Netgate Discussion Forum
    • Categories
    • Recent
    • Tags
    • Popular
    • Users
    • Search
    • Register
    • Login

    DNS Resolver/Unbound is not resolving

    Scheduled Pinned Locked Moved
    DHCP and DNS
    2
    3
    479
    Loading More Posts
    • Oldest to Newest
    • Newest to Oldest
    • Most Votes
    Reply
    • Reply as topic
    Log in to reply
    This topic has been deleted. Only users with topic management privileges can see it.
    • 2
      2malH
      last edited by 2malH

      Hi guys,

      for some reason I can't get the DNS Resolver/Unbound to do it's job. It seems that over time I must have misconfigured something so that it stopped working in the default way: to resolve DNS locally via 127.0.0.1 without any external server. (Temporarily I've added a forwarding rule to 1.1.1.1 in the config just so that I can access the internet right now.)

      I've followed a lot of tipps and setting advices on this forum and reddit but nothing's working. So here I am, asking for help. I've disabled pfBlockerNG, removed every firewall rule that I temporarily tried to forward DNS traffic, removed the unbound_control and anbound_server files, restarted unbound and the system, tried to dig & trace the resolver. I'm lost. The system logs don't show anything suspicious to me (no errors), the DNS lookup just gives me a "Host "google.com" could not be resolved."

      Running latest version 2.4.5-RELEASE-p1 (amd64)

      Here's my unbound.config:

      ##########################
# Unbound Configuration
##########################

##
# Server configuration
##
server:

chroot: /var/unbound
username: "unbound"
directory: "/var/unbound"
pidfile: "/var/run/unbound.pid"
use-syslog: yes
port: 53
verbosity: 4
hide-identity: yes
hide-version: yes
harden-glue: yes
do-ip4: yes
do-ip6: yes
do-udp: yes
do-tcp: yes
do-daemonize: yes
module-config: "validator iterator"
unwanted-reply-threshold: 0
num-queries-per-thread: 512
jostle-timeout: 200
infra-host-ttl: 900
infra-cache-numhosts: 10000
outgoing-num-tcp: 10
incoming-num-tcp: 10
edns-buffer-size: 4096
cache-max-ttl: 86400
cache-min-ttl: 0
harden-dnssec-stripped: yes
msg-cache-size: 4m
rrset-cache-size: 8m

num-threads: 4
msg-cache-slabs: 4
rrset-cache-slabs: 4
infra-cache-slabs: 4
key-cache-slabs: 4
outgoing-range: 4096
#so-rcvbuf: 4m
auto-trust-anchor-file: /var/unbound/root.key
prefetch: yes
prefetch-key: yes
use-caps-for-id: no
serve-expired: no
# Statistics
# Unbound Statistics
statistics-interval: 0
extended-statistics: yes
statistics-cumulative: yes

# TLS Configuration
tls-cert-bundle: "/etc/ssl/cert.pem"

# Interface IP(s) to bind to
interface-automatic: yes
interface: 0.0.0.0
interface: ::0

# Outgoing interfaces to be used

# DNS Rebinding
# For DNS Rebinding prevention
private-address: 127.0.0.0/8
private-address: 10.0.0.0/8
private-address: ::ffff:a00:0/104
private-address: 172.16.0.0/12
private-address: ::ffff:ac10:0/108
private-address: 169.254.0.0/16
private-address: ::ffff:a9fe:0/112
private-address: 192.168.0.0/16
private-address: ::ffff:c0a8:0/112
private-address: fd00::/8
private-address: fe80::/10
# Set private domains in case authoritative name server returns a Private IP address


# Access lists
include: /var/unbound/access_lists.conf

# Static host entries
include: /var/unbound/host_entries.conf

# dhcp lease entries
include: /var/unbound/dhcpleases_entries.conf



# Domain overrides
include: /var/unbound/domainoverrides.conf


# Unbound custom options
server:
log-queries: yes
log-replies: yes
forward-zone:
name: "."
forward-ssl-upstream: yes
forward-addr: 1.1.1.1@853
forward-addr: 1.0.0.1@853

# ^^ I've added the forwarding part just temporarily to access the web right now.
####


###
# Remote Control Config
###
include: /var/unbound/remotecontrol.conf

      pfsense_resolver_settings3.png pfsense_resolver_settings2.png pfsense_resolver_settings1.png pfsense_general_setup.png
      unbound_control.png pfsense_sockstat2.png pfsense_sockstat3.png pfsense_sockstat.png pfsense_ps_aux.png pfsense_general_setup.png pfsense_dns_lookup.png pfsense_dig.png

      Thanks for your help in advance!!

      Edit: Added screenshots. I think that the output of sockstat | grep :953 is kind of suspicious as there seems to be something off? Multiple processes listening to the port?

      1 Reply Last reply Reply Quote 0
      • 2
        2malH
        last edited by

        So unfortunately no one has an idea on how to fix this or what I'm missing/overseeing in the configuration?

        I'd really appreciate any thoughts on what to try to get rid of the DNS forwarding. :)

        Thanks!

        GertjanG 1 Reply Last reply Reply Quote 0
        • GertjanG
          Gertjan @2malH
          last edited by Gertjan

          @2malH said in DNS Resolver/Unbound is not resolving:

          So unfortunately no one has an idea on how to fix this or what I'm missing/overseeing in the configuration?

          Can't really see why unbound refuses to work ....

          For testes, use the SSH (or console) access, it far more easier to work with.
          Like :

          dig @127.0.0.1 google.com ANY

          This :

          07b5db2b-30db-4f15-8cb9-fed61da9d83d-image.png

          both are set to "All", right ?

          Like ae34bc35-69c8-48d3-8657-db0f38d5b875-image.png

          218d37dc-37de-4cf2-8efe-7947f12097df-image.png

          Your unbound.conf mentions that you included other lines, like

          forward-zone:
name: "."
forward-ssl-upstream: yes
forward-addr: 1.1.1.1@853
forward-addr: 1.0.0.1@853

          What happens if you back your settings, and reset your settings, make you WAN work (and do nothing more) : does unbound work now ?
          If so, compare actual, resetted settings with your back up settings.

          Btw : you do not block TCP port 53 traffic with a floating firewall rule, right ? (DNS can also be TCP, not only UDP, especially if you ask DNSSEC info)

          These :

          log-queries: yes
log-replies: yes

          will 'explode' your logs as there will be a huge number of log lines.
          Remember : to much info kills the info.

          No "help me" PM's please. Use the forum, the community will thank you.
          Edit : and where are the logs ??

          1 Reply Last reply Reply Quote 0
          • First post
            Last post
          Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.