DNSSEC on pfSense
-
On the latest snapshot of today i386 still getting:
Dec 30 23:36:31 php: : The command '/usr/local/sbin/unbound-control start' returned exit code '1', the output was '[1293752191] unbound[53513:0] error: bind: address already in use [1293752191] unbound[53513:0] fatal error: could not open ports'
???Is this still a problem? I can only assume DNSMasq was re-enabled.
I have been away for the last week - hence the late reply.
-
On latest snapshot of today 4 January same old:
Jan 4 21:06:41 php: : The command '/usr/local/sbin/unbound-control start' returned exit code '1', the output was '[1294175201] unbound[48254:0] error: bind: address already in use [1294175201] unbound[48254:0] fatal error: could not open ports'
On the latest snapshot of today i386 still getting:
Dec 30 23:36:31 php: : The command '/usr/local/sbin/unbound-control start' returned exit code '1', the output was '[1293752191] unbound[53513:0] error: bind: address already in use [1293752191] unbound[53513:0] fatal error: could not open ports'
???Is this still a problem? I can only assume DNSMasq was re-enabled.
I have been away for the last week - hence the late reply.
-
It appears we are close to a RC1 candidate with so many things broken?
One of the developers tweeted:
"DNSSEC is right now the top, by far the top distributed denial of service amplifier on the internet"
Could this be why no one seems to care about the Unbound package?
-
I would be interested in infos about it. Searching the net i only get - nothing! So no explanation nor other info. Sounds a bit like "Windows is the most secure software known".
-
Here is the original Tweet, but I notice the URL goes to a 404 - do not known what to make of it:
sullrich Scott Ullrich
DNSSEC is right now the top, by far the top distributed denial of service amplifier on the internet. -DJB http://ha.cx/DJB.mp429 Dec
I would be interested in infos about it. Searching the net i only get - nothing! So no explanation nor other info. Sounds a bit like "Windows is the most secure software known".
-
On latest snapshot of today 4 January same old:
Jan 4 21:06:41 php: : The command '/usr/local/sbin/unbound-control start' returned exit code '1', the output was '[1294175201] unbound[48254:0] error: bind: address already in use [1294175201] unbound[48254:0] fatal error: could not open ports'
Can you check if this happens next time and if so issue the following command when you see this error:
sockstat -4 -p 53
-
Found something about the "denial of service amplifier" of DNSSEC: There was a discussion at the 27c3 in Berlin at the end of 2010… Was about the weakness of DNSSEC and the glory of dnscurve...
It can be found here: http://events.ccc.de/congress/2010/wiki/Conference_Recordings (Its Number 4295)
http://events.ccc.de/congress/2010/Fahrplan/attachments/1773_slides.pdfAnd here an interesting opinion from Dan Kaminsky: http://dankaminsky.com/2011/01/05/djb-ccc/
Maybe all this clears some things up (or not ;-)
-
Hi Wagonza. I ran the command from Shell and copied this result in longhand from the console:
USER COMMAND PID FD PROTO LOCAL ADDRESS FOREIGN ADDRESS
unbound unbound 22871 12 udp4 192.168.1.1:53 :
unbound unbound 22871 13 tcp4 192.168.1.1:53 :On latest snapshot of today 4 January same old:
Jan 4 21:06:41 php: : The command '/usr/local/sbin/unbound-control start' returned exit code '1', the output was '[1294175201] unbound[48254:0] error: bind: address already in use [1294175201] unbound[48254:0] fatal error: could not open ports'
Can you check if this happens next time and if so issue the following command when you see this error:
sockstat -4 -p 53
-
And here an interesting opinion from Dan Kaminsky: http://dankaminsky.com/2011/01/05/djb-ccc/
Maybe all this clears some things up (or not ;-)
This was a great read from Dan Kaminsky. I'm a DNSSEC convert! :)
Check out his slides from his BlackHat talk too. http://dankaminsky.com/phreebird/
Time to check out Unbound . . .
GB
-
just install Unbound on 2.0beta5 full install, install went good with no errors Its up and running but when i go to test.dnssec-or-not.org I get No, you are not using DNSSEC,
If you guys dont mind Can someone with Unbound working up and running post pics of their Unbound DNS Settings thanks. -
Hi Wagonza. I ran the command from Shell and copied this result in longhand from the console:
USER COMMAND PID FD PROTO LOCAL ADDRESS FOREIGN ADDRESS
unbound unbound 22871 12 udp4 192.168.1.1:53 :
unbound unbound 22871 13 tcp4 192.168.1.1:53 :hmm … this shows that Unbound is listening - in this instance did you get a log entry with the failure to start for Unbound?
If so then it appears that for some reason Unbound is trying to be started twice on your system. -
@ ToxIcon:
Enable unbound
choose LAN (and your additional Interfaces maybe)
enable DNSSEC
This should work instantly.I have the forwarding mode disabled, but should not make any difference as i have seen here
Do you have squid installed? If you have tested before, it could be that squid is "answering" or your local browser-cache. I had this too. Its working fine here since the beginning. I don't have any errors. Nor double starting of unbound. That was only at an early stage here. But may be different depending on whatever. You see, wagonza is working.
-
If you are using squid, go to the config page for squid then add your pfsense IP to this line:
"Use alternate DNS-servers for the proxy-server"
Fixed it for me, no more sad Picard.
-
Also check http://doc.pfsense.org/index.php/Unbound_package for a bit more detail on the setup of Unbound.
Please let me know if you spot any mistakes/grammer errors or have suggestions.thx
-
THANKS! This did the trick. I am still getting errors as per below but Unbound is now giving me the Borat Smile.
This on AMD 64of today. Will work on the other i386 box now.
Jan 8 18:31:59 php: : SQUID is installed but not started. Not installing "nat" rules.
Jan 8 18:32:00 php: : SQUID is installed but not started. Not installing "filter" rules.
Jan 8 18:32:04 php: : Creating rrd update script
Jan 8 18:32:04 php: : Resyncing configuration for all packages.
Jan 8 18:32:09 php: : Starting Squid
Jan 8 18:32:09 squid[22968]: Squid Parent: child process 23503 started
Jan 8 18:32:09 check_reload_status: reloading filter
Jan 8 18:32:09 php: : The command '/usr/local/sbin/unbound-control start' returned exit code '1', the output was '[1294511529] unbound[31067:0] error: bind: address already in use [1294511529] unbound[31067:0] fatal error: could not open ports'
Jan 8 18:32:10 login: login on ttyv0 as root
Jan 8 18:32:10 sshlockout[38992]: sshlockout/webConfigurator v3.0 starting up
Jan 8 18:32:14 Squid_Alarm[45562]: Squid has exited. Reconfiguring filter.
Jan 8 18:32:14 Squid_Alarm[45854]: Attempting restart…
Jan 8 18:32:14 squid[46948]: Squid Parent: child process 47334 started
Jan 8 18:32:17 Squid_Alarm[47945]: Reconfiguring filter…
Jan 8 18:32:17 Squid_Alarm[56094]: Squid has resumed. Reconfiguring filter.If you are using squid, go to the config page for squid then add your pfsense IP to this line:
"Use alternate DNS-servers for the proxy-server"
Fixed it for me, no more sad Picard.
-
O.K. I upgraded to today's snapshot on another box with i386 and it wiped out my Squid. Reinstalled Squid and Squid and Unbound working now with Borat Smiling.
I guess the kinks will be worked out eventually…
-
wagonza thanks for giving us Unbound
igor thanks for the squid tip
adrianhensler thanks for pointing me to the squid then add your pfsense IP to this line:
"Use alternate DNS-servers for the proxy-server"
Fixed it for me alsoYes, you are using DNSSEC
-
great job … :)
have tested on pf 2.0 32 bit and 64 bit
on new package now have a bit custom on gui ...
really appreciate ... -
Thanks wagonza, adrianhensler and jimp and all the other techno Gods on PFSENSE for making this work ;D
Have just upgraded to today's second snapshot build on i386 and it took very long to go through the process. Apparently de-installed Squid and Unbound and re-installed them but in the end everything ran through smoothly.
I did not have to manually install any package or anything like that.
Still get the Unbound error on the logs but Squid and Unbound are working fine and Borat is smiling.
From the console I glimpsed something like Unbound log in already exists or something like that.
Where I am ALL the ISPs we tested including satellite are not running DNSSEC thus I am humbled by maybe being the first :o
P.S. Working good also on Saturday's second snapshot on 64 bit.
great job … :)
have tested on pf 2.0 32 bit and 64 bit
on new package now have a bit custom on gui ...
really appreciate ... -
Does Unbound have an equivalent to the host override section of DNS Forwarder?