4. unbound does not start when named (bind) is running - kills connectivity at a PPPoE restart

unbound does not start when named (bind) is running - kills connectivity at a PPPoE restart

  • J

    Hi,

    I'm having a serious issue with my pfSense router. I'm using unbound as the local DNS server/resolver, but I'm also running named (bind) on a different interface which can be reached from the WAN side to manage some of my zones (primary because the ACME keeps some certificates up to date).

    So not a very special setup, but I'm facing serious issues when the WAN interface is restarted (i.e. a PPPoE resync happens in the nightly maintenance window of my ISP when he pushed updates to the MSAN).

    In that case unbound seems to be restarted by pfSense, but when bind is already running (what it usually is), unbound could not restart because of a blocked remote port 953:

    servicewatchdog_cron.php: The command '/usr/local/sbin/unbound -c /var/unbound/unbound.conf' returned exit code '1', the output was '[1528285441] unbound[11551:0] error: can't bind socket: Address already in use for 127.0.0.1 [1528285441] unbound[11551:0] error: cannot open control interface 127.0.0.1 953 [1528285441] unbound[11551:0] fatal error: could not open ports'

    I've found this bug thread: https://redmine.pfsense.org/issues/7271
    This points into the direction that bind and unbound seem to use the same remote control port, but it appeared to me that issue is fixed.

    In my situation I need to manually stop named, then start unbound (which is working) and finally restart bind.

    I'm not sure if this issue only appears when the service watchdog monitors (and restarts) unbound - but as I found unbound stopped some weeks ago and Snort also sometimes just stopped by itself, I'm monitoring essential services with the watchdog.

    I also issued the rndc-confgen command to relocate the control port of bind, but that seemed not to be persistent (or maybe it's killed with pfSense updates?)

    Any ideas how to solve this are highly appreciated.

    Edit:
    Additional question - is the remote port for unbound really needed in pfSense?
    Does it harm to just change it in /var/unbound/remotecontrol.conf to:

    remote-control:
	control-enable: yes
	control-interface: 127.0.0.1
	control-port: 7953
    0
Log in to reply
 

Products

Services

Support

News

Resources

Company

Our Mission

We provide leading-edge network security at a fair price - regardless of organizational size or network sophistication. We believe that an open-source security model offers disruptive pricing along with the agility required to quickly address emerging threats.

Subscribe to our Newsletter

Product information, software announcements, and special offers. See our newsletter archive for past announcements.

© 2020 Rubicon Communications, LLC | Privacy Policy