Should unbound-control work by default?



  • I have seen people use unbound-control to get statistics out of the performance of the cache hits, for example. But when I try I get an error message. The function seems to be turned off. Is this function disabled by default and has to be enabled by me? I have tried searching for the same issue but not found this specific question.

    Last entries of /var/unbound/unbound.conf contains this:

    ###
    # Remote Control Config
    ###
    include: /var/unbound/remotecontrol.conf
    

    The file remotecontrol.conf is 0 bytes.

    [2.4.4-RELEASE][admin@Fenix.localdomain]/root: unbound-control -c /var/unbound/unbound.conf stats_noreset
    [1554920137] unbound-control[36436:0] warning: control-enable is 'no' in the config file.
    

    I found a guide on how to configure it.. Just want to check first so that I don't mess anything up.. :)
    https://wiki.archlinux.org/index.php/unbound#Setting_up_unbound-control


  • Rebel Alliance Developer Netgate

    You have to pass it the location of the config file, but otherwise it should work. The second command you showed, unbound-control -c /var/unbound/unbound.conf <command>, works fine here.

    /var/unbound/remotecontrol.conf shouldn't be zero bytes, so it's also possible something corrupted that. Easy test is to rm /var/unbound/remotecontrol.conf and then save/apply in the resolver settings.

    Anything special about your setup? Any custom options in unbound? DNSBL or other pfBlocker things enabled?


  • Rebel Alliance Developer Netgate

    Looks like the file being empty is an edge case that wasn't covered. Looks like it should be rewritten then, too. I opened https://redmine.pfsense.org/issues/9470 and pushed a fix.



  • @jimp said in Should unbound-control work by default?:

    /var/unbound/remotecontrol.conf shouldn't be zero bytes, so it's also possible something corrupted that. Easy test is to rm /var/unbound/remotecontrol.conf and then save/apply in the resolver settings.

    That solved the problem!! What would I do without you guys! I would have tried to add my own settings in that file and that would not have been good, I guess.. :)

    EDIT: whoops.. it looked good from the beginning.. check my screenshots below.. The file got re-created and it looked good.. But now the unbound service won't start up; I noticed because my wife started complaining about Netflix not working anymore... HAHA..

    Here is the error message from the General log: [screenshot]

    Status before: [screenshot]

    After save: [screenshot]

    Content of the new file: [screenshot]

    Anything special about your setup? Any custom options in unbound? DNSBL or other pfBlocker things enabled?

    The only addition I'm running at the moment is BandwidthD. Before, I had changed the outgoing network interfaces to my VPN tunnel to the internet, but I have since changed it back to "All" again.

    I enabled "Serve Expired" yesterday and also removed "Enable SSL/TLS Service". But that was after I noticed the file was 0 bytes.

    The pfSense hardware is pretty new, a 2-month-old SG-1100. I have restored configurations from my old system, or I just restored the VPN part, I don't remember which one I did now :)


  • Rebel Alliance Developer Netgate

    Something is definitely unhappy in those files. run rm /var/unbound/unbound_*.pem /var/unbound/unbound_*.key and save/apply, see if that helps. That should force unbound to regenerate those files as well.

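The two failure modes in this thread, an empty remotecontrol.conf (unbound then falls back to control-enable: no and unbound-control refuses to talk) and empty key/certificate files (unbound then fails to start), can be checked before deleting anything. The following is an added example, not pfSense or Unbound project code. It assumes pfSense's /var/unbound layout with remotecontrol.conf included from unbound.conf, and the default file names that the upstream unbound-control-setup(8) tool generates (unbound_server.key/.pem, unbound_control.key/.pem); the thread's own fix is to remove those files and save/apply so pfSense regenerates them.

```shell
#!/bin/sh
# Added example (not pfSense or Unbound code): sanity-check the pieces
# Unbound's remote-control needs before trusting unbound-control output.
# Assumptions: chroot/config dir is /var/unbound, remotecontrol.conf is
# included from unbound.conf, and the key/cert file names are the defaults
# produced by unbound-control-setup(8).
# Usage: sh unbound_rc_check.sh [/var/unbound]

# check_unbound_rc DIR
#   Prints one FAIL line per problem and returns 1 if any were found;
#   returns 0 when the remote-control config and all four files look sane.
check_unbound_rc() {
    dir=${1:-/var/unbound}
    rc="$dir/remotecontrol.conf"
    bad=0

    # 1. The include target must exist and be non-empty. A 0-byte file is
    #    the case from the thread: unbound keeps its built-in default of
    #    control-enable: no, and unbound-control warns and exits.
    if [ ! -s "$rc" ]; then
        echo "FAIL: $rc is missing or empty (control-enable defaults to no)"
        bad=1
    elif ! grep -Eq '^[[:space:]]*control-enable:[[:space:]]*yes' "$rc"; then
        echo "FAIL: $rc does not set control-enable: yes"
        bad=1
    fi

    # 2. The TLS material the daemon and unbound-control use to authenticate
    #    each other. Empty files here stop unbound from starting at all.
    for f in unbound_server.key unbound_server.pem \
             unbound_control.key unbound_control.pem; do
        if [ ! -s "$dir/$f" ]; then
            echo "FAIL: $dir/$f is missing or empty"
            bad=1
        fi
    done
    return $bad
}

# probe_unbound_rc CONF
#   Live check: ask the running daemon for its status via unbound-control,
#   passing the config path explicitly as the thread does. Returns 2 if
#   unbound-control is not installed on this host.
probe_unbound_rc() {
    conf=${1:-/var/unbound/unbound.conf}
    command -v unbound-control >/dev/null 2>&1 || return 2
    unbound-control -c "$conf" status
}

# Only run the static check when a directory was given on the command line.
if [ "$#" -gt 0 ]; then
    check_unbound_rc "$1"
fi
```

Run the static check first; only when it passes is a failure from `probe_unbound_rc` worth debugging as a daemon or socket problem rather than a broken file.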


  • @jimp said in Should unbound-control work by default?:

    Something is definitely unhappy in those files

    Files are empty 😌



  • @jimp said in Should unbound-control work by default?:

    Something is definitely unhappy in those files. run rm /var/unbound/unbound_*.pem /var/unbound/unbound_*.key and save/apply, see if that helps. That should force unbound to regenerate those files as well.

    Holy **** ... That was a fast answer from your side!!! :)

    I tried it, and it works! :) The Unbound service is running now and I can do DNS lookups again :)

    The files have been re-created and are not empty anymore.. Strange problem.. And also the file date of those files with 0 bytes was 7th Jan.. That was before I got my SG-1100... I guess the restore I did would not create files that way (with an old date)..

    [screenshot]


  • Rebel Alliance Developer Netgate

    Did you maybe have a power event or otherwise unclean shutdown? It might have happened when pfSense was writing those files or they hadn't fully synchronized to disk yet. You might want to reboot it and run a disk check to be certain.

    Worst case there you can rm -rf /var/unbound and save/apply and it should generate everything again.

    The older date may be from when the system was initially imaged at the factory.



  • This also solved other issues I had... Now Status -> DNS Resolver is working

    [screenshot]

    AND! unbound-control works too! .. I'm a happy panda now.. Thanks jimp!!!!

    [screenshot]



  • The root.key.57361-0 file should not be there.


  • Rebel Alliance Developer Netgate

    @Taz79 said in Should unbound-control work by default?:

    This also solved other issues i had... Now Status -> DNS Resolver is working

    Not surprising since that page uses data output from unbound-control :-)



  • @jimp said in Should unbound-control work by default?:

    Did you maybe have a power event or otherwise unclean shutdown? It might have happened when pfSense was writing those files or they hadn't fully synchronized to disk yet. You might want to reboot it and run a disk check to be certain.

    Worst case there you can rm -rf /var/unbound and save/apply and it should generate everything again.

    The older date may be from when the system was initially imaged at the factory.

    We very seldom have power failures here.. The last time was 2 years ago, actually.. Some power failures are planned work, but then I always shut down stuff first. I will buy a UPS for my router and other equipment soon, though, since power failures cause a lot of issues for sure! :)

    Can I schedule a disk check at reboot and see the results later remotely (web)? .. or must I have a display connected to the router?



  • @jimp can I ask you about the feature "Serve Expired"?

    [screenshot]

    I'm wondering, when a record reaches a TTL of 0, how long will it stay in the cache before it gets deleted? I mean, how much good does this setting do? .. It seems like a good thing and does not take up any extra DNS traffic.



  • @Taz79 said in Should unbound-control work by default?:

    @jimp can I ask you about the feature "Serve Expired"?

    [screenshot]

    I'm wondering, when a record reaches a TTL of 0, how long will it stay in the cache before it gets deleted? I mean, how much good does this setting do? .. It seems like a good thing and does not take up any extra DNS traffic.

    I have had this enabled for some time with no ill effects that I can see. It seems that DNS TTLs are pretty short on major sites these days (I assume for load-balancing purposes or because of the usage of CDNs?), so I find that this does speed things up a bit on my own network, where there are just a handful of users. If there were a large number of users it might be less useful, as the DNS cache would generally be kept hot otherwise (i.e. records would likely not expire before being requested again). Hope this helps.



  • @tman222 said in Should unbound-control work by default?:

    @Taz79 said in Should unbound-control work by default?:

    @jimp can I ask you about the feature "Serve Expired"?

    [screenshot]

    I'm wondering, when a record reaches a TTL of 0, how long will it stay in the cache before it gets deleted? I mean, how much good does this setting do? .. It seems like a good thing and does not take up any extra DNS traffic.

    I have had this enabled for some time with no ill effects that I can see. It seems that DNS TTLs are pretty short on major sites these days (I assume for load-balancing purposes or because of the usage of CDNs?), so I find that this does speed things up a bit on my own network, where there are just a handful of users. If there were a large number of users it might be less useful, as the DNS cache would generally be kept hot otherwise (i.e. records would likely not expire before being requested again). Hope this helps.

    Seems like I have to create a separate thread for this to get it sorted out :) .. It definitely helps me, though, looking at the statistics. Thanks for your reply!

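The question of how much "Serve Expired" actually does is one the counters from the first post can answer: unbound-control's stats report how many answers came from cache and how many of those were served from an already-expired entry. The following is an added example, not from the thread or from the Unbound project. It assumes the counter names documented in unbound-control(8) (total.num.queries, total.num.cachehits, total.num.expired); the sample stats block is constructed for illustration, not captured from a real box, and total.num.expired is only reported by Unbound releases that count expired answers, so on older builds it simply reads as 0.

```shell
#!/bin/sh
# Added example (not pfSense or Unbound code): summarise cache behaviour
# from `unbound-control stats_noreset` output, including how often an
# expired entry was handed out under serve-expired.
# Assumed counter names are those of unbound-control(8); the sample below
# is constructed, not real measurements.

SAMPLE_STATS='total.num.queries=12000
total.num.cachehits=9000
total.num.cachemiss=3000
total.num.prefetch=400
total.num.expired=250
total.requestlist.avg=1.5
time.up=86400.000000'

# cache_summary
#   Reads name=value stats lines on stdin and prints one line:
#   "hit_ratio=<cache hits as % of queries> expired_share=<expired answers as % of queries>"
#   Returns 1 if no queries were counted (nothing to compute).
cache_summary() {
    awk -F= '
        $1 == "total.num.queries"   { q = $2 }
        $1 == "total.num.cachehits" { h = $2 }
        $1 == "total.num.expired"   { e = $2 }   # absent on old builds -> 0
        END {
            if (q + 0 == 0) { print "no queries counted"; exit 1 }
            printf "hit_ratio=%d%% expired_share=%d%%\n", 100 * h / q, 100 * e / q
        }'
}

# live_summary [CONF]
#   Same summary from the running daemon. Uses stats_noreset so the
#   counters keep accumulating, as the thread does. Returns 2 if
#   unbound-control is not installed here.
live_summary() {
    conf=${1:-/var/unbound/unbound.conf}
    command -v unbound-control >/dev/null 2>&1 || return 2
    unbound-control -c "$conf" stats_noreset | cache_summary
}

# Demonstrate on the constructed sample when run directly with "demo".
if [ "${1:-}" = "demo" ]; then
    printf '%s\n' "$SAMPLE_STATS" | cache_summary
fi
```

A low expired_share on a busy resolver matches tman222's reasoning above: with many clients the cache stays hot and few lookups ever reach an expired entry, so the setting mostly pays off on small networks.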
