[SOLVED] New SG-1100 DNS Resolver not working



  • Problem
    Just purchased a new SG-1100, and went through the setup multiple times, but could never get DNS resolution on my LAN clients.

    Setup
    I have a Frontier FIOS ONT passing CAT5 into my home. That is connected to the WAN on the SG-1100 and my desktop is connected to the LAN. The SG-1100 has an IP address of 10.0.1.1 and is currently handing my PC an address of 10.0.1.10. Gateway is 10.0.1.1 and DNS is 10.0.1.1. I am using Google's DNS servers configured in General Setup and the DNS Resolver (unbound) as shown in the images below. I have been following this article mostly (Troubleshooting Network Connectivity) and discovered the following.

    • Diagnostics / Ping 8.8.8.8 works from both WAN and LAN
    • Diagnostics / Ping google.com works from both WAN and LAN
    • Diagnostics / DNS Lookup for pfsense.org seems to work (see image below)
    • My client can ping the SG-1100 LAN IP
    • My client can ping the SG-1100 WAN IP
    • My client can ping 8.8.8.8
    • My client cannot ping google.com

    I found this error in Status / System Logs / System / General

    /services_unbound.php: The command '/usr/local/sbin/unbound -c /var/unbound/unbound.conf' returned exit code '1', the output was '[1549232565] unbound[11670:0] error: Error for server-cert-file: /var/unbound/unbound_server.pem [1549232565] unbound[11670:0] error: Error in SSL_CTX use_certificate_chain_file crypto error:0906D06C:PEM routines:PEM_read_bio:no start line [1549232565] unbound[11670:0] error: and additionally crypto error:140DC009:SSL routines:SSL_CTX_use_certificate_chain_file:PEM lib [1549232565] unbound[11670:0] fatal error: could not set up remote-control'
    

    Under Services / DNS Resolver / Advanced Settings - I set the Log Level to 2.
    If I go to Status / System Logs / System / DNS Resolver there doesn't seem to be a lot of activity but I may not understand what I am looking at.

    Feb 2 19:49:48	dnsmasq	40988	reading /etc/resolv.conf
    Feb 2 19:49:48	dnsmasq	40988	ignoring nameserver 127.0.0.1 - local interface
    Feb 2 19:49:48	dnsmasq	40988	using nameserver 8.8.8.8#53
    Feb 2 19:49:48	dnsmasq	40988	using nameserver 8.8.4.4#53
    Feb 2 19:49:48	dnsmasq	40988	read /etc/hosts - 3 addresses
    Feb 2 19:50:46	dnsmasq	40988	exiting on receipt of SIGTERM
    Feb 2 19:50:47	dnsmasq	96352	started, version 2.79 cachesize 10000
    Feb 2 19:50:47	dnsmasq	96352	compile time options: IPv6 GNU-getopt no-DBus i18n IDN2 DHCP DHCPv6 no-Lua TFTP no-conntrack ipset auth DNSSEC loop-detect no-inotify
    Feb 2 19:50:47	dnsmasq	96352	reading /etc/resolv.conf
    Feb 2 19:50:47	dnsmasq	96352	ignoring nameserver 127.0.0.1 - local interface
    Feb 2 19:50:47	dnsmasq	96352	using nameserver 8.8.8.8#53
    Feb 2 19:50:47	dnsmasq	96352	using nameserver 8.8.4.4#53
    Feb 2 19:50:47	dnsmasq	96352	read /etc/hosts - 3 addresses
    Feb 2 20:00:13	dnsmasq	96352	exiting on receipt of SIGTERM
    

    What I have tried
    Two things I've found to "work"

    • Manually setting the DNS in my network settings to 8.8.8.8. Not really ideal.
    • Disabling the DNS Resolver and enabling the DNS Forwarder. This does work but it bugs me that the resolver doesn't work and I'd rather fix it.

    Help
    Does anyone have any idea what my problem might be or where I can start looking? I've gone through numerous forum and reddit posts where people had DNS issues similar to mine but none of the solutions seemed to work for me.

    General Setup
    0_1549235179717_general_setup_2019-02-03 15-04-53.png

    DNS Resolver Settings
    0_1549234438902_dns_resolver_2019-02-03 14-53-16.png

    DNS Lookup
    0_1549234301278_diagnostics_dnslookup_2019-02-03 14-36-10.png



  • Another thing I forgot to mention was that in Status / Services, it appears that unbound is not running.
    0_1549237745995_status_services_2019-02-03 15-48-12.png





  • Thank you! That was the solution. Copy instructions below.

    Under /var/unbound delete the following and reboot.
    unbound_control.key
    unbound_control.pem
    unbound_server.key
    unbound_server.pem
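
The `PEM_read_bio:no start line` error in the first post is what OpenSSL reports when a file it was told to load contains no `-----BEGIN` line, which includes an empty file. As an added example (not part of the thread and not pfSense's own code), this sh function reports which of the four files named in the fix are in that state; the function name and the constructed demo files are assumptions.

```shell
#!/bin/sh
# Added example: find unbound remote-control files that would trigger
# "PEM_read_bio:no start line" (empty, or lacking a -----BEGIN line).
# File names and /var/unbound come from the thread; check_unbound_pems
# is a hypothetical helper name.

UNBOUND_FILES="unbound_control.key unbound_control.pem unbound_server.key unbound_server.pem"

# Prints one "name: reason" line per bad file.
# Returns 0 if all four files look like PEM, 1 otherwise.
check_unbound_pems() {
    dir="${1:-/var/unbound}"
    bad=0
    for f in $UNBOUND_FILES; do
        path="$dir/$f"
        if [ ! -e "$path" ]; then
            echo "$f: missing"; bad=1
        elif [ ! -s "$path" ]; then
            echo "$f: empty"; bad=1
        elif ! grep -q '^-----BEGIN ' "$path"; then
            echo "$f: no PEM start line"; bad=1
        fi
    done
    return $bad
}

# Constructed demo input: one PEM-looking file, one empty file, two missing.
demo=$(mktemp -d)
printf '%s\n' '-----BEGIN CERTIFICATE-----' 'constructed' \
    '-----END CERTIFICATE-----' > "$demo/unbound_control.pem"
: > "$demo/unbound_server.pem"
check_unbound_pems "$demo" || true
rm -rf "$demo"
```

On the firewall itself, call `check_unbound_pems /var/unbound` from a shell to see which files are affected before removing them.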

