Netgate Discussion Forum

    Should unbound-control work by default?

    • T
      Taz79
      last edited by

      I have seen people use unbound-control to get statistics out of the performance of the cache hits, for example. But when I try, I get an error message. The function seems to be turned off. Is this function disabled by default and has to be enabled by me? I have tried searching for the same issue but have not found this specific question.

      Last entries of /var/unbound/unbound.conf contains this:

      ###
      # Remote Control Config
      ###
      include: /var/unbound/remotecontrol.conf
      

      The file remotecontrol.conf is 0 bytes.

      [2.4.4-RELEASE][admin@Fenix.localdomain]/root: unbound-control -c /var/unbound/unbound.conf stats_noreset
      [1554920137] unbound-control[36436:0] warning: control-enable is 'no' in the config file.
      

      I found a guide on how to configure it. Just want to check first so that I don't mess anything up. :)
      https://wiki.archlinux.org/index.php/unbound#Setting_up_unbound-control

      • jimpJ
        jimp Rebel Alliance Developer Netgate
        last edited by

        You have to pass it the location of the config file, but otherwise it should work. The second command you showed, unbound-control -c /var/unbound/unbound.conf <command>, works fine here.

        /var/unbound/remotecontrol.conf shouldn't be zero bytes, so it's also possible something corrupted that. Easy test is to rm /var/unbound/remotecontrol.conf and then save/apply in the resolver settings.

        Anything special about your setup? Any custom options in unbound? DNSBL or other pfBlocker things enabled?

        Remember: Upvote with the 👍 button for any user/post you find to be helpful, informative, or deserving of recognition!

        Need help fast? Netgate Global Support!

        Do not Chat/PM for help!

        • jimpJ
          jimp Rebel Alliance Developer Netgate
          last edited by

          Looks like the file being empty is an edge case that wasn't covered. Looks like it should be rewritten then, too. I opened https://redmine.pfsense.org/issues/9470 and pushed a fix.

          • T
            Taz79 @jimp
            last edited by

            @jimp said in Should unbound-control work by default?:

            /var/unbound/remotecontrol.conf shouldn't be zero bytes, so it's also possible something corrupted that. Easy test is to rm /var/unbound/remotecontrol.conf and then save/apply in the resolver settings.

            That solved the problem!! What would I do without you guys! I would have tried to add my own settings in that file and that would not have been good, I guess.. :)

            EDIT: whoops.. it looked good from the beginning.. check my screenshots below.. The file got re-created and it looked good.. But now the unbound service won't start up, I noticed because wife started complaining about Netflix not working anymore... HAHA..

            Here is the error message from the General log:
            4b701f3c-d920-4ca6-ba62-955f54935525-image.png

            Status before:
            9c331089-1e32-4771-92eb-a17eb9676ff3-image.png

            After save:
            d540a11b-671b-4e50-b3ee-8acf6b42e370-image.png

            Content of the new file:
            3ee2dafb-5861-41a6-bc50-ef7191f5d13d-image.png

            Anything special about your setup? Any custom options in unbound? DNSBL or other pfBlocker things enabled?

            Only addition I'm running at the moment is Bandwidthd. Before, I had changed outgoing network interfaces to my VPN tunnel to internet, but I have since then changed it back to "All" again.

            I enabled "Serve Expired" yesterday and also removed "Enable SSL/TLS Service". But that was after I noticed the file was 0 bytes.

            The pfSense hardware is pretty new. 2 months old SG-1100. I have restored configurations from my old system, or I just restored the VPN part, I don't remember which one I did now :)

            • jimpJ
              jimp Rebel Alliance Developer Netgate
              last edited by

              Something is definitely unhappy in those files. run rm /var/unbound/unbound_*.pem /var/unbound/unbound_*.key and save/apply, see if that helps. That should force unbound to regenerate those files as well.

              • RonpfSR
                RonpfS
                last edited by

                @jimp said in Should unbound-control work by default?:

                Something is definitely unhappy in those files

                Files are empty 😌

                2.4.5-RELEASE-p1 (amd64)
                Intel Core2 Quad CPU Q8400 @ 2.66GHz 8GB
                Backup 0.5_5, Bandwidthd 0.7.4_4, Cron 0.3.7_5, pfBlockerNG-devel 3.0.0_16, Status_Traffic_Totals 2.3.1_1, System_Patches 1.2_5

                • T
                  Taz79 @jimp
                  last edited by

                  @jimp said in Should unbound-control work by default?:

                  Something is definitely unhappy in those files. run rm /var/unbound/unbound_*.pem /var/unbound/unbound_*.key and save/apply, see if that helps. That should force unbound to regenerate those files as well.

                  Holy **** ... That was a fast answer from your side!!! :)

                  I tried it, and it works! :) Unbound service is running now and I can do DNS lookups again :)

                  The files have been re-created and are not empty anymore.. Strange problem.. And also the file date of those files with 0 bytes was 7th Jan.. That was before I got my SG-1100... I guess the restore I did would not create files that way (with an old date)..

                  f3af4b4c-2889-4f72-ac10-ea4ea71ecb1a-image.png

                  • jimpJ
                    jimp Rebel Alliance Developer Netgate
                    last edited by

                    Did you maybe have a power event or otherwise unclean shutdown? It might have happened when pfSense was writing those files or they hadn't fully synchronized to disk yet. You might want to reboot it and run a disk check to be certain.

                    Worst case there you can rm -rf /var/unbound and save/apply and it should generate everything again.

                    The older date may be from when the system was initially imaged at the factory.

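
A read-only check for the condition diagnosed in this thread (a zero-byte remotecontrol.conf and empty unbound_*.pem / unbound_*.key files), as an added example that is not part of the original posts or of pfSense's own code. The paths and file globs are the ones quoted above; the function name check_unbound_control and the status words it prints are assumptions.

```shell
#!/bin/sh
# Added example (not pfSense code): read-only check of unbound's
# remote-control files. Paths and globs are the ones quoted in the thread;
# the function name and status words are hypothetical.

check_unbound_control() {
    dir="${1:-/var/unbound}"
    rc=0
    n=0

    # remotecontrol.conf: must exist, be non-empty, and enable the control
    # channel (unbound-control warned "control-enable is 'no'" when it was empty).
    conf="$dir/remotecontrol.conf"
    if [ ! -e "$conf" ]; then
        echo "MISSING $conf"; rc=1
    elif [ ! -s "$conf" ]; then
        echo "EMPTY $conf"; rc=1
    elif ! grep -Eq '^[[:space:]]*control-enable:[[:space:]]*yes' "$conf"; then
        echo "DISABLED $conf"; rc=1
    fi

    # Key and certificate files: report any that are zero bytes or that do
    # not contain a PEM header, the state seen in this thread.
    for f in "$dir"/unbound_*.pem "$dir"/unbound_*.key; do
        [ -e "$f" ] || continue          # glob matched nothing
        n=$((n + 1))
        if [ ! -s "$f" ]; then
            echo "EMPTY $f"; rc=1
        elif ! grep -q -e '-----BEGIN ' "$f"; then
            echo "NOT_PEM $f"; rc=1
        fi
    done
    [ "$n" -gt 0 ] || { echo "MISSING $dir/unbound_*.pem and unbound_*.key"; rc=1; }

    return "$rc"
}

# Usage on the firewall: check_unbound_control /var/unbound
```

A non-zero return with EMPTY lines matches the state in this thread, where removing the reported files and doing save/apply in the resolver settings regenerated them.
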
                    • T
                      Taz79
                      last edited by

                      This also solved other issues I had... Now Status -> DNS Resolver is working

                      d474d8de-df7c-42b1-8a4a-31f0d5addeca-image.png

                      AND! unbound-control works too! .. I'm a Happy panda now.. Thanks Jimp!!!!

                      eb42382d-e136-4b8a-93d4-4e0e7f9b7814-image.png

                      • RonpfSR
                        RonpfS
                        last edited by

                        The root.key.57361-0 file should not be there.

                        • jimpJ
                          jimp Rebel Alliance Developer Netgate @Taz79
                          last edited by

                          @Taz79 said in Should unbound-control work by default?:

                          This also solved other issues I had... Now Status -> DNS Resolver is working

                          Not surprising since that page uses data output from unbound-control :-)

                          • T
                            Taz79 @jimp
                            last edited by

                            @jimp said in Should unbound-control work by default?:

                            Did you maybe have a power event or otherwise unclean shutdown? It might have happened when pfSense was writing those files or they hadn't fully synchronized to disk yet. You might want to reboot it and run a disk check to be certain.

                            Worst case there you can rm -rf /var/unbound and save/apply and it should generate everything again.

                            The older date may be from when the system was initially imaged at the factory.

                            We very seldom have power fails here.. Last time was 2 years ago actually.. Some power fails are planned work but then I always shut down stuff first. I will buy a UPS for my router and other equipment soon though since power fails cause a lot of issues for sure! :)

                            Can I schedule a disk check at reboot and see the results later from "remote (web)"? Or must I have a display connected to the router?

                            • T
                              Taz79
                              last edited by

                              @jimp can I ask you about the feature "Serve Expired"?

                              5846fdd3-3731-423a-8c33-82996c1c2a09-image.png

                              I'm wondering when a record reaches a TTL of 0.. How long will it stay in the cache before it gets deleted? I mean how much good does this setting do? .. It seems like a good thing and does not take up any extra DNS traffic.

                              • T
                                tman222 @Taz79
                                last edited by

                                @Taz79 said in Should unbound-control work by default?:

                                @jimp can I ask you about the feature "Serve Expired"?

                                5846fdd3-3731-423a-8c33-82996c1c2a09-image.png

                                I'm wondering when a record reaches a TTL of 0.. How long will it stay in the cache before it gets deleted? I mean how much good does this setting do? .. It seems like a good thing and does not take up any extra DNS traffic.

                                I have had this enabled for some time with no ill effects that I can see. It seems that DNS TTLs are pretty short on major sites these days (I assume for load balancing purposes or because of the usage of CDNs?) so I find that this does speed things up a bit on my own network where there are just a handful of users. If there were a large number of users it might be less useful as the DNS cache would generally be kept hot otherwise (i.e. records would likely not expire before being requested again). Hope this helps.

                                • T
                                  Taz79 @tman222
                                  last edited by

                                  @tman222 said in Should unbound-control work by default?:

                                  @Taz79 said in Should unbound-control work by default?:

                                  @jimp can I ask you about the feature "Serve Expired"?

                                  5846fdd3-3731-423a-8c33-82996c1c2a09-image.png

                                  I'm wondering when a record reaches a TTL of 0.. How long will it stay in the cache before it gets deleted? I mean how much good does this setting do? .. It seems like a good thing and does not take up any extra DNS traffic.

                                  I have had this enabled for some time with no ill effects that I can see. It seems that DNS TTLs are pretty short on major sites these days (I assume for load balancing purposes or because of the usage of CDNs?) so I find that this does speed things up a bit on my own network where there are just a handful of users. If there were a large number of users it might be less useful as the DNS cache would generally be kept hot otherwise (i.e. records would likely not expire before being requested again). Hope this helps.

                                  Seems like I have to create a separate thread for this to get it sorted out :) .. It definitely helps me though, looking at the statistics. Thanks for your reply!

                                  Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.