Netgate Discussion Forum

    unbound DNS Resolver Will Not Start

      newUser2pfSense

      So I changed a value in the "Advanced Resolver Options", saved it, changed it back, saved it again.

      In the Status > System Logs > System > DNS Resolver:

      Nothing changed...no new lines at all.

      In the Status > System Logs > System > General, these are the new lines:

      Jun 10 13:30:24 php-fpm 357 /services_unbound_advanced.php: The command '/usr/local/sbin/unbound -c /var/unbound/unbound.conf' returned exit code '1', the output was '/var/unbound/unbound.conf:105: error: syntax error read /var/unbound/unbound.conf failed: 1 errors in configuration file [1591810224] unbound[36841:0] fatal error: Could not read config file: /var/unbound/unbound.conf. Maybe try unbound -dd, it stays on the commandline to see more errors, or unbound-checkconf'
      Jun 10 13:30:51 check_reload_status Syncing firewall
      Jun 10 13:30:54 php-fpm 356 /services_unbound_advanced.php: The command '/usr/local/sbin/unbound -c /var/unbound/unbound.conf' returned exit code '1', the output was '/var/unbound/unbound.conf:105: error: syntax error read /var/unbound/unbound.conf failed: 1 errors in configuration file [1591810254] unbound[69110:0] fatal error: Could not read config file: /var/unbound/unbound.conf. Maybe try unbound -dd, it stays on the commandline to see more errors, or unbound-checkconf'
      Jun 10 13:31:02 php-fpm 356 /status_services.php: The command '/usr/local/sbin/unbound -c /var/unbound/unbound.conf' returned exit code '1', the output was '/var/unbound/unbound.conf:105: error: syntax error read /var/unbound/unbound.conf failed: 1 errors in configuration file [1591810262] unbound[82148:0] fatal error: Could not read config file: /var/unbound/unbound.conf. Maybe try unbound -dd, it stays on the commandline to see more errors, or unbound-checkconf'

      In the Diagnostics > Command prompt, I ran the following command:

      unbound-checkconf /var/unbound/unbound.conf

      The result:
      /var/unbound/unbound.conf:105: error: syntax error
      read /var/unbound/unbound.conf failed: 1 errors in configuration file

        pete35

        Maybe post your unbound.conf here?

          newUser2pfSense

          From: /var/unbound/unbound.conf

          ##########################
          # Unbound Configuration
          ##########################

          # Server configuration
          server:

          chroot: /var/unbound
          username: "unbound"
          directory: "/var/unbound"
          pidfile: "/var/run/unbound.pid"
          use-syslog: yes
          port: 53
          verbosity: 2
          hide-identity: yes
          hide-version: yes
          harden-glue: yes
          do-ip4: yes
          do-ip6: no
          do-udp: yes
          do-tcp: yes
          do-daemonize: yes
          module-config: "validator iterator"
          unwanted-reply-threshold: 0
          num-queries-per-thread: 512
          jostle-timeout: 200
          infra-host-ttl: 900
          infra-cache-numhosts: 10000
          outgoing-num-tcp: 10
          incoming-num-tcp: 10
          edns-buffer-size: 4096
          cache-max-ttl: 86400
          cache-min-ttl: 0
          harden-dnssec-stripped: yes
          msg-cache-size: 4m
          rrset-cache-size: 8m

          num-threads: 8
          msg-cache-slabs: 8
          rrset-cache-slabs: 8
          infra-cache-slabs: 8
          key-cache-slabs: 8
          outgoing-range: 4096
          #so-rcvbuf: 4m
          auto-trust-anchor-file: /var/unbound/root.key
          prefetch: no
          prefetch-key: no
          use-caps-for-id: no
          serve-expired: no

          # Statistics
          # Unbound Statistics
          statistics-interval: 0
          extended-statistics: yes
          statistics-cumulative: yes

          # TLS Configuration
          tls-cert-bundle: "/etc/ssl/cert.pem"

          # Interface IP(s) to bind to
          interface-automatic: yes
          interface: 0.0.0.0
          interface: ::0

          # Outgoing interfaces to be used

          # DNS Rebinding
          # For DNS Rebinding prevention
          private-address: 127.0.0.0/8
          private-address: 10.0.0.0/8
          private-address: ::ffff:a00:0/104
          private-address: 172.16.0.0/12
          private-address: ::ffff:ac10:0/108
          private-address: 169.254.0.0/16
          private-address: ::ffff:a9fe:0/112
          private-address: 192.168.0.0/16
          private-address: ::ffff:c0a8:0/112
          private-address: fd00::/8
          private-address: fe80::/10

          # Access lists
          include: /var/unbound/access_lists.conf

          # Static host entries
          include: /var/unbound/host_entries.conf

          # dhcp lease entries
          include: /var/unbound/dhcpleases_entries.conf

          # Domain overrides
          include: /var/unbound/domainoverrides.conf

          # Forwarding
          forward-zone:
          name: "."
          forward-tls-upstream: yes
          forward-addr: 9.9.9.9@853
          forward-addr: 149.112.112.112@853

          # Unbound custom options
          log-replies: yes

          # Remote Control Config
          include: /var/unbound/remotecontrol.conf

            bmeeks @newUser2pfSense

            You need to open this file in an editor and find line #105. That's where the error is. Look again at the error message you are given from the logs:

            the output was '/var/unbound/unbound.conf:105: error: syntax error
            

            The ":105" part is the line number where the syntax error is located.

              newUser2pfSense

              I copied the entire contents and pasted it into a text file in an editor and I believe line 105 is:

              log-replies: yes

                pete35

                Go to the custom options in the unbound gui and remove this line. Save and restart unbound.

                  bmeeks @newUser2pfSense

                  @newUser2pfSense said in unbound DNS Resolver Will Not Start:

                  I copied the entire contents and pasted it into a text file in an editor and I believe line 105 is:

                  log-replies: yes

                  I don't see anything wrong on that line, but there may be extra control or other characters present that either did not get copied into your post or show up as whitespace and thus are invisible. Clearly there is something on line 105 that unbound does not care for. Could be something just in front of, or just behind, that line number.

                    bmeeks

                    User @pete35 is on the right track with his suggestions. You need to wipe out all of the custom conf stuff that pfBlockerNG would have added to unbound's conf file.

                      newUser2pfSense

                      So I went to Services > DNS Resolver > General settings and deleted the log-replies: yes.

                      As soon as I went to the dashboard, the Services Status > unbound DNS Resolver is now started.

                        bmeeks @newUser2pfSense

                        @newUser2pfSense said in unbound DNS Resolver Will Not Start:

                        So I went to Services > DNS Resolver > General settings and deleted the log-replies: yes.

                        As soon as I went to the dashboard, the Services Status > unbound DNS Resolver is now started.

                        Great! There must have been something else lurking on that line because according to the man page I found on Google that option is a valid one.

                          pete35

                          So insert that line again, but don't copy it from anywhere, just type it in. Save and restart; if that is OK, then you can enable pfBlocker.

                            newUser2pfSense

                            Ok, so I tried this two times and no luck -
                            I went to Diagnostics > Edit File and browsed to the file and typed the line back in and saved the file. As a test to make sure the line stayed in the file, I restarted pfSense. When logging back into the GUI, the unbound DNS Resolver is working, however, when I check the file, the line is not there.

                            Going to Services > DNS Resolver > General Settings > Custom options, I tried typing the line in there and saving and I received the following error message:

                            The following input errors were detected:

                            • The generated config file cannot be parsed by unbound. Please correct the following errors:
                            • /var/unbound/test/unbound.conf:105: error: syntax error
                            • read /var/unbound/test/unbound.conf failed: 1 errors in configuration file

                            Hmm, /test/ is in this path. When I look in the file with the /test/ in the path, the line is there.

                              pete35

                              Hmm, I don't think you need that option. If it is OK for you, just forget about it. Enable pfBlocker. Suggestion: before reconfiguring anything or doing an update, please make a backup of a running config.

                                bmeeks @newUser2pfSense

                                @newUser2pfSense said in unbound DNS Resolver Will Not Start:

                                Ok, so I tried this two times and no luck -
                                I went to Diagnostics > Edit File and browsed to the file and typed the line back in and saved the file. As a test to make sure the line stayed in the file, I restarted pfSense. When logging back into the GUI, the unbound DNS Resolver is working, however, when I check the file, the line is not there.

                                Going to Services > DNS Resolver > General Settings > Custom options, I tried typing the line in there and saving and I received the following error message:

                                The following input errors were detected:

                                • The generated config file cannot be parsed by unbound. Please correct the following errors:
                                • /var/unbound/test/unbound.conf:105: error: syntax error
                                • read /var/unbound/test/unbound.conf failed: 1 errors in configuration file

                                Hmm, /test/ is in this path. When I look in the file with the /test/ in the path, the line is there.

                                Manually typing into the config files will not be persistent. The GUI code recreates the conf files for all packages each time you start/stop the service or otherwise modify something in pfSense. All configuration is stored in the firewall's config.xml file and read out from there when creating or recreating conf files. When you go into SERVICES > DNS Resolver > General Settings > Custom Options and type in something, then when you click Save the conf file is recreated from scratch. Any changes you make directly on the filesystem (such as when using DIAGNOSTICS > EDIT FILE) are overwritten. This is true for all packages, and is something new users typically get confused by. You edit something on the command line and yet it doesn't "stay edited".

                                  newUser2pfSense

                                  Maybe that's why I'm now seeing the following line in Custom options as it wasn't there before:

                                  server:include: /var/unbound/pfb_dnsbl.*conf

                                  I was actually going to go into the console and use vi to add the line as a test to see what happens but now that this line is in there, on line 105, I'm not sure what to do.

                                    bmeeks @newUser2pfSense

                                    @newUser2pfSense said in unbound DNS Resolver Will Not Start:

                                    Maybe that's why I'm now seeing the following line in Custom options as it wasn't there before:

                                    server:include: /var/unbound/pfb_dnsbl.*conf

                                    I was actually going to go into the console and use vi to add the line as a test to see what happens but now that this line is in there, on line 105, I'm not sure what to do.

                                    pfBlockerNG's DNSBL functionality puts that line in there. It tells the unbound resolver to load up the additional configuration info it finds in that file (or files matching that wildcard). That's how the ad blocking and other stuff works. Now, it may be that unbound is no longer liking that wildcard spec or something.

                                      newUser2pfSense

                                      Interestingly, I went to Services > DNS Resolver > General Settings > General DNS Resolver Options > Custom options and typed in the line, saved it, and then restarted pfSense. Everything seems to work now for whatever reason, odd. The Custom options box now shows these two lines:

                                      server:include: /var/unbound/pfb_dnsbl.*conf
                                      log-replies: yes

                                      Wouldn't you know it, as I look on the GUI Dashboard, there's a new version of pfBlockerNG-devel.

                                        newUser2pfSense

                                        Everything seems to be back online and working now.

                                        I made sure I completed a pfSense backup.

                                        I want to thank bmeeks and pete35 for all of their assistance. I appreciate you taking time out of your day to help!

                                          serbus

                                          Hello!

                                          I have been bit by this before...

                                          log-replies has to go in a server block.
                                          You are leeching off the "server:" specified by pfb, but when that package is removed you get the error.
                                          I recommend that you enter the full block specifiers for all custom unbound commands.
                                          So:

                                          server:log-replies:yes

                                          It is OK to have multiple server blocks specified.

                                          John

                                          Lex parsimoniae
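
The clause problem described in the post above, as an added example that is not part of the original thread or of pfSense: in the posted unbound.conf the custom options follow the forward-zone: clause, so a bare log-replies line is read as a forward-zone option unless a server: clause is reopened first. The SERVER_ONLY set, the cut-down sample config and the function names are assumptions made for this sketch; it also flags invisible characters, the other cause suggested earlier in the thread.

```python
import re

# Clause openers in unbound.conf (subset chosen for this example).
CLAUSES = {"server", "forward-zone", "stub-zone", "auth-zone",
           "remote-control", "view", "python"}
# Assumption: a small sample of options that are only valid under "server:".
SERVER_ONLY = {"log-replies", "log-queries", "verbosity"}
TOKEN = re.compile(r"([A-Za-z][A-Za-z0-9-]*):\s*")


def parse(text):
    """Yield (lineno, clause, key, value) for each option line.

    Simplifications: '#' always starts a comment, and include: files are
    not followed, so a clause opened inside an included file is not seen.
    """
    clause = None
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()
        while line:
            m = TOKEN.match(line)
            if not m:
                break
            name, line = m.group(1), line[m.end():]
            if name in CLAUSES:
                clause = name  # e.g. "server:include: ..." opens a clause first
                continue
            yield lineno, clause, name, line.strip()
            break


def lint(text):
    """Return sorted (lineno, message) findings for a config text."""
    findings = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        if any((ord(c) < 32 and c != "\t") or ord(c) > 126 for c in raw):
            findings.append((lineno, "non-printable or non-ASCII character"))
    for lineno, clause, key, _value in parse(text):
        if key in SERVER_ONLY and clause != "server":
            where = f"the {clause}: clause" if clause else "no clause"
            findings.append((lineno, f"{key} falls in {where}"))
    return sorted(findings)


# Constructed sample: a cut-down version of the generated file, ending where
# the GUI appends the custom options (after the forward-zone: clause).
BASE = '''server:
verbosity: 2
interface: ::0
forward-zone:
name: "."
forward-tls-upstream: yes
forward-addr: 9.9.9.9@853
# Unbound custom options
'''
BROKEN = BASE + "log-replies: yes\n"
WITH_PFB = BASE + "server:include: /var/unbound/pfb_dnsbl.*conf\nlog-replies: yes\n"
FIXED = BASE + "server:log-replies:yes\n"

if __name__ == "__main__":
    for label, cfg in (("broken", BROKEN), ("with pfb", WITH_PFB), ("fixed", FIXED)):
        print(label, lint(cfg))
```

Only the BROKEN variant produces a finding; unbound-checkconf remains the authoritative check on the real file.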

                                            newUser2pfSense

                                            serbus...thank you for the reply. I've made the edit, saved, restarted, and everything is still working. I've also made my backups to the system. Wheeew!

                                            Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.