Upgrade from 2.2.6 to 2.3.1, now dns resolver and unbound issue
mikeybs last edited by
After the upgrade DNS service stopped working correctly. I even tried doing a factory reset but still was unable to get DNS working. When I try to update DNS resolver settings I get the following errors:
The generated config file cannot be parsed by unbound. Please correct the following errors:
/var/unbound/test/root.key: No such file or directory
 unbound-checkconf[62152:0] fatal error: auto-trust-anchor-file: "/var/unbound/test/root.key" does not exist in chrootdir /var/unbound
I have seen references to these errors in the forums and bug reports, but I have not figured out a way to get unbound working again on my system. I'd like to fix it if possible, but if necessary I can do a fresh install of pfsense….
luckman212 last edited by
In the past when my root.key has become corrupt, I've been able to fix it by SSH'ing into the system and running these commands:
rm /var/unbound/root.key
unbound-anchor -a /var/unbound/root.key
chown unbound /var/unbound/root.key
But looking at your error, it looks a little weird to me that your anchor file is at /var/unbound/test/
That doesn't seem right. It should be at /var/unbound on a standard system (afaik).
Can you post your entire unbound.conf (should be at /var/unbound/unbound.conf)
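As an added example (not part of this thread, and not pfSense's or unbound's own code), here is a small checker that reproduces the specific complaint in the error above: it reads an unbound.conf, takes the chroot and auto-trust-anchor-file directives, works out the path unbound would actually open, and reports whether that file exists. The sample config and the fake filesystem are constructed to mirror the thread; the way paths are resolved against the chroot (a path already under the chroot is used as-is, anything else is taken relative to it) is my assumption about unbound's behaviour, so treat it as a model rather than a reimplementation.

```python
"""Check whether unbound's auto-trust-anchor-file is reachable inside its chroot.

Added example, not pfSense or unbound code. It mimics the check that makes
unbound-checkconf fail with 'does not exist in chrootdir'.
"""
import os
import re

# Matches simple 'key: value' lines, with or without quotes around the value.
DIRECTIVE_RE = re.compile(r'^\s*([a-z\-]+):\s*"?([^"\s]+)"?\s*$')


def parse_unbound_conf(text):
    """Return {directive: [values]} for 'key: value' lines, ignoring comments and clauses."""
    settings = {}
    for line in text.splitlines():
        line = line.split('#', 1)[0]          # strip trailing comments
        m = DIRECTIVE_RE.match(line)
        if m:
            settings.setdefault(m.group(1), []).append(m.group(2))
    return settings


def effective_path(path, chroot):
    """Path unbound would open at runtime (assumed model of its chroot handling).

    A path that already starts with the chroot is used unchanged; any other
    path is interpreted relative to the chroot directory.
    """
    if not chroot:
        return path
    root = chroot.rstrip('/')
    if path == root or path.startswith(root + '/'):
        return path
    return root + '/' + path.lstrip('/')


def check_trust_anchor(conf_text, exists=os.path.exists):
    """Return a list of problems with auto-trust-anchor-file; empty means OK.

    `exists` is injectable so the check can run against a constructed filesystem.
    """
    settings = parse_unbound_conf(conf_text)
    chroot = settings.get('chroot', [''])[0]
    problems = []
    anchors = settings.get('auto-trust-anchor-file', [])
    if not anchors:
        return problems  # no DNSSEC anchor configured, nothing to verify
    for anchor in anchors:
        real = effective_path(anchor, chroot)
        if not exists(real):
            if chroot:
                problems.append(f'{anchor} does not exist in chrootdir {chroot}')
            else:
                problems.append(f'{anchor}: No such file or directory')
    return problems


# Constructed config resembling the broken one described in the thread.
BROKEN_CONF = '''
server:
    chroot: "/var/unbound"
    auto-trust-anchor-file: "/var/unbound/test/root.key"
'''

# Same config with the anchor where a standard pfSense install keeps it.
FIXED_CONF = BROKEN_CONF.replace('/var/unbound/test/root.key', '/var/unbound/root.key')

# Constructed stand-in for the real filesystem: only the standard anchor exists.
FAKE_FILES = {'/var/unbound/root.key'}


def fake_exists(path):
    return path in FAKE_FILES


if __name__ == '__main__':
    for name, conf in (('broken', BROKEN_CONF), ('fixed', FIXED_CONF)):
        problems = check_trust_anchor(conf, exists=fake_exists)
        print(name, '->', problems or 'config OK')
```

Run it against a real box by calling `check_trust_anchor(open('/var/unbound/unbound.conf').read())` with the default `exists`; an empty list means the anchor path is consistent with the chroot, and a non-empty one tells you which directive to correct before regenerating root.key.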
JeremyTTU last edited by
I am seeing the exact same problem, but with release 2.3.2, with unbound and the strange path issue. Here is the error message when DNS Resolver is completely disabled:
The following input errors were detected:
The generated config file cannot be parsed by unbound. Please correct the following errors:
/var/unbound/test/root.key: No such file or directory
 unbound-checkconf[94255:0] fatal error: auto-trust-anchor-file: "/var/unbound/test/root.key" does not exist in chrootdir /var/unbound
I tried the 3 commands that were listed as a possible fix and no-go. Now here is the weird part about all of this…
DNS resolution on my network is working very well. I send 3 forward and 1 reverse domain to a Windows Server that handles AD. That is all working great surprisingly! But, I noticed that on the pfSense dashboard, it is unable to check for the latest version nor can I see installed or available packages. I also noticed that when the filter rules are reapplied, there are failures from filterdns:
Jul 4 07:12:09 pfSense filterdns: failed to resolve host ns4.he.net will retry later again.
Jul 4 07:12:09 pfSense filterdns: failed to resolve host ns5.he.net will retry later again.
Jul 4 07:12:09 pfSense filterdns: failed to resolve host ns1.he.net will retry later again.
Jul 4 07:12:09 pfSense filterdns: failed to resolve host ns3.he.net will retry later again.
Here is even more goodness:
[2.3.2-RELEASE][admin@pfSense]/root: ping www.google.com
ping: cannot resolve www.google.com: Host name lookup failure
[2.3.2-RELEASE][admin@pfSense]/root: nslookup www.google.com
nslookup: isc_socket_bind: address not available
Tell me what you need and I will get it to you. Thanks for your help!
JeremyTTU last edited by
:( I hate having to do this, but I have to bump this topic.
I don't believe I mentioned that I have multi-wan going with two TWC cable modems and yes they are on two completely separate gateway/subnet combinations. It works and it's NICE…
As far as I can tell, there is zero DNS resolution occurring on the pfSense server. The only way I have sort of been able to at least get pkg updated was adding a /etc/hosts entry, but after a few seconds to minutes, that fails as well. The FilterDNS command cannot resolve DNS entries; it's basically like the system has lost all DNS functionality. I have an internal DNS server which DHCP serves as the DNS server, so all client machines are resolving perfectly. I have even tried putting the internal IP as one of the resolver IPs as well as now using my ISP's DNS servers. I completely reinstalled pfSense 2.3.2 from scratch, but unfortunately, I used a backup configuration to get my system back up and going.
I'm honestly not looking for a solution, I'm looking for possible places to start with and I'd rather not start the whole thing over from scratch… Any ideas would help!
Make sure you have a default gateway. Check Diag > Routes, make sure you have a "default" line there. If you don't, then go to System > Routing, edit one of the gateways and mark it default, then save/apply and check it again.
Try to ping out from the firewall by IP address, see if that works.
If you can ping to 22.214.171.124, perhaps set that as a DNS server under System > General Setup and enable forwarding mode in the DNS Resolver.
Also you could try disabling DNSSEC.