Unbound DNS Resolver not starting

patient0

@KKIT said in Unbound DNS Resolver not starting:

@Gertjan

Thanks, I get this:

root 64053 0.0 0.0 13412 3064 - S 14:46 0:00.00 sh -c ps aux | fgrep -i unbound 2>&1
root 64286 0.0 0.0 12840 2532 - S 14:46 0:00.00 fgrep -i unbound

Ok, that means no Unbound instance is running at that time. Next I'd set the LogLevel to > 1.

Do you have a fairly standard Unbound config? Running as a resolver or forwarder? Nothing else listening to port 53?

KKIT

@Gertjan

Unfortunately absolutely nothing happens when I set it to 5, I am still connected via SSH and within the logfile with tail, I also made sure to apply the settings as well as manually start the service under the "Services" section, nothing :(

KKIT

@patient0

I set the log level to 5 and still nothing, only the second node is listening on port 53 and the resolver is running as expected. No custom configuration on unbound and no DNS forwarder active.

Gertjan

@KKIT

I've just :

tail -f /var/log/resolver.log

and then :

and then

and oh boy .... the tail command had a hard time keeping up with the pace. tens of lines a second, impossible to follow.

Btw : I've no HA setup, just one box, and about 5 PC connected and some other stuff.
I know that every device in my network uses my 'pfSense' as a DNS source, not some 1.1.1.1 or 8.8.8.8 or other data collector.

If your unbound doesn't log anything on level 5 : isn't that a sign that LAN devices uses another device, and not (this !) pfSense, to do DNS requests ?

Another trick : GUI this time ^^

Set interface to your LAN interface, or any other LAN type interface.
Set the port to '53' (DNS, recall)
And hit Start.

Now you should see "destination port 53".

Add the IP of your pfSense, so now you'll see what LAN devices want to talk to your pfSense for DNS needs :

Btw : I presume the default 192.168.1.1
if there is no ore little DNS traffic, its normal that unbound doesn't 'log' ^^

KKIT

@Gertjan
I appreciate the input, but I think we are looking at the wrong end here. The Unbound service is not running at all, as confirmed above. Additionally, the node is currently in maintenance mode, I already tried putting it back into production but I wouldn't accept any requests. At this point I assume that either pfBlocker messed it up or I improperly shut the service down. I will go for a reinstall and see from there. THanks so far, really appreciate it and will keep you guys updated!

KKIT

@KKIT

So I wanted to give a followup on this issue, I dug a little deeper and looking at this post:
https://forum.netgate.com/topic/154372/unbound-dns-resolver-will-not-start/3

I am pretty sure it has something to do with pfBLockerNG messing up my config file. I checked the directory of the config file and see that there are two with one having a ".error" added to it:

Screenshot 2024-06-20 at 14.19.06.png

Trying to reload unbound via shell shows this error:
unbound-control[85585:0] error: connect: Connection refused for 127.0.0.1 port 953

Unfortunately I lost my backups after the reinstall so my question is if I can transfer the unbound.conf from my functioning pfSense (Node B) to make it work again?

Gertjan

@KKIT said in Unbound DNS Resolver not starting:

I am pretty sure it has something to do with pfBLockerNG messing up my config file.

Easy to test.
Remove pfBlockerng from your pfSEnse, and get a copy from the unbound config file.
/var/unbound/unbound.conf

Install pfBlockerng, activate it, give it some DNSBL feeds and get a copy again from the unbound config file.

Compare the two copies.

You'll find a single difference, at the end :
If you use Python mode :

# Python Module
python:
python-script: pfb_unbound.py

IMHO : this small python script file is very well tested by now.

Not python mode :
It "includes" a (one) 'master DNSBL' file ... forget about that file, as I switched to python mode (after years asking for it).

So, no, sorry, dead end.

pfBlockerng can restart unbound ones in a while (you decide how often).
But pfBlockerng isn't the only one doing so, other, network events for example, can also restart many services.

Edit :

Your unbound. conf file is rather big = 4k.
Mine is just over 2k.
Can you show it ?

KKIT

@Gertjan

Sure

##########################

Unbound Configuration

##########################

Server configuration

server:

chroot: /var/unbound
username: "unbound"
directory: "/var/unbound"
pidfile: "/var/run/unbound.pid"
use-syslog: yes
port: 53
verbosity: 1
hide-identity: yes
hide-version: yes
harden-glue: yes
do-ip4: yes
do-ip6: yes
do-udp: yes
do-tcp: yes
do-daemonize: yes
module-config: "iterator"
unwanted-reply-threshold: 0
num-queries-per-thread: 512
jostle-timeout: 200
infra-keep-probing: yes
infra-host-ttl: 900
infra-cache-numhosts: 10000
outgoing-num-tcp: 10
incoming-num-tcp: 10
edns-buffer-size: 1432
cache-max-ttl: 86400
cache-min-ttl: 0
harden-dnssec-stripped: no
msg-cache-size: 4m
rrset-cache-size: 8m

num-threads: 4
msg-cache-slabs: 4
rrset-cache-slabs: 4
infra-cache-slabs: 4
key-cache-slabs: 4
outgoing-range: 4096
#so-rcvbuf: 4m

prefetch: yes
prefetch-key: yes
use-caps-for-id: no
serve-expired: no
sock-queue-timeout: 0
aggressive-nsec: no

Statistics

Unbound Statistics

statistics-interval: 0
extended-statistics: yes
statistics-cumulative: yes

TLS Configuration

tls-cert-bundle: "/etc/ssl/cert.pem"

Interface IP addresses to bind to

interface: WAN NODE B
interface: 172.16.71.2
interface: 2001:0db8:85a3:0000:0000:8a2e:0370:7334
interface: 172.16.1.2
interface: 10.0.20.2
interface: 10.0.30.2
interface: 10.0.90.2
interface: 10.0.91.2
interface: 10.0.31.2
interface: 172.16.71.1
interface: WAN NODE A
interface: 10.0.20.1
interface: 10.0.30.1
interface: 10.0.90.1
interface: 10.172.17.1
interface: 10.0.91.1
interface: NETWORK A
interface: NETWORK B
interface: NETWORK C
interface: 10.0.40.1
interface: NETWORK D
interface: NETWORK E
interface: 10.0.31.1
interface: NETWORK F
interface: 127.0.0.1
interface: ::1

Outgoing interfaces to be used

outgoing-interface: WAN NODE B
outgoing-interface: 172.16.71.2
outgoing-interface: xxx
outgoing-interface: 172.16.1.2
outgoing-interface: 10.0.20.2
outgoing-interface: 10.0.30.2
outgoing-interface: 10.0.90.2
outgoing-interface: 10.0.91.2
outgoing-interface: 10.0.31.2
outgoing-interface: 172.16.71.1
outgoing-interface: WAN NODE A
outgoing-interface: 10.0.20.1
outgoing-interface: 10.0.30.1
outgoing-interface: 10.0.90.1
outgoing-interface: 10.172.17.1
outgoing-interface: 10.0.91.1
outgoing-interface: NETWORK A
outgoing-interface: NETWORK B
outgoing-interface: NETWORK C
outgoing-interface: 10.0.40.1
outgoing-interface: NETWORK D
outgoing-interface: NETWORK E
outgoing-interface: 10.0.31.1
outgoing-interface: NETWORK F
outgoing-interface: 127.0.0.1
outgoing-interface: ::1

DNS Rebinding

For DNS Rebinding prevention

private-address: 127.0.0.0/8
private-address: 10.0.0.0/8
private-address: ::ffff:a00:0/104
private-address: 172.16.0.0/12
private-address: ::ffff:ac10:0/108
private-address: 169.254.0.0/16
private-address: ::ffff:a9fe:0/112
private-address: 192.168.0.0/16
private-address: ::ffff:c0a8:0/112
private-address: fd00::/8
private-address: fe80::/10

Access lists

include: /var/unbound/access_lists.conf

Static host entries

include: /var/unbound/host_entries.conf

dhcp lease entries

include: /var/unbound/dhcpleases_entries.conf

Domain overrides

include: /var/unbound/domainoverrides.conf

Forwarding

forward-zone:
name: "."
forward-tls-upstream: yes
forward-addr: ::1@853
forward-addr: 1.1.1.1@853#one.one.one.one
forward-addr: 1.0.0.1@853#one.one.one.one
forward-addr: 8.8.8.8@853#dns.google
forward-addr: 8.8.4.4@853#dns.google

Remote Control Config

include: /var/unbound/remotecontrol.conf

Gertjan

@KKIT

Worth trying for a while : instead of detailing all interface roles, go for the simple :

KKIT

@Gertjan

Unbelievable, it worked. I can't wrap my head around why that would be the case though. Thank you so much for taking the time man