Unbound - Forwarding Mode and Custom Options Issue



  • Hello all,

    I have a problem with Unbound Custom Options and Forwarding Mode. I'm using OpenDNS for pfSense DNS resolution; Unbound forwarding to OpenDNS. It happens that I cannot enable Forwarding Mode if Custom Options are set in Unbound.

    Let me explain, I have a blacklist.conf file saved under /var/unbound/conf.d/blacklist.conf

    Then I use Unbound Custom Options (GUI) to include the file:

    include: /var/unbound/blacklist.conf
    

    Up to this point everything works. Now as soon as I attempt to enable Forwarding Mode in unbound to use the OpenDNS servers I have defined under general options instead of my ISP's DNS, I get a configuration error.

    I do NOT have DNSSEC enabled (OpenDNS does not support DNSSEC).

    When I remove Custom Options (meaning not loading my blacklist) or any custom option for that matter, DNS forwarding works without problems.

    As it seems right now, the issue happens ONLY when enabling Forwarding Mode while having Custom Options also set in Unbound.

    Could this be a bug or is it just my specific configuration? Can anyone else duplicate this or help me understand why it is failing? I'm running latest stable 2.4.



  • Just for the sake of it, I disabled unbound and went with dnsmasq instead.

    dnsmasq does work as expected in terms of forwarding to OpenDNS. Not issue-free though… The only way to make dnsmasq apply changes is to execute dnsmasq onerestart from SHELL. Saving and Applying changes via GUI simply renders dnsmasq unusable - this is likely because my blacklist has @42,000 domain records in it.

    Yet, I wonder if anyone else has run into these issues because it isn't specific to my install. I have tested these scenarios on 2 different boxes with different installs; with the same results.


  • Moderator

    Looks like the include path is wrong or maybe just a typo?

    Try:

    server: include: /var/unbound/conf.d/blacklist.conf

    Also the format of the include file could be incorrect. See unbound docs for the syntax.



  • ~~@BBcan177, thanks for adding your two cents, I appreciate it :)

    The include path was correct in the configuration. It was just a typo in my post. The screenshot shows the correct path and the error. Irrespective, the error only occurs when Forwarding Mode and Custom Options are both enabled. For example, I can leave Forwarding Mode disabled (unchecked) and unbound will work and my filter format is parsed without any complaint; also a checkconf confirms that there are no errors in the format.

    When unbound works with my filters and without Forwarding Mode, it resolves just fine, uses my filters but it will default to my ISP's WAN DNS instead of using OpenDNS.

    I can remove the filters and enable Forwarding Mode and it will also work as expected, passing to the upstream DNS servers I have set under General Setup.

    It only refuses to work when both Forwarding Mode and Custom Options are configured. That's the issue I would like for someone else to try to replicate. I pushed it on 2 different boxes and I got the same result.

    It is my belief that the filters are fine, otherwise unbound would've just refused to load my configuration or checkconf would've thrown an error, which is not the case.~~

    @BBcan177, THANK YOU for helping see this old dumb man => ME.

    Your post is absolutely correct. My Custom Options was missing the server: statement on both of my boxes:

    server: include: /var/unbound/conf.d/blacklist.conf  <= Correct

    include: /var/unbound/conf.d/blacklist.conf

    Indeed!

  • Moderator

    The pfBlockerNG pkg uses an include file in unbound with the Resolver set to either Forwarder or Resolver mode. So there must be something else that's causing your issue. Try adding the "server:" setting as indicated to see if that fixes it.



  • @BBcan177:

    The pfBlockerNG pkg uses an include file in unbound with the Resolver set to either Forwarder or Resolver mode. So there must be something else that's causing your issue. Try adding the "server:" setting as indicated to see if that fixes it.

    Looks like you posted while I was editing my previous post.

    Yes, your suggestion was absolutely spot on. It was exactly what I had missed all along. Cheers!
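A small lint for a Custom Options fragment, added here as an example (not pfSense or Unbound code). It assumes, consistent with the symptom in this thread, that pfSense appends the fragment after its own forward-zone: block when Forwarding Mode is on, so a bare include: is parsed inside that clause; the clause list is taken from unbound.conf(5). unbound-checkconf on the generated unbound.conf remains the authoritative check.

```python
"""Lint a pfSense Unbound "Custom Options" fragment for the mistake in this
thread: a directive (typically include:) that is not preceded by a clause
header, so Unbound parses it in whatever clause the generated unbound.conf
was last in. Constructed example, not pfSense or Unbound code."""
import re

# Clause headers Unbound recognises (assumption: taken from unbound.conf(5)).
CLAUSES = {"server", "remote-control", "stub-zone", "forward-zone", "auth-zone",
           "view", "rpz", "python", "dynlib", "dnstap", "cachedb", "ipset"}
LINE = re.compile(r"^([a-z][a-z0-9-]*):\s*(.*)$")

def lint_custom_options(text):
    """Return a list of (line_no, message) findings for the fragment."""
    findings, clause = [], None
    for no, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()   # drop comments and whitespace
        while line:
            m = LINE.match(line)
            if not m:
                findings.append((no, f"unparseable: {raw.strip()!r}"))
                break
            key, rest = m.groups()
            if key in CLAUSES:
                clause, line = key, rest       # 'server: include: ...' is valid on one line
                continue
            if clause is None:
                findings.append((no, f"'{key}:' appears before any clause header; "
                                     "start the fragment with 'server:'"))
            elif key == "include" and clause != "server":
                findings.append((no, f"include: inside '{clause}:' clause; "
                                     "included server directives will fail"))
            break
    return findings

def fix_custom_options(text):
    """Prepend 'server:' when the fragment does not open with a clause header."""
    if any("before any clause header" in msg for _, msg in lint_custom_options(text)):
        return "server:\n" + text
    return text

if __name__ == "__main__":
    # Constructed fragments: the one from the thread and its corrected form.
    for frag in ("include: /var/unbound/conf.d/blacklist.conf",
                 "server: include: /var/unbound/conf.d/blacklist.conf"):
        print(repr(frag), "->", lint_custom_options(frag) or "OK")
```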

