Upgrade from 2.2.6 to 2.3.1, now dns resolver and unbound issue



  • After the upgrade DNS service stopped working correctly.  I even tried doing a factory reset but still was unable to get DNS working.  When I try to update DNS resolver settings I get the following errors:

    The generated config file cannot be parsed by unbound. Please correct the following errors:
    /var/unbound/test/root.key: No such file or directory
    [1469464586] unbound-checkconf[62152:0] fatal error: auto-trust-anchor-file: "/var/unbound/test/root.key" does not exist in chrootdir /var/unbound

    I have seen references to these errors in the forums and bug reports, but I have not figured out a way to get unbound working again on my system.  I'd like to fix it if possible, but if necessary I can do a fresh install of pfSense…

  • In the past when my root.key has become corrupt, I've been able to fix it by SSH'ing into the system and running these commands:

    rm /var/unbound/root.key
    unbound-anchor -a /var/unbound/root.key
    chown unbound /var/unbound/root.key
    But looking at your error, it looks a little weird to me that your anchor file is at /var/unbound/test/
    That doesn't seem right.  It should be at /var/unbound on a standard system (afaik).

    Can you post your entire unbound.conf (should be at /var/unbound/unbound.conf)
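An added diagnostic for the path mismatch discussed above (example code, not from the thread or the pfSense project): it reads the chroot and auto-trust-anchor-file directives from an unbound.conf and checks the two things unbound-checkconf is complaining about, that the anchor path lies inside the chroot and that the file exists. The sample layouts are built in temporary directories and the helper names are assumptions for this demonstration.

```shell
# Added example, not from the thread. Checks that the auto-trust-anchor-file
# named in an unbound.conf is inside the chroot and exists on disk, which is
# the condition behind the "does not exist in chrootdir" error.
# Sample configs are constructed in temp dirs; helper names are assumptions.

conf_value() {  # conf_value CONF KEY -> last value of "KEY:" with quotes stripped
  sed -n "s/^[[:space:]]*$2:[[:space:]]*\"\{0,1\}\([^\"[:space:]]*\).*/\1/p" "$1" | tail -n 1
}

check_anchor() {  # check_anchor CONF ; returns 0 if the anchor is usable, 1 otherwise
  chroot_dir=$(conf_value "$1" chroot)
  anchor=$(conf_value "$1" auto-trust-anchor-file)
  [ -n "$anchor" ] || { echo "no auto-trust-anchor-file set"; return 1; }
  case "$anchor" in
    "$chroot_dir"/*) ;;   # path is under the chroot, as unbound requires
    *) echo "outside chroot $chroot_dir: $anchor"; return 1 ;;
  esac
  [ -f "$anchor" ] || { echo "missing: $anchor"; return 1; }
  echo "ok: $anchor"
}

make_sample() {  # make_sample ANCHOR_REL present|absent|outside -> path of a constructed conf
  base=$(mktemp -d); anchor="$base/$1"
  case "$2" in
    present) mkdir -p "$(dirname "$anchor")"; : > "$anchor" ;;
    outside) anchor=$(mktemp) ;;   # real file, but not under the chroot
  esac
  printf 'server:\n    chroot: "%s"\n    auto-trust-anchor-file: "%s"\n' \
    "$base" "$anchor" > "$base/unbound.conf"
  echo "$base/unbound.conf"
}

# Demonstration: a good layout, then the situation from this thread (anchor
# expected under a test/ subdirectory that was never created).
check_anchor "$(make_sample root.key present)"            # ok
check_anchor "$(make_sample test/root.key absent)" || :   # missing
check_anchor "$(make_sample root.key outside)" || :       # outside chroot
```

Run it against /var/unbound/unbound.conf to see which of the two conditions the generated config fails before touching root.key.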

  • I am seeing the exact same problem, but with release 2.3.2, with unbound and the strange path issue. Here is the error message when DNS Resolver is completely disabled:

    The following input errors were detected:

        The generated config file cannot be parsed by unbound. Please correct the following errors:
        /var/unbound/test/root.key: No such file or directory
        [1469918305] unbound-checkconf[94255:0] fatal error: auto-trust-anchor-file: "/var/unbound/test/root.key" does not exist in chrootdir /var/unbound

    I tried the 3 commands that were listed as a possible fix and no-go. Now here is the weird part about all of this…

    DNS resolution on my network is working very well. I send 3 forward and 1 reverse domain to a Windows Server that handles AD. That is all working great surprisingly! But, I noticed that on the pfSense dashboard, it is unable to check for the latest version nor can I see installed or available packages. I also noticed that when the filter rules are reapplied, there are failures from filterdns:

    Jul  4 07:12:09 pfSense filterdns: failed to resolve host ns4.he.net will retry later again.
    Jul  4 07:12:09 pfSense filterdns: failed to resolve host ns5.he.net will retry later again.
    Jul  4 07:12:09 pfSense filterdns: failed to resolve host ns1.he.net will retry later again.
    Jul  4 07:12:09 pfSense filterdns: failed to resolve host ns3.he.net will retry later again.

    Here is even more goodness:

    [2.3.2-RELEASE][admin@pfSense]/root: ping www.google.com
    ping: cannot resolve www.google.com: Host name lookup failure
    
    [2.3.2-RELEASE][admin@pfSense]/root:nslookup www.google.com
    nslookup: isc_socket_bind: address not available

    Tell me what you need and I will get it to you. Thanks for your help!

  • :( I hate having to do this, but I have to bump this topic.

    I don't believe I mentioned that I have multi-wan going with two TWC cable modems and yes they are on two completely separate gateway/subnet combinations. It works and it's NICE

    As far as I can tell, there is zero DNS resolution occurring on the pfSense server. The only way I have sort of been able to at least get pkg updated was adding a /etc/hosts entry, but after a few seconds to minutes, that fails as well. FilterDNS command cannot resolve DNS entries, it's basically like the system has lost all DNS functionality. I have an internal DNS server which DHCP serves as the DNS server, so all client machines are resolving perfectly. I have even tried putting the internal IP as one of the resolver IPs as well as now using my ISP's DNS servers. I completely reinstalled pfSense 2.3.2 from scratch, but unfortunately, I used a backup configuration to get my system back up and going.

    I'm honestly not looking for a solution, I'm looking for possible places to start with and I'd rather not start the whole thing over from scratch… Any ideas would help!

  • Rebel Alliance Developer Netgate

    Make sure you have a default gateway. Check Diag > Routes, make sure you have a "default" line there. If you don't, then go to System > Routing, edit one of the gateways and mark it default, then save/apply and check it again.

    Try to ping out from the firewall by IP address, see if that works.

    If you can ping to 8.8.8.8, perhaps set that as a DNS server under System > General Setup and enable forwarding mode in the DNS Resolver.
    Also you could try disabling DNSSEC.