Netgate Discussion Forum
Unbound not working

Category: DHCP and DNS
20 Posts 5 Posters 10.3k Views
    kevindd992002
    last edited by Jan 27, 2015, 9:23 PM

    Now, I'm not sure why it's not working but I tried installing fresh to a VM (Unbound enabled and DNS Forwarder disabled) and the machines in my LAN cannot resolve DNS queries. When I enable DNS forwarder and disable Unbound, everything works as it should.

    How can I troubleshoot this?

      doktornotor Banned
      last edited by Jan 27, 2015, 9:34 PM

      Start with the resolver log and check whether it's running at all.

        kejianshi
        last edited by Jan 27, 2015, 10:24 PM Jan 27, 2015, 10:18 PM

        Did you have pfsense working before with unbound or with a DNS provider other than your ISP?
        Is it possible your ISP is killing any DNS that isn't theirs?

        Also, having unbound in forwarder mode using DNSSEC with an ISP whose DNS servers don't support DNSSEC will also kill your DNS.  (I tried it just for giggles)

        You probably need to post your unbound settings here - all of them.

          kevindd992002
          last edited by Jan 28, 2015, 2:53 AM

          @doktornotor:

          Start with the resolver log and check whether it's running at all.

          I do see logs and it says it is running, yes.

          @kejianshi:

          Did you have pfsense working before with unbound or with a DNS provider other than your ISP?
          Is it possible your ISP is killing any DNS that isn't theirs?

          Also, having unbound in forwarder mode using DNSSEC with an ISP whose DNS servers don't support DNSSEC will also kill your DNS.  (I tried it just for giggles)

          You probably need to post your unbound settings here - all of them.

          I'm testing this in our company network, virtually. Basically, it's a test environment wherein I treat our test network (LAN) as pfsense's WAN side (virtual ISP).

          Are you saying that unbound is like another DNS provider that's embedded in pfsense? Sorry, I'm new to it. For what it's worth, I can specify the Google DNS servers on the General page, use DNS Forwarding, and not have any problems.

          Here are my settings:

          https://www.dropbox.com/s/jj0sl8t0vql7xne/unbound.JPG?dl=0

            kejianshi
            last edited by Jan 28, 2015, 3:03 AM

            Yes - It's a DNS resolver and yours is turned off.

              johnpoz LAYER 8 Global Moderator
              last edited by Jan 28, 2015, 3:06 AM

              Your settings are not even enabled ;)

              You have it send out queries to authoritative servers out ALL Your interfaces???

              Unbound is a dns RESOLVER.. ie it will ask roots hey who is owner server of domainx.com and then go ask domainx.com ns – hey what is IP of your a record www.domainx.com

              This is much different than forwarding queries of www.domainx.com to your isp dns..  Does your work lan let you talk outbound to the internet on 53?  So you can query any dns server you want?  Most company networks do NOT allow that..

              An intelligent man is sometimes forced to be drunk to spend time with his fools
              If you get confused: Listen to the Music Play
              Please don't Chat/PM me for help, unless mod related
              SG-4860 25.07.1 | Lab VMs 2.8.1, 25.07.1

                kevindd992002
                last edited by Jan 28, 2015, 3:51 AM

                @kejianshi:

                Yes - It's a DNS resolver and yours is turned off.

                @johnpoz:

                Your settings are not even enabled ;)

                You have it send out queries to authoritative servers out ALL Your interfaces???

                Unbound is a dns RESOLVER.. ie it will ask roots hey who is owner server of domainx.com and then go ask domainx.com ns – hey what is IP of your a record www.domainx.com

                This is much different than forwarding queries of www.domainx.com to your isp dns..  Does your work lan let you talk outbound to the internet on 53?  So you can query any dns server you want?  Most company networks do NOT allow that..

                I forgot to mention that that picture shows it as disabled but of course I'm not that dumb :) When I was testing it, it was enabled (that box is checked). I just didn't bother taking a screenshot of it while it was enabled because DNS Forwarder is working now.

                Well, it was setup that way as its "default", that is to query authoritative server out all the interfaces.

                Ok, got that. So unbound is like a DNS server in itself, not a forwarder. Well, if the pfsense firewall can query outbound at 8.8.8.8 and 8.8.4.4 doesn't that mean it is allowed in my work lan?

                  kejianshi
                  last edited by Jan 28, 2015, 3:55 AM

                  Yes - But be aware that there is a huge difference between a resolver and a forwarder when it comes to how your pages may or may not resolve.

                    johnpoz LAYER 8 Global Moderator
                    last edited by Jan 28, 2015, 3:59 AM Jan 28, 2015, 3:55 AM

                    "Well, if the pfsense firewall can query outbound at 8.8.8.8 and 8.8.4.4 doesn't that mean it is allowed in my work lan?"

                    No not necessarily..  What that means is 53 is open to 8.8.8.8, .4.4 - does not mean that 53 is open to

                    .                      517311  IN      NS      a.root-servers.net.
                    .                      517311  IN      NS      b.root-servers.net.
                    .                      517311  IN      NS      c.root-servers.net.
                    .                      517311  IN      NS      d.root-servers.net.
                    .                      517311  IN      NS      e.root-servers.net.
                    .                      517311  IN      NS      f.root-servers.net.
                    .                      517311  IN      NS      g.root-servers.net.
                    .                      517311  IN      NS      h.root-servers.net.
                    .                      517311  IN      NS      i.root-servers.net.
                    .                      517311  IN      NS      j.root-servers.net.
                    .                      517311  IN      NS      k.root-servers.net.
                    .                      517311  IN      NS      l.root-servers.net.
                    .                      517311  IN      NS      m.root-servers.net.

                    or

                    ;; ANSWER SECTION:
                    com.                    172800  IN      NS      j.gtld-servers.net.
                    com.                    172800  IN      NS      b.gtld-servers.net.
                    com.                    172800  IN      NS      d.gtld-servers.net.
                    com.                    172800  IN      NS      c.gtld-servers.net.
                    com.                    172800  IN      NS      a.gtld-servers.net.
                    com.                    172800  IN      NS      h.gtld-servers.net.
                    com.                    172800  IN      NS      l.gtld-servers.net.
                    com.                    172800  IN      NS      m.gtld-servers.net.
                    com.                    172800  IN      NS      k.gtld-servers.net.
                    com.                    172800  IN      NS      i.gtld-servers.net.
                    com.                    172800  IN      NS      f.gtld-servers.net.
                    com.                    172800  IN      NS      e.gtld-servers.net.
                    com.                    172800  IN      NS      g.gtld-servers.net.

                    And then every single authoritative ns on the planet..  This is the difference between a forwarder and a resolver - a forwarder would forward to say 8.8.8.8

                    What I would suggest is you use the forwarder, you have no need of the resolver function to look up shit ;)

                    As to it defaulting to ALL for interfaces..  It has to default to something..  But ALL is normally not going to be the correct setting for either of those..  It's rare you would listen for dns queries on wan, and it's rare that you would talk to an authoritative ns out your lan for example..

                    I would suggest you leave it disabled and just use the forwarder pointing to 8.8.8.8, until such time that you actually require a resolver vs a forwarder.


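A toy model of the two modes johnpoz contrasts above, added here as an example (not code from the thread, from pfSense or from Unbound): it records which servers each mode has to reach on port 53 and checks them against a constructed egress allow-list like the one kevindd992002's work LAN might enforce. domainx.com, its nameserver and its addresses are invented; the root and .com entries use the real addresses of a.root-servers.net and a.gtld-servers.net.

```python
# Added example, not from the thread or from pfSense/Unbound: a toy model of
# Unbound's two modes that records which servers each mode must reach on
# port 53, then checks that list against a simple egress allow-list.
from typing import Dict, List, Optional, Set, Tuple

# Constructed delegation table: zone -> (nameserver name, nameserver IP).
# The root and .com entries use the real a.root-servers.net / a.gtld-servers.net
# addresses; domainx.com and its records are invented (TEST-NET-1 addresses).
DELEGATIONS: Dict[str, Tuple[str, str]] = {
    ".": ("a.root-servers.net.", "198.41.0.4"),
    "com.": ("a.gtld-servers.net.", "192.5.6.30"),
    "domainx.com.": ("ns1.domainx.com.", "192.0.2.53"),
}
# Constructed zone data that ns1.domainx.com would answer with.
RECORDS: Dict[Tuple[str, str], str] = {("www.domainx.com.", "A"): "192.0.2.80"}
FORWARDER = "8.8.8.8"  # upstream used by the forwarder setups in the thread


def zone_chain(name: str) -> List[str]:
    """Zones from the root down to the name itself, e.g.
    'www.domainx.com.' -> ['.', 'com.', 'domainx.com.', 'www.domainx.com.']."""
    labels = name.rstrip(".").split(".")
    chain = ["."]
    for i in range(len(labels) - 1, -1, -1):
        chain.append(".".join(labels[i:]) + ".")
    return chain


def iterative_resolve(name: str, rtype: str) -> Tuple[Optional[str], List[str]]:
    """Resolver mode: start at the root hint and follow one referral per zone
    until the authoritative server is reached. Returns (answer, servers asked)."""
    asked: List[str] = []
    for zone in zone_chain(name):
        if zone in DELEGATIONS:
            asked.append(DELEGATIONS[zone][1])  # each hop is a new port-53 peer
    # Only the last (most specific) server holds the actual record.
    answer = RECORDS.get((name, rtype)) if asked else None
    return answer, asked


def forward_resolve(name: str, rtype: str) -> Tuple[Optional[str], List[str]]:
    """Forwarder mode: the upstream does the walk above on our behalf, so the
    only port-53 peer is the forwarder itself (root hints are never used)."""
    return RECORDS.get((name, rtype)), [FORWARDER]


def blocked_destinations(asked: List[str], allowed: Set[str]) -> List[str]:
    """Peers an egress policy would block, given the allowed port-53 targets."""
    return sorted(set(asked) - allowed)


if __name__ == "__main__":
    # Constructed policy matching the thread: port 53 open only to Google DNS.
    policy = {"8.8.8.8", "8.8.4.4"}
    for label, fn in (("resolver", iterative_resolve), ("forwarder", forward_resolve)):
        answer, asked = fn("www.domainx.com.", "A")
        print(label, answer, "asked:", asked,
              "blocked:", blocked_destinations(asked, policy))
```

Run stand-alone it prints that resolver mode would be blocked at the root, the TLD and the authoritative server, while forwarder mode gets through on 8.8.8.8 alone.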
                      kejianshi
                      last edited by Jan 28, 2015, 4:07 AM Jan 28, 2015, 4:01 AM

                      Your unbound can also work just fine as a forwarder as long as what you are forwarding from allows that DNSSEC - Google dns does.  Your ISP may not.  Whatever is on your pfsense wan may not also.  In other words, when using unbound as a forwarder, you may not be able to use dnssec.  Just depends on your dns server you tell it to forward from.

                      So, let's say you don't allow your ISP to override your DNS settings on the WAN AND you also use 8.8.8.8 and 8.8.4.4 AND you also use DNSSEC in unbound DNS resolver with forwarder mode enabled, there is some advantage.  Whoever is between you and google DNS will have a hell of a time spoofing your DNS replies.

                      Your work guys may try?  I don't know.  Admins can be mischievous.

                        kevindd992002
                        last edited by Jan 28, 2015, 4:28 AM

                        @johnpoz:

                        "Well, if the pfsense firewall can query outbound at 8.8.8.8 and 8.8.4.4 doesn't that mean it is allowed in my work lan?"

                        No not necessarily..  What that means is 53 is open to 8.8.8.8, .4.4 - does not mean that 53 is open to

                        .                      517311  IN      NS      a.root-servers.net.
                        .                      517311  IN      NS      b.root-servers.net.
                        .                      517311  IN      NS      c.root-servers.net.
                        .                      517311  IN      NS      d.root-servers.net.
                        .                      517311  IN      NS      e.root-servers.net.
                        .                      517311  IN      NS      f.root-servers.net.
                        .                      517311  IN      NS      g.root-servers.net.
                        .                      517311  IN      NS      h.root-servers.net.
                        .                      517311  IN      NS      i.root-servers.net.
                        .                      517311  IN      NS      j.root-servers.net.
                        .                      517311  IN      NS      k.root-servers.net.
                        .                      517311  IN      NS      l.root-servers.net.
                        .                      517311  IN      NS      m.root-servers.net.

                        or

                        ;; ANSWER SECTION:
                        com.                    172800  IN      NS      j.gtld-servers.net.
                        com.                    172800  IN      NS      b.gtld-servers.net.
                        com.                    172800  IN      NS      d.gtld-servers.net.
                        com.                    172800  IN      NS      c.gtld-servers.net.
                        com.                    172800  IN      NS      a.gtld-servers.net.
                        com.                    172800  IN      NS      h.gtld-servers.net.
                        com.                    172800  IN      NS      l.gtld-servers.net.
                        com.                    172800  IN      NS      m.gtld-servers.net.
                        com.                    172800  IN      NS      k.gtld-servers.net.
                        com.                    172800  IN      NS      i.gtld-servers.net.
                        com.                    172800  IN      NS      f.gtld-servers.net.
                        com.                    172800  IN      NS      e.gtld-servers.net.
                        com.                    172800  IN      NS      g.gtld-servers.net.

                        And then every single authoritative ns on the planet..  This is the difference between a forwarder and a resolver - a forwarder would forward to say 8.8.8.8

                        What I would suggest is you use the forwarder, you have no need of the resolver function to look up shit ;)

                        As to it defaulting to ALL for interfaces..  It has to default to something..  But ALL is normally not going to be the correct setting for either of those..  It's rare you would listen for dns queries on wan, and it's rare that you would talk to an authoritative ns out your lan for example..

                        I would suggest you leave it disabled and just use the forwarder pointing to 8.8.8.8, until such time that you actually require a resolver vs a forwarder.

                        Got it. You mean my work lan can allow outbound port 53 to known DNS servers like Google but not to root server, right?

                        And if I understand correctly, dnsmasq does recursive queries to where it forwards to and unbound does an iterative lookup, right? In that case, in what situation would I best use unbound, and why is it kept enabled for fresh installations if it can produce some issues with certain ISPs?

                        @kejianshi:

                        Your unbound can also work just fine as a forwarder as long as what you are forwarding from allows that DNSSEC - Google dns does.  Your ISP may not.  Whatever is on your pfsense wan may not also.  In other words, when using unbound as a forwarder, you may not be able to use dnssec.  Just depends on your dns server you tell it to forward from.

                        So, let's say you don't allow your ISP to override your DNS settings on the WAN AND you also use 8.8.8.8 and 8.8.4.4 AND you also use DNSSEC in unbound DNS resolver with forwarder mode enabled, there is some advantage.  Whoever is between you and google DNS will have a hell of a time spoofing your DNS replies.

                        Your work guys may try?  I don't know.  Admins can be mischievous.

                        I understand. If forwarding is enabled in unbound though, what would its difference be with dnsmasq?

                          johnpoz LAYER 8 Global Moderator
                          last edited by Jan 28, 2015, 12:52 PM

                          In forwarder mode it supports DNSSEC - while dnsmasq does not, etc..

                          As to why they have unbound enabled out of the box?  While sure it could have issues with some connections..  Have to ask them, I didn't notice if it was in forwarder mode with DNSSEC enabled or not?  To be honest though you would HOPE that someone wanting to use pfsense would have the basic understanding of this sort of stuff to figure it out ;)  While many users are jumping on the bandwagon of pfsense - many of them should just stick to their off the shelf soho routers that they turn on and forget about… hehehehehe

                          The layer 8 problems are becoming very common on the board...


                            kejianshi
                            last edited by Jan 28, 2015, 12:57 PM

                            Honestly, I seriously doubt that the root server IPs are being blocked while google's are being allowed UNLESS they are white-listing.

                              kevindd992002
                              last edited by Jan 28, 2015, 6:37 PM

                              @johnpoz:

                              In forwarder mode it supports DNSSEC - while dnsmasq does not, etc..

                              As to why they have unbound enabled out of the box?  While sure it could have issues with some connections..  Have to ask them, I didn't notice if it was in forwarder mode with DNSSEC enabled or not?  To be honest though you would HOPE that someone wanting to use pfsense would have the basic understanding of this sort of stuff to figure it out ;)  While many users are jumping on the bandwagon of pfsense - many of them should just stick to their off the shelf soho routers that they turn on and forget about… hehehehehe

                              The layer 8 problems are becoming very common on the board...

                              We all start somewhere, and that's why the pfsense community is here. I'm not at all clueless when it comes to DNS but I'll admit that I'm not an expert. What's basic for you may not be basic for others.

                              @kejianshi:

                              Honestly, I seriously doubt that the root server IPs are being blocked while google's are being allowed UNLESS they are white-listing.

                              That's what I thought. I forgot to mention though that I have two pfsense firewalls in my setup, a front end and a back end firewall. I experimented and enabled unbound on just the front end while keeping dnsmasq enabled on the back end and that fixed my problem. Does this mean that it is not recommended to enable unbound on both firewalls?

                                kejianshi
                                last edited by Jan 28, 2015, 6:47 PM

                                I'd think that means you have some issue with your pfsense setup on the back end.  I see no reason why it shouldn't work on the front and back end unless something is not correctly configured elsewhere. You can break it with block rules and things like that.  Doing relay from your front end should be no problem though.  That's perfectly valid and should work very well - It just shouldn't be required.

                                  kevindd992002
                                  last edited by Feb 5, 2015, 2:34 AM

                                  Another clarification on my mind: is it accurate that when you enable forwarding with Unbound, it will never use the root hints?

                                    kejianshi
                                    last edited by Feb 5, 2015, 3:48 AM

                                    Let's say you are forwarding from 8.8.8.8 or your ISP's DNS - No, it would be using the root DNS servers.

                                      kevindd992002
                                      last edited by Feb 5, 2015, 8:36 AM

                                      @kejianshi:

                                      Let's say you are forwarding from 8.8.8.8 or your ISP's DNS - No, it would be using the root DNS servers.

                                      Is that a "from" or a "to" 8.8.8.8 or my ISP's DNS server? In any case, if you enable forwarding, regardless of what IP address you are forwarding to, it still disables the root hints, right?

                                        phil.davis
                                        last edited by Feb 5, 2015, 5:56 PM

                                        Forwarding mode should forward all requests to the designated upstream DNS server/s.
                                        Thus there will be no reason for Unbound to ever consult the root servers, because it never does a recursive resolve when in forwarding mode.
                                        That is the theory. Of course there might be "bugs/features" in the code that result in some talking to root servers even when forwarding mode is on - you would have to audit the code and test to really know that :)

                                        As the Greek philosopher Isosceles used to say, "There are 3 sides to every triangle."
                                        If I helped you, then help someone else - buy someone a gift from the INF catalog http://secure.inf.org/gifts/usd/

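The forwarder-with-DNSSEC arrangement kejianshi describes, johnpoz's point that ALL interfaces is rarely right, and the "never consults the root servers" behaviour phil.davis explains, written out as a hand-made unbound.conf fragment. This is an added example, not pfSense's generated configuration or anything posted in the thread; the LAN address 192.168.1.1/24 and the root.key path are assumptions, and since pfSense writes its own unbound.conf the fragment is for reading the settings, not pasting in.

```conf
# Added example (not pfSense's generated unbound.conf): forwarder mode with
# DNSSEC validation, answering LAN clients only.
server:
    # Weak setting: binding every interface, which includes WAN.
    # Shown commented out; the explicit LAN binding below is the corrected form.
    # interface: 0.0.0.0
    interface: 192.168.1.1          # assumed LAN address
    access-control: 192.168.1.0/24 allow
    access-control: 0.0.0.0/0 refuse

    # DNSSEC validation. The anchor file path is assumed; it must exist and
    # be writable by the unbound user so RFC 5011 updates can be stored.
    auto-trust-anchor-file: "/var/unbound/root.key"
    # Treat answers with stripped DNSSEC data as bogus instead of trusting them.
    harden-dnssec-stripped: yes

# A forward-zone for "." sends every query upstream, so the root hints
# are never used. forward-first defaults to no: if the upstream fails,
# Unbound does not fall back to iterating from the root on its own.
forward-zone:
    name: "."
    forward-addr: 8.8.8.8
    forward-addr: 8.8.4.4
```

If the upstream (an ISP resolver, say) does not pass DNSSEC data through, validation fails and signed names stop resolving, which is the failure kejianshi describes.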
                                          kevindd992002
                                          last edited by Feb 5, 2015, 6:35 PM

                                          @phil.davis:

                                          Forwarding mode should forward all requests to the designated upstream DNS server/s.
                                          Thus there will be no reason for Unbound to ever consult the root servers, because it never does a recursive resolve when in forwarding mode.
                                          That is the theory. Of course there might be "bugs/features" in the code that result in some talking to root servers even when forwarding mode is on - you would have to audit the code and test to really know that :)

                                          Got it! I was just thinking that it's like the DNS server in Windows Server wherein there's a checkbox for "use root hints if no forwarders are available" under the forwarders tab.

                                          And by the way, can you guys help me out in another thread? I decided to separate it here: https://forum.pfsense.org/index.php?topic=88164.msg486107#msg486107

                                          Thanks.

                                          Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.