DNS Resolver - Unable to save



  • pfSense Community:

    2.4.4-RELEASE-p2 (amd64) 
    built on Wed Dec 12 07:40:18 EST 2018 
    FreeBSD 11.2-RELEASE-p6 
    

    I am unable to save any changes to my DNS Resolver settings.

    While symptoms are similar to this thread: https://forum.netgate.com/topic/105345/dns-resolver-unbound-can-t-change-config they are also very different.

    The error I get is:

    The generated config file cannot be parsed by unbound. Please correct the following errors:
    /var/unbound/test/unbound_server.key: No such file or directory
    [1555454130] unbound-checkconf[25658:0] fatal error: server-key-file: "/var/unbound/test/unbound_server.key" does not exist
    

    These files exist under /var/unbound (Along with the root.key)

    mkdir /var/unbound/test/
    cp -ax /var/unbound/*.{key,pem} /var/unbound/test/
    

    Does not work
    Rebooting the system does not work.
    Regenerating the keys also did not work.

    From looking at the source of /etc/inc/unbound.inc in the function do_as_unbound_user, the following line doesn't appear to be executing correctly:

    mwexec("echo '/usr/local/sbin/unbound-control-setup -d {$g['unbound_chroot_path']}{$param1}' | /usr/bin/su -m unbound", true);

    Running this command manually from an SSH or console session (changing to use paths instead of variables) also seems to fail:

    [2.4.4-RELEASE][root@firewall.REDACTED]/etc/inc: echo '/usr/local/sbin/unbound-control-setup -d /var/unbound/test' | /usr/bin/su -m unbound
    pfSense - Netgate Device ID: REDACTED
    
    *** Welcome to pfSense 2.4.4-RELEASE-p2 (amd64) on firewall ***
    
     WAN (wan)       -> pppoe0     -> v4/PPPoE: REDACTED/32
     LAN (lan)       -> igb1       -> v4: 192.168.254.1/24
     HA (opt1)       -> igb2       -> v4: 192.168.253.1/24
     GAMING (opt2)   -> igb3       -> v4: 192.168.252.1/24
     VLAN_TEST (opt3) -> igb1.50    -> v4: 192.168.50.1/24
    
     0) Logout (SSH only)                  9) pfTop
     1) Assign Interfaces                 10) Filter Logs
     2) Set interface(s) IP address       11) Restart webConfigurator
     3) Reset webConfigurator password    12) PHP shell + pfSense tools
     4) Reset to factory defaults         13) Update from console
     5) Reboot system                     14) Disable Secure Shell (sshd)
     6) Halt system                       15) Restore recent configuration
     7) Ping host                         16) Restart PHP-FPM
     8) Shell
    
    
    pfSense - Netgate Device ID: REDACTED
    
    *** Welcome to pfSense 2.4.4-RELEASE-p2 (amd64) on firewall ***
    
     WAN (wan)       -> pppoe0     -> v4/PPPoE: REDACTED/32
     LAN (lan)       -> igb1       -> v4: 192.168.254.1/24
     HA (opt1)       -> igb2       -> v4: 192.168.253.1/24
     GAMING (opt2)   -> igb3       -> v4: 192.168.252.1/24
     VLAN_TEST (opt3) -> igb1.50    -> v4: 192.168.50.1/24
    
     0) Logout (SSH only)                  9) pfTop
     1) Assign Interfaces                 10) Filter Logs
     2) Set interface(s) IP address       11) Restart webConfigurator
     3) Reset webConfigurator password    12) PHP shell + pfSense tools
     4) Reset to factory defaults         13) Update from console
     5) Reboot system                     14) Disable Secure Shell (sshd)
     6) Halt system                       15) Restore recent configuration
     7) Ping host                         16) Restart PHP-FPM
     8) Shell
    
    
    kill: 25694: Operation not permitted
    

    However, if I switch to the unbound user using su -m unbound and then run /usr/local/sbin/unbound-control-setup -d /var/unbound/test, the command succeeds.

    Furthermore, if I edit /etc/inc/unbound.inc, modify function test_unbound_config to comment out the
    rmdir_recursive($cfgdir); line, then su to the unbound user and run the above command, the Web GUI will save once. Which brings me back to the mwexec call not running correctly, and I suspect it's the piping to the su command (since this doesn't work for me from the SSH or console either).

    The DNS Resolver Web GUI options I have enabled are:
    General:

    • DNS Query Forwarding
    • DHCP Registration
    • Static DHCP

    Advanced:

    • Hide Identity
    • Hide Version

    pfblocker is NOT installed.
    The system logs also do not show any errors or anything relating to the DNS Resolver.



  • @PrimusNZ I am having a similar error with the latest pfSense 2.4.4_3. Did you figure out how to get past this issue?



  • I don't have a "real" solution but have you tried backing up your config, reinstalling pfSense and then restoring your config? Sometimes brute force works :-)



  • @nfld_republic Thanks for the suggestion. I may try that if all else fails. However, I have recently had to do just that for a different issue, so not looking forward to re-installing again.

    Right now, it seems that unbound-checkconf does not copy the keys to the ./test directory, so when it goes to check, the keys are missing with the following error:

    The following input errors were detected:

    The generated config file cannot be parsed by unbound. Please correct the following errors:
    /var/unbound/test/root.key: No such file or directory
    [1561931530] unbound-checkconf[36495:0] fatal error: auto-trust-anchor-file: "/var/unbound/test/root.key" does not exist in chrootdir /var/unbound

    I am running the latest version of pfSense 2.4.4-RELEASE-p3, so someone must have had this issue already. I found a couple of other related threads, but there were no definite solutions in there.



  • @apara (Sounding like I know what I'm talking about 😋 ) If you think that this is a repeatable bug you should post it to the pfSense bugtracker - https://redmine.pfsense.org/



  • @apara said in DNS Resolver - Unable to save:

    it seems that unbound-checkconf does not copy the keys to the ./test directory,

    It's /etc/inc/unbound.inc : line 116 :

    do_as_unbound_user("unbound-anchor", $cfgsubdir);
    

    ( $cfgsubdir being "/test" here)
    that should create a root.key file in /var/unbound/test.

    I admit that I have not the slightest idea why this works great on all my pfSense systems and not yours.
    Just a wild guess: not enough entropy? (Creating keys consumes entropy.)



  • @Gertjan is there a way to increase the entropy?

    Are there any logs I can look at or increase verbosity to diagnose any issues?



  • @apara said in DNS Resolver - Unable to save:

    @Gertjan is there a way to increase the entropy?

    Dunno .... if that's the case.

    What I did to check things was commenting this line : /etc/inc/unbound.inc line 123 :

    rmdir_recursive($cfgdir);
    

    Now you can inspect the /var/unbound/test directory yourself.

    You could even create this missing root.key (/var/unbound/test/root.key) as it is created by /etc/inc/unbound.inc - see line 564

    True, this one :

    mwexec("echo '/usr/local/sbin/unbound-anchor -a {$root_key_file}' | /usr/bin/su -m unbound", true);
    

    comes back with a ....

    kill: 25188: Operation not permitted

    When I run it like this :

    /usr/bin/su -m unbound
    

    (switch to user unbound)

    and then

    /usr/local/sbin/unbound-anchor -a /var/unbound/test/root.key
    

    my root key is created (in /var/unbound/test/)

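Both failures in this thread (the missing unbound_server.key in the first post and the missing root.key later) surface only when unbound-checkconf runs against the generated test config. The following POSIX sh script is an added example, not part of this thread and not pfSense's unbound.inc: it reads the file-path directives out of an unbound.conf and reports which referenced files are absent from where unbound will look for them after it chroots, so the check can be run by hand before the GUI save. The directive names are real unbound.conf keys; the function names (conf_value, host_path, unbound_missing_files, unbound_preflight, make_demo_config), the chroot path rule it applies (a path already under the chroot is used as-is, any other absolute path is taken relative to the chroot, relative paths are relative to directory:) and the sample config it builds in a temp directory are assumptions made for this example.

```shell
#!/bin/sh
# Pre-flight check for an unbound config (added example, not pfSense code):
# list every key/anchor file the config references that does not exist
# where unbound will look for it once it has chrooted.
#
# Assumption about path resolution: a path that already starts with the
# chroot directory is used as-is, any other absolute path is resolved inside
# the chroot (cf. "does not exist in chrootdir" from unbound-checkconf), and
# a relative path is relative to the directory: setting.

# Print the value(s) of directive KEY in CONF, without quotes or comments.
conf_value() {
    key="$1"; conf="$2"
    sed -n "/^[[:space:]]*${key}:/{
        s/^[[:space:]]*${key}:[[:space:]]*//
        s/[[:space:]]*#.*$//
        s/^\"//
        s/\"[[:space:]]*$//
        p
    }" "$conf"
}

# Map a path as written in the config to where it must exist on the host
# before unbound chroots (rule above). Args: PATH CHROOT WORKDIR
host_path() {
    path="$1"; chroot="$2"; workdir="$3"
    case "$path" in
        /*) ;;
        *)  path="$workdir/$path" ;;        # relative to directory:
    esac
    case "$path" in
        "$chroot"/*) printf '%s\n' "$path" ;;        # already inside the chroot
        *)           printf '%s\n' "$chroot$path" ;; # resolved inside the chroot
    esac
}

# Print each referenced file that is missing, one per line, as written in CONF.
# Usage: unbound_missing_files /var/unbound/test/unbound.conf /var/unbound
unbound_missing_files() {
    conf="$1"; chroot="$2"
    workdir=$(conf_value directory "$conf" | head -n 1)
    [ -n "$workdir" ] || workdir="$chroot"
    # directives whose value is a file unbound must be able to open
    for key in server-key-file server-cert-file control-key-file \
               control-cert-file auto-trust-anchor-file trust-anchor-file; do
        conf_value "$key" "$conf"
    done |
    while IFS= read -r path; do
        [ -n "$path" ] || continue
        [ -e "$(host_path "$path" "$chroot" "$workdir")" ] || printf '%s\n' "$path"
    done
}

# Return 0 when every referenced file exists, 1 otherwise (listing them on stderr).
unbound_preflight() {
    missing=$(unbound_missing_files "$1" "$2")
    [ -z "$missing" ] && return 0
    printf 'files missing under chroot %s:\n%s\n' "$2" "$missing" >&2
    return 1
}

# Constructed sample: a temp dir laid out like pfSense's /var/unbound with the
# test config under /test and only the control certificate present.
make_demo_config() {
    root=$(mktemp -d)
    mkdir -p "$root/test"
    cat > "$root/test/unbound.conf" <<EOF
server:
    chroot: $root
    directory: $root/test
    auto-trust-anchor-file: "$root/test/root.key"   # DNSSEC trust anchor
remote-control:
    control-enable: yes
    server-key-file: "$root/test/unbound_server.key"
    server-cert-file: "$root/test/unbound_server.pem"
EOF
    : > "$root/test/unbound_server.pem"   # the only referenced file we create
    printf '%s\n' "$root"
}

# Stand-alone run: the demo config is expected to fail with two missing files.
demo=$(make_demo_config)
unbound_preflight "$demo/test/unbound.conf" "$demo" || echo "preflight failed for the demo config, as expected"
rm -rf "$demo"
```

Pointing it at the config that unbound-checkconf rejected separates "the key was never written" from "it was written somewhere unbound will not look after chrooting". Running it as the service account, for example with `su -m unbound -c 'sh preflight.sh /var/unbound/test/unbound.conf /var/unbound'` (FreeBSD su's -c hands the command to the shell instead of reading commands from stdin), also surfaces files that exist but are unreadable to unbound.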
