Should unbound-control work by default?

Taz79 · Apr 11, 2019, 7:25 PM

@jimp said in Should unbound-control work by default?:

/var/unbound/remotecontrol.conf shouldn't be zero bytes, so it's also possible something corrupted that. Easy test is to rm /var/unbound/remotecontrol.conf and then save/apply in the resolver settings.

That solved the problem!! What would i do without you guys! I would have tried to add my own settings in that file and that would not have been good i guess.. :)

EDIT: whops.. it looked good from the beginning.. check my screenshots below.. The file got re-created and it looked good.. But now the unbound service won't start up, i noticed because wife started complain about Netflix not working anymore... HAHA..

Here is the error message from the General log:

Status before:

After save:

Content of the new file:

Anything special about your setup? Any custom options in unbound? DNSBL or other pfBlocker things enabled?

Only addition im running at the moment is Bandwithd. Before i have changed outgoing network interfaces to my VPN tunnel to internet but i have since then changed it back to "All" again.

I have enabled "Serve Expired" yesterday and also removed "Enable SSL/TLS Service. But that was after i noticed the file was 0 bytes.

The pfsense hardware is pretty new. 2 months old SG-1100. I have restored configurations from my old system, or i just restored the VPN part, dont remember wich one i did now :)

jimp · Apr 11, 2019, 7:30 PM

Something is definitely unhappy in those files. run rm /var/unbound/unbound_*.pem /var/unbound/unbound_*.key and save/apply, see if that helps. That should force unbound to regenerate those files as well.

RonpfS · Apr 11, 2019, 7:31 PM

@jimp said in Should unbound-control work by default?:

Something is definitely unhappy in those files

Files are empty

Taz79 · Apr 11, 2019, 7:39 PM

@jimp said in Should unbound-control work by default?:

Something is definitely unhappy in those files. run rm /var/unbound/unbound_*.pem /var/unbound/unbound_*.key and save/apply, see if that helps. That should force unbound to regenerate those files as well.

Holy **** ... That was a fast answer from your side!!! :)

I tried it. and it works! :) Unbound service is running now and i can do DNS lookups again :)

Files has been re-created and is not empty anymore.. Strange problem.. And also the file date of those files with 0 bytes were 7th Jan.. That was before i got my SG-1100... I guess the restore i did would not create files that way (with an old date)..

jimp · Apr 11, 2019, 7:40 PM

Did you maybe have a power event or otherwise unclean shutdown? It might have happened when pfSense was writing those files or they hadn't fully synchronized to disk yet. You might want to reboot it and run a disk check to be certain.

Worst case there you can rm -rf /var/unbound and save/apply and it should generate everything again.

The older date may be from when the system was initially imaged at the factory.

Taz79 · Apr 11, 2019, 7:44 PM

This also solved other issues i had... Now Status -> DNS Resolver is working

AND! unbound-control works too! .. I'm a Happy panda now.. Thanks Jimp!!!!

RonpfS · Apr 11, 2019, 7:44 PM

The root.key.57361-0 file should not be there.

jimp · Apr 11, 2019, 7:45 PM

@Taz79 said in Should unbound-control work by default?:

This also solved other issues i had... Now Status -> DNS Resolver is working

Not surprising since that page uses data output from unbound-control :-)

Taz79 · Apr 11, 2019, 7:47 PM

@jimp said in Should unbound-control work by default?:

Did you maybe have a power event or otherwise unclean shutdown? It might have happened when pfSense was writing those files or they hadn't fully synchronized to disk yet. You might want to reboot it and run a disk check to be certain.

Worst case there you can rm -rf /var/unbound and save/apply and it should generate everything again.

The older date may be from when the system was initially imaged at the factory.

We very seldom have power fails here.. Last time was 2 years ago actually.. Some power fails are planned work but then i always shutdown stuff first. I will buy a UPS for my router and other equipment soon though since power fails cause a lot of issues for sure! :)

Can i schedule a diskcheck at reboot? and see the results later from "remote (web)"? .. or must i have a display connected to the router?

Taz79 · Apr 11, 2019, 7:53 PM

@jimp can i ask you about the feature "Serve Expired"?

I'm wondering when a record reach TTL of 0.. How long will it stay in the cache before it gets deleted? I mean how much good does this setting do? .. It seems like a good thing and does not take up any extra DNS traffic.

tman222 · Apr 12, 2019, 8:27 PM

@Taz79 said in Should unbound-control work by default?:

@jimp can i ask you about the feature "Serve Expired"?

I'm wondering when a record reach TTL of 0.. How long will it stay in the cache before it gets deleted? I mean how much good does this setting do? .. It seems like a good thing and does not take up any extra DNS traffic.

I have had this enabled for some time with no ill effects that I can see. It seems that DNS TTL's are pretty short on major sites these days (I assume for load balancing purposes or because of the usage of CDN's?) so I find that this does speed things up a bit on my own network where there are just a handful of users. If there were a large number of users it might be less useful as the DNS cache would generally be kept hot otherwise (i.e. records would likely not expire before being requested again). Hope this helps.

Taz79 · Apr 15, 2019, 6:31 AM

@tman222 said in Should unbound-control work by default?:

@Taz79 said in Should unbound-control work by default?:

@jimp can i ask you about the feature "Serve Expired"?

I'm wondering when a record reach TTL of 0.. How long will it stay in the cache before it gets deleted? I mean how much good does this setting do? .. It seems like a good thing and does not take up any extra DNS traffic.

I have had this enabled for some time with no ill effects that I can see. It seems that DNS TTL's are pretty short on major sites these days (I assume for load balancing purposes or because of the usage of CDN's?) so I find that this does speed things up a bit on my own network where there are just a handful of users. If there were a large number of users it might be less useful as the DNS cache would generally be kept hot otherwise (i.e. records would likely not expire before being requested again). Hope this helps.

Seems like i have to create a separate thread for this to get it sorted out :) .. It defenatly helps me though looking at the statistics. Thanks for your reply!