Unbound Error | syntax error
-
Hi,
I am running 23.09.1-RELEASE and recently updated the pfBlockerNG-devel package to 3.2.0_8. After doing so the unbound service would not restart. I found the following errors:
/status_services.php: The command '/usr/local/sbin/unbound -c /var/unbound/unbound.conf' returned exit code '1', the output was '/var/unbound/unbound.conf:106: error: syntax error read /var/unbound/unbound.conf failed: 1 errors in configuration file [1712974777] unbound[75736:0] fatal error: Could not read config file: /var/unbound/unbound.conf. Maybe try unbound -dd, it stays on the commandline to see more errors, or unbound-checkconf'
Turns out line 106 is
access-control-view: 192.168.40.0/24 blockRBLX
view:
name:"blockRBLX"
local-zone: "rbxcdn.com" static
local-zone: "roblox.com" static
local-zone: "minecraftskins.com" static
server:include: /var/unbound/pfb_dnsbl.*conf
I remove this and the unbound service works. What's strange is that it worked all this time before updating to the latest pfBlockerNG package. Now I cannot get this rule to be accepted.
Unbound configuration:
/var/unbound: more unbound.conf
##########################
# Unbound Configuration
##########################
##
# Server configuration
##
server:
chroot: /var/unbound
username: "unbound"
directory: "/var/unbound"
pidfile: "/var/run/unbound.pid"
use-syslog: yes
port: 53
verbosity: 1
hide-identity: yes
hide-version: yes
harden-glue: yes
do-ip4: yes
do-ip6: yes
do-udp: yes
do-tcp: yes
do-daemonize: yes
module-config: "python validator iterator"
unwanted-reply-threshold: 0
num-queries-per-thread: 4096
jostle-timeout: 200
infra-keep-probing: yes
infra-host-ttl: 900
infra-cache-numhosts: 10000
outgoing-num-tcp: 10
incoming-num-tcp: 10
edns-buffer-size: 1432
cache-max-ttl: 86400
cache-min-ttl: 0
harden-dnssec-stripped: yes
msg-cache-size: 4m
rrset-cache-size: 8m
num-threads: 4
msg-cache-slabs: 4
rrset-cache-slabs: 4
infra-cache-slabs: 4
key-cache-slabs: 4
outgoing-range: 4096
#so-rcvbuf: 4m
auto-trust-anchor-file: /var/unbound/root.key
prefetch: no
prefetch-key: no
use-caps-for-id: no
serve-expired: no
sock-queue-timeout: 0
aggressive-nsec: no
# Statistics
# Unbound Statistics
statistics-interval: 0
extended-statistics: yes
statistics-cumulative: yes
# TLS Configuration
tls-cert-bundle: "/etc/ssl/cert.pem"
# Interface IP addresses to bind to
interface-automatic: yes
# DNS Rebinding
# Access lists
include: /var/unbound/access_lists.conf
# Static host entries
include: /var/unbound/host_entries.conf
# dhcp lease entries
include: /var/unbound/dhcpleases_entries.conf
# Domain overrides
include: /var/unbound/domainoverrides.conf
# Forwarding
forward-zone:
name: "."
forward-tls-upstream: yes
forward-addr: 9.9.9.9@853#dns.quad9.net
forward-addr: 149.112.112.112@853#dns.quad9.net
forward-addr: 1.1.1.2@853
forward-addr: 1.0.0.2@853
# Unbound custom options
server:
private-domain: "plex.direct"
access-control-view: 192.168.30.16/32 blockYT
view:
name:"blockYT"
local-zone: "youtube.com" static
access-control-view: 192.168.40.0/24 blockRBLX
view:
name:"blockRBLX"
local-zone: "rbxcdn.com" static
local-zone: "roblox.com" static
local-zone: "minecraftskins.com" static
server:include: /var/unbound/pfb_dnsbl.*conf
###
# Remote Control Config
###
include: /var/unbound/remotecontrol.conf
# Python Module
python:
python-script: pfb_unbound.py
-
@posix guessing, “server:include:” looks like an extra “server:” in there
-
EDITED: to show complete configuration.
Thanks for the response. I tried a different combination
server:
private-domain: "plex.direct"
access-control-view: 192.168.30.16/32 blockYT
view:
name:"blockYT"
local-zone: "youtube.com" static
server:include: /var/unbound/pfb_dnsbl.*conf
It accepts the line above.
But the system rejects when I try to apply:
server:
private-domain: "plex.direct"
access-control-view: 192.168.30.16/32 blockYT
view:
name:"blockYT"
local-zone: "youtube.com" static
access-control-view: 192.168.40.0/24 blockRBLX
view:
name:"blockRBLX"
local-zone: "rbxcdn.com" static
local-zone: "roblox.com" static
local-zone: "minecraftskins.com" static
include: /var/unbound/pfb_dnsbl.*conf
Still rejects. I admit I am not an expert with this syntax.
But the goal is to block any host .30.16 from accessing youtube, and any host in the .40.0/24 net from accessing roblox and minecraft skins.
-
I resolved the issue by formatting it the following way:
server:
private-domain: "plex.direct"
access-control-view: 192.168.30.16/32 blockYT
access-control-view: 192.168.40.0/24 blockRBLX
view:
name:"blockYT"
local-zone: "youtube.com" static
view:
name:"blockRBLX"
local-zone: "rbxcdn.com" static
local-zone: "roblox.com" static
local-zone: "minecraftskins.com" static
include: /var/unbound/pfb_dnsbl.*conf
This configuration above was accepted without error.
Reference:
https://mitky.com/pfblockerng-pfsense-filter-specific-clients-computers-network/
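The difference between the rejected and the accepted custom options is which clause each directive ends up in: access-control-view is a server: option, so once a view: clause has been opened it is no longer valid until server: is opened again. The checker below is an added example, not code from this thread, pfSense, pfBlockerNG or Unbound; it tracks the current clause while reading a fragment and reports server-only options that land under view:. Its option tables are an assumed small subset of Unbound's full list, and the sample fragment is constructed to mirror the ordering in the first post.

```python
"""Added example, not code from the thread, pfSense, pfBlockerNG or Unbound:
a minimal clause-scope checker for unbound.conf fragments. It tracks which
clause (server:, view:, ...) each option falls under and reports options that
Unbound only accepts in server: when they appear under view:. The option
tables are an assumed small subset of Unbound's full option list."""
import re

CLAUSES = {"server", "view", "forward-zone", "python", "remote-control"}
SERVER_ONLY = {"access-control-view", "private-domain", "module-config", "chroot"}
VIEW_OPTIONS = {"name", "local-zone", "local-data", "local-data-ptr", "view-first"}
ANYWHERE = {"include"}  # include: is permitted in any clause

def lint(text):
    """Return [(line_no, message)] for options that sit in the wrong clause."""
    problems, clause = [], None
    for no, raw in enumerate(text.splitlines(), 1):
        # Strip comments; a '#' inside a token (forward-addr: ip@853#name) is data.
        line = re.sub(r"(^|\s)#.*$", "", raw).strip()
        while line:
            key, sep, rest = line.partition(":")
            key = key.strip()
            if not sep:
                problems.append((no, f"cannot parse {line!r}"))
                break
            if key in CLAUSES:
                clause = key
                line = rest.strip()  # handles 'server:include: ...' on one line
                continue
            if key not in ANYWHERE and clause == "view" and key not in VIEW_OPTIONS:
                why = "is a server: option" if key in SERVER_ONLY else "is not a view: option"
                problems.append((no, f"{key} {why} but appears under view: (re-open server: first)"))
            break
    return problems

# Constructed fragment with the ordering from the first post in the thread.
BROKEN = """server:
private-domain: "plex.direct"
access-control-view: 192.168.30.16/32 blockYT
view:
name:"blockYT"
local-zone: "youtube.com" static
access-control-view: 192.168.40.0/24 blockRBLX
view:
name:"blockRBLX"
local-zone: "roblox.com" static
server:include: /var/unbound/pfb_dnsbl.*conf
"""
```

Running lint(BROKEN) reports line 7, the second access-control-view, which is exactly the directive that sat at line 106 of the generated unbound.conf; moving both access-control-view lines above the first view: makes the report empty.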