DSNBL error: connect: Can't assign requested address for 127.0.0.1 port 953

SnowmanUT

I can't get this to work properly as I continue to get this error below. I have look around forum and internet to try a few things but have not found anything that works yet. Newbie to PfblockerNG but would like to get it working if anyone can help.

Reloading Unbound Resolver..
DNSBL enabled FAIL - restoring Unbound conf *** Fix error(s) and a Force Reload required! ***
[1549436537] unbound-control[77716:0] error: connect: Can't assign requested address for 127.0.0.1 port 953.... Not completed.

I found this page talking about the same issue but no resolution besides resetting and starting over which I would prefer not to do.
https://www.reddit.com/r/pfBlockerNG/comments/a9lgnx/unboundcontrol_error_cant_assign_address/

johnpoz

And did you follow the steps in that thread were they ask you to look what is running on that port.. Lets see your sockstat output

example here is mine

[2.4.4-RELEASE][root@sg4860.local.lan]/root: sockstat | grep :953
unbound  unbound    68997 29 tcp4   127.0.0.1:953         *:*
[2.4.4-RELEASE][root@sg4860.local.lan]/root:

SnowmanUT

@johnpoz said in DSNBL error: connect: Can't assign requested address for 127.0.0.1 port 953:

sockstat

It shows this:

unbound unbound 92099 22 tcp4 127.0.0.1:953 :

johnpoz

so unbound is already listening, if it doesn't stop when asked, etc. then sure you can have issues if your trying to run another instance for example.

Lets see your logs, can you stop unbound and restart it from the gui, does it stop and start - can you do it from the cmd line... The info on how to do that is in the thread you linked to.

Saying there is no solution there is because you have not given the info required to figure out what the problem actually is. Just like the guy in that thread. The person asking all the questions and giving great advice is the writer of pfblocker ;) bcan177 if anyone can help it would be him. But without details nobody can help.

SnowmanUT

Sorry, I am a newbie. Which logs do you want, from PFblockerNG logs or system logs? How do I download system logs?

I can stop and start it from the GUI. I just stopped it from the GUI and tried force reloading DNSBL update which then started unbound again. Message now is this.

Saving DNSBL database... completed

Assembling DNSBL database... completed [ 02/06/19 10:21:36 ]
Starting Unbound Service.... Not completed. [ 02/06/19 10:21:43 ]

*** DNSBL update [ 155652 ] [ 141171 ] ... OUT OF SYNC ! ***

BBcan177

@snowmanut

Try to go to pfSense Resolver, Advanced page, and change the Log Level to "2" , then hit save.

Then review the resolver.log in pfSense system logs to see if you have any other errors? If there are, try to address those first.

Otherwise, there could be a bit of a race condition with the widget. So first try the above, if that doesn't pan out, goto the pfSense dashboard and click the wrench icon in the pfB widget. Change the Resolver query setting from "5" to "60" seconds. then save. Then run a Force Reload - DNSBL.

@johnpoz Thanks! Am on holidays but still on duty :)

SnowmanUT

I have a bunch of the same error on the Resolver log. This is just a part of the error but they all say duplicate forward zone. Not sure what that means??

Feb 5 21:44:13 unbound 84341:1 error: duplicate forward zone . ignored.
Feb 5 21:49:31 unbound 84341:1 error: duplicate forward zone . ignored.
Feb 5 21:49:31 unbound 84341:3 error: duplicate forward zone . ignored.
Feb 5 21:49:31 unbound 84341:2 error: duplicate forward zone . ignored.
Feb 5 21:49:31 unbound 84341:0 error: duplicate forward zone . ignored.
Feb 5 22:14:57 unbound 84341:2 error: duplicate forward zone . ignored.
Feb 5 22:14:57 unbound 84341:1 error: duplicate forward zone . ignored.
Feb 5 22:14:57 unbound 84341:3 error: duplicate forward zone . ignored.
Feb 5 22:14:57 unbound 84341:0 error: duplicate forward zone . ignored.

SnowmanUT

Got rid of errors in DNS resolver log by removing all my DNS servers in the general setup page.

I changed the Resolver query setting from "5" to "60" seconds and did the reload but back to the same error:

Assembling DNSBL database... completed [ 02/06/19 14:36:44 ]
Reloading Unbound Resolver..
DNSBL enabled FAIL - restoring Unbound conf *** Fix error(s) and a Force Reload required! ***
[1549489005] unbound-control[64031:0] error: connect: Can't assign requested address for 127.0.0.1 port 953.... Not completed. [ 02/06/19 14:36:45 ]

RonpfS

Maybe you should do a Force Reload All then post your pfblockerng.log to see what happens.

SnowmanUT

0_1549494634044_pfblockerng.log.txt

Ok, removed the package completely and reinstalled it just to try. Went through the wizard again and back to the same error.

pfblockerng.log attached

RonpfS

How did you configure DNS Resolver ?
What pfsense version, platform, pfblockerng version, which package are you using?

SnowmanUT

PFsense version: 2.4.4-RELEASE-p2 (amd64)
pfBlockerNG-devel net 2.2.5_21
Platform: HP T620 Plus Thin Client

DNS Resolver setting:
-Network Interfaces: all
-Outgoing Network Interfaces: WAN
-System Domain Local Zone Type: Transparent
-DNSSEC Support: Enabled
-Custom Options: server:include: /var/unbound/pfb_dnsbl.*conf
-Host override for a duckdns domain I have setup.

RonpfS

@snowmanut said in DSNBL error: connect: Can't assign requested address for 127.0.0.1 port 953:

-Host override for a duckdns domain I have setup.

And if you remove the host override do you still have the same symptoms?

SnowmanUT

Deleted host override, no change. Same error after force reload.

RonpfS

@snowmanut
Do you have DNS Forwarder disabled ?
Do you have DNS Resolver DNS Query Forwarding disabled?

What is the output of :

ls -al /var/unbound
ls -al /var/db/pfblockerng
ls -al /var/db/pfblockerng/dnsbl
ls -al /var/db/pfblockerng/dnsblorig

SnowmanUT

Do you have DNS Forwarder disabled? Yes
Do you have DNS Resolver DNS Query Forwarding disabled? Yes

ls -al /var/unbound:
total 120
drwxr-xr-x 3 unbound unbound 1024 Feb 6 17:50 .
drwxr-xr-x 27 root wheel 512 Dec 12 05:42 ..
-rw-r--r-- 1 root unbound 292 Feb 6 17:44 access_lists.conf
drwxr-xr-x 2 unbound unbound 512 Dec 12 05:42 conf.d
-rw-r--r-- 1 root unbound 175 Feb 6 17:44 dhcpleases_entries.conf
-rw-r--r-- 1 root unbound 3355 Feb 6 15:58 dnsbl_cert.pem
-rw-r--r-- 1 root unbound 0 Feb 6 17:44 domainoverrides.conf
-rw-r--r-- 1 root unbound 398 Feb 6 17:44 host_entries.conf
-rw-r--r-- 1 root unbound 0 Feb 6 17:49 pfb_dnsbl.conf
-rw-r--r-- 1 root unbound 1498 Feb 6 15:58 pfb_dnsbl_lighty.conf
-rw-r--r-- 1 root unbound 300 Oct 22 08:11 remotecontrol.conf
-rw-r--r-- 1 unbound unbound 1252 Feb 6 17:44 root.key
-rw-r--r-- 1 root unbound 2056 Feb 6 17:49 unbound.conf
-rw-r----- 1 unbound unbound 2455 Oct 22 08:11 unbound_control.key
-rw-r----- 1 unbound unbound 1330 Oct 22 08:11 unbound_control.pem
-rw-r----- 1 unbound unbound 2455 Oct 22 08:11 unbound_server.key
-rw-r----- 1 unbound unbound 1318 Oct 22 08:11 unbound_server.pem

ls -al /var/db/pfblockerng
total 1768
drwxr-xr-x 11 root wheel 512 Feb 6 18:00 .
drwxr-xr-x 14 root wheel 1024 Feb 6 16:48 ..
drwxr-xr-x 2 root wheel 512 Feb 6 15:57 ET
drwxr-xr-x 2 root wheel 1024 Feb 6 18:00 deny
drwxr-xr-x 2 root wheel 1024 Feb 6 17:49 dnsbl
-rw-r--r-- 1 root wheel 8192 Feb 6 17:49 dnsbl.sqlite
-rw-r--r-- 1 root wheel 8192 Feb 6 15:58 dnsbl_levent.sqlite
drwxr-xr-x 2 root wheel 512 Feb 6 15:58 dnsblalias
drwxr-xr-x 2 root wheel 1024 Feb 6 15:58 dnsblorig
-rw-r--r-- 1 root wheel 10001 Feb 6 15:49 geoip.txt
-rw-r--r-- 1 root wheel 266386 Feb 6 18:00 mastercat
-rw------- 1 root wheel 508197 Feb 6 18:00 masterfile
drwxr-xr-x 2 root wheel 512 Feb 6 15:57 match
drwxr-xr-x 2 root wheel 512 Feb 6 15:57 native
drwxr-xr-x 2 root wheel 512 Feb 6 18:00 original
drwxr-xr-x 2 root wheel 512 Feb 6 15:57 permit
-rw-r--r-- 1 root wheel 2152 Feb 6 18:00 pfbdnsblsuppression.txt

ls -al /var/db/pfblockerng/dnsbl
total 15704
drwxr-xr-x 2 root wheel 1024 Feb 6 17:49 .
drwxr-xr-x 11 root wheel 512 Feb 6 18:00 ..
-rw-r--r-- 1 root wheel 113986 Feb 6 17:49 Abuse_DOMBL.txt
-rw-r--r-- 1 root wheel 385663 Feb 6 17:49 Abuse_URLBL.txt
-rw-r--r-- 1 root wheel 2422 Feb 6 17:49 Abuse_Zeus_BD.txt
-rw-r--r-- 1 root wheel 20707 Feb 6 17:49 Adaway.txt
-rw-r--r-- 1 root wheel 34779 Feb 6 17:49 BBC_DC2.txt
-rw-r--r-- 1 root wheel 769139 Feb 6 17:49 Cameleon.txt
-rw-r--r-- 1 root wheel 128691 Feb 6 17:49 D_Me_ADs.txt
-rw-r--r-- 1 root wheel 4251 Feb 6 17:49 D_Me_Malv.txt
-rw-r--r-- 1 root wheel 0 Feb 6 17:49 D_Me_Malw.txt
-rw-r--r-- 1 root wheel 1488 Feb 6 17:49 D_Me_Tracking.txt
-rw-r--r-- 1 root wheel 49294 Feb 6 17:49 EasyList.txt
-rw-r--r-- 1 root wheel 138299 Feb 6 17:49 EasyPrivacy.txt
-rw-r--r-- 1 root wheel 0 Feb 6 17:49 ISC_SDH.txt
-rw-r--r-- 1 root wheel 56852 Feb 6 17:49 MDL.txt
-rw-r--r-- 1 root wheel 1471173 Feb 6 17:49 MDS.txt
-rw-r--r-- 1 root wheel 128220 Feb 6 17:49 MDS_Immortal.txt
-rw-r--r-- 1 root wheel 46827 Feb 6 17:49 MVPS.txt
-rw-r--r-- 1 root wheel 93081 Feb 6 17:49 SBL_ADs.txt
-rw-r--r-- 1 root wheel 752123 Feb 6 17:49 SFS_Toxic_BD.txt
-rw-r--r-- 1 root wheel 545387 Feb 6 17:49 SWC.txt
-rw-r--r-- 1 root wheel 362322 Feb 6 17:49 Spam404.txt
-rw-r--r-- 1 root wheel 37106 Feb 6 17:49 Yoyo.txt
-rw-r--r-- 1 root wheel 2638905 Feb 6 17:49 hpHosts_ATS.txt

RonpfS

ls -al /var/db/pfblockerng/dnsblalias
ls -al /var/db/pfblockerng/dnsblorig
cat /var/db/pfblockerng/pfbdnsblsuppression.txt

Can you try to disable DNSBL, then run a force Update.
Enable DNSBL then run Force Update.

If you still have errors, then enable only on DNSBL group with only one URL enabled, run a Force Reload DNSBL and see if it reload unbound.

johnpoz

@snowmanut said in DSNBL error: connect: Can't assign requested address for 127.0.0.1 port 953:

by removing all my DNS servers in the general setup page.

Why would you have DNS servers listed in the general setup page if your using unbound in resolver mode? Having there sure would not cause any errors since they would never be used, unless you told pfsense not to use 127.0.0.1?

SnowmanUT

When I deleted all the DNS servers in there it wouldn't download any packages from the package manager. When I put 1 back the package manager worked again. Others reported similar behavior on other posts.

I don't think I have told it not to use 127.0.0.1, where would I do that besides the DNS resolver which we already checked?

johnpoz

Lets forget pfblocker for a second... Does unbound work when not using pfblocker? Disable pfblocker does your resolver work as it should..

Its right there in the general setup - where you would of set extra dns

I would also uncheck allowing your ISP to hand you dns via dhcp... That checkbox above the one I point out.

Pfsense out of the box resolves, and the only thing it should point to for dns is itself

If you are having issues with unbound working, I would figure that out before you worry about package like pfblocker

SnowmanUT

None of those were checked on general setup. If I remove all DNS servers from the DNS server list the package manager fails to download anything.
0_1549517545649_DNS Section.JPG

Package Manager Blank with no DNS Server listed in setup:
0_1549517573819_Package manager.JPG

Would having comcast have anything to do with this?

RonpfS

Did you try to do nslookup from the pfsense ?

johnpoz

Sure your isp could be doing something - but I was on comcast for years and they never dicked with dns that I recall.

Yes try to look up something else, does google resolve? Go to diag, dns lookup - try some stuff in there does anything work?

What does your status resolver show you?

What does the log show is unbound actually starting and listening on 53?

You have pfblocker disabled right? Lets actually validate the resolver is working how it should before you try and throw pfblocker on top of it. Not able to list packages doesn't bode well for a fully functional resolver.

You don't have some vpn setup - what other packages are you running? This should be a clean out of the box pfsense setup!

You don't go throwing extra toys onto something that isn't working in the first place ;) If your ISP is dicking with DNS then you could always use forwarding mode with unbound. But lets actually validate that first, etc.

SnowmanUT

PfblockerNG is off. Ran DNS Lookup and no response on google or pfsense. I can still go to websites when browsing though, weird.

0_1549553606883_Google-no resolve.JPG

Status of DNS Resolver is blank too:
0_1549553633372_DNS Resolver Status.JPG

I have OpenVPN setup for access by my phone to my network. I can disable it. Used this video guide to do it on Lawrence Systems / PC Pickup: https://www.youtube.com/watch?v=7rQ-Tgt3L18&t=656s Works fine for when I need access.

Packages:

johnpoz

well from that unbound is not running... So how would your clients resolve anything unless they were suing something else for dns..

Unbound is not working... Get unbound working before you attempt to get pfblocker working.

Restart unbound - what does the unbound log say. UP the log level in unbound.

SnowmanUT

Already have log level at 2, do I need to go higher?

Looks like it is resolving??

0_1549558669749_Unbound logs.JPG

SnowmanUT

Still trying figure this out. Unbound is stopping and starting all the time per the logs. Still have forwarder off and no DNS servers in general setup. Pfblocker is turned off. DNS resolver status blank and dnslookup doesn't resolve anything? Is my boxed just messed up or is there issue with unbound or how do I fix this?

0_1550078285444_Unbound stopping.JPG

Grimson

https://forum.netgate.com/topic/104772/unbound-restarting
https://forum.netgate.com/topic/138449/unbound-restarting-more-frequently

Also if you use the Service Watchdog package make sure it does not monitor unbound.

SnowmanUT

@BBcan177 fixed my issue which was unrelated to pfblocker. Somehow my Pfsense became corrupted related to the unbound_control.key and unbound_server.pem. He got it to generate new ones that fixed unbound which in turn got Pfblocker working. We are not sure why it happened but he is reporting issues to them. Owe him for sure, great guy.

themadsalvi

@SnowmanUT said in DSNBL error: connect: Can't assign requested address for 127.0.0.1 port 953:

@BBcan177 fixed my issue which was unrelated to pfblocker. Somehow my Pfsense became corrupted related to the unbound_control.key and unbound_server.pem. He got it to generate new ones that fixed unbound which in turn got Pfblocker working. We are not sure why it happened but he is reporting issues to them. Owe him for sure, great guy.

Can you please post how you were able to get it to generate new unbound_control.key and unbound_server.pem? Mine seems to have the same issue, and it doesn't resolve itself when I restore older known working configs.

freebs

lol I have the same thing happening as well..

SnowmanUT

@BBcan177 helped me fix it through some remote support. Not sure of the exact commands he ran on the console to fix it. If he sees this post maybe he can provide them.

freebs

Hope he sees it.. I can't figure this out

RonpfS

@SnowmanUT said in DSNBL error: connect: Can't assign requested address for 127.0.0.1 port 953:

unbound_control.key

Guys why don't you use the search "unbound_control.key" feature of the forum ?

https://forum.netgate.com/topic/106011/solved-pfblockerng-reloading-unbound-fails/12

Basically remove the cert files, restart unbound or reboot.

freebs

@RonpfS I did exactly that.. removed keys firstly... didn't work.. renamed /var/unbound to unbound.bak.. restarted same thing.. very stange

freebs

fixed.. would not work on just restarting DNS.. had to reboot the box.

RonpfS

@freebs
Maybe save DNS Resolver settings then Apply settings would do the trick.

DSNBL error: connect: Can't assign requested address for 127.0.0.1 port 953

Products

Services

Support

News

Resources

Company

Our Mission

Subscribe to our Newsletter