Netgate Discussion Forum

    Unbound crashes when domain override added

DHCP and DNS
9 Posts, 2 Posters, 737 Views
wstocker

I have a strange behaviour when adding a domain override.

I am trying to resolve hosts in a LAN at the other end of an IPsec tunnel.

I add subdomainA.tld.co.uk to resolve via 192.168.1.1.

When I save the unbound config, unbound stops and won't restart, with zero logs.

192.168.1.1 is available via a VPN and I can confirm I can resolve from the CLI on a machine end to end (dig host.sub.tld @192.168.1.1 from the other side of the tunnel works).

pfSense devices on both sides. The behaviour is bilateral: if I add the same configuration but for resolving hosts for subdomainB.tld.co.uk via 192.168.60.1, unbound stops on save and won't restart.

I get the same issue if adding amazonaws.com to point to my Route 53 resolver endpoint at the end of an AWS VPN tunnel also.

Any pointers here? The unbound config is pretty vanilla other than

do-ip6: no

Frustrating problem to have.

Cheers,

Will

johnpoz LAYER 8 Global Moderator @wstocker

Well, for starters, what pfSense version are you using?

Do you have pfSense listening on all interfaces, and using all interfaces for outbound queries?

I set a domain override here and pfSense starts and stops just fine when I hit apply.

unbound.png

As you can see from the log, on the latest version of unbound running on

21.02-RELEASE-p1 (amd64)
built on Mon Feb 22 09:39:51 EST 2021
FreeBSD 12.2-STABLE

How exactly are you setting do-ip6 to no? In your optional box? I tried putting that in mine and get a parse error.. So exactly where are you setting that? And how? Are you trying to directly edit the unbound.conf in /var/unbound?

An intelligent man is sometimes forced to be drunk to spend time with his fools
If you get confused: Listen to the Music Play
Please don't Chat/PM me for help, unless mod related
SG-4860 24.11 | Lab VMs 2.8, 24.11

wstocker

Sorry.

Version 2.5.0, both sides.

All interfaces in and out. As I said, I can resolve remote LAN hosts directly from a Linux host by digging at the remote pfSense LAN IP and vice versa.

Custom options:
do-ip6: no
(This works fine without domain overrides; it just disables the resolver using any IPv6 root addresses for resolution.)

unbound -V
Version 1.13.0

Configure line: --with-ssl=/usr --with-libexpat=/usr/local --disable-dnscrypt --disable-dnstap --with-libnghttp2 --enable-ecdsa --disable-event-api --enable-gost --with-libevent --with-pyunbound=yes --with-pythonmodule=yes LDFLAGS=-L/usr/local/lib ac_cv_path_SWIG=/usr/local/bin/swig --disable-subnet --disable-tfo-client --disable-tfo-server --with-pthreads --prefix=/usr/local --localstatedir=/var --mandir=/usr/local/man --infodir=/usr/local/share/info/ --build=amd64-portbld-freebsd12.2
Linked libs: libevent 2.1.12-stable (it uses kqueue), OpenSSL 1.1.1i-freebsd  8 Dec 2020
Linked modules: dns64 python respip validator iterator

BSD licensed, see LICENSE in source package for details.
Report bugs to unbound-bugs@nlnetlabs.nl or https://github.com/NLnetLabs/unbound/issues

wstocker

This must be a bug.

Removing noipv6 resolves the issue, even though with the option enabled unbound starts as long as there is no domain override.

Removing noipv6 causes a new issue for me, in that I get timeouts due to unbound trying to resolve to IPv6 root servers which I can't route to, as I have no IPv6.

Any suggestions?

Will

johnpoz LAYER 8 Global Moderator @wstocker

@wstocker said in Unbound crashes when domain override added:

do-ip6: no

So you have to put server: in front of that.

Like this:

server.png

If you just do this..

alone.png

I get a parse error..

parse.png

But it should have popped up the parse error for you when you hit apply.


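The fix above, modelled as an added example that is not code from the thread, pfSense or unbound: a small Python checker applying unbound's clause rule (an attribute is only valid inside the clause that owns it) to a constructed config fragment. It assumes the domain override is written out as a forward-zone: clause ahead of the custom-options text; that layout is an assumption, not something the thread shows.

```python
# Added example (not pfSense or unbound code): minimal model of the clause rule
# unbound's parser enforces. `do-ip6:` is only accepted under `server:`; a domain
# override becomes a `forward-zone:` clause, so a bare option landing after it
# is a syntax error, while `server:` in front of it reopens the server context.
import re

# Subset of the attributes each clause accepts (enough for this example).
CLAUSE_ATTRS = {
    "server": {"do-ip6", "do-ip4", "interface", "access-control", "verbosity"},
    "forward-zone": {"name", "forward-addr", "forward-host", "forward-first"},
}
ATTR_RE = re.compile(r"^([a-z0-9-]+):\s*(.*)$")


def check_config(text):
    """Return [(line_no, message), ...]; an empty list means the text parses."""
    errors = []
    clause = None  # clause currently open; None until a header is seen
    for no, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()  # drop comments and whitespace
        if not line:
            continue
        m = ATTR_RE.match(line)
        if not m:
            errors.append((no, f"cannot tokenise {line!r}"))
            continue
        key, value = m.groups()
        if key in CLAUSE_ATTRS and value == "":
            clause = key  # a bare `server:` / `forward-zone:` opens a clause
            continue
        if clause is None:
            errors.append((no, f"'{key}' outside any clause"))
        elif key not in CLAUSE_ATTRS[clause]:
            errors.append((no, f"'{key}' is not valid inside '{clause}:'"))
    return errors


# Constructed fragments approximating the generated unbound.conf; emitting the
# override clause before the custom-options text is an assumption.
NO_OVERRIDE = "server:\n  interface: 0.0.0.0\n"
OVERRIDE = NO_OVERRIDE + (
    'forward-zone:\n  name: "subdomainA.tld.co.uk"\n  forward-addr: 192.168.1.1\n'
)
BARE_OPTION = "do-ip6: no\n"               # what was typed in the options box
PREFIXED_OPTION = "server:\ndo-ip6: no\n"  # the fix from the reply above


def custom_options_parse(base, custom):
    """True when `custom` appended to `base` yields a config that parses."""
    return check_config(base + custom) == []
```

The bare option parses with no override present, fails once the forward-zone clause precedes it, and parses again with the server: prefix, matching the three observations in the thread.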
wstocker

Appreciated, that's solved it.

Interestingly, I got no parse error and had noipv6 working without the server: statement.

Either way, the override now works and IPv6 is disabled, so thank you very much for your help.

I pray my ISPs may bless us with IPv6 soon.

Will

johnpoz LAYER 8 Global Moderator @wstocker

If you want IPv6 - you know you can just get it up and running in a few minutes with pfSense and a tunnel from Hurricane Electric... Get your own /48 for free, and can even set your own PTRs, etc.

https://tunnelbroker.net/

Been running a tunnel with them for years and years..

edit: For completion of this thread - I have also validated that I can set that do-ip6: no, along with many other entries in options, and add and remove domain overrides, etc..

options.png

When I tried it before, I think maybe I did do-ip6: no -- which would fail for sure, but again you should get a parse error popping up at the top of the unbound GUI page.. Concerned that you're not..

edit: hmmm, I thought 1.13.1 had been pushed to the CE version of pfSense 2.5.. Hmmm, let me look up that thread where that was being discussed.

edit2: yeah, it was pushed to 2.5 before it was pushed to 21.02 even.. You might want to do a pkg upgrade from the cmd line.


wstocker

pkg upgrade from the CLI, now getting the parse error.

Will look into HE IPv6, super interesting, thanks!!

Will

johnpoz LAYER 8 Global Moderator @wstocker

Glad it's sorted - odd that 1.13.0 gave no parse error but 1.13.1 does.

If you have any questions with setting up a tunnel from HE.. Just ask - been using them for like 11-some years..

I'm a big fan of just using a tunnel vs what normally amounts to a shitty deployment from ISPs - because it's static, you can take it with you no matter what ISP you move to.. And it makes it very easy to set up whatever /64 prefixes you want on your local VLANs, etc.

They have a great global IPv6 backbone with tons of great peering..

