IP address
            private-domain: "hsnetworks"
            domain-insecure: "hsnetworks"

            # Access lists
            include: /var/unbound/access_lists.conf

            # Static host entries
            include: /var/unbound/host_entries.conf

            # Domain overrides
            include: /var/unbound/domainoverrides.conf

            # Remote Control Config
            include: /var/unbound/remotecontrol.conf

            (edited to include snapshot version)

            general.jpg
            advanced.jpg

            Hugovsky (Nov 13, 2014, 2:55 PM):
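            An added check, not code from this thread or from pfSense, that parses a generated unbound.conf like the one above and applies the two observations made so far: Escorpiom's rule of thumb that num-threads times num-queries-per-thread should not exceed the 1024 descriptors the built-in mini-event loop can handle (a heuristic from the thread, not Unbound's exact accounting), and Hugovsky's finding that lines from the "Advanced" box were not making it into the file. The sample configuration is constructed.

```python
"""Sanity-check a pfSense-generated unbound.conf (added example, not pfSense code)."""
import re
from collections import defaultdict

MINI_EVENT_FD_LIMIT = 1024  # ceiling quoted in the "too many file descriptors" warning

# Constructed sample: the two values from the thread that trigger the warning,
# plus one of the include: lines pfSense writes on its own.
SAMPLE_CONF = """\
server:
num-threads: 2
num-queries-per-thread: 1024
outgoing-range: 462
include: /var/unbound/access_lists.conf
"""

def parse_unbound_conf(text):
    """Return {keyword: [values]} for unbound.conf-style text.

    Keywords end with ':', '#' starts a comment, and a keyword may repeat
    (interface:, include:, private-address:). Clause headers such as
    'server:' are kept with an empty value."""
    options = defaultdict(list)
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        m = re.match(r"^([\w-]+):\s*(.*)$", line)
        if m:
            options[m.group(1)].append(m.group(2).strip().strip('"'))
    return options

def check_conf(text, expected_custom_lines=()):
    """Return a list of findings; an empty list means the file looks sane."""
    opts = parse_unbound_conf(text)
    findings = []
    threads = int(opts.get("num-threads", ["1"])[0])
    per_thread = int(opts.get("num-queries-per-thread", ["0"])[0])  # 0 == not set
    if threads * per_thread > MINI_EVENT_FD_LIMIT:
        findings.append(
            f"num-threads({threads}) * num-queries-per-thread({per_thread}) = "
            f"{threads * per_thread} > {MINI_EVENT_FD_LIMIT}; expect the "
            "'too many file descriptors requested' warning unless built with libevent")
    # Each custom option is given as it was typed into the Advanced box ("key: value").
    for wanted in expected_custom_lines:
        key, _, value = wanted.partition(":")
        if value.strip() not in opts.get(key.strip(), []):
            findings.append(f"custom option not rendered into unbound.conf: {wanted}")
    return findings
```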

              More info on this:

              Although the Unbound config file doesn't have it, config.xml does have the right settings:

              <custom_options>include:/var/unbound/local-blocking-data.conf</custom_options>
              <dnssec></dnssec>
              <prefetch></prefetch>
              <prefetchkey></prefetchkey>
              <msgcachesize>4</msgcachesize>
              <outgoing_num_tcp>0</outgoing_num_tcp>
              <incoming_num_tcp>0</incoming_num_tcp>
              <edns_buffer_size>1480</edns_buffer_size>
              <num_queries_per_thread>512</num_queries_per_thread>
              <jostle_timeout>100</jostle_timeout>

              phil.davis (Nov 13, 2014, 3:46 PM):

                The code in /etc/inc/unbound.inc simply does not implement the settings into the conf file.
                I am looking at this. It will be easy to finish the implementation; pull request in 1 hour hopefully.

                As the Greek philosopher Isosceles used to say, "There are 3 sides to every triangle."
                If I helped you, then help someone else - buy someone a gift from the INF catalog http://secure.inf.org/gifts/usd/

                phil.davis (Nov 13, 2014, 4:58 PM, edited 5:14 PM):

                  Pull request: https://github.com/pfsense/pfsense/pull/1336

                  That makes it implement all the parameters that can be specified in the "Advanced" section (the custom options box) and on the "Advanced" tab. unbound.conf has all this stuff now after pressing Apply.

                  And it took me 72 minutes between posts - there were a few little extra bits to think about, software project estimation is never an exact science, and I actually tested it also  ;)

                  Hugovsky (Nov 13, 2014, 5:11 PM):

                    Thanks again for being so fast. I'll test it and report back.

                    Hugovsky (Nov 13, 2014, 11:21 PM):

                      It's working perfectly on the latest snapshot. Thanks again. Although, I was reading unbound docs and noticed this:

                      "FILE FORMAT
                      There must be whitespace between keywords. Attribute keywords end with a colon ':'. An attribute is followed by its containing attributes, or a value."

                      Text parsed in the advanced field breaks the line with spaces. Do you think this is important?

                      Escorpiom (Nov 14, 2014, 3:17 AM):

                        Phil and Hugovsky, thanks for following up on this. I know it's community, so it's awesome you helped out with this.
                        Will test it shortly.

                        Cheers.

                        athurdent (Nov 14, 2014, 6:09 AM):

                          @athurdent:

                          I'm using CARP virtual IPs and run Unbound on "All" interfaces.
                          If I query the CARP IP from a Linux box, I get this:

                          root@none:~# dig @192.168.xxx.254 www.heise.de
                          ;; reply from unexpected source: 192.168.xxx.5#53, expected 192.168.xxx.254#53
                          ;; reply from unexpected source: 192.168.xxx.5#53, expected 192.168.xxx.254#53
                          ;; reply from unexpected source: 192.168.xxx.5#53, expected 192.168.xxx.254#53
                          

                          Snapshot is AMD64 from today.

                          I took another look at this:

                          IP aliases can be explicitly chosen in the GUI but do not appear in unbound.conf so this does not help with the problem. Seems like a bug and should be fixed I guess.

                          If you set

                          interface-automatic: yes
                          

                          then it replies properly when doing a dig @ the alias IP.
                          This feature is marked experimental though; I don't know the downsides.

                          p1erre (Nov 14, 2014, 6:50 AM):

                            Hi

                            I have another issue: none of my DHCP6 static bindings are included in /var/unbound/host_entries.conf. It shows only the IPv4 entries.

                            Guest (Nov 15, 2014, 1:27 AM):

                              file a bug.

                              p1erre (Nov 15, 2014, 1:42 PM):

                                @gonzopancho:

                                file a bug.

                                Bug #4013

                                cmb (Nov 18, 2014, 4:01 AM):

                                  Most things should be fixed here now. Open DNS Resolver bug tickets can be viewed here:
                                  https://redmine.pfsense.org/projects/pfsense/issues?query_id=42

                                  If you notice anything not on the list, please post here on this board, either in this thread or start your own. If you have a clearly-defined bug report, open a ticket at redmine.pfsense.org. If you're not sure of the specific issue, it's best to discuss it here first, where someone can help quantify the issue.

                                  athurdent (Nov 18, 2014, 6:38 AM):

                                    Does not seem to work properly with IP Aliases or CARP interfaces here. IP Aliases don't work at all, CARP virtual IPs create an interface entry with "Array" and unbound fails to start.

                                    To reproduce:
                                    - create an IP Alias
                                    - choose it as the only Network interface in Unbound
                                    Result in /var/unbound/unbound.conf:

                                    # Interface IP(s) to bind to
                                    

                                    Or:
                                    - create a CARP virtual IP
                                    - choose it as the only Network interface in Unbound
                                    Result in /var/unbound/unbound.conf:

                                    # Interface IP(s) to bind to
                                    interface: 192.168.xxx.6
                                    interface: Array
                                    

                                    I'm testing on the latest:

                                    2.2-BETA (amd64)
                                    built on Mon Nov 17 19:31:46 CST 2014
                                    FreeBSD 10.1-RELEASE
                                    
                                    phil.davis (Nov 18, 2014, 8:02 AM):

                                      cmb fixed that "Array" thing with a very recent commit: https://github.com/pfsense/pfsense/commit/845fd268c94e3c4de31700ce29963038e28fa017
                                      But I suspect that now you might just get no binding.
                                      You could install the latest /etc/inc/unbound.inc and then report back what remains wrong.

                                      athurdent (Nov 18, 2014, 8:21 AM):

                                        Thanks Phil!
                                        CARP seems to work OK now; also verified that it can be queried with dig @.
                                        An IP alias still behaves as described above.

                                        dstroot (Nov 18, 2014, 6:34 PM):

                                          Used to do this with dnsmasq:

                                          Insert the following into the “Advanced” text area field on the DNS Forwarder page in pfSense:  bogus-nxdomain=92.242.140.2

                                          This stopped my ISP from hijacking DNS.

                                          Doesn't seem to work with Unbound. Is there an equivalent command? If I put it in the Unbound advanced box, Unbound dies.
