4. Upgrade from 2.2.6 to 2.3.1, now dns resolver and unbound issue

Upgrade from 2.2.6 to 2.3.1, now dns resolver and unbound issue

  • M

    After the upgrade DNS service stopped working correctly.  I even tried doing a factory reset but still was unable to get DNS working.  When I try to update DNS resolver settings I get the following errors:

    The generated config file cannot be parsed by unbound. Please correct the following errors:
    /var/unbound/test/root.key: No such file or directory
    [1469464586] unbound-checkconf[62152:0] fatal error: auto-trust-anchor-file: "/var/unbound/test/root.key" does not exist in chrootdir /var/unbound

    I have seen references to these errors in the forums and bug reports, but I have not figured out a way to get unbound working again on my system.  I'd like to fix if possible, but if necessary I can do a fresh install of pfsense….

    0

  • In the past when my root.key has become corrupt, I've been able to fix it by SSH'ing into the system and running these commands:

    rm /var/unbound/root.key
unbound-anchor -a /var/unbound/root.key
chown unbound /var/unbound/root.key

    But looking at your error, it looks a little weird to me that your anchor file is at /var/unbound/test/
    That doesn't seem right.  It should be at /var/unbound on a standard system (afaik).

    Can you post your entire unbound.conf (should be at /var/unbound/unbound.conf)

    0
  • J

    I am seeing the exact same problem, but with release 2.3.2, with unbound and the strange path issue. Here is the error message when DNS Resolver is completely disabled:

    The following input errors were detected:

        The generated config file cannot be parsed by unbound. Please correct the following errors:
    /var/unbound/test/root.key: No such file or directory
    [1469918305] unbound-checkconf[94255:0] fatal error: auto-trust-anchor-file: "/var/unbound/test/root.key" does not exist in chrootdir /var/unbound

    I tried the 3 commands that were listed as a possible fix and no-go. Now here is the weird part about all of this…

    DNS resolution on my network is working very well. I send 3 forward and 1 reverse domain to a Windows Server that handles AD. That is all working great surprisingly! But, I noticed that on the pfSense dashboard, it is unable to check for the latest version nor can I see installed or available packages. I also noticed that when the filter rules are reapplied, there are failures from filterdns:

    Jul  4 07:12:09 pfSense filterdns: failed to resolve host ns4.he.net will retry later again.
Jul  4 07:12:09 pfSense filterdns: failed to resolve host ns5.he.net will retry later again.
Jul  4 07:12:09 pfSense filterdns: failed to resolve host ns1.he.net will retry later again.
Jul  4 07:12:09 pfSense filterdns: failed to resolve host ns3.he.net will retry later again.

    Here is even more goodness:

    [2.3.2-RELEASE][admin@pfSense]/root: ping www.google.com
ping: cannot resolve www.google.com: Host name lookup failure

[2.3.2-RELEASE][admin@pfSense]/root:nslookup www.google.com
nslookup: isc_socket_bind: address not available

    Tell me what you need and I will get it to you. Thanks for you help!

    0
  • J

    :( I hate having to do this, but I have to bump this topic.

    I don't believe I mentioned that I have multi-wan going with two TWC cable modems and yes they are on two completely separate gateway/subnet combinations. It works and it's NICE

    As far as I can tell, there is zero DNS resolution occurring on the pfSense server. The only way I have sort of been able to at least get pkg updated was adding a /etc/hosts entry, but after a few seconds to minutes, that fails as well. FilterDNS command cannot resolve DNS entries, it's basically like the system has lost all DNS functionality. I have an internal DNS server which DHCP servers as the DNS server, so all client machines are resolving perfectly. I have even tried putting the internal IP as one of the resolver IPs as well as now using my ISP's DNS servers. I completely reinstalled pfSense 2.3.2 from scratch, but unfortunately, I used a backup configuration to get my system back up and going.

    I'm honestly not looking for a solution, I'm looking for possible places to start with and I'd rather not start the whole thing over from scratch… Any ideas would help!

    0
  • Rebel Alliance Developer Netgate

    Make sure you have a default gateway. Check Diag > Routes, make sure you have a "default" line there. If you don't, then go to System > Routing, edit one of the gateways and mark it default, then save/apply and check it again.

    Try to ping out from the firewall by IP address, see if that works.

    If you can ping to 8.8.8.8, perhaps set that as a DNS server under System > General Setup and enable forwarding mode in the DNS Resolver.
    Also you could try disabling DNSSEC.

    0
 

Products

Applications

Support

Services

News

Resources

Company

Our Mission

As host of the pfSense open source firewall project, Netgate believes in enhancing network connectivity that maintains both security and privacy. We also believe everyone should be able to afford it.

Subscribe to our Newsletter

Product information, software announcements, and special offers. See our newsletter archive for past announcements.

© Copyright 2002 - 2019 Rubicon Communications, LLC | Privacy Policy