DNS Resolver
-
Seems some options are not parsed to the config file. I've already posted about the advanced field, but I've found another:
2.2-BETA (amd64)
built on Thu Nov 13 06:05:47 CST 2014
FreeBSD 10.1-RELEASEcheck in the config file below and check the pic:
/var/unbound: cat unbound.conf
##########################Unbound Configuration
##########################
Server configuration
server:
chroot: /var/unbound
username: "unbound"
directory: "/var/unbound"
pidfile: "/var/run/unbound.pid"
use-syslog: yes
port: 53
verbosity: 1
harden-referral-path: no
do-ip4: yes
do-ip6: yes
do-udp: yes
do-tcp: yes
do-daemonize: yes
module-config: "validator iterator"
unwanted-reply-threshold: 0
num-queries-per-thread: 1024
jostle-timeout: 200
infra-host-ttl: 900
infra-lame-ttl: 900
infra-cache-numhosts: 10000
outgoing-num-tcp: 10
incoming-num-tcp: 10
edns-buffer-size: 4096
cache-max-ttl: 86400
cache-min-ttl: 0
harden-dnssec-stripped: yes
num-threads: 2
msg-cache-slabs: 4
rrset-cache-slabs: 4
infra-cache-slabs: 4
key-cache-slabs: 4
msg-cache-size: 4m
rrset-cache-size: 8m
outgoing-range: 462
#so-rcvbuf: 4m
auto-trust-anchor-file: /var/unbound/root.key
prefetch: no
prefetch-key: noStatistics
Unbound Statistics
statistics-interval: 0
extended-statistics: yes
statistics-cumulative: yesInterface IP(s) to bind to
interface: 192.168.50.1
interface: 10.1.2.1
interface: 192.168.51.1
interface: 127.0.0.1
interface: ::1Outgoing interfaces to be used
outgoing-interface: #####
outgoing-interface: #####DNS Rebinding
For DNS Rebinding prevention
private-address: 10.0.0.0/8
private-address: 172.16.0.0/12
private-address: 192.168.0.0/16
private-address: 192.254.0.0/16
private-address: fd00::/8
private-address: fe80::/10Set private domains in case authoritative name server returns a Private IP address
private-domain: "hsnetworks"
domain-insecure: "hsnetworks"Access lists
include: /var/unbound/access_lists.conf
Static host entries
include: /var/unbound/host_entries.conf
Domain overrides
include: /var/unbound/domainoverrides.conf
Remote Control Config
include: /var/unbound/remotecontrol.conf
(edited to include snapshot version)
-
More info on this:
although the config file of unbound doesn't have it, config.xml does have the right settings:
<custom_options>include:/var/unbound/local-blocking-data.conf</custom_options>
<dnssec><prefetch><prefetchkey><msgcachesize>4</msgcachesize>
<outgoing_num_tcp>0</outgoing_num_tcp>
<incoming_num_tcp>0</incoming_num_tcp>
<edns_buffer_size>1480</edns_buffer_size>
<num_queries_per_thread>512</num_queries_per_thread>
<jostle_timeout>100</jostle_timeout></prefetchkey></prefetch></dnssec> -
The code in /etc/inc/unbound.inc simply does not implement the settings into the conf file.
I am looking at this. It will be easy to finish the implementation - pull request in 1 hour hopefully. -
Pull request: https://github.com/pfsense/pfsense/pull/1336
That makes it implement all the parameters that can be specified in the "Advanced" section (the custom options box) and on the "Advanced" tab. unbound.conf has all this stuff now after pressing Apply.
And it took me 72 minutes between posts - there were a few little extra bits to think about, software project estimation is never an exact science, and I actually tested it also ;)
-
Thanks again for being so fast. I'll test it and report back.
-
It's working perfectly on the latest snapshot. Thanks again. Although, I was reading unbound docs and noticed this:
"FILE FORMAT
There must be whitespace between keywords. Attribute keywords end with a colon ':'. An attribute is followed by its containing attributes, or a value."Text parsed in the advanced field breaks the line with spaces. Do you think this is important?
-
Phil and Hugovsky, thanks for following up on this. I know it's community so it's awesome you helped out with this.
Will test it shortly.Cheers.
-
I'm using CARP virtual IPs and run Unbound on "All" interfaces.
If I query the CARP IP from a Linux box, I get this:root@none:~# dig @192.168.xxx.254 www.heise.de ;; reply from unexpected source: 192.168.xxx.5#53, expected 192.168.xxx.254#53 ;; reply from unexpected source: 192.168.xxx.5#53, expected 192.168.xxx.254#53 ;; reply from unexpected source: 192.168.xxx.5#53, expected 192.168.xxx.254#53Snapshot is AMD64 from today.
I took another look at this:
IP aliases can be explicitly chosen in the GUI but do not appear in unbound.conf so this does not help with the problem. Seems like a bug and should be fixed I guess.
If you set
interface-automatic: yesthen it replies properly when doing a dig@ the alias IP.
This feature is marked experimental though, I don't know the downsides. -
Hi
I've another issue, all my DHCP6 static bindings are not included in /var/unbound/host_entries.conf. It shows only the IPv4 entries.
-
file a bug.
-
@gonzopancho:
file a bug.
Bug #4013
-
Most things should be fixed here now. Open DNS Resolver bug tickets can be viewed here:
https://redmine.pfsense.org/projects/pfsense/issues?query_id=42if you notice anything not on the list, please post here on this board, either in this thread or start your own. If you have a clearly-defined bug report, open a ticket at redmine.pfsense.org. If you're not sure the specific issue, it's best to discuss here first, where someone can help quantify the issue.
-
Does not seem to work properly with IP Aliases or CARP interfaces here. IP Aliases don't work at all, CARP virtual IPs create an interface entry with "Array" and unbound fails to start.
To reproduce:
-create an IP Alias
-choose it as the only Network interface in Unbound
Result in /var/unbound/unbound.conf# Interface IP(s) to bind toOr:
-create a CARP virtual IP
-choose it as the only Network interface in Unbound
Result in /var/unbound/unbound.conf# Interface IP(s) to bind to interface: 192.168.xxx.6 interface: ArrayI'm testing on the latest:
2.2-BETA (amd64) built on Mon Nov 17 19:31:46 CST 2014 FreeBSD 10.1-RELEASE -
cmb fixed that "Array" thing with very recent commit https://github.com/pfsense/pfsense/commit/845fd268c94e3c4de31700ce29963038e28fa017
But I suspect that now you might just get no binding.
You could install the latest /etc/inc/unbound.inc and then report back what remains wrong. -
Thanks Phil!
CARP seems to work Ok now, also verified that it can be queried with dig@.
An IP alias still behaves as described above. -
Used to do this with dnsmasq:
Insert the following into the “Advanced” text area field on the DNS Forwarder page in pfSense: bogus-nxdomain=92.242.140.2
This stopped my ISP from hijacking DNS.
Doesn't seem to work with unbound. Is there an equivalent command? If I put it in the unbound advanced box unbound dies.
-
I don't see an equivalent to that with Unbound. Though if you have Unbound doing its own recursion (don't enable forwarding mode), you should never see that from your ISP.
-
@CMB - thanks for the swift response. I know you are working at banging out 2.2.
Can you elaborate what "forwarding mode" does for unbound? I want unbound to cache DNS queries and be the DNS server for my LAN. I was under the impression I needed it on so unbound would be a cache server and "forward" the results of my main DNS servers (for example say 8.8.8.8).
BTW I did turn forwarding off to see what happens and the DNS hijacking stopped. Thx for that tip!
-
Forwarding mode means it will just send queries (for domains not already in the cache) directly upstream to the defined upstream DNS server/s it has been told about.
With recursion, unbound does its queries directly through the chain of internet root servers down to the authoritative server for the requested domain, thus avoiding using some intermediate upstream DNS and its cache, but keeps a cache for itself.
http://en.wikipedia.org/wiki/Domain_Name_System#Recursive_and_caching_name_server -
So it caches either way?
So what is the use case for the forwarder option? To force something like OpenDNS? Because it sounds as if the non-forwarder behavior is the most accurate option, no? (maybe slower?).