Netgate Discussion Forum

    Upgrade from 2.2.6 to 2.3.1, now dns resolver and unbound issue

      mikeybs

      After the upgrade DNS service stopped working correctly.  I even tried doing a factory reset but still was unable to get DNS working.  When I try to update DNS resolver settings I get the following errors:

      The generated config file cannot be parsed by unbound. Please correct the following errors:
      /var/unbound/test/root.key: No such file or directory
      [1469464586] unbound-checkconf[62152:0] fatal error: auto-trust-anchor-file: "/var/unbound/test/root.key" does not exist in chrootdir /var/unbound

      I have seen references to these errors in the forums and bug reports, but I have not figured out a way to get unbound working again on my system.  I'd like to fix if possible, but if necessary I can do a fresh install of pfsense….

        luckman212 LAYER 8

        In the past when my root.key has become corrupt, I've been able to fix it by SSH'ing into the system and running these commands:

        rm /var/unbound/root.key
        unbound-anchor -a /var/unbound/root.key
        chown unbound /var/unbound/root.key
        
        

        But looking at your error, it looks a little weird to me that your anchor file is at /var/unbound/test/
        That doesn't seem right.  It should be at /var/unbound on a standard system (afaik).

        Can you post your entire unbound.conf (should be at /var/unbound/unbound.conf)

          JeremyTTU

          I am seeing the exact same problem, but with release 2.3.2, with unbound and the strange path issue. Here is the error message when DNS Resolver is completely disabled:

          The following input errors were detected:

              The generated config file cannot be parsed by unbound. Please correct the following errors:
              /var/unbound/test/root.key: No such file or directory
              [1469918305] unbound-checkconf[94255:0] fatal error: auto-trust-anchor-file: "/var/unbound/test/root.key" does not exist in chrootdir /var/unbound
          

          I tried the 3 commands that were listed as a possible fix and no-go. Now here is the weird part about all of this…

          DNS resolution on my network is working very well. I send 3 forward and 1 reverse domain to a Windows Server that handles AD. That is all working great surprisingly! But, I noticed that on the pfSense dashboard, it is unable to check for the latest version nor can I see installed or available packages. I also noticed that when the filter rules are reapplied, there are failures from filterdns:

          Jul  4 07:12:09 pfSense filterdns: failed to resolve host ns4.he.net will retry later again.
          Jul  4 07:12:09 pfSense filterdns: failed to resolve host ns5.he.net will retry later again.
          Jul  4 07:12:09 pfSense filterdns: failed to resolve host ns1.he.net will retry later again.
          Jul  4 07:12:09 pfSense filterdns: failed to resolve host ns3.he.net will retry later again.
          

          Here is even more goodness:

          [2.3.2-RELEASE][admin@pfSense]/root: ping www.google.com
          ping: cannot resolve www.google.com: Host name lookup failure
          
          [2.3.2-RELEASE][admin@pfSense]/root:nslookup www.google.com
          nslookup: isc_socket_bind: address not available
          

          Tell me what you need and I will get it to you. Thanks for your help!

            JeremyTTU

            :( I hate having to do this, but I have to bump this topic.

            I don't believe I mentioned that I have multi-wan going with two TWC cable modems and yes they are on two completely separate gateway/subnet combinations. It works and it's NICE…

            As far as I can tell, there is zero DNS resolution occurring on the pfSense server. The only way I have sort of been able to at least get pkg updated was adding a /etc/hosts entry, but after a few seconds to minutes, that fails as well. FilterDNS command cannot resolve DNS entries, it's basically like the system has lost all DNS functionality. I have an internal DNS server which DHCP serves as the DNS server, so all client machines are resolving perfectly. I have even tried putting the internal IP as one of the resolver IPs as well as now using my ISP's DNS servers. I completely reinstalled pfSense 2.3.2 from scratch, but unfortunately, I used a backup configuration to get my system back up and going.

            I'm honestly not looking for a solution, I'm looking for possible places to start with and I'd rather not start the whole thing over from scratch… Any ideas would help!

              jimp Rebel Alliance Developer Netgate

              Make sure you have a default gateway. Check Diag > Routes, make sure you have a "default" line there. If you don't, then go to System > Routing, edit one of the gateways and mark it default, then save/apply and check it again.

              Try to ping out from the firewall by IP address, see if that works.

              If you can ping to 8.8.8.8, perhaps set that as a DNS server under System > General Setup and enable forwarding mode in the DNS Resolver.
              Also you could try disabling DNSSEC.

              1 Reply Last reply Reply Quote 0
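The checks discussed in this thread (the trust-anchor file named in the unbound-checkconf error, then default route, ping by IP and name lookup in that order), as an added example that is not part of any post above and is not pfSense's own code. Function names are hypothetical and the routing table is constructed sample data; the error line is the one quoted in the first post.

```sh
#!/bin/sh
# Added example; function names are hypothetical, sample data is constructed.

# Succeeds if routing-table text on stdin (netstat -rn layout) has a default route.
has_default_route() {
    awk '$1 == "default" { found = 1 } END { exit !found }'
}

# Prints the trust-anchor path named in an unbound-checkconf fatal error on stdin.
anchor_from_error() {
    sed -n 's/.*auto-trust-anchor-file: "\([^"]*\)" does not exist.*/\1/p'
}

# Classifies a trust-anchor file as missing, empty or present.
anchor_state() {
    if [ ! -e "$1" ]; then echo missing
    elif [ ! -s "$1" ]; then echo empty
    else echo present
    fi
}

# Picks the next step in the order given in the thread.
# $1 = routing table text, $2 = ok|fail (ping by IP), $3 = ok|fail (name lookup)
next_step() {
    if ! printf '%s\n' "$1" | has_default_route; then
        echo "mark a gateway as default under System > Routing"
    elif [ "$2" != ok ]; then
        echo "fix connectivity by IP before changing DNS settings"
    elif [ "$3" != ok ]; then
        echo "set a reachable DNS server; try forwarding mode or disabling DNSSEC"
    else
        echo "routing and name resolution both work"
    fi
}

# Constructed routing table with no "default" line.
SAMPLE_ROUTES='Destination        Gateway            Flags     Netif
127.0.0.1          link#4             UH          lo0
192.168.1.0/24     link#2             U           em1'

# Error line as quoted in the first post of this thread.
SAMPLE_ERROR='[1469464586] unbound-checkconf[62152:0] fatal error: auto-trust-anchor-file: "/var/unbound/test/root.key" does not exist in chrootdir /var/unbound'

echo "anchor named in error: $(printf '%s\n' "$SAMPLE_ERROR" | anchor_from_error)"
echo "next step: $(next_step "$SAMPLE_ROUTES" ok fail)"
```

On the firewall itself the same functions take live input, for example `netstat -rn | has_default_route` and `anchor_state /var/unbound/root.key`.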