DNS Resolver
-
My bad. I wasn't filling it out correctly - it works if you do it as I show in the attached.
-
Can I pass "include: /etc/unbound/local-blocking-data.conf" in the advanced field of the resolver? I want to block some domains.
-
Apparently the options in the advanced field are not parsed to the config file. Am I doing it wrong?
-
I'm sorry to say that Unbound in 2.2 beta has (still) issues:
Nov 12 18:21:42 unbound: [94783:0] notice: Restart of unbound 1.4.22. Nov 12 18:21:42 unbound: [94783:0] warning: too many file descriptors requested. The builtinmini-event cannot handle more than 1024\. Config for less fds or compile with libevent Nov 12 18:21:42 unbound: [94783:0] warning: continuing with less udp ports: 91I've seen this a couple of times here, but no solution was found.
From what can be found on the web, it seems to be a problem with multicore cpu's (mine's a 2558 SOC).
The "Number of queries per thread" in the web interface shows 512, but in the actual config file it's still set at 1024.The value should sit around 250 for a 4-core cpu, not exceeding a total of 1024.
Manually adjusting the Unbound config is no use, after saving a change in the admin interface, it resets to 1024 again.This issue is causing Unbound to restart and when it does, delays the DNS lookups.
Old bug that really need to be fixed.Cheers.
-
Seems some options are not parsed to the config file. I've already posted about the advanced field, but I've found another:
2.2-BETA (amd64)
built on Thu Nov 13 06:05:47 CST 2014
FreeBSD 10.1-RELEASEcheck in the config file below and check the pic:
/var/unbound: cat unbound.conf
##########################Unbound Configuration
##########################
Server configuration
server:
chroot: /var/unbound
username: "unbound"
directory: "/var/unbound"
pidfile: "/var/run/unbound.pid"
use-syslog: yes
port: 53
verbosity: 1
harden-referral-path: no
do-ip4: yes
do-ip6: yes
do-udp: yes
do-tcp: yes
do-daemonize: yes
module-config: "validator iterator"
unwanted-reply-threshold: 0
num-queries-per-thread: 1024
jostle-timeout: 200
infra-host-ttl: 900
infra-lame-ttl: 900
infra-cache-numhosts: 10000
outgoing-num-tcp: 10
incoming-num-tcp: 10
edns-buffer-size: 4096
cache-max-ttl: 86400
cache-min-ttl: 0
harden-dnssec-stripped: yes
num-threads: 2
msg-cache-slabs: 4
rrset-cache-slabs: 4
infra-cache-slabs: 4
key-cache-slabs: 4
msg-cache-size: 4m
rrset-cache-size: 8m
outgoing-range: 462
#so-rcvbuf: 4m
auto-trust-anchor-file: /var/unbound/root.key
prefetch: no
prefetch-key: noStatistics
Unbound Statistics
statistics-interval: 0
extended-statistics: yes
statistics-cumulative: yesInterface IP(s) to bind to
interface: 192.168.50.1
interface: 10.1.2.1
interface: 192.168.51.1
interface: 127.0.0.1
interface: ::1Outgoing interfaces to be used
outgoing-interface: #####
outgoing-interface: #####DNS Rebinding
For DNS Rebinding prevention
private-address: 10.0.0.0/8
private-address: 172.16.0.0/12
private-address: 192.168.0.0/16
private-address: 192.254.0.0/16
private-address: fd00::/8
private-address: fe80::/10Set private domains in case authoritative name server returns a Private IP address
private-domain: "hsnetworks"
domain-insecure: "hsnetworks"Access lists
include: /var/unbound/access_lists.conf
Static host entries
include: /var/unbound/host_entries.conf
Domain overrides
include: /var/unbound/domainoverrides.conf
Remote Control Config
include: /var/unbound/remotecontrol.conf
(edited to include snapshot version)
-
More info on this:
although the config file of unbound doesn't have it, config.xml does have the right settings:
<custom_options>include:/var/unbound/local-blocking-data.conf</custom_options>
<dnssec><prefetch><prefetchkey><msgcachesize>4</msgcachesize>
<outgoing_num_tcp>0</outgoing_num_tcp>
<incoming_num_tcp>0</incoming_num_tcp>
<edns_buffer_size>1480</edns_buffer_size>
<num_queries_per_thread>512</num_queries_per_thread>
<jostle_timeout>100</jostle_timeout></prefetchkey></prefetch></dnssec> -
The code in /etc/inc/unbound.inc simply does not implement the settings into the conf file.
I am looking at this. It will be easy to finish the implementation - pull request in 1 hour hopefully. -
Pull request: https://github.com/pfsense/pfsense/pull/1336
That makes it implement all the parameters that can be specified in the "Advanced" section (the custom options box) and on the "Advanced" tab. unbound.conf has all this stuff now after pressing Apply.
And it took me 72 minutes between posts - there were a few little extra bits to think about, software project estimation is never an exact science, and I actually tested it also ;)
-
Thanks again for being so fast. I'll test it and report back.
-
It's working perfectly on the latest snapshot. Thanks again. Although, I was reading unbound docs and noticed this:
"FILE FORMAT
There must be whitespace between keywords. Attribute keywords end with a colon ':'. An attribute is followed by its containing attributes, or a value."Text parsed in the advanced field breaks the line with spaces. Do you think this is important?
-
Phil and Hugovsky, thanks for following up on this. I know it's community so it's awesome you helped out with this.
Will test it shortly.Cheers.
-
I'm using CARP virtual IPs and run Unbound on "All" interfaces.
If I query the CARP IP from a Linux box, I get this:root@none:~# dig @192.168.xxx.254 www.heise.de ;; reply from unexpected source: 192.168.xxx.5#53, expected 192.168.xxx.254#53 ;; reply from unexpected source: 192.168.xxx.5#53, expected 192.168.xxx.254#53 ;; reply from unexpected source: 192.168.xxx.5#53, expected 192.168.xxx.254#53Snapshot is AMD64 from today.
I took another look at this:
IP aliases can be explicitly chosen in the GUI but do not appear in unbound.conf so this does not help with the problem. Seems like a bug and should be fixed I guess.
If you set
interface-automatic: yesthen it replies properly when doing a dig@ the alias IP.
This feature is marked experimental though, I don't know the downsides. -
Hi
I've another issue, all my DHCP6 static bindings are not included in /var/unbound/host_entries.conf. It shows only the IPv4 entries.
-
file a bug.
-
@gonzopancho:
file a bug.
Bug #4013
-
Most things should be fixed here now. Open DNS Resolver bug tickets can be viewed here:
https://redmine.pfsense.org/projects/pfsense/issues?query_id=42if you notice anything not on the list, please post here on this board, either in this thread or start your own. If you have a clearly-defined bug report, open a ticket at redmine.pfsense.org. If you're not sure the specific issue, it's best to discuss here first, where someone can help quantify the issue.
-
Does not seem to work properly with IP Aliases or CARP interfaces here. IP Aliases don't work at all, CARP virtual IPs create an interface entry with "Array" and unbound fails to start.
To reproduce:
-create an IP Alias
-choose it as the only Network interface in Unbound
Result in /var/unbound/unbound.conf# Interface IP(s) to bind toOr:
-create a CARP virtual IP
-choose it as the only Network interface in Unbound
Result in /var/unbound/unbound.conf# Interface IP(s) to bind to interface: 192.168.xxx.6 interface: ArrayI'm testing on the latest:
2.2-BETA (amd64) built on Mon Nov 17 19:31:46 CST 2014 FreeBSD 10.1-RELEASE -
cmb fixed that "Array" thing with very recent commit https://github.com/pfsense/pfsense/commit/845fd268c94e3c4de31700ce29963038e28fa017
But I suspect that now you might just get no binding.
You could install the latest /etc/inc/unbound.inc and then report back what remains wrong. -
Thanks Phil!
CARP seems to work Ok now, also verified that it can be queried with dig@.
An IP alias still behaves as described above. -
Used to do this with dnsmasq:
Insert the following into the “Advanced” text area field on the DNS Forwarder page in pfSense: bogus-nxdomain=92.242.140.2
This stopped my ISP from hijacking DNS.
Doesn't seem to work with unbound. Is there an equivalent command? If I put it in the unbound advanced box unbound dies.