Netgate Discussion Forum
    • Categories
    • Recent
    • Tags
    • Popular
    • Users
    • Search
    • Register
    • Login

    DNS Resolver/Unbound is not resolving

    Scheduled Pinned Locked Moved DHCP and DNS
    3 Posts 2 Posters 568 Views
    Loading More Posts
    • Oldest to Newest
    • Newest to Oldest
    • Most Votes
    Reply
    • Reply as topic
    Log in to reply
    This topic has been deleted. Only users with topic management privileges can see it.
    • 2
      2malH
      last edited by 2malH

      Hi guys,

      for some reason I can't get the DNS Resolver/Unbound to do it's job. It seems that over time I must have misconfigured something so that it stopped working in the default way: to resolve DNS locally via 127.0.0.1 without any external server. (Temporarily I've added a forwarding rule to 1.1.1.1 in the config just so that I can access the internet right now.)

      I've followed a lot of tipps and setting advices on this forum and reddit but nothing's working. So here I am, asking for help. I've disabled pfBlockerNG, removed every firewall rule that I temporarily tried to forward DNS traffic, removed the unbound_control and anbound_server files, restarted unbound and the system, tried to dig & trace the resolver. I'm lost. The system logs don't show anything suspicious to me (no errors), the DNS lookup just gives me a "Host "google.com" could not be resolved."

      Running latest version 2.4.5-RELEASE-p1 (amd64)

      Here's my unbound.config:

      ##########################
      # Unbound Configuration
      ##########################
      
      ##
      # Server configuration
      ##
      server:
      
      chroot: /var/unbound
      username: "unbound"
      directory: "/var/unbound"
      pidfile: "/var/run/unbound.pid"
      use-syslog: yes
      port: 53
      verbosity: 4
      hide-identity: yes
      hide-version: yes
      harden-glue: yes
      do-ip4: yes
      do-ip6: yes
      do-udp: yes
      do-tcp: yes
      do-daemonize: yes
      module-config: "validator iterator"
      unwanted-reply-threshold: 0
      num-queries-per-thread: 512
      jostle-timeout: 200
      infra-host-ttl: 900
      infra-cache-numhosts: 10000
      outgoing-num-tcp: 10
      incoming-num-tcp: 10
      edns-buffer-size: 4096
      cache-max-ttl: 86400
      cache-min-ttl: 0
      harden-dnssec-stripped: yes
      msg-cache-size: 4m
      rrset-cache-size: 8m
      
      num-threads: 4
      msg-cache-slabs: 4
      rrset-cache-slabs: 4
      infra-cache-slabs: 4
      key-cache-slabs: 4
      outgoing-range: 4096
      #so-rcvbuf: 4m
      auto-trust-anchor-file: /var/unbound/root.key
      prefetch: yes
      prefetch-key: yes
      use-caps-for-id: no
      serve-expired: no
      # Statistics
      # Unbound Statistics
      statistics-interval: 0
      extended-statistics: yes
      statistics-cumulative: yes
      
      # TLS Configuration
      tls-cert-bundle: "/etc/ssl/cert.pem"
      
      # Interface IP(s) to bind to
      interface-automatic: yes
      interface: 0.0.0.0
      interface: ::0
      
      # Outgoing interfaces to be used
      
      # DNS Rebinding
      # For DNS Rebinding prevention
      private-address: 127.0.0.0/8
      private-address: 10.0.0.0/8
      private-address: ::ffff:a00:0/104
      private-address: 172.16.0.0/12
      private-address: ::ffff:ac10:0/108
      private-address: 169.254.0.0/16
      private-address: ::ffff:a9fe:0/112
      private-address: 192.168.0.0/16
      private-address: ::ffff:c0a8:0/112
      private-address: fd00::/8
      private-address: fe80::/10
      # Set private domains in case authoritative name server returns a Private IP address
      
      
      # Access lists
      include: /var/unbound/access_lists.conf
      
      # Static host entries
      include: /var/unbound/host_entries.conf
      
      # dhcp lease entries
      include: /var/unbound/dhcpleases_entries.conf
      
      
      
      # Domain overrides
      include: /var/unbound/domainoverrides.conf
      
      
      # Unbound custom options
      server:
      log-queries: yes
      log-replies: yes
      forward-zone:
      name: "."
      forward-ssl-upstream: yes
      forward-addr: 1.1.1.1@853
      forward-addr: 1.0.0.1@853
      
      # ^^ I've added the forwarding part just temporarily to access the web right now.
      ####
      
      
      ###
      # Remote Control Config
      ###
      include: /var/unbound/remotecontrol.conf
      

      pfsense_resolver_settings3.png pfsense_resolver_settings2.png pfsense_resolver_settings1.png pfsense_general_setup.png
      unbound_control.png pfsense_sockstat2.png pfsense_sockstat3.png pfsense_sockstat.png pfsense_ps_aux.png pfsense_general_setup.png pfsense_dns_lookup.png pfsense_dig.png

      Thanks for your help in advance!!

      Edit: Added screenshots. I think that the output of sockstat | grep :953 is kind of suspicious as there seems to be something off? Multiple processes listening to the port?

      1 Reply Last reply Reply Quote 0
      • 2
        2malH
        last edited by

        So unfortunately no one has an idea on how to fix this or what I'm missing/overseeing in the configuration?

        I'd really appreciate any thoughts on what to try to get rid of the DNS forwarding. :)

        Thanks!

        GertjanG 1 Reply Last reply Reply Quote 0
        • GertjanG
          Gertjan @2malH
          last edited by Gertjan

          @2malH said in DNS Resolver/Unbound is not resolving:

          So unfortunately no one has an idea on how to fix this or what I'm missing/overseeing in the configuration?

          Can't really see why unbound refuses to work ....

          For testes, use the SSH (or console) access, it far more easier to work with.
          Like :

          dig @127.0.0.1 google.com ANY
          

          This :

          07b5db2b-30db-4f15-8cb9-fed61da9d83d-image.png

          both are set to "All", right ?

          Like ae34bc35-69c8-48d3-8657-db0f38d5b875-image.png

          218d37dc-37de-4cf2-8efe-7947f12097df-image.png

          Your unbound.conf mentions that you included other lines, like

          forward-zone:
          name: "."
          forward-ssl-upstream: yes
          forward-addr: 1.1.1.1@853
          forward-addr: 1.0.0.1@853
          

          What happens if you back your settings, and reset your settings, make you WAN work (and do nothing more) : does unbound work now ?
          If so, compare actual, resetted settings with your back up settings.

          Btw : you do not block TCP port 53 traffic with a floating firewall rule, right ? (DNS can also be TCP, not only UDP, especially if you ask DNSSEC info)

          These :

          log-queries: yes
          log-replies: yes
          

          will 'explode' your logs as there will be a huge number of log lines.
          Remember : to much info kills the info.

          No "help me" PM's please. Use the forum, the community will thank you.
          Edit : and where are the logs ??

          1 Reply Last reply Reply Quote 0
          • First post
            Last post
          Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.