Netgate Discussion Forum

DNS Resolver

2.2 Snapshot Feedback and Problems - RETIRED
  • P
    phil.davis
    last edited by Nov 18, 2014, 8:02 AM

    cmb fixed that "Array" thing with very recent commit https://github.com/pfsense/pfsense/commit/845fd268c94e3c4de31700ce29963038e28fa017
    But I suspect that now you might just get no binding.
    You could install the latest /etc/inc/unbound.inc and then report back what remains wrong.

    As the Greek philosopher Isosceles used to say, "There are 3 sides to every triangle."
    If I helped you, then help someone else - buy someone a gift from the INF catalog http://secure.inf.org/gifts/usd/

    • A
      athurdent
      last edited by Nov 18, 2014, 8:21 AM

      Thanks Phil!
      CARP seems to work OK now, also verified that it can be queried with dig@.
      An IP alias still behaves as described above.

      • D
        dstroot
        last edited by Nov 18, 2014, 6:34 PM

        Used to do this with dnsmasq:

        Insert the following into the “Advanced” text area field on the DNS Forwarder page in pfSense:  bogus-nxdomain=92.242.140.2

        This stopped my ISP from hijacking DNS.

        Doesn't seem to work with unbound.  Is there an equivalent command?  If I put it in the unbound advanced box unbound dies.

        • C
          cmb
          last edited by Nov 18, 2014, 9:06 PM

          I don't see an equivalent to that with Unbound. Though if you have Unbound doing its own recursion (don't enable forwarding mode), you should never see that from your ISP.

          • D
            dstroot
            last edited by Nov 18, 2014, 9:21 PM Nov 18, 2014, 9:16 PM

            @CMB - thanks for the swift response.  I know you are working at banging out 2.2.

            Can you elaborate what "forwarding mode" does for unbound?  I want unbound to cache DNS queries and be the DNS server for my LAN.  I was under the impression I needed it on so unbound would be a cache server and "forward" the results of my main DNS servers (for example say 8.8.8.8).

            BTW I did turn forwarding off to see what happens and the DNS hijacking stopped.  Thx for that tip!

            • P
              phil.davis
              last edited by Nov 19, 2014, 1:08 AM

              Forwarding mode means it will just send queries (for domains not already in the cache) directly upstream to the defined upstream DNS server/s it has been told about.
              With recursion, unbound does its queries directly through the chain of internet root servers down to the authoritative server for the requested domain, thus avoiding using some intermediate upstream DNS and its cache, but keeps a cache for itself.
              http://en.wikipedia.org/wiki/Domain_Name_System#Recursive_and_caching_name_server

              As the Greek philosopher Isosceles used to say, "There are 3 sides to every triangle."
              If I helped you, then help someone else - buy someone a gift from the INF catalog http://secure.inf.org/gifts/usd/

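
Added example (not part of the thread and not pfSense's own code): a check that reports which of the two modes described in the post above an unbound.conf selects, treating only a forward-zone for "." with at least one upstream as forwarding mode. The sample configs and their addresses are constructed, and the parser assumes one clause or option per line.

```python
import re

CLAUSE = re.compile(r"^([a-z-]+):$")             # e.g. "forward-zone:"
OPTION = re.compile(r"^([a-z0-9-]+):\s*(.+)$")   # e.g. 'name: "."'

# Constructed sample configs (not taken from the thread or from pfSense).
FORWARDING_CONF = """
server:
    interface: 192.168.1.1
forward-zone:
    name: "."               # root zone: every cache miss goes upstream
    forward-addr: 8.8.8.8
"""
RECURSIVE_CONF = """
server:
    interface: 192.168.1.1
forward-zone:
    name: "corp.example"    # one domain only; all other names are recursed
    forward-addr: 10.0.0.53
"""

def parse_clauses(conf_text):
    """Return [(clause, {option: [values]})]; assumes one item per line."""
    clauses = []
    for raw in conf_text.splitlines():
        line = raw.split("#", 1)[0].strip()      # drop comments
        if not line:
            continue
        if CLAUSE.match(line):
            clauses.append((line[:-1], {}))
        elif clauses and (m := OPTION.match(line)):
            value = m.group(2).strip().strip('"')
            clauses[-1][1].setdefault(m.group(1), []).append(value)
    return clauses

def resolution_mode(conf_text):
    """('forwarding', upstreams) if the root zone is forwarded, else ('recursive', [])."""
    for clause, opts in parse_clauses(conf_text):
        if clause == "forward-zone" and "." in opts.get("name", []):
            upstreams = opts.get("forward-addr", []) + opts.get("forward-host", [])
            if upstreams:
                return "forwarding", upstreams
    return "recursive", []

if __name__ == "__main__":
    for label, conf in (("sample 1", FORWARDING_CONF), ("sample 2", RECURSIVE_CONF)):
        print(label, resolution_mode(conf))
```

A per-domain forward-zone, as in the second sample, leaves every other name on the recursive path, so it is reported as recursive.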
              • D
                dstroot
                last edited by Nov 19, 2014, 3:57 AM

                So it caches either way?

                So what is the use case for the forwarder option?  To force something like OpenDNS?  Because it sounds as if the non-forwarder behavior is the most accurate option, no?  (maybe slower?).

                • P
                  phil.davis
                  last edited by Nov 19, 2014, 4:05 AM

                  For example, I subscribe to the DynDNS "Internet Guide" service (it is cheap for 10 public IPs). So it can filter name responses for categories of sites (porn, violent…). That does a good job of keeping staff away from that sort of content.
                  So I want the pfSense DNS to just forward to DynDNS servers, because I really do want a changed (filtered) view of what the real root servers have.

                  As the Greek philosopher Isosceles used to say, "There are 3 sides to every triangle."
                  If I helped you, then help someone else - buy someone a gift from the INF catalog http://secure.inf.org/gifts/usd/

                  • P
                    phil.davis
                    last edited by Nov 19, 2014, 9:48 AM

                    DNS Forwarder Host Overrides - the aliases (if any) of the main host override display on the main screen, in addition to the main override entry itself.
                    DNS Resolver Host Overrides - the aliases (if any) of the main host override do not display on the main screen. Only the main override entry itself is displayed.
                    It is not affecting what is stored in the actual config. When you edit a DNS Resolver Host Override the aliases are there.

                    Does anybody care?
                    Leave it as it is?

                    DNS-Forwarder-Host-Overrides.png
                    DNS-Resolver-Host-Override-entry.png
                    DNS-Resolver-Host-Overrides.png

                    As the Greek philosopher Isosceles used to say, "There are 3 sides to every triangle."
                    If I helped you, then help someone else - buy someone a gift from the INF catalog http://secure.inf.org/gifts/usd/

                    • C
                      cmb
                      last edited by Nov 19, 2014, 5:13 PM

                      It'd be nice to have that back if you'd like to put in a pull request Phil. If not, it's not a big deal.

                      • R
                        Raul Ramos
                        last edited by Nov 19, 2014, 6:27 PM Nov 19, 2014, 5:45 PM

                        Hi

                        Is asking to match if the aliases appears like expanded p2 in IPsec, more or less?

                        Thanks

                        Edit: Can't start Resolver with DHCP Registration (Register DHCP leases in the DNS Resolver) checked.

                        Resolver log:

                        Nov 19 18:13:32	unbound: [86446:0] notice: Restart of unbound 1.4.22.
                        Nov 19 18:13:32	unbound: [86446:0] fatal error: Could not read config file: /unbound.conf
                        Nov 19 18:14:04	unbound: [40605:0] notice: init module 0: iterator
                        Nov 19 18:14:04	unbound: [40605:0] info: start of service (unbound 1.4.22).
                        Nov 19 18:14:04	unbound: [40605:0] info: service stopped (unbound 1.4.22).
                        Nov 19 18:14:04	unbound: [40605:0] info: server stats for thread 0: 0 queries, 0 answers from cache, 0 recursions, 0 prefetch
                        Nov 19 18:14:04	unbound: [40605:0] info: server stats for thread 0: requestlist max 0 avg 0 exceeded 0 jostled 0
                        Nov 19 18:14:04	unbound: [40605:0] info: server stats for thread 1: 0 queries, 0 answers from cache, 0 recursions, 0 prefetch
                        Nov 19 18:14:04	unbound: [40605:0] info: server stats for thread 1: requestlist max 0 avg 0 exceeded 0 jostled 0
                        

                        System -> General  log:

                        dhcpleases: Could not deliver signal HUP to process because its pidfile (/var/run/unbound.pid) does not exist, No such process.
                        

                        pfSense:
                        ASRock -> Wolfdale1333-D667 (2GB TeamElite Ram)
                        Marvell 88SA8040 Sata to CF(Sandisk 4GB) Controller
                        NIC's: RTL8100E (Internal ) and Intel® PRO/1000 PT Dual (Intel 82571GB)

                        • P
                          phil.davis
                          last edited by Nov 20, 2014, 6:04 AM Nov 20, 2014, 5:23 AM

                          @cmb:

                          It'd be nice to have that back if you'd like to put in a pull request Phil. If not, it's not a big deal.

                          Yes, I will have a look. It should be just a copy-paste-search-replace operation to put the same functionality into the Resolver host override aliases case.
                          And yes, it was that easy, pull request: https://github.com/pfsense/pfsense/pull/1344

                          As the Greek philosopher Isosceles used to say, "There are 3 sides to every triangle."
                          If I helped you, then help someone else - buy someone a gift from the INF catalog http://secure.inf.org/gifts/usd/

                          • S
                            stewgoin
                            last edited by Nov 20, 2014, 11:55 AM

                            @mais_um:

                            Edit: Can't start Resolver with DHCP Registration (Register DHCP leases in the DNS Resolver) checked.

                            I'm seeing the same behavior this morning after updating to the latest snapshot. I turned off the DHCP registration stuff in DNS Resolver and it starts up just fine.

                            • R
                              Raul Ramos
                              last edited by Nov 20, 2014, 12:33 PM

                              Hi

                              With the Thu Nov 20 00:23:34 CST 2014 build I can enable DHCP Registration.

                              pfSense:
                              ASRock -> Wolfdale1333-D667 (2GB TeamElite Ram)
                              Marvell 88SA8040 Sata to CF(Sandisk 4GB) Controller
                              NIC's: RTL8100E (Internal ) and Intel® PRO/1000 PT Dual (Intel 82571GB)

                              • H
                                hiwi
                                last edited by Nov 21, 2014, 10:40 AM

                                Today with build Fri Nov 21 01:58:53 CST 2014 I'm getting again 'fatal error: Could not read config file: /unbound.conf' with DHCP Registration checked.

                                • C
                                  cmb
                                  last edited by Nov 21, 2014, 7:08 PM

                                  @hiwi:

                                  Today with build Fri Nov 21 01:58:53 CST 2014 I'm getting again 'fatal error: Could not read config file: /unbound.conf' with DHCP Registration checked.

                                  Can't seem to replicate that. How is your Unbound configured?

                                  • H
                                    hiwi
                                    last edited by Nov 21, 2014, 7:56 PM

                                    @cmb:

                                    @hiwi:

                                    Today with build Fri Nov 21 01:58:53 CST 2014 I'm getting again 'fatal error: Could not read config file: /unbound.conf' with DHCP Registration checked.

                                    Can't seem to replicate that. How is your Unbound configured?

                                    What information do you need?

                                    • H
                                      Hugovsky
                                      last edited by Nov 21, 2014, 7:57 PM

                                      To me, it gives the error attached if I try to start resolver with "Register DHCP leases in the DNS Resolver" set.

                                      2.2-BETA (amd64)
                                      built on Fri Nov 21 08:16:06 CST 2014
                                      FreeBSD 10.1-RELEASE

                                      system.jpg

                                      • H
                                        hiwi
                                        last edited by Nov 21, 2014, 9:10 PM

                                        @cmb:

                                        @hiwi:

                                        Today with build Fri Nov 21 01:58:53 CST 2014 I'm getting again 'fatal error: Could not read config file: /unbound.conf' with DHCP Registration checked.

                                        Can't seem to replicate that. How is your Unbound configured?

                                        With version '2.2-BETA (amd64) built on Fri Nov 21 08:16:06 CST 2014' unbound started directly after upgrade. After another reboot it didn't start with DHCP Registration ('Register DHCP leases in the DNS Resolver') on.

                                        • C
                                          cmb
                                          last edited by Nov 21, 2014, 9:42 PM

                                          What's in your resolver log? Re: config, how are all the settings under Services>DNS Resolver configured?
