Netgate Discussion Forum

unbound DNS Resolver Will Not Start

Problems Installing or Upgrading pfSense Software
  • N
    newUser2pfSense
    last edited by Jun 10, 2020, 5:46 PM

    From: /var/unbound/unbound.conf

    ##########################
    # Unbound Configuration
    ##########################

    # Server configuration
    server:

    chroot: /var/unbound
    username: "unbound"
    directory: "/var/unbound"
    pidfile: "/var/run/unbound.pid"
    use-syslog: yes
    port: 53
    verbosity: 2
    hide-identity: yes
    hide-version: yes
    harden-glue: yes
    do-ip4: yes
    do-ip6: no
    do-udp: yes
    do-tcp: yes
    do-daemonize: yes
    module-config: "validator iterator"
    unwanted-reply-threshold: 0
    num-queries-per-thread: 512
    jostle-timeout: 200
    infra-host-ttl: 900
    infra-cache-numhosts: 10000
    outgoing-num-tcp: 10
    incoming-num-tcp: 10
    edns-buffer-size: 4096
    cache-max-ttl: 86400
    cache-min-ttl: 0
    harden-dnssec-stripped: yes
    msg-cache-size: 4m
    rrset-cache-size: 8m

    num-threads: 8
    msg-cache-slabs: 8
    rrset-cache-slabs: 8
    infra-cache-slabs: 8
    key-cache-slabs: 8
    outgoing-range: 4096
    #so-rcvbuf: 4m
    auto-trust-anchor-file: /var/unbound/root.key
    prefetch: no
    prefetch-key: no
    use-caps-for-id: no
    serve-expired: no

    # Statistics
    # Unbound Statistics
    statistics-interval: 0
    extended-statistics: yes
    statistics-cumulative: yes

    # TLS Configuration
    tls-cert-bundle: "/etc/ssl/cert.pem"

    # Interface IP(s) to bind to
    interface-automatic: yes
    interface: 0.0.0.0
    interface: ::0

    # Outgoing interfaces to be used

    # DNS Rebinding
    # For DNS Rebinding prevention
    private-address: 127.0.0.0/8
    private-address: 10.0.0.0/8
    private-address: ::ffff:a00:0/104
    private-address: 172.16.0.0/12
    private-address: ::ffff:ac10:0/108
    private-address: 169.254.0.0/16
    private-address: ::ffff:a9fe:0/112
    private-address: 192.168.0.0/16
    private-address: ::ffff:c0a8:0/112
    private-address: fd00::/8
    private-address: fe80::/10

    # Access lists
    include: /var/unbound/access_lists.conf

    # Static host entries
    include: /var/unbound/host_entries.conf

    # dhcp lease entries
    include: /var/unbound/dhcpleases_entries.conf

    # Domain overrides
    include: /var/unbound/domainoverrides.conf

    # Forwarding
    forward-zone:
    name: "."
    forward-tls-upstream: yes
    forward-addr: 9.9.9.9@853
    forward-addr: 149.112.112.112@853

    # Unbound custom options
    log-replies: yes

    # Remote Control Config
    include: /var/unbound/remotecontrol.conf

    • B
      bmeeks @newUser2pfSense
      last edited by Jun 10, 2020, 5:49 PM

      You need to open this file in an editor and find line #105. That's where the error is. Look again at the error message you are given from the logs:

      the output was '/var/unbound/unbound.conf:105: error: syntax error
      

      The ":105" part is the line number where the syntax error is located.

      • N
        newUser2pfSense
        last edited by newUser2pfSense Jun 10, 2020, 5:51 PM Jun 10, 2020, 5:51 PM

        I copied the entire contents and pasted it into a text file in an editor and I believe line 105 is:

        log-replies: yes

        • P
          pete35
          last edited by Jun 10, 2020, 5:53 PM

          Go to the custom options in the unbound gui and remove this line. Save and restart unbound.

          • B
            bmeeks @newUser2pfSense
            last edited by bmeeks Jun 10, 2020, 5:54 PM Jun 10, 2020, 5:53 PM

            @newUser2pfSense said in unbound DNS Resolver Will Not Start:

            I copied the entire contents and pasted it into a text file in an editor and I believe line 105 is:

            log-replies: yes

            I don't see anything wrong on that line, but there may be extra control or other characters present that either did not get copied into your post or show up as whitespace and thus are invisible. Clearly there is something on line 105 that unbound does not care for. Could be something just in front of, or just behind, that line number.

            • B
              bmeeks
              last edited by Jun 10, 2020, 5:57 PM

              User @pete35 is on the right track with his suggestions. You need to wipe out all of the custom conf stuff that pfBlockerNG would have added to unbound's conf file.

              • N
                newUser2pfSense
                last edited by Jun 10, 2020, 5:58 PM

                So I went to Services > DNS Resolver > General settings and deleted the log-replies: yes.

                As soon as I went to the dashboard, the Services Status > unbound DNS Resolver is now started.

                • B
                  bmeeks @newUser2pfSense
                  last edited by Jun 10, 2020, 6:00 PM

                  @newUser2pfSense said in unbound DNS Resolver Will Not Start:

                  So I went to Services > DNS Resolver > General settings and deleted the log-replies: yes.

                  As soon as I went to the dashboard, the Services Status > unbound DNS Resolver is now started.

                  Great! There must have been something else lurking on that line because according to the man page I found on Google that option is a valid one.

                  • P
                    pete35
                    last edited by Jun 10, 2020, 6:00 PM

                    So insert that line again, but don't copy it from anywhere, just type it in. Save and restart; if that is OK, then you can enable pfblocker.

                    • N
                      newUser2pfSense
                      last edited by Jun 10, 2020, 6:17 PM

                      Ok, so I tried this two times and no luck -
                      I went to Diagnostics > Edit File and browsed to the file and typed the line back in and saved the file. As a test to make sure the line stayed in the file, I restarted pfSense. When logging back into the GUI, the unbound DNS Resolver is working, however, when I check the file, the line is not there.

                      Going to Services > DNS Resolver > General Settings > Custom options, I tried typing the line in there and saving and I received the following error message:

                      The following input errors were detected:

                      • The generated config file cannot be parsed by unbound. Please correct the following errors:
                      • /var/unbound/test/unbound.conf:105: error: syntax error
                      • read /var/unbound/test/unbound.conf failed: 1 errors in configuration file

                      Hmm, /test/ is in this path. When I look in the file with the /test/ in the path, the line is there.

                      • P
                        pete35
                        last edited by Jun 10, 2020, 6:24 PM

                        Hmm, I don't think you need that option. If it is OK for you, just forget about it. Enable pfblocker. Suggestion: before reconfiguring anything or doing an update, please do a backup of a running config.

                        • B
                          bmeeks @newUser2pfSense
                          last edited by bmeeks Jun 10, 2020, 7:41 PM Jun 10, 2020, 6:42 PM

                          @newUser2pfSense said in unbound DNS Resolver Will Not Start:

                          Ok, so I tried this two times and no luck -
                          I went to Diagnostics > Edit File and browsed to the file and typed the line back in and saved the file. As a test to make sure the line stayed in the file, I restarted pfSense. When logging back into the GUI, the unbound DNS Resolver is working, however, when I check the file, the line is not there.

                          Going to Services > DNS Resolver > General Settings > Custom options, I tried typing the line in there and saving and I received the following error message:

                          The following input errors were detected:

                          • The generated config file cannot be parsed by unbound. Please correct the following errors:
                          • /var/unbound/test/unbound.conf:105: error: syntax error
                          • read /var/unbound/test/unbound.conf failed: 1 errors in configuration file

                          Hmm, /test/ is in this path. When I look in the file with the /test/ in the path, the line is there.

                          Manually typing into the config files will not be persistent. The GUI code recreates the conf files for all packages each time you start/stop the service or otherwise modify something in pfSense. All configuration is stored in the firewall's config.xml file and read out from there when creating or recreating conf files. When you go into SERVICES > DNS Resolver > General Settings > Custom Options and type in something, then when you click Save the conf file is recreated from scratch. Any changes you make directly on the filesystem (such as when using DIAGNOSTICS > EDIT FILE) are overwritten. This is true for all packages, and is something new users typically get confused by. You edit something on the command line and yet it doesn't "stay edited".

                          • N
                            newUser2pfSense
                            last edited by Jun 10, 2020, 6:47 PM

                            Maybe that's why I'm now seeing the following line in Custom options as it wasn't there before:

                            server:include: /var/unbound/pfb_dnsbl.*conf

                            I was actually going to go into the console and use vi to add the line as a test to see what happens but now that this line is in there, on line 105, I'm not sure what to do.

                            • B
                              bmeeks @newUser2pfSense
                              last edited by Jun 10, 2020, 6:52 PM

                              @newUser2pfSense said in unbound DNS Resolver Will Not Start:

                              Maybe that's why I'm now seeing the following line in Custom options as it wasn't there before:

                              server:include: /var/unbound/pfb_dnsbl.*conf

                              I was actually going to go into the console and use vi to add the line as a test to see what happens but now that this line is in there, on line 105, I'm not sure what to do.

                              pfBlockerNG's DNSBL functionality puts that line in there. It tells the unbound resolver to load up the additional configuration info it finds in that file (or files matching that wildcard). That's how the ad blocking and other stuff works. Now, it may be that unbound is no longer liking that wildcard spec or something.

                              • N
                                newUser2pfSense
                                last edited by Jun 10, 2020, 7:01 PM

                                Interestingly, I went to Services > DNS Resolver > General Settings > General DNS Resolver Options > Custom options and typed in the line, saved it, and then restarted pfSense. Everything seems to work now for whatever reason, odd. The Custom options box now shows these two lines:

                                server:include: /var/unbound/pfb_dnsbl.*conf
                                log-replies: yes

                                Wouldn't you know it, as I look on the GUI Dashboard, there's a new version of pfBlockerNG-devel.

                                • N
                                  newUser2pfSense
                                  last edited by Jun 10, 2020, 7:32 PM

                                  Everything seems to be back online and working now.

                                  I made sure I completed a pfSense backup.

                                  I want to thank bmeeks and pete35 for all of their assistance. I appreciate you taking time out of your day to help!

                                  • S
                                    serbus
                                    last edited by Jun 10, 2020, 8:01 PM

                                    Hello!

                                    I have been bit by this before...

                                    log-replies has to go in a server block.
                                    You are leeching off the "server:" specified by pfb, but when that package is removed you get the error.
                                    I recommend that you enter the full block specifiers for all custom unbound commands.
                                    So:

                                    server:log-replies:yes

                                    It is OK to have multiple server blocks specified.

                                    John

                                    Lex parsimoniae
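
The failure mode serbus describes, as an added example (not code from this thread, pfSense or unbound): a simplified Python check that tracks which clause each line of a generated unbound.conf falls under and reports server-only options that land outside `server:`. The clause and option sets are small illustrative subsets, the sample config is constructed from the settings quoted in this thread, and `include:` files are not followed.

```python
import re

# Clause keywords that open a new section in unbound.conf (subset).
CLAUSES = {"server", "forward-zone", "stub-zone", "auth-zone",
           "remote-control", "view"}
# Illustrative subset of options that belong in the "server:" clause.
SERVER_ONLY = {"log-replies", "log-queries", "verbosity", "private-address"}

KEY = re.compile(r"([A-Za-z0-9-]+):")

# Constructed sample: tail of a generated config, ending where the GUI
# appends the "Custom options" text (right after the forward-zone clause).
BASE_LINES = [
    "server:",
    "verbosity: 2",
    "forward-zone:",
    'name: "."',
    "forward-tls-upstream: yes",
    "forward-addr: 9.9.9.9@853",
    "# Unbound custom options",
]

def build_conf(custom_options):
    """Append the custom-options text to the constructed base config."""
    return "\n".join(BASE_LINES + custom_options.splitlines())

def misplaced_options(conf_text):
    """Return (line_no, option, active_clause) for each server-only option
    found outside a server: clause. Simplified model, not unbound's parser."""
    clause = None
    findings = []
    for line_no, raw in enumerate(conf_text.splitlines(), start=1):
        line = raw.split("#", 1)[0].strip()   # drop comments
        while line:
            m = KEY.match(line)
            if not m:
                break
            key = m.group(1)
            if key in CLAUSES:
                clause = key
                # The same line may continue, e.g. "server:log-replies:yes".
                line = line[m.end():].lstrip()
                continue
            if key in SERVER_ONLY and clause != "server":
                findings.append((line_no, key, clause))
            break                              # the rest is the option's value
    return findings

if __name__ == "__main__":
    cases = {
        "bare option": "log-replies: yes",
        "after pfb line": "server:include: /var/unbound/pfb_dnsbl.*conf\n"
                          "log-replies: yes",
        "own server block": "server:log-replies:yes",
    }
    for label, custom in cases.items():
        print(label, "->", misplaced_options(build_conf(custom)) or "ok")
```

Only the bare `log-replies: yes` is reported, because it inherits the `forward-zone:` clause that precedes the custom options; the other two forms reopen `server:` first.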

                                    • N
                                      newUser2pfSense
                                      last edited by Jun 10, 2020, 8:38 PM

                                      serbus...thank you for the reply. I've made the edit, saved, restarted, and everything is still working. I've also made my backups to the system. Wheeew!

                                      • R
                                        reza.mnp
                                        last edited by Jun 18, 2020, 7:40 AM

                                        I cannot start the unbound service:

                                        The following input errors were detected:
                                        The generated config file cannot be parsed by unbound. Please correct the following errors:
                                        Shared object "libevent-2.1.so.7" not found, required by "unbound-checkconf"

                                        • GertjanG
                                          Gertjan @newUser2pfSense
                                          last edited by Jun 18, 2020, 8:28 AM

                                          @reza-mnp said in unbound DNS Resolver Will Not Start:

                                          Shared object "libevent-2.1.so.7" not found, required by "unbound-checkconf"

                                          "libevent-2.1.so.7" is not /var/unbound/unbound.conf.

                                          I saw this one https://forum.netgate.com/topic/154509/libevent-2-1-so-7-not-found and I can create that situation rather easily : by deleting that lib file.
                                          Still, there is not enough info.

                                          No "help me" PM's please. Use the forum, the community will thank you.
                                          Edit : and where are the logs ??

                                          Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.