Unbound crashes when domain override added
-
I have a strange behaviour when adding a domain override.
I am trying to resolve hosts in a lan the other end of an ipsec tunnel.
I add subdomainA.tld.co.uk to resolve via 192.168.1.1
When I save the Unbound config, Unbound stops and won't restart, with zero logs.
192.168.1.1 is available via a VPN, and I confirm I can resolve from the CLI on a machine end to end. (dig host.sub.tld @192.168.1.1 from the other side of the tunnel works.)
pfSense devices both sides. Behaviour is bilateral: if I add the same configuration but for resolving hosts for subdomainB.tld.co.uk via 192.168.60.1, Unbound stops on save and won't restart.
I get the same issue if adding amazonaws.com to point to my Route 53 resolver endpoint at the end of an AWS VPN tunnel also.
Any pointers here, unbound config pretty vanilla other than
do-ip6: no
Frustrating problem to have.
Cheers,
Will
-
Well, for starters, what pfSense version are you using?
Do you have pfSense listening on all interfaces, and using all interfaces for outbound queries?
I set a domain override here and pfSense starts and stops just fine when I hit apply.
As you can see from the log, on the latest version of Unbound running on
21.02-RELEASE-p1 (amd64)
built on Mon Feb 22 09:39:51 EST 2021
FreeBSD 12.2-STABLE
How exactly are you setting do-ip6 to no? In your optional box? I tried putting that in mine and I get a parse error. So exactly where are you setting that? And how? Are you trying to directly edit the unbound.conf in /var/unbound?
-
Sorry
version 2.5.0, both sides.
All interfaces in and out. As I said, I can resolve remote LAN hosts directly from a Linux host by digging at the remote pfSense LAN IP, and vice versa.
custom options
do-ip6: no
(This works fine without domain overrides; it just disables the resolver using any IPv6 root addresses for resolution.)

unbound -V
Version 1.13.0
Configure line: --with-ssl=/usr --with-libexpat=/usr/local --disable-dnscrypt --disable-dnstap --with-libnghttp2 --enable-ecdsa --disable-event-api --enable-gost --with-libevent --with-pyunbound=yes --with-pythonmodule=yes LDFLAGS=-L/usr/local/lib ac_cv_path_SWIG=/usr/local/bin/swig --disable-subnet --disable-tfo-client --disable-tfo-server --with-pthreads --prefix=/usr/local --localstatedir=/var --mandir=/usr/local/man --infodir=/usr/local/share/info/ --build=amd64-portbld-freebsd12.2
Linked libs: libevent 2.1.12-stable (it uses kqueue), OpenSSL 1.1.1i-freebsd 8 Dec 2020
Linked modules: dns64 python respip validator iterator
BSD licensed, see LICENSE in source package for details.
Report bugs to unbound-bugs@nlnetlabs.nl or https://github.com/NLnetLabs/unbound/issues
-
This must be a bug.
Removing noipv6 resolves the issue, even though with the option enabled unbound starts as long as there is no domain override.
Removing noipv6 causes a new issue for me, in that I get timeouts due to Unbound trying to resolve via IPv6 root servers, which I can't route to as I have no IPv6.
Any suggestions?
Will
-
johnpoz (LAYER 8, Global Moderator), Mar 25, 2021, 10:17 PM (last edited by johnpoz Mar 25, 2021, 10:18 PM)
@wstocker said in Unbound crashes when domain override added:
do-ip6: no
So you have to put server: in front of that
Like this
If you just do this..
I get a parse error..
But it should have popped up the parse error for you when you hit apply.
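The point of the moderator's reply is that in unbound.conf every attribute belongs to the clause header above it, so a bare do-ip6: no is only accepted when it happens to land under a server: clause. The following is an added illustration, not code from the thread, from pfSense or from Unbound: a small structural checker that models that rule with a hand-picked subset of clauses and attributes, and builds constructed sample configs in the shape of the thread's custom options and domain override. It assumes (as a modelling choice, not something the thread verifies) that the custom options are appended after the domain-override forward-zone clauses, which is what makes the bare option pass without an override and fail with one.

```python
"""Structural check for unbound.conf-style text (added example, not Unbound's
own parser). Rule modelled: an attribute belongs to the most recent clause
header, and each clause accepts only its own attributes."""
import re

# Clause -> accepted attributes. A hand-picked subset, enough for this demo.
CLAUSE_ATTRS = {
    "server": {"do-ip6", "do-ip4", "interface", "access-control", "verbosity"},
    "forward-zone": {"name", "forward-addr", "forward-first", "forward-tls-upstream"},
    "remote-control": {"control-enable", "control-interface"},
}
LINE_RE = re.compile(r"^([a-z0-9-]+):(?:\s+(.*?))?\s*$")


def check_config(text):
    """Return a list of (line_no, message); an empty list means the text passed."""
    errors, clause = [], None
    for no, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()  # drop comments and indentation
        if not line:
            continue
        m = LINE_RE.match(line)
        if not m:
            errors.append((no, f"cannot parse: {raw.strip()!r}"))
            continue
        key, value = m.group(1), m.group(2)
        if key in CLAUSE_ATTRS and not value:  # a clause header such as "server:"
            clause = key
        elif clause is None:
            errors.append((no, f"'{key}' before any clause header"))
        elif key not in CLAUSE_ATTRS[clause]:
            errors.append((no, f"'{key}' is not valid inside '{clause}:'"))
    return errors


def domain_override(name, addr):
    """forward-zone clause in the shape a domain override takes (constructed sample)."""
    return f'forward-zone:\n    name: "{name}"\n    forward-addr: {addr}\n'


def build_config(custom_options, overrides=()):
    """Assumption of this model: custom options are appended AFTER the overrides."""
    parts = ["server:\n    interface: 0.0.0.0\n    do-ip4: yes\n"]
    parts += [domain_override(n, a) for n, a in overrides]
    parts.append(custom_options.strip() + "\n")
    return "\n".join(parts)


# Constructed sample in the shape of the thread's override, not a real host.
OVERRIDE = ("subdomainA.tld.co.uk", "192.168.1.1")


def demo():
    """Compare the bare option with the server:-prefixed one, with and without an override."""
    bare = "do-ip6: no"                    # what the poster typed
    prefixed = "server:\n    do-ip6: no"   # what the moderator recommends
    return {
        "bare, no override": check_config(build_config(bare)),
        "bare, with override": check_config(build_config(bare, [OVERRIDE])),
        "prefixed, with override": check_config(build_config(prefixed, [OVERRIDE])),
    }


if __name__ == "__main__":
    for label, errs in demo().items():
        print(f"{label}: {'OK' if not errs else errs}")
```

Running the block shows the bare option passing when no override is present and failing once a forward-zone precedes it, while the server:-prefixed form passes in both layouts; that is the check worth running on custom options before hitting apply, whatever the GUI reports.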
-
Appreciated, that's solved it.
Interestingly, I got no parse error and had noipv6 working without the server: statement.
Either way, override now works and ipv6 disabled so thank you very much for your help.
I pray my ISPs may bless us with IPv6 soon.
Will
-
johnpoz (LAYER 8, Global Moderator), Mar 25, 2021, 10:26 PM (last edited by johnpoz Aug 11, 2022, 2:02 PM)
If you want IPv6, you know you can just get it up and running in a few minutes with pfSense and a tunnel from Hurricane Electric... Get your own /48 for free, and you can even set your own PTRs, etc.
Been running tunnel with them for years and years..
edit: For completion of this thread - I have also validated that I can set that do-ip6: no, along with many other entries in options and add and remove domain overrides, etc..
When I tried it before, I think maybe I did do-ip6: no -- which would fail for sure, but again you should get a parse error popping up at the top of the Unbound GUI page.. Concerned that you're not..
edit: hmmm, I thought 1.13.1 had been pushed to the CE version of pfsense 2.5.. Hmmm let me look up that thread where that was being discussed.
edit2: yeah it was pushed to 2.5 before it was pushed to 21.02 even.. You might want to do a pkg upgrade from cmd line
-
pkg upgrade from the CLI, now getting the parse error.
Will be looking into HE IPv6, super interesting, thanks!!
Will
-
Glad it's sorted - odd that 1.13.0 gave no parse error but 1.13.1 gives a parse error.
If you have any questions with setting up a tunnel from HE.. Just ask - been using them for like 11 some years..
I'm a big fan of just using a tunnel vs what normally amounts to a shitty deployment from ISPs - because it's static, you can take it with you no matter what ISP you move to.. And it makes it very easy to set up whatever /64 prefixes you want on your local VLANs, etc.
They have a great global IPv6 backbone with tons of great peering..