unbound does not start when named (bind) is running - kills connectivity at a PPPoE restart



  • Hi,

    I'm having a serious issue with my pfSense router. I'm using unbound as the local DNS server/resolver, but I'm also running named (bind) on a different interface which can be reached from the WAN side to manage some of my zones (primary because the ACME keeps some certificates up to date).

    So not a very special setup, but I'm facing serious issues when the WAN interface is restarted (i.e. a PPPoE resync happens in the nightly maintenance window of my ISP when he pushed updates to the MSAN).

    In that case unbound seems to be restarted by pfSense, but when bind is already running (what it usually is), unbound could not restart because of a blocked remote port 953:

    servicewatchdog_cron.php: The command '/usr/local/sbin/unbound -c /var/unbound/unbound.conf' returned exit code '1', the output was '[1528285441] unbound[11551:0] error: can't bind socket: Address already in use for 127.0.0.1 [1528285441] unbound[11551:0] error: cannot open control interface 127.0.0.1 953 [1528285441] unbound[11551:0] fatal error: could not open ports'
    

    I've found this bug thread: https://redmine.pfsense.org/issues/7271
    This points into the direction that bind and unbound seem to use the same remote control port, but it appeared to me that issue is fixed.

    In my situation I need to manually stop named, then start unbound (which is working) and finally restart bind.

    I'm not sure if this issue only appears when the service watchdog monitors (and restarts) unbound - but as I found unbound stopped some weeks ago and Snort also sometimes just stopped by itself, I'm monitoring essential services with the watchdog.

    I also issued the rndc-confgen command to relocate the control port of bind, but that seemed not to be persistent (or maybe it's killed with pfSense updates?)

    Any ideas how to solve this are highly appreciated.

    Edit:
    Additional question - is the remote port for unbound really needed in pfSense?
    Does it harm to just change it in /var/unbound/remotecontrol.conf to:

    remote-control:
    	control-enable: yes
    	control-interface: 127.0.0.1
    	control-port: 7953