Upgrade from 2.2.6 to 2.3.1, now dns resolver and unbound issue
-
After the upgrade DNS service stopped working correctly. I even tried doing a factory reset but still was unable to get DNS working. When I try to update DNS resolver settings I get the following errors:
The generated config file cannot be parsed by unbound. Please correct the following errors:
/var/unbound/test/root.key: No such file or directory
[1469464586] unbound-checkconf[62152:0] fatal error: auto-trust-anchor-file: "/var/unbound/test/root.key" does not exist in chrootdir /var/unbound
I have seen references to these errors in the forums and bug reports, but I have not figured out a way to get unbound working again on my system. I'd like to fix it if possible, but if necessary I can do a fresh install of pfSense…
-
In the past when my root.key has become corrupt, I've been able to fix it by SSH'ing into the system and running these commands:
rm /var/unbound/root.key
unbound-anchor -a /var/unbound/root.key
chown unbound /var/unbound/root.key
But looking at your error, it looks a little weird to me that your anchor file is at /var/unbound/test/
That doesn't seem right. It should be at /var/unbound on a standard system (afaik).
Can you post your entire unbound.conf (should be at /var/unbound/unbound.conf)?
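The path complaint in the error can be reproduced offline against a copy of the config. This is an added example, not code from the thread or from pfSense: it reads chroot and auto-trust-anchor-file from an unbound.conf and applies the rule assumed here for how unbound-checkconf resolves file paths under a chroot (a path that already starts with the chroot directory is checked as-is; any other path is checked with the chroot directory prepended), which is why a root.key that does exist at /var/unbound/root.key does nothing for a config that points at /var/unbound/test/root.key. The function names are my own.

```shell
#!/bin/sh
# Added example, not from the thread: reproduce the chroot check that
# unbound-checkconf applies to auto-trust-anchor-file, using a copy of
# unbound.conf, so the "does not exist in chrootdir" error can be
# explained without touching the running resolver.
# Assumed rule: a path that already starts with the chroot directory is
# used as-is; any other path has the chroot directory prepended.

# Print the value of directive $2 from config file $1
# (first match, leading whitespace and surrounding quotes removed).
conf_value() {
    sed -n "s/^[[:space:]]*$2:[[:space:]]*//p" "$1" | head -n 1 | tr -d '"'
}

# Print the host path that checkconf will test for the trust anchor.
anchor_path_in_chroot() {
    chroot_dir=$(conf_value "$1" chroot)
    anchor=$(conf_value "$1" auto-trust-anchor-file)
    case "$anchor" in
        "$chroot_dir"/*) printf '%s\n' "$anchor" ;;
        *)               printf '%s\n' "${chroot_dir}${anchor}" ;;
    esac
}

# Return 0 if the anchor file exists where unbound will look, 1 if not.
# On failure, say where it looked so the directive can be compared with
# the location the trust anchor was actually regenerated at.
check_anchor() {
    path=$(anchor_path_in_chroot "$1")
    if [ -f "$path" ]; then
        echo "ok: trust anchor present at $path"
        return 0
    fi
    echo "missing: $path (chroot $(conf_value "$1" chroot))" >&2
    echo "either the directive points at the wrong place, or regenerate" >&2
    echo "the anchor there: unbound-anchor -a $path; chown unbound $path" >&2
    return 1
}
```

Run it as `check_anchor /path/to/copy/of/unbound.conf`; for the thread's config it reports the missing /var/unbound/test/root.key even when /var/unbound/root.key is present.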
-
I am seeing the exact same problem, but with release 2.3.2, with unbound and the strange path issue. Here is the error message when DNS Resolver is completely disabled:
The following input errors were detected:
The generated config file cannot be parsed by unbound. Please correct the following errors:
/var/unbound/test/root.key: No such file or directory
[1469918305] unbound-checkconf[94255:0] fatal error: auto-trust-anchor-file: "/var/unbound/test/root.key" does not exist in chrootdir /var/unbound
I tried the 3 commands that were listed as a possible fix and no-go. Now here is the weird part about all of this…
DNS resolution on my network is working very well. I send 3 forward and 1 reverse domain to a Windows Server that handles AD. That is all working great surprisingly! But, I noticed that on the pfSense dashboard, it is unable to check for the latest version nor can I see installed or available packages. I also noticed that when the filter rules are reapplied, there are failures from filterdns:
Jul 4 07:12:09 pfSense filterdns: failed to resolve host ns4.he.net will retry later again.
Jul 4 07:12:09 pfSense filterdns: failed to resolve host ns5.he.net will retry later again.
Jul 4 07:12:09 pfSense filterdns: failed to resolve host ns1.he.net will retry later again.
Jul 4 07:12:09 pfSense filterdns: failed to resolve host ns3.he.net will retry later again.
Here is even more goodness:
[2.3.2-RELEASE][admin@pfSense]/root: ping www.google.com
ping: cannot resolve www.google.com: Host name lookup failure
[2.3.2-RELEASE][admin@pfSense]/root: nslookup www.google.com
nslookup: isc_socket_bind: address not available
Tell me what you need and I will get it to you. Thanks for your help!
-
:( I hate having to do this, but I have to bump this topic.
I don't believe I mentioned that I have multi-wan going with two TWC cable modems and yes they are on two completely separate gateway/subnet combinations. It works and it's NICE…
As far as I can tell, there is zero DNS resolution occurring on the pfSense server. The only way I have sort of been able to at least get pkg updated was adding a /etc/hosts entry, but after a few seconds to minutes, that fails as well. The FilterDNS command cannot resolve DNS entries; it's basically like the system has lost all DNS functionality. I have an internal DNS server which DHCP serves as the DNS server, so all client machines are resolving perfectly. I have even tried putting the internal IP as one of the resolver IPs as well as now using my ISP's DNS servers. I completely reinstalled pfSense 2.3.2 from scratch, but unfortunately, I used a backup configuration to get my system back up and going.
I'm honestly not looking for a solution; I'm looking for possible places to start with, and I'd rather not start the whole thing over from scratch… Any ideas would help!
-
Make sure you have a default gateway. Check Diag > Routes, make sure you have a "default" line there. If you don't, then go to System > Routing, edit one of the gateways and mark it default, then save/apply and check it again.
Try to ping out from the firewall by IP address, see if that works.
If you can ping 8.8.8.8, perhaps set that as a DNS server under System > General Setup and enable forwarding mode in the DNS Resolver.
Also you could try disabling DNSSEC.