Netgate Discussion Forum

    [SOLVED] New SG-1100 DNS Resolver not working

      djacu2

      Problem
      Just purchased a new SG-1100, and went through the setup multiple times, but could never get DNS resolution on my LAN clients.

      Setup
      I have a Frontier FIOS ONT passing CAT5 into my home. That is connected to the WAN on the SG-1100 and my desktop is connected to the LAN. The SG-1100 has an IP address of 10.0.1.1 and is currently handing my PC an address of 10.0.1.10. Gateway is 10.0.1.1 and DNS is 10.0.1.1. I am using Google's DNS servers configured in General Setup and the DNS Resolver (unbound) as shown in the images below. I have been following this article mostly (Troubleshooting Network Connectivity) and discovered the following.

      • Diagnostics / Ping 8.8.8.8 works from both WAN and LAN
      • Diagnostics / Ping google.com works from both WAN and LAN
      • Diagnostics / DNS Lookup for pfsense.org seems to work (see image below)
      • My client can ping the SG-1100 LAN IP
      • My client can ping the SG-1100 WAN IP
      • My client can ping 8.8.8.8
      • My client cannot ping google.com

      I found this error in Status / System Logs / System / General

      /services_unbound.php: The command '/usr/local/sbin/unbound -c /var/unbound/unbound.conf' returned exit code '1', the output was '[1549232565] unbound[11670:0] error: Error for server-cert-file: /var/unbound/unbound_server.pem [1549232565] unbound[11670:0] error: Error in SSL_CTX use_certificate_chain_file crypto error:0906D06C:PEM routines:PEM_read_bio:no start line [1549232565] unbound[11670:0] error: and additionally crypto error:140DC009:SSL routines:SSL_CTX_use_certificate_chain_file:PEM lib [1549232565] unbound[11670:0] fatal error: could not set up remote-control'
      

      Under Services / DNS Resolver / Advanced Settings - I set the Log Level to 2.
      If I go to Status / System Logs / System / DNS Resolver there doesn't seem to be a lot of activity but I may not understand what I am looking at.

      Feb 2 19:49:48	dnsmasq	40988	reading /etc/resolv.conf
      Feb 2 19:49:48	dnsmasq	40988	ignoring nameserver 127.0.0.1 - local interface
      Feb 2 19:49:48	dnsmasq	40988	using nameserver 8.8.8.8#53
      Feb 2 19:49:48	dnsmasq	40988	using nameserver 8.8.4.4#53
      Feb 2 19:49:48	dnsmasq	40988	read /etc/hosts - 3 addresses
      Feb 2 19:50:46	dnsmasq	40988	exiting on receipt of SIGTERM
      Feb 2 19:50:47	dnsmasq	96352	started, version 2.79 cachesize 10000
      Feb 2 19:50:47	dnsmasq	96352	compile time options: IPv6 GNU-getopt no-DBus i18n IDN2 DHCP DHCPv6 no-Lua TFTP no-conntrack ipset auth DNSSEC loop-detect no-inotify
      Feb 2 19:50:47	dnsmasq	96352	reading /etc/resolv.conf
      Feb 2 19:50:47	dnsmasq	96352	ignoring nameserver 127.0.0.1 - local interface
      Feb 2 19:50:47	dnsmasq	96352	using nameserver 8.8.8.8#53
      Feb 2 19:50:47	dnsmasq	96352	using nameserver 8.8.4.4#53
      Feb 2 19:50:47	dnsmasq	96352	read /etc/hosts - 3 addresses
      Feb 2 20:00:13	dnsmasq	96352	exiting on receipt of SIGTERM
      

      What I have tried
      Two things I've found to "work"

      • Manually setting the DNS in my network settings to 8.8.8.8. Not really ideal.
      • Disabling the DNS Resolver and enabling the DNS Forwarder. This does work but it bugs me that the resolver doesn't work and I'd rather fix it.

      Help
      Does anyone have any idea what my problem might be or where I can start looking? I've gone through numerous forum and Reddit posts where people had DNS issues similar to mine but none of the solutions seemed to work for me.

      General Setup
      0_1549235179717_general_setup_2019-02-03 15-04-53.png

      DNS Resolver Settings
      0_1549234438902_dns_resolver_2019-02-03 14-53-16.png

      DNS Lookup
      0_1549234301278_diagnostics_dnslookup_2019-02-03 14-36-10.png

        djacu2

        Another thing I forgot to mention was that in Status / Services, it appears that unbound is not running.
        0_1549237745995_status_services_2019-02-03 15-48-12.png

          RonpfS

          @djacu2 said in New SG-1100 DNS Resolver not working:

          unbound_server.pem

          https://forum.netgate.com/topic/106011/solved-pfblockerng-reloading-unbound-fails/11

          2.4.5-RELEASE-p1 (amd64)
          Intel Core2 Quad CPU Q8400 @ 2.66GHz 8GB
          Backup 0.5_5, Bandwidthd 0.7.4_4, Cron 0.3.7_5, pfBlockerNG-devel 3.0.0_16, Status_Traffic_Totals 2.3.1_1, System_Patches 1.2_5

            djacu2

            Thank you! That was the solution. Copy instructions below.

            Under /var/unbound delete the following and reboot.
            unbound_control.key
            unbound_control.pem
            unbound_server.key
            unbound_server.pem

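
A check for the failure seen in this thread, as an added example that is not part of the original posts: OpenSSL's "PEM_read_bio:no start line" means the file has no `-----BEGIN ...` line, so this script classifies each of the four remote-control files before anything is deleted. The directory and file names come from the thread; the function names `pem_state` and `check_unbound_ctl` are made up for this example.

```shell
#!/bin/sh
# Added example (not from the thread): inspect the unbound remote-control
# certificate and key files that the fix above deletes.

# File names as listed in the thread.
UNBOUND_CTL_FILES="unbound_control.key unbound_control.pem unbound_server.key unbound_server.pem"

# Print one of: missing | empty | no-pem-header | ok
# "no-pem-header" is the condition OpenSSL reports as "no start line".
pem_state() {
    f=$1
    if [ ! -e "$f" ]; then
        echo missing
    elif [ ! -s "$f" ]; then
        echo empty
    elif ! grep -q -e '^-----BEGIN ' "$f"; then
        echo no-pem-header
    else
        echo ok
    fi
}

# Report the state of every file in the given directory (default
# /var/unbound, the path from the thread). Returns 1 if any file is
# present but unreadable as PEM. A missing file is reported but not
# counted as bad, since the thread's fix starts by deleting all four.
check_unbound_ctl() {
    dir=${1:-/var/unbound}
    bad=0
    for name in $UNBOUND_CTL_FILES; do
        state=$(pem_state "$dir/$name")
        printf '%-22s %s\n' "$name" "$state"
        case $state in
            empty|no-pem-header) bad=1 ;;
        esac
    done
    return $bad
}
```

Source the file and run `check_unbound_ctl /var/unbound` from a shell on the firewall; a non-zero return with an `empty` or `no-pem-header` line points at the same files named in the error message.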