Unbound fails to parse config if DNS Query Forwarding and custom options are enabled
-
If DNS Query Forwarding is enabled, custom options may not work (a config parsing error is reported).
Config example (error):
    # Forwarding
    forward-zone:
        name: "."
        forward-tls-upstream: yes
        forward-addr: 8.8.8.8@853
        forward-addr: 8.8.4.4@853
    # Unbound custom options
    log-servfail: yes
Config example (good):
    # Unbound custom options
    log-servfail: yes
    # Forwarding
    forward-zone:
        name: "."
        forward-tls-upstream: yes
        forward-addr: 8.8.8.8@853
        forward-addr: 8.8.4.4@853
For some weird reason order matters, and the web UI orders them in the wrong way :(
Filed https://redmine.pfsense.org/issues/11263, will see if that gets fixed
-
Are you putting in the server: entry in the custom option box that needs to be there?
-
Looks like that's exactly what was missing :(
I hope the devs can add some help text near that section; it feels like I already had this problem before (my other config includes a "server:" prefix line).
-
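A small clause-aware checker for the failure diagnosed in the posts above, added here as an example; it is not code from this thread, from pfSense or from Unbound. unbound.conf groups options under clause headers written as `server:` or `forward-zone:`, and an option is only accepted inside the clause it belongs to. The clause and option tables below are a constructed subset of unbound.conf(5) covering only the options used in the thread, the sample fragments are constructed from the two orderings posted, and the `initial_clause` parameter models the assumption that pfSense splices the custom options box into an already-open clause of the generated config. With the "bad" ordering, `log-servfail` lands under `forward-zone:`; with an explicit `server:` header at the top of the box the fragment checks out no matter where it is spliced.

```python
"""Clause-aware check for unbound.conf custom-option fragments (added example).

unbound.conf uses 'server:' / 'forward-zone:' style clause headers, not
INI-style '[server]'. An option is only valid inside the clause it belongs
to, so 'log-servfail: yes' placed after a 'forward-zone:' block is a parse
error. The tables below are a constructed subset of unbound.conf(5) that
covers only the options appearing in the thread.
"""
import re

# Clause headers (assumption: subset of the real clause list).
CLAUSES = {"server", "forward-zone", "stub-zone", "remote-control"}

# Option -> clause it must live in (assumption: partial table).
OPTION_CLAUSE = {
    "log-servfail": "server",
    "verbosity": "server",
    "name": "forward-zone",
    "forward-addr": "forward-zone",
    "forward-tls-upstream": "forward-zone",
}

LINE_RE = re.compile(r"^([A-Za-z][\w-]*):\s*(.*)$")


def check_fragment(text, initial_clause=None):
    """Return a list of (line_number, message) for misplaced options.

    initial_clause is the clause the surrounding generated unbound.conf is
    already in at the point where this fragment is spliced in; None means
    the fragment has to open its own clause before any option.
    """
    clause = initial_clause
    problems = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        # Drop comments and indentation ('#' inside a value is not handled here).
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        m = LINE_RE.match(line)
        if not m:
            problems.append((lineno, f"unparseable line: {raw.strip()!r}"))
            continue
        key, value = m.group(1), m.group(2).strip()
        if key in CLAUSES and value == "":
            clause = key  # a bare 'something:' line opens a new clause
            continue
        if clause is None:
            problems.append((lineno, f"'{key}' appears before any clause header; add 'server:'"))
            continue
        expected = OPTION_CLAUSE.get(key)
        if expected is not None and expected != clause:
            problems.append((lineno, f"'{key}' belongs in '{expected}:' but is under '{clause}:'"))
    return problems


# Constructed fragments mirroring the two orderings from the thread.
BAD_ORDER = """\
# Forwarding
forward-zone:
    name: "."
    forward-tls-upstream: yes
    forward-addr: 8.8.8.8@853
    forward-addr: 8.8.4.4@853
# Unbound custom options
log-servfail: yes
"""

GOOD_ORDER = """\
# Unbound custom options
log-servfail: yes
# Forwarding
forward-zone:
    name: "."
    forward-tls-upstream: yes
    forward-addr: 8.8.8.8@853
    forward-addr: 8.8.4.4@853
"""

# The robust form: the custom options box declares its own clause header.
WITH_HEADER = """\
server:
    log-servfail: yes
forward-zone:
    name: "."
    forward-tls-upstream: yes
    forward-addr: 8.8.8.8@853
    forward-addr: 8.8.4.4@853
"""


def summarize():
    """Run the checker over every sample; keys name the scenario."""
    return {
        "bad_order_spliced_into_server": check_fragment(BAD_ORDER, "server"),
        "good_order_spliced_into_server": check_fragment(GOOD_ORDER, "server"),
        "good_order_standalone": check_fragment(GOOD_ORDER, None),
        "explicit_header_standalone": check_fragment(WITH_HEADER, None),
    }


if __name__ == "__main__":
    for label, probs in summarize().items():
        print(f"{label}: {probs or 'OK'}")
```

The checker only mirrors the clause rule that bites here; the authoritative check on a pfSense box is still `unbound-checkconf` run against the generated configuration file, which is what reports the parse error the first post saw.
-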
That's probably not a bad idea; I could see how that might not be obvious.
-
Because there are many options, a link to the doc would be best, as it covers all of them:
https://nlnetlabs.nl/documentation/unbound/unbound.conf/
    Server Options
    These options are part of the server: clause.
    .....
    .....
    log-servfail: <yes or no>
        Print log lines that say why queries return SERVFAIL to clients. This is separate from the verbosity debug logs, much smaller, and printed at the error level, not the info level of debug info from verbosity.
-
I think he means it should maybe have a note by the custom options box that server: is a required entry.
-
In simplest form, something like "Section headers are required, see <doc link>." would help a lot.
-
It's not a link, but halfway down Services > DNS Resolver > General Settings we find:
the info is out in the world: pfSense uses 'unbound' as the Resolver. It's said. That should ring a bell.
Probably for space reasons, pfSense doesn't include man pages.
But: throwing "unbound.conf(5)" into your favourite browser will show as the first proposition the official unbound config file doc. If, at that moment, the reader doesn't know that config files use some formatting, like the known (?) Windows INI files, then the "custom options" just shouldn't be used at all.
A red text with: "Know what you are doing" would also be very appropriate here ;)
But isn't such a phrase always applicable? So no need to show that either....
The manual:
doesn't link to the unbound man pages either. Happily enough, some of us see the format right away:
It's
    server:
and not, for example,
    [server]
but I presume here that the user should know what a 'section' is. Or, as unbound (NLLabs) calls them: 'clauses'.
The "Custom options" box exists, but it seems like Netgate/pfSense doesn't want you to actually use it (as then they have to support it?). That will open a new can of worms.
Anyway, this is just me thinking out loud.
-
@gertjan said in Unbound fails to parse config if DNS Query Forwarding and custom options are enabled:
A red text with: "Know what you are doing" would also be very appropriate here ;)
Dude, I'm dying.. hehehehehe ROFL... Yeah, that should really be everywhere in blinking red text ;) hehehehehehehe