DNSSEC on pfSense



  • Are there any plans to implement DNSSEC in the near/far future, or would it be a big problem to implement/activate that feature?



  • Our built-in resolver (DNSMASQ) already follows the guidelines for proxying DNSSEC.  Please see http://comments.gmane.org/gmane.network.dns.dnsmasq.general/4221

    PS: we are looking at replacing dnsmasq in 2.1 with something else.  Stay tuned.



  • pfSense doesn't have a full-fledged DNS server. I don't think there are plans to add one.



  • Oh, I was thinking of approaches like the ones explained here: http://lacnic.net/documentos/lacnicxiii/presentaciones/tutorial-DNSSEC-en-32.pdf
    and this howto: http://www.isc.org/files/DNSSEC_in_6_minutes.pdf.
    I didn't think about dnsmasq.



  • My ISP uses DNSSEC and Firefox DNSSEC Validator add-on http://www.dnssec-validator.cz/ works well through dnsmasq on pfSense :)

    http://test.dnssec-or-not.org/ :D




  • Sounds good, but my intention was/is to have DNSSEC at router-side, not at client-side.



  • @_igor_:

    Sounds good, but my intention was/is to have DNSSEC at router-side, not at client-side.

    We are looking at adding Unbound DNS Resolver which supports this.  It might end up as a package before it makes its way into 2.1.



  • Oh, thanks much for your answer. I'll stay tuned! That's great news.



  • Unbound package is in testing.  Stay tuned!  Borat is happy at least with it :)



  • Unbound package has been added.  Currently working on fixing a bug when you have host overrides / domain overrides in Services -> DNS Forwarder.

    Our Unbound package written by Warren Baker is designed to drop right in and replace DNSmasq so you will find that it uses the defined entries in the DNS Forwarder screen.

    If you are not using host/domain overrides, go ahead and install the package and try it out if you're running 2.0-Beta4.  You'll want to visit Services -> Unbound and enable DNSSEC and click save after package installation.



  • All known issues in the unbound package are fixed!  Give it a try!



  • Hmmm, this looks interesting.  Will this be capable of serving up zone changes to a secondary?  I have pfsense running as a virtual machine under virtualbox, but a downside of that is if pfsense is down, nothing (including the main server) can access any hosts on the lan by name, which sucks.  I would like to run a secondary on the main server that would pull from the primary (unbound on pfsense.)  Am I out to lunch or would this work?



  • Yes, this would work fine if you define the servers under services -> dns forwarder.



  • Sweet!  I'm going to take a shot at this tonight :)



  • Package installed fine on my Alix box. I have set up DNS with google servers 8.8.8.8 and 8.8.4.4. How can I check if this is running ok? Also now my local DNS is not resolving anymore. See screenshot for the DNS configuration. The DNS forwarder under services was automatically disabled btw…

    Edit: Well, I disabled forwarding mode, because it is said so when enabling DNSSEC...

    ![Bildschirmfoto 2010-11-19 um 00.35.40.png](/public/imported_attachments/1/Bildschirmfoto 2010-11-19 um 00.35.40.png)



  • Installed fine here too, but name resolution of my PCs on the LAN doesn't work either. I tested with "Enable forwarding mode" enabled and disabled.

    Here are the respective log-entries:

    Nov 19 13:07:17	unbound: [42280:0] info: start of service (unbound 1.4.7).
    Nov 19 13:07:17	unbound: [42280:0] notice: init module 1: iterator
    Nov 19 13:07:17	unbound: [42280:0] notice: init module 1: iterator
    Nov 19 13:07:17	unbound: [42280:0] notice: init module 0: validator
    Nov 19 13:07:17	unbound: [42280:0] notice: init module 0: validator
    Nov 19 13:07:17	unbound: [42280:0] notice: Restart of unbound 1.4.7.
    Nov 19 13:07:17	unbound: [42280:0] notice: Restart of unbound 1.4.7.
    Nov 19 13:07:17	unbound: [42280:0] info: server stats for thread 0: requestlist max 0 avg 0 exceeded 0
    Nov 19 13:07:17	unbound: [42280:0] info: server stats for thread 0: 0 queries, 0 answers from cache, 0 recursions, 0 prefetch
    Nov 19 13:07:17	unbound: [42280:0] info: service stopped (unbound 1.4.7).
    Nov 19 13:07:16	unbound: [42280:0] info: start of service (unbound 1.4.7).
    Nov 19 13:07:16	unbound: [42280:0] notice: init module 1: iterator
    Nov 19 13:07:16	unbound: [42280:0] notice: init module 1: iterator
    Nov 19 13:07:16	unbound: [42280:0] notice: init module 0: validator
    Nov 19 13:07:16	unbound: [42280:0] notice: init module 0: validator
    Nov 19 13:07:16	check_reload_status: syncing firewall
    Nov 19 13:07:16	unbound: [7052:0] info: 0.131072 0.262144 1
    Nov 19 13:07:16	unbound: [7052:0] info: lower(secs) upper(secs) recursions
    Nov 19 13:07:16	unbound: [7052:0] info: [25%]=0 median[50%]=0 [75%]=0
    Nov 19 13:07:16	unbound: [7052:0] info: histogram of recursion processing times
    Nov 19 13:07:16	unbound: [7052:0] info: average recursion processing time 0.139544 sec
    Nov 19 13:07:16	unbound: [7052:0] info: server stats for thread 0: requestlist max 0 avg 0 exceeded 0
    Nov 19 13:07:16	unbound: [7052:0] info: server stats for thread 0: 1 queries, 0 answers from cache, 1 recursions, 0 prefetch
    Nov 19 13:07:16	unbound: [7052:0] info: service stopped (unbound 1.4.7).
    Nov 19 13:06:26	unbound: [7052:0] info: start of service (unbound 1.4.7).
    Nov 19 13:06:26	unbound: [7052:0] notice: init module 1: iterator
    Nov 19 13:06:26	unbound: [7052:0] notice: init module 1: iterator
    Nov 19 13:06:26	unbound: [7052:0] notice: init module 0: validator
    Nov 19 13:06:26	unbound: [7052:0] notice: init module 0: validator
    Nov 19 13:06:26	unbound: [7052:0] notice: Restart of unbound 1.4.7.
    Nov 19 13:06:26	unbound: [7052:0] notice: Restart of unbound 1.4.7.
    Nov 19 13:06:26	unbound: [7052:0] info: server stats for thread 0: requestlist max 0 avg 0 exceeded 0
    Nov 19 13:06:26	unbound: [7052:0] info: server stats for thread 0: 0 queries, 0 answers from cache, 0 recursions, 0 prefetch
    Nov 19 13:06:26	unbound: [7052:0] info: service stopped (unbound 1.4.7).
    Nov 19 13:06:25	unbound: [7052:0] info: start of service (unbound 1.4.7).
    Nov 19 13:06:25	unbound: [7052:0] notice: init module 1: iterator
    Nov 19 13:06:25	unbound: [7052:0] notice: init module 1: iterator
    Nov 19 13:06:25	unbound: [7052:0] notice: init module 0: validator
    Nov 19 13:06:25	unbound: [7052:0] notice: init module 0: validator
    Nov 19 13:06:24	check_reload_status: syncing firewall
    Nov 19 13:06:24	unbound: [57813:0] info: 1.000000 2.000000 2
    Nov 19 13:06:24	unbound: [57813:0] info: 0.524288 1.000000 1
    Nov 19 13:06:24	unbound: [57813:0] info: lower(secs) upper(secs) recursions
    Nov 19 13:06:24	unbound: [57813:0] info: [25%]=0 median[50%]=0 [75%]=0
    Nov 19 13:06:24	unbound: [57813:0] info: histogram of recursion processing times
    Nov 19 13:06:24	unbound: [57813:0] info: average recursion processing time 1.129489 sec
    Nov 19 13:06:24	unbound: [57813:0] info: server stats for thread 0: requestlist max 2 avg 0.666667 exceeded 0
    Nov 19 13:06:24	unbound: [57813:0] info: server stats for thread 0: 3 queries, 0 answers from cache, 3 recursions, 0 prefetch
    Nov 19 13:06:24	unbound: [57813:0] info: service stopped (unbound 1.4.7).
    Nov 19 13:06:04	unbound: [57813:0] info: start of service (unbound 1.4.7).
    Nov 19 13:06:03	unbound: [57813:0] notice: init module 1: iterator
    Nov 19 13:06:03	unbound: [57813:0] notice: init module 1: iterator
    Nov 19 13:06:03	unbound: [57813:0] notice: init module 0: validator
    Nov 19 13:06:03	unbound: [57813:0] notice: init module 0: validator
    Nov 19 13:06:03	check_reload_status: syncing firewall
    Nov 19 13:06:03	unbound: [35917:0] info: 0.524288 1.000000 1
    Nov 19 13:06:03	unbound: [35917:0] info: 0.262144 0.524288 1
    Nov 19 13:06:03	unbound: [35917:0] info: 0.131072 0.262144 2
    Nov 19 13:06:03	unbound: [35917:0] info: 0.065536 0.131072 1
    Nov 19 13:06:03	unbound: [35917:0] info: 0.032768 0.065536 1
    Nov 19 13:06:03	unbound: [35917:0] info: lower(secs) upper(secs) recursions
    Nov 19 13:06:03	unbound: [35917:0] info: [25%]=0.032768 median[50%]=0.065536 [75%]=0.131072
    Nov 19 13:06:03	unbound: [35917:0] info: histogram of recursion processing times
    Nov 19 13:06:03	unbound: [35917:0] info: average recursion processing time 0.325781 sec
    Nov 19 13:06:03	unbound: [35917:0] info: server stats for thread 0: requestlist max 0 avg 0 exceeded 0
    Nov 19 13:06:03	unbound: [35917:0] info: server stats for thread 0: 10 queries, 4 answers from cache, 6 recursions, 2 prefetch
    Nov 19 13:06:03	unbound: [35917:0] info: service stopped (unbound 1.4.7).
    Nov 19 13:04:46	php: /pkg_mgr_install.php: Successful login for user 'admin' from: 10.112.35.2
    Nov 19 13:02:17	check_reload_status: reloading filter
    Nov 19 13:02:12	unbound: [35917:0] info: start of service (unbound 1.4.7).
    Nov 19 13:02:12	unbound: [35917:0] warning: root hints root.hints: no NS content
    Nov 19 13:02:12	unbound: [35917:0] warning: root hints root.hints: no NS content
    Nov 19 13:02:12	unbound: [35917:0] notice: init module 0: iterator
    Nov 19 13:02:12	unbound: [35917:0] notice: init module 0: iterator
    Nov 19 13:02:00	unbound: [29695:0] info: 0.524288 1.000000 1
    Nov 19 13:02:00	unbound: [29695:0] info: 0.016384 0.032768 1
    Nov 19 13:02:00	unbound: [29695:0] info: lower(secs) upper(secs) recursions
    Nov 19 13:02:00	unbound: [29695:0] info: [25%]=0 median[50%]=0 [75%]=0
    Nov 19 13:02:00	unbound: [29695:0] info: histogram of recursion processing times
    Nov 19 13:02:00	unbound: [29695:0] info: average recursion processing time 0.279019 sec
    Nov 19 13:02:00	unbound: [29695:0] info: server stats for thread 0: requestlist max 0 avg 0 exceeded 0
    Nov 19 13:02:00	unbound: [29695:0] info: server stats for thread 0: 4 queries, 2 answers from cache, 2 recursions, 0 prefetch
    Nov 19 13:02:00	unbound: [29695:0] info: service stopped (unbound 1.4.7).
    Nov 19 13:01:59	check_reload_status: syncing firewall
    Nov 19 13:01:47	unbound: [29695:0] info: start of service (unbound 1.4.7).
    Nov 19 13:01:47	unbound: [29695:0] warning: root hints root.hints: no NS content
    Nov 19 13:01:47	unbound: [29695:0] warning: root hints root.hints: no NS content
    Nov 19 13:01:47	unbound: [29695:0] notice: init module 0: iterator
    Nov 19 13:01:47	unbound: [29695:0] notice: init module 0: iterator
    Nov 19 13:01:47	dnsmasq[50197]: exiting on receipt of SIGTERM
    


  • Hmmm, I had other things going on last night, so I didn't get a chance to install and test this.  Looks like that was a good thing, as there seem to still be issues.



  • @_igor_:

    Nov 19 13:02:12	unbound: [35917:0] warning: root hints root.hints: no NS content
    Nov 19 13:02:12	unbound: [35917:0] warning: root hints root.hints: no NS content
    Nov 19 13:01:47	unbound: [29695:0] warning: root hints root.hints: no NS content
    Nov 19 13:01:47	unbound: [29695:0] warning: root hints root.hints: no NS content

    Looks like the default root.hints file was not downloaded correctly. You can see if it has data in it with ls -l /usr/local/etc/unbound/
    Unbound should still use internal hints for resolving, although it's slightly slower. When saving/restarting unbound it will check that file and download it again if need be.

    With regards to your PCs not resolving: try installing the pkg again. I have fixed both host and domain overrides.
    Let me know if you have any other problems please.



  • Oh and I fixed some XML problem which would have caused some other problems:)



  • Will try it…

    And how can I check if the DNSSEC is working correctly?



  • Go to http://test.dnssec-or-not.org/ and Borat should give you the thumbs up or

    dig @<ip> edu +dnssec

    Look for the flags section, which should contain 'ad'. For example:

    ; <<>> DiG 9.6.2-P2 <<>> @192.168.1.14 edu +dnssec
    ; (1 server found)
    ;; global options: +cmd
    ;; Got answer:
    ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 60486
    ;; flags: qr rd ra ad; QUERY: 1, ANSWER: 0, AUTHORITY: 4, ADDITIONAL: 1

    ;; OPT PSEUDOSECTION:
    ; EDNS: version: 0, flags: do; udp: 4096
    ;; QUESTION SECTION:
    ;edu.                          IN      A

    ;; AUTHORITY SECTION:
    edu.                    900    IN      SOA    a.edu-servers.net. nstld.verisign-grs.com. 1290192544 1800 900 604800 86400
    edu.                    900    IN      RRSIG  SOA 7 1 900 20101126184904 20101119183904 44056 edu. tj/QsEt14ht17PeaydNQvSlsYt/vs9vj4y6OOICt1TcctDEwwNZ/1S+C mXpUZtYAyiIT8XUtFoSRhdMD0gpsLh6Qw+cBnBC4R//5khW9GJ+jHhU6 YA6aEPaQdmWt5i2TqLdxV8ebGQj3EP+rxe/GmFONoV4crT5aw+s5PTvZ QLc=
    9DHS4EP5G85PF9NUFK06HEK0O48QGK77.edu. 86400 IN NSEC3 1 1 0 - 9F7PCDK9UL86ESUV8TM11L35AKSI4MB4 NS SOA RRSIG DNSKEY NSEC3PARAM
    9DHS4EP5G85PF9NUFK06HEK0O48QGK77.edu. 86400 IN RRSIG NSEC3 7 2 86400 20101126182049 20101119181049 44056 edu. mLNYbHkzpQK3uJAZxkbhDHb1ZpPuhoVU3hBwAzUdCq41KWFyv8FL6CEA mshyGLs91asDcOtYatdC+EL6XB6tGOP4u1pio+rPH5NiMF3JDrGpBwiz qEcCglxeWArA3KZd1HYwoeDZ1fv8aODVgm9/ANPoyl+GWEPwKNn07V44 qiI=

    ;; Query time: 2614 msec
    ;; SERVER: 192.168.1.14#53(192.168.1.14)
    ;; WHEN: Fri Nov 19 20:49:35 2010
    ;; MSG SIZE  rcvd: 513
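The 'ad' check described in this post (and repeated in the later reply about the Picard result) can be automated. The following parser is an added example, not code from the thread or from the Unbound package: it reads the text output of `dig @<resolver> edu +dnssec`, pulls out the header flags, the EDNS 'do' bit and any RRSIG records, and turns them into a verdict. The sample transcripts are constructed from the format shown above, with a placeholder instead of real signature data.

```python
"""Classify a dig +dnssec answer by the evidence it carries of DNSSEC validation.

Added example (not from the pfSense thread or the Unbound package).
"""
from __future__ import annotations

import re
from dataclasses import dataclass


@dataclass
class DnssecCheck:
    status: str          # RCODE text from the HEADER line, e.g. NOERROR
    flags: list[str]     # header flags, e.g. ['qr', 'rd', 'ra', 'ad']
    edns_do: bool        # the EDNS OPT pseudosection carried the 'do' bit
    rrsig_count: int     # RRSIG records seen in the answer/authority sections

    @property
    def validated(self) -> bool:
        """True only when the resolver itself asserted Authenticated Data."""
        return "ad" in self.flags and self.status == "NOERROR"

    def verdict(self) -> str:
        if self.validated:
            return "validated: resolver set 'ad'"
        if not self.edns_do:
            return "no EDNS 'do' bit: resolver or query is not DNSSEC-aware"
        if self.rrsig_count:
            return ("signatures returned but no 'ad': resolver is not validating "
                    "(or served an unvalidated cached answer)")
        return "no 'ad' and no RRSIG: zone unsigned or DNSSEC disabled on resolver"


_HEADER = re.compile(r"^;; ->>HEADER<<- opcode: (\w+), status: (\w+)")
_FLAGS = re.compile(r"^;; flags: ([a-z ]*);")
_EDNS = re.compile(r"^; EDNS: version: \d+, flags: ([a-z ]*);")


def parse_dig(output: str) -> DnssecCheck:
    """Walk the dig transcript line by line; ';' lines are dig commentary."""
    status, flags, edns_do, rrsig = "UNKNOWN", [], False, 0
    for raw in output.splitlines():
        line = raw.strip()
        if m := _HEADER.match(line):
            status = m.group(2)
        elif m := _FLAGS.match(line):
            flags = m.group(1).split()
        elif m := _EDNS.match(line):
            edns_do = "do" in m.group(1).split()
        elif line and not line.startswith(";"):
            # resource record line: NAME TTL CLASS TYPE RDATA...
            fields = line.split()
            if len(fields) >= 4 and fields[3] == "RRSIG":
                rrsig += 1
    return DnssecCheck(status, flags, edns_do, rrsig)


# Constructed sample modelled on the dig transcript in the post above;
# the RRSIG signature field is a placeholder, not real signature data.
VALIDATED = """\
; <<>> DiG 9.6.2-P2 <<>> @192.168.1.14 edu +dnssec
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 60486
;; flags: qr rd ra ad; QUERY: 1, ANSWER: 0, AUTHORITY: 4, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags: do; udp: 4096
;; QUESTION SECTION:
;edu.                          IN      A

;; AUTHORITY SECTION:
edu.                    900    IN      SOA    a.edu-servers.net. nstld.verisign-grs.com. 1290192544 1800 900 604800 86400
edu.                    900    IN      RRSIG  SOA 7 1 900 20101126184904 20101119183904 44056 edu. <signature-placeholder>
"""

# Constructed: same answer from a resolver that hands back signatures but
# does not validate them (no 'ad'), i.e. the "Picard" case in the thread.
UNVALIDATED = VALIDATED.replace(";; flags: qr rd ra ad;", ";; flags: qr rd ra;")

# Constructed: resolver that never negotiated EDNS, so no OPT pseudosection.
NO_EDNS = "\n".join(l for l in UNVALIDATED.splitlines() if not l.startswith("; EDNS"))

if __name__ == "__main__":
    for name, sample in (("validated", VALIDATED), ("unvalidated", UNVALIDATED), ("no_edns", NO_EDNS)):
        print(f"{name}: {parse_dig(sample).verdict()}")
```

Pipe a real transcript into `parse_dig` (for example via `sys.stdin.read()`) to check your own resolver; only the 'ad' flag set by the resolver you are querying proves validation happened on the router side.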



  • Hey wagonza,

    thanks for the answer. I now get Borat, so this looks good. Still, I can't resolve my local hostnames as before with dnsmasq.
    What kind of info do you need? It is working with dnsmasq…

    Thanks for your help!



  • Please PM me the contents of your unbound.conf file (/usr/local/etc/unbound/unbound.conf) and also the output of unbound-checkconf.



  • Thanks for the unbound package …

    There's an alternative with unbound or dnsmasq.



  • Here it does NOT run. Say, at http://test.dnssec-or-not.org/ I don't see Borat. I reinstalled unbound, no change.
    Nor do local hosts resolve.

    unbound-checkconf shows this:
    unbound-checkconf: no errors in /usr/local/etc/unbound/unbound.conf

    Logs here:

    Nov 20 17:35:49	unbound: [63765:0] info: start of service (unbound 1.4.7).
    Nov 20 17:35:49	unbound: [63765:0] notice: init module 1: iterator
    Nov 20 17:35:49	unbound: [63765:0] notice: init module 1: iterator
    Nov 20 17:35:49	unbound: [63765:0] notice: init module 0: validator
    Nov 20 17:35:49	unbound: [63765:0] notice: init module 0: validator
    Nov 20 17:35:49	check_reload_status: syncing firewall
    Nov 20 17:35:49	unbound: [53712:0] info: server stats for thread 0: requestlist max 0 avg 0 exceeded 0
    Nov 20 17:35:49	unbound: [53712:0] info: server stats for thread 0: 0 queries, 0 answers from cache, 0 recursions, 0 prefetch
    Nov 20 17:35:49	unbound: [53712:0] info: service stopped (unbound 1.4.7).
    Nov 20 17:35:40	unbound: [53712:0] info: start of service (unbound 1.4.7).
    Nov 20 17:35:40	unbound: [53712:0] notice: init module 1: iterator
    Nov 20 17:35:40	unbound: [53712:0] notice: init module 1: iterator
    Nov 20 17:35:40	unbound: [53712:0] notice: init module 0: validator
    Nov 20 17:35:40	unbound: [53712:0] notice: init module 0: validator
    Nov 20 17:35:39	check_reload_status: syncing firewall
    Nov 20 17:35:39	unbound: [37568:0] info: 1.000000 2.000000 1
    Nov 20 17:35:39	unbound: [37568:0] info: lower(secs) upper(secs) recursions
    Nov 20 17:35:39	unbound: [37568:0] info: [25%]=0 median[50%]=0 [75%]=0
    Nov 20 17:35:39	unbound: [37568:0] info: histogram of recursion processing times
    Nov 20 17:35:39	unbound: [37568:0] info: average recursion processing time 1.647413 sec
    Nov 20 17:35:39	unbound: [37568:0] info: server stats for thread 0: requestlist max 0 avg 0 exceeded 0
    Nov 20 17:35:39	unbound: [37568:0] info: server stats for thread 0: 2 queries, 1 answers from cache, 1 recursions, 0 prefetch
    Nov 20 17:35:39	unbound: [37568:0] info: service stopped (unbound 1.4.7).
    Nov 20 17:34:38	check_reload_status: reloading filter
    Nov 20 17:34:37	php: /pkg_edit.php: Reloading Squid for configuration sync
    Nov 20 17:33:04	check_reload_status: syncing firewall
    Nov 20 17:33:10	unbound: [37568:0] info: server stats for thread 0: requestlist max 1 avg 0.5 exceeded 0
    Nov 20 17:33:10	unbound: [37568:0] info: server stats for thread 0: 5 queries, 5 answers from cache, 0 recursions, 2 prefetch
    Nov 20 17:33:03	check_reload_status: syncing firewall
    Nov 20 17:29:08	kernel: xl0: tx underrun, increasing tx start threshold to 180 bytes
    Nov 20 17:29:08	kernel: xl0: transmission error: 90
    Nov 20 17:28:10	unbound: [37568:0] info: 1.000000 2.000000 1
    Nov 20 17:28:10	unbound: [37568:0] info: 0.524288 1.000000 1
    Nov 20 17:28:10	unbound: [37568:0] info: lower(secs) upper(secs) recursions
    Nov 20 17:28:10	unbound: [37568:0] info: [25%]=0 median[50%]=0 [75%]=0
    Nov 20 17:28:10	unbound: [37568:0] info: histogram of recursion processing times
    Nov 20 17:28:10	unbound: [37568:0] info: average recursion processing time 1.237340 sec
    Nov 20 17:28:10	unbound: [37568:0] info: server stats for thread 0: requestlist max 1 avg 0.5 exceeded 0
    Nov 20 17:28:10	unbound: [37568:0] info: server stats for thread 0: 3 queries, 1 answers from cache, 2 recursions, 0 prefetch
    


  • Had another problem with the package. Sometimes after the dhcp lease is over, the client doesn't get my pfSense box as a DNS server, but the DNS servers I provided in general settings. Then my clients can't connect to the internet, because dns is not allowed for them, only to the pfSense box. Why do these servers sometimes get pushed to the clients?



  • Updated to version 1.2.2 and still my clients do not get the pfSense LAN ip address as the dns server but the ones configured in general dns settings. Why is that? dnsmasq correctly pushes my pfSense LAN IP to the clients…



  • Sorry, I'm currently on vacation until Sunday so will try to do as much as I can while away. @jlepthien - will investigate.



  • Take your time m8…



  • I updated pfSense today to 2.0-BETA4 (i386) built on Mon Nov 22 02:54:15 EST 2010 and unbound to v 1.22. But no luck:

    Nov 22 19:50:52 php: /pkg_edit.php: The command '/usr/local/sbin/unbound-control start' returned exit code '1', the output was '[1290451852] unbound[33548:0] error: bind: address already in use [1290451852] unbound[33548:0] fatal error: could not open ports'
    Nov 22 19:50:52 unbound: [56312:0] info: server stats for thread 0: requestlist max 0 avg 0 exceeded 0
    Nov 22 19:50:52 unbound: [56312:0] info: server stats for thread 0: 0 queries, 0 answers from cache, 0 recursions, 0 prefetch
    Nov 22 19:50:52 unbound: [56312:0] info: service stopped (unbound 1.4.7).
    Nov 22 19:50:52 check_reload_status: syncing firewall
    Nov 22 19:50:16 unbound: [56312:0] info: start of service (unbound 1.4.7).
    Nov 22 19:50:16 unbound: [56312:0] notice: init module 1: iterator
    Nov 22 19:50:16 unbound: [56312:0] notice: init module 1: iterator
    Nov 22 19:50:16 unbound: [56312:0] notice: init module 0: validator
    Nov 22 19:50:16 unbound: [56312:0] notice: init module 0: validator
    Nov 22 19:50:15 check_reload_status: reloading filter
    Nov 22 19:50:14 unbound: [53850:0] info: server stats for thread 0: requestlist max 0 avg 0 exceeded 0
    Nov 22 19:50:14 unbound: [53850:0] info: server stats for thread 0: 0 queries, 0 answers from cache, 0 recursions, 0 prefetch
    Nov 22 19:50:14 unbound: [53850:0] info: service stopped (unbound 1.4.7).
    Nov 22 19:50:13 check_reload_status: syncing firewall
    Nov 22 19:49:58 unbound: [53850:0] info: start of service (unbound 1.4.7).
    Nov 22 19:49:58 unbound: [53850:0] warning: root hints root.hints: no NS content
    Nov 22 19:49:58 unbound: [53850:0] warning: root hints root.hints: no NS content
    Nov 22 19:49:58 unbound: [53850:0] notice: init module 1: iterator
    Nov 22 19:49:58 unbound: [53850:0] notice: init module 1: iterator
    Nov 22 19:49:58 unbound: [53850:0] notice: init module 0: validator
    Nov 22 19:49:58 unbound: [53850:0] notice: init module 0: validator
    Nov 22 19:49:58 check_reload_status: syncing firewall
    Nov 22 19:48:27 check_reload_status: reloading filter
    Nov 22 19:48:26 php: : Reloading Squid for configuration sync
    Nov 22 19:48:14 check_reload_status: syncing firewall
    Nov 22 19:48:14 php: /pkg_mgr_install.php: Beginning package installation for Unbound.


    Starting unbound manually via console didn't work: unbound-control start, stop or status resulted in nothing. No output, nor did the program exit. Had to kill it via ctrl-c.
    But starting via WebGUI worked:

    Nov 22 20:00:04 unbound: [22972:0] info: start of service (unbound 1.4.7).
    Nov 22 20:00:04 unbound: [22972:0] notice: init module 1: iterator
    Nov 22 20:00:04 unbound: [22972:0] notice: init module 1: iterator
    Nov 22 20:00:04 unbound: [22972:0] notice: init module 0: validator
    Nov 22 20:00:04 unbound: [22972:0] notice: init module 0: validator


    But I still don't get Borat, only Picard on the dnssec-test-site. :(


  • @jlepthien:

    Take your time m8…

    heh :) thx. I figured out the dhcp DNS problem. It's directly related to DNSmasq being disabled in the xml config. Will think about how we can adjust this and let you know the status over the course of the week.



  • @_igor_:

    Nov 22 19:50:52	php: /pkg_edit.php: The command '/usr/local/sbin/unbound-control start' returned exit code '1', the output was '[1290451852] unbound[33548:0] error: bind: address already in use [1290451852] unbound[33548:0] fatal error: could not open ports'

    Looks like DNSMasq wasn't shut down - will have to add some additional safety belts.

    But i still don't get Borat, only Picard on the dnssec-test-site. :(

    What does dig @<ip> edu +dnssec return? Have a look at the flags section in the returned output; it should contain an 'ad' flag.
    Picard could be cached.


  • @wagonza:

    @jlepthien:

    Take your time m8…

    heh :) thx. I figured out the dhcp DNS problem. It's directly related to DNSmasq being disabled in the xml config. Will think about how we can adjust this and let you know the status over the course of the week.

    Cool! Waiting for an update then. Until then I'll just use dnsmasq as before…



  • After reboot, syslog UI:

    Nov 30 09:41:58 unbound: [669:0] info: service stopped (unbound 1.4.7).
    Nov 30 09:41:58 unbound: [669:0] info: server stats for thread 0: 0 queries, 0 answers from cache, 0 recursions, 0 prefetch
    Nov 30 09:41:58 unbound: [669:0] info: server stats for thread 0: requestlist max 0 avg 0 exceeded 0
    Nov 30 09:41:58 unbound: [687:0] notice: init module 0: iterator
    Nov 30 09:41:58 unbound: [687:0] notice: init module 0: iterator
    Nov 30 09:41:58 unbound: [687:0] info: start of service (unbound 1.4.7).
    Nov 30 09:42:00 php: : The command '/usr/local/sbin/unbound-control start' returned exit code '1', the output was '[1291084920] unbound[704:0] error: bind: address already in use [1291084920] unbound[704:0] fatal error: could not open ports'

    After a manual save in the GUI, syslog looks like it's running:
    Nov 30 09:46:58 unbound: [687:0] info: server stats for thread 0: 73 queries, 0 answers from cache, 73 recursions, 0 prefetch
    Nov 30 09:46:58 unbound: [687:0] info: server stats for thread 0: requestlist max 7 avg 3.23288 exceeded 0
    Nov 30 09:46:58 unbound: [687:0] info: average recursion processing time 1.453108 sec
    Nov 30 09:46:58 unbound: [687:0] info: histogram of recursion processing times
    Nov 30 09:46:58 unbound: [687:0] info: [25%]=0.182044 median[50%]=0.261905 [75%]=0.289474
    Nov 30 09:46:58 unbound: [687:0] info: lower(secs) upper(secs) recursions
    Nov 30 09:46:58 unbound: [687:0] info: 0.032768 0.065536 1
    Nov 30 09:46:58 unbound: [687:0] info: 0.065536 0.131072 3
    Nov 30 09:46:58 unbound: [687:0] info: 0.131072 0.262144 8
    Nov 30 09:46:58 unbound: [687:0] info: 0.262144 0.524288 9
    Nov 30 09:46:58 unbound: [687:0] info: 0.524288 1.000000 10
    Nov 30 09:46:58 unbound: [687:0] info: 1.000000 2.000000 21
    Nov 30 09:46:58 unbound: [687:0] info: 2.000000 4.000000 19
    Nov 30 09:46:58 unbound: [687:0] info: 4.000000 8.000000 2

    On console, I still get the error message:
    [2.0-BETA4][root@rserver.local]/root(4): unbound -v
    [1291085668] unbound[2106:0] notice: Start of unbound 1.4.7.
    [1291085668] unbound[2106:0] error: bind: address already in use
    [1291085668] unbound[2106:0] fatal error: could not open ports

    Connection to the net works, but resolving is still slower than with dnsmasq.

    I think I'll use dnsmasq till I get an update.
    Thanks for providing the unbound package.



  • Ok I am back from vacation. Will look into the various bugs and let you guys know when an update is committed.



  • Hello wagonza! Hope your vacation was nice and groovy…

    I have a little(?) proposal: Could you put the unbound logs separately? Maybe in that section "package logs"?
    It is logging really a lot, so the normal syslog is full of unbound log entries, which makes it somewhat difficult to find specific entries. Say, I have to open a console to view the log directly. 1000 lines are not enough at the webgui... (Not a big clue, but it would make that thing easier.)



  • I hear you - will add this. Otherwise I'm winning with all the other changes. Hopefully will commit some time tomorrow.
    Off to lala land for tonight.



  • Woot!



  • Guys I have committed some changes which include Unbound getting its own log file. This will require a recent snapshot (later than Thursday last week) as there were some bugs in package log handling. I have also added some extra 'statistics' options, so that it is up to the user to decide on what he/she wants to see and how often.

    I can add debugging verbosity as well if you guys think that would help you?

    There is one caveat: currently DHCP entries end up in the hosts file, and there is a daemon that handles updating /etc/hosts whenever there is a change to the dhcp leases file. This daemon will need to be updated to handle updating unbound. Currently only a re-save on Unbound will re-populate this data.

    Lastly, if you make use of DHCP and you assign pfSense as your DNS server (i.e. DNS servers field is left blank) then you will need to specify the IP address of the respective DHCP interface so that existing behaviour is kept. The reason for this is that in the base of pfSense it will automatically assign the Systems: General DNS servers to the dhcp client if DNSMasq is disabled.

    So just reinstall and please let me know what else is still not working.



  • @wagonza:

    There is one caveat: currently DHCP entries end up in the hosts file, and there is a daemon that handles updating /etc/hosts whenever there is a change to the dhcp leases file. This daemon will need to be updated to handle updating unbound. Currently only a re-save on Unbound will re-populate this data.

    Hey,

    great news. I will check it out soon. What I do not get, though, is the post of yours I quoted. What exactly does that mean? At what times do I have to press save on the Unbound tab?

