Netgate Discussion Forum

DNS Resolver - Unable to save

  • P
    PrimusNZ
    last edited by PrimusNZ Apr 16, 2019, 11:10 PM Apr 16, 2019, 10:55 PM

    pfSense Community:

    2.4.4-RELEASE-p2 (amd64) 
    built on Wed Dec 12 07:40:18 EST 2018 
    FreeBSD 11.2-RELEASE-p6 
    

    I am unable to save any changes to my DNS Resolver settings.

    While symptoms are similar to this thread: https://forum.netgate.com/topic/105345/dns-resolver-unbound-can-t-change-config they are also very different.

    The error I get is:

    The generated config file cannot be parsed by unbound. Please correct the following errors:
    /var/unbound/test/unbound_server.key: No such file or directory
    [1555454130] unbound-checkconf[25658:0] fatal error: server-key-file: "/var/unbound/test/unbound_server.key" does not exist
    

    These files exist under /var/unbound (Along with the root.key)

    mkdir /var/unbound/test/
    cp -ax /var/unbound/*.{key,pem} /var/unbound/test/
    

    Does not work
    Rebooting the system does not work.
    Regenerating the keys also did not work.

    From looking at the source of /etc/inc/unbound.inc, in the function do_as_unbound_user, the following line doesn't appear to be executing correctly:

    mwexec("echo '/usr/local/sbin/unbound-control-setup -d {$g['unbound_chroot_path']}{$param1}' | /usr/bin/su -m unbound", true);

    Running this command manually from an SSH or console session (changing to use paths instead of variables) also seems to fail:

    [2.4.4-RELEASE][root@firewall.REDACTED]/etc/inc: echo '/usr/local/sbin/unbound-control-setup -d /var/unbound/test' | /usr/bin/su -m unbound
    pfSense - Netgate Device ID: REDACTED
    
    *** Welcome to pfSense 2.4.4-RELEASE-p2 (amd64) on firewall ***
    
     WAN (wan)       -> pppoe0     -> v4/PPPoE: REDACTED/32
     LAN (lan)       -> igb1       -> v4: 192.168.254.1/24
     HA (opt1)       -> igb2       -> v4: 192.168.253.1/24
     GAMING (opt2)   -> igb3       -> v4: 192.168.252.1/24
     VLAN_TEST (opt3) -> igb1.50    -> v4: 192.168.50.1/24
    
     0) Logout (SSH only)                  9) pfTop
     1) Assign Interfaces                 10) Filter Logs
     2) Set interface(s) IP address       11) Restart webConfigurator
     3) Reset webConfigurator password    12) PHP shell + pfSense tools
     4) Reset to factory defaults         13) Update from console
     5) Reboot system                     14) Disable Secure Shell (sshd)
     6) Halt system                       15) Restore recent configuration
     7) Ping host                         16) Restart PHP-FPM
     8) Shell
    
    
    pfSense - Netgate Device ID: REDACTED
    
    *** Welcome to pfSense 2.4.4-RELEASE-p2 (amd64) on firewall ***
    
     WAN (wan)       -> pppoe0     -> v4/PPPoE: REDACTED/32
     LAN (lan)       -> igb1       -> v4: 192.168.254.1/24
     HA (opt1)       -> igb2       -> v4: 192.168.253.1/24
     GAMING (opt2)   -> igb3       -> v4: 192.168.252.1/24
     VLAN_TEST (opt3) -> igb1.50    -> v4: 192.168.50.1/24
    
     0) Logout (SSH only)                  9) pfTop
     1) Assign Interfaces                 10) Filter Logs
     2) Set interface(s) IP address       11) Restart webConfigurator
     3) Reset webConfigurator password    12) PHP shell + pfSense tools
     4) Reset to factory defaults         13) Update from console
     5) Reboot system                     14) Disable Secure Shell (sshd)
     6) Halt system                       15) Restore recent configuration
     7) Ping host                         16) Restart PHP-FPM
     8) Shell
    
    
    kill: 25694: Operation not permitted
    

    However, if I switch to the unbound user using su -m unbound and then run /usr/local/sbin/unbound-control-setup -d /var/unbound/test, the command succeeds.

    Furthermore, if I edit /etc/inc/unbound.inc and modify function test_unbound_config and comment out the
    rmdir_recursive($cfgdir); line, then su to the unbound user and then run the above command, the Web GUI will save once. Which brings me back to the mwexec call not running correctly, and I suspect it's the piping to the su command (since this doesn't work for me from the SSH or console session either).

    The DNS Resolver Web GUI options I have enabled are:
    General:

    • DNS Query Forwarding
    • DHCP Registration
    • Static DHCP

    Advanced:

    • Hide Identity
    • Hide Version

    pfblocker is NOT installed.
    The system logs also do not show any errors or anything relating to the DNS Resolver.

    • A
      apara @PrimusNZ
      last edited by Jun 30, 2019, 7:58 PM

      @PrimusNZ I am having a similar error with the latest pfSense 2.4.4_3. Did you figure out how to get past this issue?

      • N
        nfld_republic
        last edited by Jun 30, 2019, 9:14 PM

        I don't have a "real" solution but have you tried backing up your config, reinstalling pfSense and then restoring your config? Sometimes brute force works :-)

        • A
          apara @nfld_republic
          last edited by apara Jun 30, 2019, 9:53 PM Jun 30, 2019, 9:51 PM

          @nfld_republic Thanks for the suggestion. I may try that if all else fails. However, I have recently had to do just that for a different issue, so not looking forward to re-installing again.

          Right now, it seems that unbound-checkconf does not copy the keys to the ./test directory, so when it goes to check, the keys are missing with the following error:

          The following input errors were detected:

          The generated config file cannot be parsed by unbound. Please correct the following errors:
          /var/unbound/test/root.key: No such file or directory
          [1561931530] unbound-checkconf[36495:0] fatal error: auto-trust-anchor-file: "/var/unbound/test/root.key" does not exist in chrootdir /var/unbound

          I am running the latest version of pfSense 2.4.4-RELEASE-p3, so someone must have had this issue already. I found a couple of other related threads, but there were no definite solutions in there.

          • N
            nfld_republic @apara
            last edited by Jun 30, 2019, 10:50 PM

            @apara (Sounding like I know what I'm talking about 😋 ) If you think that this is a repeatable bug you should post it to the pfSense bugtracker - https://redmine.pfsense.org/

            • G
              Gertjan @apara
              last edited by Jul 1, 2019, 2:34 PM

              @apara said in DNS Resolver - Unable to save:

              it seems that unbound-checkconf does not copy the keys to the ./test directory,

              It's /etc/inc/unbound.inc : line 116 :

              do_as_unbound_user("unbound-anchor", $cfgsubdir);
              

              ( $cfgsubdir being "/test" here)
              that should create a root.key file in /var/unbound/test.

              I admit that I have not the slightest idea why this works great on all my pfSense systems and not yours.
              Just a wild guess : not enough entropy ? (creating keys consumes entropy).

              No "help me" PM's please. Use the forum, the community will thank you.
              Edit : and where are the logs ??

              • A
                apara @Gertjan
                last edited by Jul 1, 2019, 3:15 PM

                @Gertjan is there a way to increase the entropy?

                Are there any logs I can look at or increase verbosity to diagnose any issues?

                • G
                  Gertjan @apara
                  last edited by Jul 1, 2019, 3:30 PM

                  @apara said in DNS Resolver - Unable to save:

                  @Gertjan is there a way to increase the entropy?

                  Dono .... if that's the case.

                  What I did to check things was commenting this line : /etc/inc/unbound.inc line 123 :

                  rmdir_recursive($cfgdir);
                  

                  Now you can inspect the /var/unbound/test directory yourself.

                  You could even create this missing root.key (/var/unbound/test/root.key) as it is created by /etc/inc/unbound.inc - see line 564

                  True, this one :

                  mwexec("echo '/usr/local/sbin/unbound-anchor -a {$root_key_file}' | /usr/bin/su -m unbound", true);
                  

                  comes back with a ....

                  kill: 25188: Operation not permitted

                  When I run it like this :

                  /usr/bin/su -m unbound
                  

                  (switch to user unbound)

                  and then

                  /usr/local/sbin/unbound-anchor -a /var/unbound/test/root.key
                  

                  my root key is created (in /var/unbound/test/)

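
The inspection step described above (keep /var/unbound/test in place, then look inside it) can be scripted. This is an added example, not code from the thread or from pfSense: the function name is hypothetical, the four unbound_* names are the files unbound-control-setup writes, and it assumes the generated config references all five files.

```shell
#!/bin/sh
# Added example: report which files unbound-checkconf would fail on.
# Run after commenting out rmdir_recursive($cfgdir) so the directory survives.
# Usage (after sourcing this file): check_unbound_test_dir /var/unbound/test

# Files written by unbound-control-setup, plus the trust anchor from unbound-anchor.
REQUIRED="unbound_server.key unbound_server.pem unbound_control.key unbound_control.pem root.key"

# check_unbound_test_dir [DIR]
# Prints one line per problem and returns the number of problems found
# (returns 1 if the directory itself is missing).
check_unbound_test_dir() {
    dir=${1:-/var/unbound/test}   # default: path from the thread's error messages
    problems=0
    if [ ! -d "$dir" ]; then
        echo "MISSING-DIR $dir"
        return 1
    fi
    for f in $REQUIRED; do
        path="$dir/$f"
        if [ ! -e "$path" ]; then
            echo "MISSING $path"      # the "does not exist" case from the thread
        elif [ ! -s "$path" ]; then
            echo "EMPTY $path"        # created, but the generator wrote nothing
        elif [ ! -r "$path" ]; then
            echo "UNREADABLE $path"   # only meaningful when run as the unbound user
        else
            continue
        fi
        problems=$((problems + 1))
    done
    return "$problems"
}
```

Running it as the unbound user rather than root makes the readability check meaningful, since root can read every file regardless of mode.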
                  • B
                    bbrendon
                    last edited by bbrendon Jun 14, 2020, 8:17 PM Jun 14, 2020, 8:17 PM

                    Has anyone gotten past this? It seems like it should be so simple. I can't figure it out either! (v 2.4.5-p1)

                    • B
                      bbrendon
                      last edited by Jun 14, 2020, 8:39 PM

                      I got past it somehow. I "think" either messing with /root/.profile or a reboot fixed it.
