DNS Resolver
-
cmb fixed that "Array" thing with very recent commit https://github.com/pfsense/pfsense/commit/845fd268c94e3c4de31700ce29963038e28fa017
But I suspect that now you might just get no binding.
You could install the latest /etc/inc/unbound.inc and then report back what remains wrong. -
Thanks Phil!
CARP seems to work Ok now, also verified that it can be queried with dig@.
An IP alias still behaves as described above. -
Used to do this with dnsmasq:
Insert the following into the “Advanced” text area field on the DNS Forwarder page in pfSense: bogus-nxdomain=92.242.140.2
This stopped my ISP from hijacking DNS.
Doesn't seem to work with unbound. Is there an equivalent command? If I put it in the unbound advanced box unbound dies.
-
I don't see an equivalent to that with Unbound. Though if you have Unbound doing its own recursion (don't enable forwarding mode), you should never see that from your ISP.
-
@CMB - thanks for the swift response. I know you are working at banging out 2.2.
Can you elaborate what "forwarding mode" does for unbound? I want unbound to cache DNS queries and be the DNS server for my LAN. I was under the impression I needed it on so unbound would be a cache server and "forward" the results of my main DNS servers (for example say 8.8.8.8).
BTW I did turn forwarding off to see what happens and the DNS hijacking stopped. Thx for that tip!
-
Forwarding mode means it will just send queries (for domains not already in the cache) directly upstream to the defined upstream DNS server/s it has been told about.
With recursion, unbound does its queries directly through the chain of internet root servers down to the authoritative server for the requested domain, thus avoiding using some intermediate upstream DNS and its cache, but keeps a cache for itself.
http://en.wikipedia.org/wiki/Domain_Name_System#Recursive_and_caching_name_server -
So it caches either way?
So what is the use case for the forwarder option? To force something like OpenDNS? Because it sounds as if the non-forwarder behavior is the most accurate option, no? (maybe slower?).
-
For example, I subscribe to the DynDNS "Internet Guide" service (it is cheap for 10 public IPs). So it can filter name responses for categories of sites (porn, violent…). That does a good job of keeping staff away from that sort of content.
So I want the pfSense DNS to just forward to DynDNS servers, because I really do want a changed (filtered) view of what the real root servers have. -
DNS Forwarder Host Overrides - the aliases (if any) of the main host override display on the main screen, in addition to the main override entry itself.
DNS Resolver Host Overrides - the aliases (if any) of the main host override do not display on the main screen. Only the main override entry itself is displayed.
It is not effecting what is stored in the actual config. When you edit a DNS Resolver Host Override the aliases are there.Does anybody care?
Leave it as it is?
-
It'd be nice to have that back if you'd like to put in a pull request Phil. If not, it's not a big deal.
-
Hi
Is asking to match if the aliases appears like expanded p2 in IPsec, more or less?
Thanks
Edit: Can't start Resolver with DHCP Registration (Register DHCP leases in the DNS Resolver) checked.
Resolver log:
Nov 19 18:13:32 unbound: [86446:0] notice: Restart of unbound 1.4.22. Nov 19 18:13:32 unbound: [86446:0] fatal error: Could not read config file: /unbound.conf Nov 19 18:14:04 unbound: [40605:0] notice: init module 0: iterator Nov 19 18:14:04 unbound: [40605:0] info: start of service (unbound 1.4.22). Nov 19 18:14:04 unbound: [40605:0] info: service stopped (unbound 1.4.22). Nov 19 18:14:04 unbound: [40605:0] info: server stats for thread 0: 0 queries, 0 answers from cache, 0 recursions, 0 prefetch Nov 19 18:14:04 unbound: [40605:0] info: server stats for thread 0: requestlist max 0 avg 0 exceeded 0 jostled 0 Nov 19 18:14:04 unbound: [40605:0] info: server stats for thread 1: 0 queries, 0 answers from cache, 0 recursions, 0 prefetch Nov 19 18:14:04 unbound: [40605:0] info: server stats for thread 1: requestlist max 0 avg 0 exceeded 0 jostled 0System -> General log:
dhcpleases: Could not deliver signal HUP to process because its pidfile (/var/run/unbound.pid) does not exist, No such process. -
@cmb:
It'd be nice to have that back if you'd like to put in a pull request Phil. If not, it's not a big deal.
Yes, I will have a look. It should be just a copy-paste-search-replace operation to put the same functionality into the Resolver host override aliases case.
and yes, it was that easy, pull request: https://github.com/pfsense/pfsense/pull/1344 -
@mais_um:
Edit: Can't start Resolver with DHCP Registration (Register DHCP leases in the DNS Resolver) checked.
I'm seeing the same behavior this morning after updating to the latest snapshot. I turned off the DHCP registration stuff in DNS Resolver and it starts up just fine.
-
Hi
Thu Nov 20 00:23:34 CST 2014 build i can enable DHCP Registration.
-
Today with build Fri Nov 21 01:58:53 CST 2014 I'm getting again 'fatal error: Could not read config file: /unbound.conf' with DHCP Registration checked.
-
Today with build Fri Nov 21 01:58:53 CST 2014 I'm getting again 'fatal error: Could not read config file: /unbound.conf' with DHCP Registration checked.
Can't seem to replicate that. How is your Unbound configured?
-
-
To me, it gives the error attached if I try to start resolver with "Register DHCP leases in the DNS Resolver" set.
2.2-BETA (amd64)
built on Fri Nov 21 08:16:06 CST 2014
FreeBSD 10.1-RELEASE
-
@cmb:
Today with build Fri Nov 21 01:58:53 CST 2014 I'm getting again 'fatal error: Could not read config file: /unbound.conf' with DHCP Registration checked.
Can't seem to replicate that. How is your Unbound configured?
With version '2.2-BETA (amd64) built on Fri Nov 21 08:16:06 CST 2014' unbound started directly after upgrade. After another reboot it didn't start with DHCP Registration ('Register DHCP leases in the DNS Resolver') on.
-
What's in your resolver log? Re: config, how are all the settings under Services>DNS Resolver configured?