Netgate Discussion Forum
    DNSSEC on pfSense

    Scheduled Pinned Locked Moved 2.0-RC Snapshot Feedback and Problems - RETIRED
    178 Posts 18 Posters 73.7k Views
_igor_:

I was looking at the freebsd-ftp and the only libevent is libevent.tgz, which is libevent-1.4.13.tbz.
I installed it manually, but it didn't help.

serangku:

Today I installed the Unbound package…
libevent-1.3e still could not download.

Here is the full message from the package install:
        Beginning package installation for Unbound...
        Downloading package configuration file... done.
        Saving updated package information... done.
        Downloading Unbound and its dependencies...
        Checking for package installation...
        unbound-1.4.7  (extracting)
          expat-2.0.1_1  (extracting)
        openssl-1.0.0_3 already installed.
          libevent-1.3e  could not download.
        of unbound-1.4.7 failed!

        Installation aborted.Removing package...
        Starting package deletion for unbound-1.4.7...done.
        Starting package deletion for expat-2.0.1_1...done.
        Skipping package deletion for openssl-1.0.0_2 because it is required by other packages.
        Starting package deletion for libevent-1.4.14b_1...done.
        Removing Unbound components...
        Tabs items... done.
        Menu items... done.
        Services... done.
        Loading package instructions...
        Include file unbound.inc could not be found for inclusion.
        Deinstall commands...
        Not executing custom deinstall hook because an include is missing.
        Removing package instructions...done.
        Auxiliary files... done.
        Package XML... done.
        Configuration... done.
        Failed to install package.

        Installation halted.

Meanwhile, I'll stick to dnsmasq.
I really appreciate you providing this package.

jimp (Rebel Alliance Developer, Netgate):

          Can you try one more time (I just uploaded a freshly recompiled set of packages) and if that fails, try to do this:

          pkg_delete -f openssl-1.0.0_2
          

          And then try to reinstall Unbound (Or maybe hit the 'x' to delete it and then re-add it from the list)

          Remember: Upvote with the 👍 button for any user/post you find to be helpful, informative, or deserving of recognition!

          Need help fast? Netgate Global Support!

          Do not Chat/PM for help!

_igor_:

Great! Installation works! I'm so excited!!! Thanks a lot!!

edit (second note): Unbound works great! Ping of hosts inside my LAN works. Name resolution is somewhat slower than before, but that's no problem…

            last edit: Borat smiles into my face...

            :-)

jlepthien:

Thanks jimp! Now the install works and a DNSSEC test works too. But I cannot ping hosts by name on my LAN. Everything works great from the pfSense box itself (e.g. ping by name to every host), but not from my LAN hosts. I am only able to ping pfSense.domain.lan but no other hosts from my iMac on the LAN.

              I also clicked save on the Unbound tab more than once…

              | apple fanboy | music lover | network and security specialist | in love with cisco systems |

jlepthien:

                Ok. I can see in the unbound.conf that my hosts do not get written into it. Also I want Unbound to listen on three interfaces but it only listens on my main LAN. So WLAN cannot be used at the moment…

                Any ideas? I really have checked all three interfaces on the Unbound tab...

wagonza:

                  Ok I gather nothing has changed in your config that you sent me originally, so let me check and I'll come back to you tomorrow.

                  Follow me on twitter http://twitter.com/wagonza
                  http://www.thepackethub.co.za

wagonza:

@_igor_:

Great! Installation works! I'm so excited!!! Thanks a lot!!

edit (second note): Unbound works great! Ping of hosts inside my LAN works. Name resolution is somewhat slower than before, but that's no problem…

                    Are you using forwarders or letting Unbound do all the name resolution? Also, is it slow just the 1st time or all the time?

jlepthien:

                      @wagonza:

                      Ok I gather nothing has changed in your config that you sent me originally, so let me check and I'll come back to you tomorrow.

                      Yeah, nothing changed in my config. How should I actually use these static dns mappings? Before it was done by dnsmasq and now with Unbound it says that I shouldn't activate the forwarder when using DNSSEC. So how should I configure this?

_igor_:

The forwarder is disabled. Unbound does all the job. As far as I can say (a very subjective opinion), it was only the first call, say some minutes slow with every DNS query, but then it's mostly like before. I'm happy. That's the best description of the actual state.

You did really great work! Thanks again!

serangku:

Yup… giving it a try for now...
It resolves faster than before.

@igor...
Can I see your syslog from the first boot?

Thanks

wagonza:

                            @jlepthien:

                            Yeah, nothing changed in my config. How should I actually use these static dns mappings? Before it was done by dnsmasq and now with Unbound it says that I shouldn't activate the forwarder when using DNSSEC. So how should I configure this?

You can use the static DNS mappings; it's just the upstream DNS servers (forwarders) that it says you should ideally not use unless you are certain that they handle DNSSEC correctly. These static DNS mappings will be created as a local-zone in Unbound, and the relevant A and PTR records will be configured, including a TXT record if you supplied a description.

So a simple dig zone @pfsense_ip will return the A record, and a dig -x IP @pfsense_ip will return the PTR record. Likewise for a TXT record.

                            Hope that answers your question.

lyserge:

                              Are you using forwarders or letting Unbound do all the name resolution? Also, is it slow just the 1st time or all the time?

                              If someone is interested in measuring DNS performance: http://code.google.com/p/namebench/

Just uncheck the other servers that are included by default, then do the test on your pfSense IP :)

                              It should give some numbers to compare the overall performance…

                              pfSense 2.0.3 nanoBSD (i386) on Soekris net5501

_igor_:

                                @serangku:

                                Dec 11 00:56:43	unbound: [32918:0] info: start of service (unbound 1.4.7).
                                Dec 11 00:56:43	unbound: [32918:0] notice: init module 1: iterator
                                Dec 11 00:56:43	unbound: [32918:0] notice: init module 0: validator
                                Dec 11 00:56:43	unbound: [37916:0] info: 2.000000 4.000000 1
                                Dec 11 00:56:43	unbound: [37916:0] info: 1.000000 2.000000 1
                                Dec 11 00:56:43	unbound: [37916:0] info: 0.524288 1.000000 2
                                Dec 11 00:56:43	unbound: [37916:0] info: 0.262144 0.524288 2
                                Dec 11 00:56:43	unbound: [37916:0] info: 0.131072 0.262144 3
                                Dec 11 00:56:43	unbound: [37916:0] info: 0.065536 0.131072 4
                                Dec 11 00:56:43	unbound: [37916:0] info: 0.016384 0.032768 1
                                Dec 11 00:56:43	unbound: [37916:0] info: lower(secs) upper(secs) recursions
                                Dec 11 00:56:43	unbound: [37916:0] info: [25%]=0.04096 median[50%]=0.0873813 [75%]=0.118928
                                Dec 11 00:56:43	unbound: [37916:0] info: histogram of recursion processing times
                                Dec 11 00:56:43	unbound: [37916:0] info: average recursion processing time 0.507960 sec
                                Dec 11 00:56:43	unbound: [37916:0] info: server stats for thread 0: requestlist max 1 avg 0.142857 exceeded 0
                                Dec 11 00:56:43	unbound: [37916:0] info: server stats for thread 0: 14 queries, 0 answers from cache, 14 recursions, 0 prefetch
                                
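The syslog excerpt above is the per-thread statistics block Unbound logs: a histogram of recursion times (lower bound, upper bound, count), the 25/50/75 percentiles, the average, and the query/cache/recursion counters. The parser below is an added example written for this thread, not code from the pfSense package or from the poster; it reads exactly those lines (embedded as a constructed sample copied from the post) and derives the two figures worth checking when someone reports "slow the first time": the cache-hit ratio, and whether the average is being dragged up by a few very slow recursions while the median stays low. The regular expressions match the message formats shown above; other Unbound log lines are ignored.

```python
import re

# Constructed sample: the Unbound startup/stats lines quoted in the post above,
# in the "<timestamp>\tunbound: [pid:thread] level: message" syslog shape.
SAMPLE_LOG = """\
Dec 11 00:56:43\tunbound: [32918:0] info: start of service (unbound 1.4.7).
Dec 11 00:56:43\tunbound: [32918:0] notice: init module 1: iterator
Dec 11 00:56:43\tunbound: [32918:0] notice: init module 0: validator
Dec 11 00:56:43\tunbound: [37916:0] info: 2.000000 4.000000 1
Dec 11 00:56:43\tunbound: [37916:0] info: 1.000000 2.000000 1
Dec 11 00:56:43\tunbound: [37916:0] info: 0.524288 1.000000 2
Dec 11 00:56:43\tunbound: [37916:0] info: 0.262144 0.524288 2
Dec 11 00:56:43\tunbound: [37916:0] info: 0.131072 0.262144 3
Dec 11 00:56:43\tunbound: [37916:0] info: 0.065536 0.131072 4
Dec 11 00:56:43\tunbound: [37916:0] info: 0.016384 0.032768 1
Dec 11 00:56:43\tunbound: [37916:0] info: lower(secs) upper(secs) recursions
Dec 11 00:56:43\tunbound: [37916:0] info: [25%]=0.04096 median[50%]=0.0873813 [75%]=0.118928
Dec 11 00:56:43\tunbound: [37916:0] info: histogram of recursion processing times
Dec 11 00:56:43\tunbound: [37916:0] info: average recursion processing time 0.507960 sec
Dec 11 00:56:43\tunbound: [37916:0] info: server stats for thread 0: requestlist max 1 avg 0.142857 exceeded 0
Dec 11 00:56:43\tunbound: [37916:0] info: server stats for thread 0: 14 queries, 0 answers from cache, 14 recursions, 0 prefetch
"""

# One histogram bucket: "info: <lower secs> <upper secs> <count>" and nothing else.
BUCKET_RE = re.compile(r"info: (\d+\.\d+) (\d+\.\d+) (\d+)\s*$")
PERCENTILE_RE = re.compile(r"\[25%\]=([\d.]+) median\[50%\]=([\d.]+) \[75%\]=([\d.]+)")
AVERAGE_RE = re.compile(r"average recursion processing time ([\d.]+) sec")
THREAD_RE = re.compile(
    r"server stats for thread (\d+): (\d+) queries, (\d+) answers from cache, "
    r"(\d+) recursions, (\d+) prefetch"
)


def parse_unbound_stats(lines):
    """Collect histogram buckets, percentiles, average and per-thread counters."""
    stats = {"buckets": [], "percentiles": None, "average": None, "threads": {}}
    for line in lines:
        m = BUCKET_RE.search(line)
        if m:
            lower, upper, count = m.groups()
            stats["buckets"].append((float(lower), float(upper), int(count)))
            continue
        m = PERCENTILE_RE.search(line)
        if m:
            stats["percentiles"] = tuple(float(x) for x in m.groups())
            continue
        m = AVERAGE_RE.search(line)
        if m:
            stats["average"] = float(m.group(1))
            continue
        m = THREAD_RE.search(line)
        if m:
            tid, queries, cache, recursions, prefetch = (int(x) for x in m.groups())
            stats["threads"][tid] = {
                "queries": queries, "cache": cache,
                "recursions": recursions, "prefetch": prefetch,
            }
    return stats


def cache_hit_ratio(stats):
    """Share of queries answered from cache across all threads (0.0 on a cold cache)."""
    queries = sum(t["queries"] for t in stats["threads"].values())
    cached = sum(t["cache"] for t in stats["threads"].values())
    return cached / queries if queries else 0.0


def histogram_total(stats):
    """Number of recursions accounted for by the histogram buckets."""
    return sum(count for _, _, count in stats["buckets"])


def histogram_consistent(stats):
    """True when the buckets add up to the recursion counter (i.e. we parsed all of them)."""
    return histogram_total(stats) == sum(t["recursions"] for t in stats["threads"].values())


def slowest_bucket(stats):
    """The non-empty bucket with the highest upper bound: the tail the average reflects."""
    populated = [b for b in stats["buckets"] if b[2] > 0]
    return max(populated, key=lambda b: b[1]) if populated else None


if __name__ == "__main__":
    s = parse_unbound_stats(SAMPLE_LOG.splitlines())
    print("cache hit ratio:", cache_hit_ratio(s))
    print("median vs average:", s["percentiles"][1], s["average"])
    print("slowest bucket (lower, upper, count):", slowest_bucket(s))
```

On the sample above every one of the 14 queries was a recursion (cold cache right after start), the median sits under 0.1 s, and the average of about 0.5 s comes from single queries landing in the 1–2 s and 2–4 s buckets. That matches _igor_'s description of the first lookups being slow and the rest behaving normally.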
wagonza:

                                  Who else here has multiple interfaces and has Unbound listening on them all?
                                  Also anyone here with domain overrides (Services->DNS Forwarder) specified? If so are they working?

wagonza:

                                    Ok domain overrides are working. I still need to add an option for DNS Rebinding (enabling/disabling) as that was affecting domain overrides.
                                    Currently it is enabled by default.

Besides @jlepthien's problem of multiple interfaces being selected and for some unknown reason not being saved - any other requests/problems?

_igor_:

Hi wagonza, on my side it's running fine and stress-free. Really a good piece of software you created! Thanks a lot!!!
I don't have multiple gateways here to test those special functions.

jlepthien:

Now it is working for me. I found the problem why it wasn't saving all my interfaces to the conf…

                                        When I looked at the logfile I saw the following:

                                        Dec 15 11:59:58 voldemort unbound: [9464:0] error: Could not open autotrust file for writing, /usr/local/etc/unbound/root-trust-anchor: Read-only file system
                                        

                                        I am on embedded so I just mounted / rw and then clicked save. I guess you just have to implement the mounting rw on embedded with the Unbound package and everything should be fine then…

jlepthien:

Oh, but wait. My OpenDNS is not working anymore… I have configured 208.67.222.222 and 208.67.220.220 as my global DNS servers, but when Unbound is running, no URLs get blocked anymore. Which DNS servers does Unbound contact for resolving?

sullrich:

                                            @jlepthien:

Oh, but wait. My OpenDNS is not working anymore… I have configured 208.67.222.222 and 208.67.220.220 as my global DNS servers, but when Unbound is running, no URLs get blocked anymore. Which DNS servers does Unbound contact for resolving?

                                            Did you check "Enable forwarding mode" in the unbound configuration screen?

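Three things in this thread come down to what ends up in unbound.conf: wagonza's explanation that each static DNS mapping becomes a local-zone with A, PTR and (optionally) TXT data, his note that the DNS rebinding protection was interfering with domain overrides, and sullrich's question about "Enable forwarding mode", which is what decides whether Unbound walks the tree from the root servers itself or hands every query to the configured servers (OpenDNS in jlepthien's case). The generator below is an added example for this thread, not the pfSense Unbound package's own code. The directive names (interface, private-address, private-domain, local-zone, local-data, local-data-ptr, forward-zone, forward-addr) are real unbound.conf keywords; how they are combined here is my assumption about the package's output, the host mappings are constructed, and the only addresses taken from the thread are the two OpenDNS servers. It also covers IPv6 mappings, which the posts do not mention.

```python
import ipaddress

# Constructed sample input: (hostname, address, description) as typed into the
# pfSense static DNS mapping form. Private and documentation addresses only.
SAMPLE_MAPPINGS = [
    ("nas", "192.168.1.10", "file server"),
    ("printer", "192.168.1.20", ""),
    ("nas6", "2001:db8::10", "file server, IPv6"),
]

RFC1918 = ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")


def reverse_name(address):
    """The name `dig -x <address>` actually asks for (in-addr.arpa / ip6.arpa)."""
    return ipaddress.ip_address(address).reverse_pointer


def render_unbound_conf(domain, interfaces, mappings, forwarders=None,
                        rebind_protect=True):
    """Render a server: block (plus an optional forward-zone) for the mappings.

    forwarders=None leaves Unbound fully recursive, so it resolves from the
    root servers itself; a list of addresses is the "forwarding mode" case and
    sends every query that local-data does not answer to those servers.
    """
    out = ["server:"]
    for addr in interfaces:  # one interface: line per pfSense interface address
        out.append(f"    interface: {addr}")
    if rebind_protect:
        # DNS rebinding protection: drop private addresses from answers that
        # come from the Internet, while still allowing them for our own domain.
        for net in RFC1918:
            out.append(f"    private-address: {net}")
        out.append(f'    private-domain: "{domain}"')
    # transparent: names with local-data are answered here, anything else in
    # the domain is still resolved upstream.
    out.append(f'    local-zone: "{domain}." transparent')
    for host, address, description in mappings:
        fqdn = f"{host}.{domain}."
        rrtype = "AAAA" if ipaddress.ip_address(address).version == 6 else "A"
        out.append(f'    local-data: "{fqdn} {rrtype} {address}"')
        out.append(f'    local-data-ptr: "{address} {fqdn}"')  # answers dig -x
        if description:
            # Outer single quotes so the TXT string keeps its own double quotes.
            out.append("    local-data: '%s TXT \"%s\"'" % (fqdn, description))
    if forwarders:
        out.append("forward-zone:")
        out.append('    name: "."')
        for addr in forwarders:
            out.append(f"    forward-addr: {addr}")
    return "\n".join(out) + "\n"


if __name__ == "__main__":
    print(render_unbound_conf("domain.lan", ["192.168.1.1"], SAMPLE_MAPPINGS))
    # Forwarding mode with the OpenDNS servers named in the thread:
    print(render_unbound_conf("domain.lan", ["192.168.1.1"], SAMPLE_MAPPINGS,
                              forwarders=["208.67.222.222", "208.67.220.220"]))
    print(reverse_name("192.168.1.10"))
```

With no forward-zone, Unbound never contacts the servers listed under System > General, which is why OpenDNS filtering stops applying until forwarding mode is enabled. In forwarding mode Unbound still validates DNSSEC locally, but it can only do so if the forwarders pass the signature records through unchanged, which is the caveat wagonza raised. The private-domain line is what keeps rebinding protection from stripping the private answers of your own local zone; a domain override for another internal zone would need the same treatment.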
                                            Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.