Netgate Discussion Forum

unbound DNS Resolver Will Not Start

Problems Installing or Upgrading pfSense Software
  • N
    newUser2pfSense
    last edited by Jun 10, 2020, 5:18 PM

    So I made a mistake and didn't back up my configuration before updating. Wow, big mistake. That won't happen again! The backups that I do have are just over 3 months old and I'm not sure if they have my complete configuration or not.

    How would I go about reconfiguring the resolver and then save it again? Any ideas?

    • B
      bmeeks @newUser2pfSense
      last edited by bmeeks Jun 10, 2020, 5:26 PM Jun 10, 2020, 5:23 PM

      @newUser2pfSense said in unbound DNS Resolver Will Not Start:

      I'm not sure if this helps or not but here are the last log file lines in the System Logs > System > DNS Resolver after updating and it repeats about 5 times:

      Jun 10 09:15:18 unbound 22966:1 info: 127.0.0.1 _https._tcp.pkg.pfsense.org. SRV IN NOERROR 0.000000 1 123
      Jun 10 09:15:18 unbound 22966:1 info: 127.0.0.1 files00.netgate.com. A IN NOERROR 0.000000 1 53
      Jun 10 09:15:18 unbound 22966:6 info: 127.0.0.1 files00.netgate.com. AAAA IN NOERROR 0.000000 1 65
      Jun 10 09:15:18 unbound 22966:3 info: 127.0.0.1 files01.netgate.com. A IN NOERROR 0.000000 1 53
      Jun 10 09:15:18 unbound 22966:3 info: 127.0.0.1 files01.netgate.com. AAAA IN NOERROR 0.000000 1 65
      Jun 10 09:15:18 unbound 22966:6 info: 127.0.0.1 files00.netgate.com. A IN NOERROR 0.000000 1 53
      Jun 10 09:15:18 unbound 22966:6 info: 127.0.0.1 files00.netgate.com. AAAA IN NOERROR 0.000000 1 65
      Jun 10 09:15:18 unbound 22966:6 info: 127.0.0.1 files01.netgate.com. A IN NOERROR 0.000000 1 53
      Jun 10 09:15:18 unbound 22966:1 info: 127.0.0.1 files01.netgate.com. AAAA IN NOERROR 0.000000 1 65
      Jun 10 09:15:18 unbound 22966:2 info: 127.0.0.1 files00.netgate.com. A IN NOERROR 0.000000 1 53
      Jun 10 09:15:18 unbound 22966:6 info: 127.0.0.1 files00.netgate.com. AAAA IN NOERROR 0.000000 1 65
      Jun 10 09:15:18 unbound 22966:7 info: 127.0.0.1 files01.netgate.com. A IN NOERROR 0.000000 1 53
      Jun 10 09:15:18 unbound 22966:7 info: 127.0.0.1 files01.netgate.com. AAAA IN NOERROR 0.000000 1 65

      Here's an interesting line in the System Logs > System > General

      Jun 10 12:35:05 php-fpm 88498 /status_services.php: The command '/usr/local/sbin/unbound -c /var/unbound/unbound.conf' returned exit code '1', the output was '/var/unbound/unbound.conf:105: error: syntax error read /var/unbound/unbound.conf failed: 1 errors in configuration file [1591806905] unbound[31342:0] fatal error: Could not read config file: /var/unbound/unbound.conf. Maybe try unbound -dd, it stays on the commandline to see more errors, or unbound-checkconf'

      When I enter "unbound-checkconf" (no quotes) in the Diagnostics > Command Prompt, I get the following:

      unbound-checkconf: no errors in /usr/local/etc/unbound/unbound.conf

      You ran the "checkconf" on the wrong unbound.conf file. Look again at your error message. It does not like the unbound.conf file in '/var/unbound'. So you will need to run the unbound-checkconf command against /var/unbound/unbound.conf to find out what's actually wrong.

      See, here is the actual error message:

      fatal error: Could not read config file: /var/unbound/unbound.conf.
      

      Because you gave the unbound-checkconf utility no parameters, it checked the default file here:

      no errors in /usr/local/etc/unbound/unbound.conf
      

      but that is NOT the file that unbound uses when it actually runs. It runs from config files in /var/unbound.

      • P
        pete35
        last edited by Jun 10, 2020, 5:27 PM

        Just change any number on the "advanced resolver options" under "advanced settings" save it and change it back. Save it again. Try to start unbound then and check the logs again.

        • N
          newUser2pfSense
          last edited by newUser2pfSense Jun 10, 2020, 5:40 PM Jun 10, 2020, 5:36 PM

          So I changed a value in the "Advanced Resolver Options", saved it, changed it back, saved it again.

          In the Status > System Logs > System > DNS Resolver:

          Nothing changed...no new lines at all.

          In the Status > System Logs > System > General, these are the new lines:

          Jun 10 13:30:24 php-fpm 357 /services_unbound_advanced.php: The command '/usr/local/sbin/unbound -c /var/unbound/unbound.conf' returned exit code '1', the output was '/var/unbound/unbound.conf:105: error: syntax error read /var/unbound/unbound.conf failed: 1 errors in configuration file [1591810224] unbound[36841:0] fatal error: Could not read config file: /var/unbound/unbound.conf. Maybe try unbound -dd, it stays on the commandline to see more errors, or unbound-checkconf'
          Jun 10 13:30:51 check_reload_status Syncing firewall
          Jun 10 13:30:54 php-fpm 356 /services_unbound_advanced.php: The command '/usr/local/sbin/unbound -c /var/unbound/unbound.conf' returned exit code '1', the output was '/var/unbound/unbound.conf:105: error: syntax error read /var/unbound/unbound.conf failed: 1 errors in configuration file [1591810254] unbound[69110:0] fatal error: Could not read config file: /var/unbound/unbound.conf. Maybe try unbound -dd, it stays on the commandline to see more errors, or unbound-checkconf'
          Jun 10 13:31:02 php-fpm 356 /status_services.php: The command '/usr/local/sbin/unbound -c /var/unbound/unbound.conf' returned exit code '1', the output was '/var/unbound/unbound.conf:105: error: syntax error read /var/unbound/unbound.conf failed: 1 errors in configuration file [1591810262] unbound[82148:0] fatal error: Could not read config file: /var/unbound/unbound.conf. Maybe try unbound -dd, it stays on the commandline to see more errors, or unbound-checkconf'

          In the Diagnostics > Command prompt, I ran the following command:

          unbound-checkconf /var/unbound/unbound.conf

          The result:
          /var/unbound/unbound.conf:105: error: syntax error
          read /var/unbound/unbound.conf failed: 1 errors in configuration file

          • P
            pete35
            last edited by Jun 10, 2020, 5:40 PM

            Maybe post your unbound.conf here?

            • N
              newUser2pfSense
              last edited by Jun 10, 2020, 5:46 PM

              From: /var/unbound/unbound.conf

              ##########################

              Unbound Configuration

              ##########################

              Server configuration

              server:

              chroot: /var/unbound
              username: "unbound"
              directory: "/var/unbound"
              pidfile: "/var/run/unbound.pid"
              use-syslog: yes
              port: 53
              verbosity: 2
              hide-identity: yes
              hide-version: yes
              harden-glue: yes
              do-ip4: yes
              do-ip6: no
              do-udp: yes
              do-tcp: yes
              do-daemonize: yes
              module-config: "validator iterator"
              unwanted-reply-threshold: 0
              num-queries-per-thread: 512
              jostle-timeout: 200
              infra-host-ttl: 900
              infra-cache-numhosts: 10000
              outgoing-num-tcp: 10
              incoming-num-tcp: 10
              edns-buffer-size: 4096
              cache-max-ttl: 86400
              cache-min-ttl: 0
              harden-dnssec-stripped: yes
              msg-cache-size: 4m
              rrset-cache-size: 8m

              num-threads: 8
              msg-cache-slabs: 8
              rrset-cache-slabs: 8
              infra-cache-slabs: 8
              key-cache-slabs: 8
              outgoing-range: 4096
              #so-rcvbuf: 4m
              auto-trust-anchor-file: /var/unbound/root.key
              prefetch: no
              prefetch-key: no
              use-caps-for-id: no
              serve-expired: no

              Statistics

              Unbound Statistics

              statistics-interval: 0
              extended-statistics: yes
              statistics-cumulative: yes

              TLS Configuration

              tls-cert-bundle: "/etc/ssl/cert.pem"

              Interface IP(s) to bind to

              interface-automatic: yes
              interface: 0.0.0.0
              interface: ::0

              Outgoing interfaces to be used

              DNS Rebinding

              For DNS Rebinding prevention

              private-address: 127.0.0.0/8
              private-address: 10.0.0.0/8
              private-address: ::ffff:a00:0/104
              private-address: 172.16.0.0/12
              private-address: ::ffff:ac10:0/108
              private-address: 169.254.0.0/16
              private-address: ::ffff:a9fe:0/112
              private-address: 192.168.0.0/16
              private-address: ::ffff:c0a8:0/112
              private-address: fd00::/8
              private-address: fe80::/10

              Access lists

              include: /var/unbound/access_lists.conf

              Static host entries

              include: /var/unbound/host_entries.conf

              dhcp lease entries

              include: /var/unbound/dhcpleases_entries.conf

              Domain overrides

              include: /var/unbound/domainoverrides.conf

              Forwarding

              forward-zone:
              name: "."
              forward-tls-upstream: yes
              forward-addr: 9.9.9.9@853
              forward-addr: 149.112.112.112@853

              Unbound custom options

              log-replies: yes

              Remote Control Config

              include: /var/unbound/remotecontrol.conf

              • B
                bmeeks @newUser2pfSense
                last edited by Jun 10, 2020, 5:49 PM

                You need to open this file in an editor and find line #105. That's where the error is. Look again at the error message you are given from the logs:

                the output was '/var/unbound/unbound.conf:105: error: syntax error
                

                The ":105" part is the line number where the syntax error is located.

                • N
                  newUser2pfSense
                  last edited by newUser2pfSense Jun 10, 2020, 5:51 PM Jun 10, 2020, 5:51 PM

                  I copied the entire contents and pasted it into a text file in an editor and I believe line 105 is:

                  log-replies: yes

                  • P
                    pete35
                    last edited by Jun 10, 2020, 5:53 PM

                    Go to the custom options in the unbound gui and remove this line. Save and restart unbound.

                    • B
                      bmeeks @newUser2pfSense
                      last edited by bmeeks Jun 10, 2020, 5:54 PM Jun 10, 2020, 5:53 PM

                      @newUser2pfSense said in unbound DNS Resolver Will Not Start:

                      I copied the entire contents and pasted it into a text file in an editor and I believe line 105 is:

                      log-replies: yes

                      I don't see anything wrong on that line, but there may be extra control or other characters present that either did not get copied into your post or show up as whitespace and thus are invisible. Clearly there is something on line 105 that unbound does not care for. Could be something just in front of, or just behind, that line number.

                      1 Reply Last reply Reply Quote 0
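
The checks suggested in the replies above (run unbound-checkconf against /var/unbound/unbound.conf, read the line number after the colon, then look for invisible characters on or next to that line), as an added shell example that is not part of the original posts. The sample config, the sample message and all function names are constructed for illustration, and the clause lookup goes one step beyond the thread by also reporting which unbound.conf clause the reported line falls under.

```shell
#!/bin/sh
# Added example. On the firewall the message would come from:
#   unbound-checkconf /var/unbound/unbound.conf 2>&1
# Here a constructed config and a constructed message stand in for both.

# Write a constructed 7-line config; line 6 ends in a non-breaking space
# (bytes 0xC2 0xA0) and a carriage return, neither visible in most editors.
make_sample() {
    {
        printf 'server:\nverbosity: 2\nforward-zone:\nname: "."\n'
        printf 'forward-addr: 9.9.9.9@853\n'
        printf 'log-replies: yes\302\240\r\n'
        printf 'include: /var/unbound/remotecontrol.conf\n'
    } > "$1"
}

# Print "<file> <line>" from the first "<file>:<line>: error:" in a message.
conf_error_location() {
    printf '%s\n' "$1" |
        sed -n 's/^\(.*\):\([0-9][0-9]*\): error:.*$/\1 \2/p' | head -n 1
}

# Count bytes on line $2 of file $1 that are neither printable ASCII nor tab.
hidden_byte_count() {
    sed -n "${2}p" "$1" | LC_ALL=C tr -d '[:print:]\t\n' | wc -c | tr -d ' '
}

# Show the line before, at and after $2 in sed's unambiguous "l" form:
# hidden bytes appear as escapes (\r, \302\240) and "$" marks each line end.
show_line_bytes() {
    first=$(( $2 - 1 )); [ "$first" -ge 1 ] || first=1
    LC_ALL=C sed -n "${first},$(( $2 + 1 ))l" "$1"
}

# Name the clause (server, forward-zone, ...) whose header is the last one
# at or before line $2. Files pulled in with include: are not followed.
enclosing_clause() {
    awk -v n="$2" '
        NR > n { exit }
        /^[ \t]*(server|remote-control|forward-zone|stub-zone|auth-zone|view):/ {
            c = $0; sub(/^[ \t]*/, "", c); sub(/:.*/, "", c); clause = c
        }
        END { print clause }' "$1"
}

# Demo on the constructed sample.
conf=$(mktemp)
make_sample "$conf"
msg="$conf:6: error: syntax error
read $conf failed: 1 errors in configuration file"
loc=$(conf_error_location "$msg")
file=${loc% *}
line=${loc##* }
echo "file:   $file"
echo "line:   $line"
echo "clause: $(enclosing_clause "$file" "$line")"
echo "hidden: $(hidden_byte_count "$file" "$line") byte(s)"
show_line_bytes "$file" "$line"
rm -f "$conf"
```

A hidden-byte count of 0 rules out stray control characters, leaving the option itself or its position in the file to examine.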
                      • B
                        bmeeks
                        last edited by Jun 10, 2020, 5:57 PM

                        User @pete35 is on the right track with his suggestions. You need to wipe out all of the custom conf stuff that pfBlockerNG would have added to unbound's conf file.

                        • N
                          newUser2pfSense
                          last edited by Jun 10, 2020, 5:58 PM

                          So I went to Services > DNS Resolver > General settings and deleted the log-replies: yes.

                          As soon as I went to the dashboard, the Services Status > unbound DNS Resolver is now started.

                          • B
                            bmeeks @newUser2pfSense
                            last edited by Jun 10, 2020, 6:00 PM

                            @newUser2pfSense said in unbound DNS Resolver Will Not Start:

                            So I went to Services > DNS Resolver > General settings and deleted the log-replies: yes.

                            As soon as I went to the dashboard, the Services Status > unbound DNS Resolver is now started.

                            Great! There must have been something else lurking on that line because according to the man page I found on Google that option is a valid one.

                            • P
                              pete35
                              last edited by Jun 10, 2020, 6:00 PM

                              So insert that line again, but don't copy it from anywhere, just type it in. Save and restart; if that is OK then, you can enable pfblocker.

                              • N
                                newUser2pfSense
                                last edited by Jun 10, 2020, 6:17 PM

                                Ok, so I tried this two times and no luck -
                                I went to Diagnostics > Edit File and browsed to the file and typed the line back in and saved the file. As a test to make sure the line stayed in the file, I restarted pfSense. When logging back into the GUI, the unbound DNS Resolver is working, however, when I check the file, the line is not there.

                                Going to Services > DNS Resolver > General Settings > Custom options, I tried typing the line in there and saving and I received the following error message:

                                The following input errors were detected:

                                • The generated config file cannot be parsed by unbound. Please correct the following errors:
                                • /var/unbound/test/unbound.conf:105: error: syntax error
                                • read /var/unbound/test/unbound.conf failed: 1 errors in configuration file

                                Hmm, /test/ is in this path. When I look in the file with the /test/ in the path, the line is there.

                                • P
                                  pete35
                                  last edited by Jun 10, 2020, 6:24 PM

                                  Hmm, I don't think you need that option. If it is OK for you, just forget about it. Enable pfblocker. Suggestion: before you reconfigure anything or do an update, please do a backup of a running config.

                                  • B
                                    bmeeks @newUser2pfSense
                                    last edited by bmeeks Jun 10, 2020, 7:41 PM Jun 10, 2020, 6:42 PM

                                    @newUser2pfSense said in unbound DNS Resolver Will Not Start:

                                    Ok, so I tried this two times and no luck -
                                    I went to Diagnostics > Edit File and browsed to the file and typed the line back in and saved the file. As a test to make sure the line stayed in the file, I restarted pfSense. When logging back into the GUI, the unbound DNS Resolver is working, however, when I check the file, the line is not there.

                                    Going to Services > DNS Resolver > General Settings > Custom options, I tried typing the line in there and saving and I received the following error message:

                                    The following input errors were detected:

                                    • The generated config file cannot be parsed by unbound. Please correct the following errors:
                                    • /var/unbound/test/unbound.conf:105: error: syntax error
                                    • read /var/unbound/test/unbound.conf failed: 1 errors in configuration file

                                    Hmm, /test/ is in this path. When I look in the file with the /test/ in the path, the line is there.

                                    Manually typing into the config files will not be persistent. The GUI code recreates the conf files for all packages each time you start/stop the service or otherwise modify something in pfSense. All configuration is stored in the firewall's config.xml file and read out from there when creating or recreating conf files. When you go into SERVICES > DNS Resolver > General Settings > Custom Options and type in something, then when you click Save the conf file is recreated from scratch. Any changes you make directly on the filesystem (such as when using DIAGNOSTICS > EDIT FILE) are overwritten. This is true for all packages, and is something new users typically get confused by. You edit something on the command line and yet it doesn't "stay edited".

                                    • N
                                      newUser2pfSense
                                      last edited by Jun 10, 2020, 6:47 PM

                                      Maybe that's why I'm now seeing the following line in Custom options as it wasn't there before:

                                      server:include: /var/unbound/pfb_dnsbl.*conf

                                      I was actually going to go into the console and use vi to add the line as a test to see what happens but now that this line is in there, on line 105, I'm not sure what to do.

                                      • B
                                        bmeeks @newUser2pfSense
                                        last edited by Jun 10, 2020, 6:52 PM

                                        @newUser2pfSense said in unbound DNS Resolver Will Not Start:

                                        Maybe that's why I'm now seeing the following line in Custom options as it wasn't there before:

                                        server:include: /var/unbound/pfb_dnsbl.*conf

                                        I was actually going to go into the console and use vi to add the line as a test to see what happens but now that this line is in there, on line 105, I'm not sure what to do.

                                        pfBlockerNG's DNSBL functionality puts that line in there. It tells the unbound resolver to load up the additional configuration info it finds in that file (or files matching that wildcard). That's how the ad blocking and other stuff works. Now, it may be that unbound is no longer liking that wildcard spec or something.

                                        • N
                                          newUser2pfSense
                                          last edited by Jun 10, 2020, 7:01 PM

                                          Interestingly, I went to Services > DNS Resolver > General Settings > General DNS Resolver Options > Custom options and typed in the line, saved it, and then restarted pfSense. Everything seems to work now for whatever reason, odd. The Custom options box now shows these two lines:

                                          server:include: /var/unbound/pfb_dnsbl.*conf
                                          log-replies: yes

                                          Wouldn't you know it, as I look on the GUI Dashboard, there's a new version of pfBlockerNG-devel.

                                          Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.