Netgate Discussion Forum

Status > DNS Resolver Shows No Data

21.02.2/2.5.1 Snapshots (Retired)
  • G
    g.shaffer
    last edited by Apr 5, 2021, 11:23 PM

    Running 2.5.1.r.20210405.0300. Looking at the DNS Resolver status the page reports "No Data" for both Cache Speed and Cache Stats.

    If I run the same command as the Web GUI ("/usr/local/www: /usr/local/sbin/unbound-control -c /var/unbound/unbound.conf dump_infra") I get the following output:

    error: could not SSL_read
    34375933952:error:14094438:SSL routines:ssl3_read_bytes:tlsv1 alert internal error:/build/ce-crossbuild-251/sources/FreeBSD-src/crypto/openssl/ssl/record/rec_layer_s3.c:1544:SSL alert number 80

    My unbound config has not really changed from 2.4.5-p1 and I recall seeing info displayed when viewing the DNS Resolver status before. Any suggestions?

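Added example (not part of the original thread or of pfSense/Unbound code): a decoder for the OpenSSL error-queue line quoted in the post above, showing what the packed code 14094438 says about which side of the TLS connection reported the failure. It assumes the OpenSSL 1.1.1 error-code layout (8-bit library, 12-bit function, 12-bit reason); the names `decode_openssl_error`, `ALERT_NAMES` and `SAMPLE` are illustrative.

```python
import re

# The error line as quoted in the post above.
SAMPLE = ("34375933952:error:14094438:SSL routines:ssl3_read_bytes:"
          "tlsv1 alert internal error:/build/ce-crossbuild-251/sources/"
          "FreeBSD-src/crypto/openssl/ssl/record/rec_layer_s3.c:1544:"
          "SSL alert number 80")

# thread-id:error:<packed code>:<library>:<function>:<reason>:<file>:<line>:<data>
LINE_RE = re.compile(
    r"^(?P<tid>\d+):error:(?P<code>[0-9A-Fa-f]{8}):(?P<lib>[^:]*):"
    r"(?P<func>[^:]*):(?P<reason>[^:]*):(?P<file>[^:]*):(?P<line>\d+):(?P<data>.*)$")

ERR_LIB_SSL = 20             # library number of "SSL routines"
SSL_AD_REASON_OFFSET = 1000  # reason = 1000 + alert when the peer sent the alert

# Subset of TLS alert descriptions (RFC 5246 / RFC 8446).
ALERT_NAMES = {10: "unexpected_message", 20: "bad_record_mac",
               40: "handshake_failure", 42: "bad_certificate",
               48: "unknown_ca", 70: "protocol_version",
               80: "internal_error"}

def decode_openssl_error(line):
    """Unpack one OpenSSL 1.1.1 error-queue line into its numeric fields."""
    m = LINE_RE.match(line.strip())
    if not m:
        raise ValueError("not an OpenSSL 1.1.1 error-queue line")
    code = int(m["code"], 16)
    lib, func, reason = (code >> 24) & 0xFF, (code >> 12) & 0xFFF, code & 0xFFF
    result = {"lib": lib, "func": func, "reason": reason,
              "source": "%s:%s" % (m["file"].rsplit("/", 1)[-1], m["line"]),
              "alert": None, "alert_name": None, "received_from_peer": False}
    # SSL-library reasons of 1000 and above are alerts received from the peer,
    # not errors detected locally by the process that printed the line.
    if lib == ERR_LIB_SSL and reason >= SSL_AD_REASON_OFFSET:
        alert = reason - SSL_AD_REASON_OFFSET
        result.update(alert=alert, received_from_peer=True,
                      alert_name=ALERT_NAMES.get(alert, "unknown"))
        # Cross-check against the human-readable data field when present.
        tail = re.search(r"SSL alert number (\d+)", m["data"])
        if tail and int(tail.group(1)) != alert:
            raise ValueError("alert number does not match the packed code")
    return result

if __name__ == "__main__":
    print(decode_openssl_error(SAMPLE))
```

For the quoted line this yields alert 80 (internal_error) with `received_from_peer` set: the alert came from the other end of the connection that unbound-control opened, so unbound-control is reporting the failure rather than originating it.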
    • J
      jimp Rebel Alliance Developer Netgate
      last edited by Apr 6, 2021, 1:03 PM

      I've tried that on at least 10 different boxes on 2.5.1 and 21.02.2 snapshots (yesterday's date) in my lab and can't reproduce that. Every unbound-control command I run with similar parameters from the GUI or shell works.

      Is there something special or unique about your DNS Resolver setup? Maybe you have chosen specific interfaces to bind but didn't include Localhost in the list?

      Is the DNS Resolver running and returning valid answers to clients?

      Do you have any potentially conflicting packages like BIND installed that might have grabbed Unbound's control port?

      Remember: Upvote with the 👍 button for any user/post you find to be helpful, informative, or deserving of recognition!

      Need help fast? Netgate Global Support!

      Do not Chat/PM for help!

      • G
        g.shaffer @jimp
        last edited by Apr 6, 2021, 3:44 PM

        @jimp It's a basic setup listening on all interfaces on port 53, enabled SSL/TLS services (port 853), as a Transparent zone using an LE cert. DNSSEC and Python are not enabled. DNS Query Forwarding is enabled along with use SSL/TLS for outgoing queries. I'm not registering any DHCP leases. I do have a large number of Host overrides set for my local environment and I am running pfBlockerNG DNSBL. I'm not running BIND. I have access lists set up for my internal networks.

        Based on an older post, I did delete the unbound_control and unbound_server files in /var/unbound and restarted unbound. Still displaying "No Data" and seeing the same error when running the command manually.

        • J
          jimp Rebel Alliance Developer Netgate
          last edited by Apr 6, 2021, 4:57 PM

          I wouldn't call anything with pfBlockerNG DNSBL "basic".

          Try disabling that temporarily and see if the behavior changes.

          • G
            g.shaffer @jimp
            last edited by Apr 6, 2021, 5:23 PM

            @jimp based on this post https://forum.netgate.com/topic/162712/openssl-error-0201502d-system-library-ioctl-operation I changed the cryptographic hardware setting to AES-NI (had it set to AES-NI and Crypto Dev) and I am now seeing data in the DNS Resolver status page and am not getting the error when I run the command from the command line.

            I was running both AES-NI and Crypto Dev in 2.4.5-p1 without seeing these issues. Something broke this in 2.5.0.

            • J
              jimp Rebel Alliance Developer Netgate
              last edited by Apr 6, 2021, 6:05 PM

              It was actually OK in 2.5.0 but broke on recent 2.5.1 snapshots with the OpenSSL 1.1.1k import. That introduced a change which broke cryptodev, which is what we're working on to resolve that other issue (and should take care of this as well).

              • G
                g.shaffer @jimp
                last edited by Apr 6, 2021, 6:40 PM

                @jimp Thanks, let me know if I can test any fix for you.

                • J
                  jimp Rebel Alliance Developer Netgate
                  last edited by Apr 6, 2021, 6:48 PM

                  The fix should be in snapshots building now, so try a snapshot in the AM and see if it's better there.

                  • G
                    g.shaffer @jimp
                    last edited by Apr 7, 2021, 3:44 PM

                    @jimp 2.5.1.r.20210406.1302 has resolved the issue. Thanks!

                    Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.