Questions about UnBound DNS



  • I installed this package to try it out.  Followed the instructions to disable the built-in forwarder, etc..

    It doesn't seem to behave the way I am expecting.

    1:  I have several internal host entries in pfSense in the DNS settings.
    2: I have an internal domain also specified in the DNS settings.
    3: I have openDNS in the general setup.

    This has worked well.  The DHCP server tells the clients to use the pfSense box as their DNS, and if any of the static entries aren't matched, it uses openDNS to resolve the rest.

    When I disable the forwarder, and enable unbound (including it's forwarder option), everything basically stops working internally.
    None of the static entries are recognized for the clients.  unbound config shows the entries, but they don't work.  Internet does work, and resolves, however it doesn't seem to be using the opendns servers i configured in the general setup.

    I also find it odd that the I can't add more host entries to unbound within the pfsense page.



  • I haven't read all the latest comments on this thread on Unbound (which has support for DNSSEC): http://forum.pfsense.org/index.php/topic,29771.0.html However I seem to recall that installing Unbound currently disables the static and internal host entries, or some such issues, as Unbound is a brand new package that's only working experimentally at this point. I'd read and contribute to that thread with details but I believe at least some of what you're seeing is a known issue.



  • You might want to try the package again - I pushed a lot of fixes on the 17th which addressed some of the issues with domain overrides and internal host entries.



  • I'll try it again.  What's the benefit of it over the default?  Better performance? More secure?



  • @prezmc:

    I'll try it again.  What's the benefit of it over the default?  Better performance? More secure?

    It apparently has native DNSSEC support, so it should be more secure.

    More useful is that dnsmasq (the current default) is just a forwarder, unbound is a full local caching resolver so it isn't reliant on an external resolver at all.

    This will likely be faster than querying your ISP for non-cached queries, but should be more reliable since your ISP won't have a chance to tamper with NXDOMAINs and stuff (although obviously an ISP can still tamper with packets – but that's where DNSSEC comes in, or will once more than 4 domains* use it)

    • Yes, I know that more than 4 domains use it.  However it's not widely deployed just yet, and of those that are using it, apparently a lot have mis-configurations.


  • I just tried to use it again, it still seems to have issues with internal, static entries.



  • And seemingly there are issues with MultiWAN in terms of failover.  Still experimenting to find out if there are workarounds, but at this point it doesn't look like it.

    So while Unbound may be powerful, it's not (yet) a drop-in replacement.



  • @The:

    And seemingly there are issues with MultiWAN in terms of failover.  Still experimenting to find out if there are workarounds, but at this point it doesn't look like it.

    So while Unbound may be powerful, it's not (yet) a drop-in replacement.

    Correct - GeekGod and myself are under discussions regarding the MultiWan stuff. Look out for an update.



  • @prezmc:

    I'll try it again.  What's the benefit of it over the default?  Better performance? More secure?

    It is full recursive caching name-server. So far more powerful and it supports DNSSEC. So signed zones can at least be authenticated/validated.



  • @prezmc:

    I just tried to use it again, it still seems to have issues with internal, static entries.

    Are your talking about host entries or domain overrides? Can you please provide me an example? What does dig @pfsense_ip <static host="" entry="">return?</static>



  • Anyone have step by step instructions to get Unbound to work properly?

    Running yesterday's 2.0 Pfsense Beta build and using the default Unbound config as per the Webgui.

    Borat does not show up.

    Unbound appears to be working somewhat as I notice faster browsing with hardly any of the "looking up whatever domain name" pause in the browser footer. Much faster than when I was not using Unbound.

    My Lan is the regular one installed by Pfsense and the Wan via DHCP.

    This may be anecdotal, but after installing Unbound my Squid disappeared. Reinstalled and working fine in transparent mode as usual.  ???

    @prezmc:

    I installed this package to try it out.  Followed the instructions to disable the built-in forwarder, etc..

    It doesn't seem to behave the way I am expecting.

    1:  I have several internal host entries in pfSense in the DNS settings.
    2: I have an internal domain also specified in the DNS settings.
    3: I have openDNS in the general setup.

    This has worked well.  The DHCP server tells the clients to use the pfSense box as their DNS, and if any of the static entries aren't matched, it uses openDNS to resolve the rest.

    When I disable the forwarder, and enable unbound (including it's forwarder option), everything basically stops working internally.
    None of the static entries are recognized for the clients.  unbound config shows the entries, but they don't work.  Internet does work, and resolves, however it doesn't seem to be using the opendns servers i configured in the general setup.

    I also find it odd that the I can't add more host entries to unbound within the pfsense page.



  • On today's Pfsense Beta 2.0 build I got this:

    "php: : The command '/usr/local/sbin/unbound-control start' returned exit code '1', the output was '[1292976182] unbound[47829:0] error: bind: address already in use [1292976182] unbound[47829:0] fatal error: could not open ports'"
    ???



  • In case anyone is interested I found this image of the Unbound Settings for Pfsense - apparently from a Pfsense developer:

    http://twitpic.com/3g6gq7

    For me cannot get Borat at:

    http://test.dnssec-or-not.org/



  • @mromero:

    On today's Pfsense Beta 2.0 build I got this:

    "php: : The command '/usr/local/sbin/unbound-control start' returned exit code '1', the output was '[1292976182] unbound[47829:0] error: bind: address already in use [1292976182] unbound[47829:0] fatal error: could not open ports'"
    ???

    Odd, this only happens if dnsmasq is still enabled and started. What version of the Unbound package you running?



  • @mromero:

    In case anyone is interested I found this image of the Unbound Settings for Pfsense - apparently from a Pfsense developer:

    http://twitpic.com/3g6gq7

    For me cannot get Borat at:

    http://test.dnssec-or-not.org/

    The page not possibly cached. As an alternative you can try this:

    dig @ <ip>edu +dnssec

    Look for the flags section which should contain 'ad' in them. For example:

    ; <<>> DiG 9.6.2-P2 <<>> @192.168.1.14 edu +dnssec
    ; (1 server found)
    ;; global options: +cmd
    ;; Got answer:
    ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 60486
    ;; flags: qr rd ra ad; QUERY: 1, ANSWER: 0, AUTHORITY: 4, ADDITIONAL: 1

    ;; OPT PSEUDOSECTION:
    ; EDNS: version: 0, flags: do; udp: 4096
    ;; QUESTION SECTION:
    ;edu.                          IN      A

    ;; AUTHORITY SECTION:
    edu.                    900    IN      SOA    a.edu-servers.net. nstld.verisign-grs.com. 1290192544 1800 900 604800 86400
    edu.                    900    IN      RRSIG  SOA 7 1 900 20101126184904 20101119183904 44056 edu. tj/QsEt14ht17PeaydNQvSlsYt/vs9vj4y6OOICt1TcctDEwwNZ/1S+C mXpUZtYAyiIT8XUtFoSRhdMD0gpsLh6Qw+cBnBC4R//5khW9GJ+jHhU6 YA6aEPaQdmWt5i2TqLdxV8ebGQj3EP+rxe/GmFONoV4crT5aw+s5PTvZ QLc=
    9DHS4EP5G85PF9NUFK06HEK0O48QGK77.edu. 86400 IN NSEC3 1 1 0 - 9F7PCDK9UL86ESUV8TM11L35AKSI4MB4 NS SOA RRSIG DNSKEY NSEC3PARAM
    9DHS4EP5G85PF9NUFK06HEK0O48QGK77.edu. 86400 IN RRSIG NSEC3 7 2 86400 20101126182049 20101119181049 44056 edu. mLNYbHkzpQK3uJAZxkbhDHb1ZpPuhoVU3hBwAzUdCq41KWFyv8FL6CEA mshyGLs91asDcOtYatdC+EL6XB6tGOP4u1pio+rPH5NiMF3JDrGpBwiz qEcCglxeWArA3KZd1HYwoeDZ1fv8aODVgm9/ANPoyl+GWEPwKNn07V44 qiI=

    ;; Query time: 2614 msec
    ;; SERVER: 192.168.1.14#53(192.168.1.14)
    ;; WHEN: Fri Nov 19 20:49:35 2010
    ;; MSG SIZE  rcvd: 513</ip>



  • Package Install Weirdness from Webgui for unbound.

    After fooling around with Unbound for several days today I upgraded to the latest build pfSense-Full-Update-2.0-BETA4-20101225-2327.tgz

    On restart I noticed both SQUID and Unbound were not working deinstall / reinstall failed repeatedly.

    Thus did a fresh install of 1.23 on this box and upgraded to today's 2.0 Beta 4 (listed as 4 but the Dashboard Shows Beta 5?)

    Try to install Unbound and get

    –-Beginning package installation for Unbound...
    Downloading package configuration file... done.
    Saving updated package information... done.
    Downloading Unbound and its dependencies...
    Checking for package installation...
    Downloading http://files.pfsense.org/packages/8/All/unbound-1.4.7.tbz ...  (extracting)
      Downloading http://files.pfsense.org/packages/8/All/expat-2.0.1_1.tbz ...  (extracting)
    openssl-1.0.0_4 already installed.
      Downloading http://files.pfsense.org/packages/8/All/libevent-1.3e.tbz ...  could not download from there or http://ftp2.FreeBSD.org/pub/FreeBSD/ports/i386/packages-8.1-release/All/libevent-1.3e.tbz.
    of unbound-1.4.7 failed!

    Installation aborted.Backing up libraries...
    Removing package...
    Starting package deletion for unbound-1.4.7...done.
    Starting package deletion for expat-2.0.1_1...done.
    Starting package deletion for libevent-1.4.14b_1...done.
    Removing Unbound components...
    Tabs items... done.
    Menu items... done.
    Services... done.
    Loading package instructions...
    Include file unbound.inc could not be found for inclusion.
    Deinstall commands...
    Not executing custom deinstall hook because an include is missing.
    Removing package instructions...done.
    Auxiliary files... done.
    Package XML... done.
    Configuration... done.
    Cleaning up... Failed to install package.

    Installation halted.

    I go to the addresses in a separate window and find that:

    http://files.pfsense.org/packages/8/All/libevent-1.3e.tbz does not exist only libevent-1.4.14b_1.tbz

    Why is the installation trying to download a non-existent file?

    Another problem with today's build is Squid:


    pfsense.local
    System
    Interfaces
    Firewall
    Services
    VPN
    Status
    Diagnostics
    Help
    Status: System logs: System

    SystemFirewallDHCPPortal AuthIPsecPPPVPNLoad BalancerOpenVPNOpenNTPDSettings
    Last 50 system log entries
    Dec 26 17:37:17 kernel: ugen0.2: <microsoft>at usbus0
    Dec 26 17:37:17 kernel: ukbd0: <microsoft 0="" 2="" microsoft="" digital="" media="" pro="" keyboard,="" class="" 0,="" rev="" 2.00="" 1.10,="" addr="">on usbus0
    Dec 26 17:37:17 kernel: kbd2 at ukbd0
    Dec 26 17:37:17 kernel: uhid0: <microsoft 0="" 2="" microsoft="" digital="" media="" pro="" keyboard,="" class="" 0,="" rev="" 2.00="" 1.10,="" addr="">on usbus0
    Dec 26 17:37:17 php: : rc.newwanip: Informational is starting rl0.
    Dec 26 17:37:17 php: : rc.newwanip: on (IP address: 10.0.0.6) (interface: wan) (real interface: rl0).
    Dec 26 17:37:17 kernel: pflog0: promiscuous mode enabled
    Dec 26 17:37:17 php: : ROUTING: add default route to 10.0.0.2
    Dec 26 17:37:18 check_reload_status: reloading filter
    Dec 26 17:37:18 apinger: Starting Alarm Pinger, apinger(26664)
    Dec 26 17:37:20 php: : ROUTING: change default route to 10.0.0.2
    Dec 26 17:37:20 dhcpd: Internet Systems Consortium DHCP Server 4.1.1-P1
    Dec 26 17:37:20 dhcpd: Copyright 2004-2010 Internet Systems Consortium.
    Dec 26 17:37:20 dhcpd: All rights reserved.
    Dec 26 17:37:20 dhcpd: For info, please visit https://www.isc.org/software/dhcp/
    Dec 26 17:37:20 dnsmasq[47832]: started, version 2.55 cachesize 10000
    Dec 26 17:37:20 dnsmasq[47832]: compile time options: no-IPv6 GNU-getopt no-DBus I18N DHCP TFTP
    Dec 26 17:37:20 check_reload_status: updating all dyndns
    Dec 26 17:37:20 dnsmasq[47832]: reading /etc/resolv.conf
    Dec 26 17:37:20 dnsmasq[47832]: using nameserver 10.0.0.2#53
    Dec 26 17:37:20 dnsmasq[47832]: read /etc/hosts - 2 addresses
    Dec 26 17:37:25 php: : Creating rrd update script
    Dec 26 17:37:26 php: : Resyncing configuration for all packages.
    Dec 26 17:37:29 php: : Starting Squid
    Dec 26 17:37:29 squid[19418]: Squid Parent: child process 20128 started
    Dec 26 17:37:29 check_reload_status: reloading filter
    Dec 26 17:37:29 php: : Not calling package sync code for dependency squidcache of squid because some include files are missing.
    Dec 26 17:37:29 php: : Not calling package sync code for dependency squidnac of squid because some include files are missing.
    Dec 26 17:37:29 php: : Not calling package sync code for dependency squid of squid because some include files are missing.
    Dec 26 17:37:29 php: : Not calling package sync code for dependency squidtraffic of squid because some include files are missing.
    Dec 26 17:37:29 php: : Not calling package sync code for dependency squidupstream of squid because some include files are missing.
    Dec 26 17:37:29 php: : Not calling package sync code for dependency squidauth of squid because some include files are missing.
    Dec 26 17:37:29 php: : Not calling package sync code for dependency squidusers of squid because some include files are missing.
    Dec 26 17:37:29 php: : Not calling package sync code for dependency squidcache of squid because some include files are missing.
    Dec 26 17:37:31 login: login on ttyv0 as root
    Dec 26 17:37:31 sshlockout[36153]: sshlockout/webConfigurator v3.0 starting up
    Dec 26 17:37:34 Squid_Alarm[43936]: Squid has exited. Reconfiguring filter.
    Dec 26 17:37:34 Squid_Alarm[44490]: Attempting restart…
    Dec 26 17:37:34 squid[45954]: Squid Parent: child process 46742 started
    Dec 26 17:37:37 Squid_Alarm[47111]: Reconfiguring filter…
    Dec 26 17:37:37 Squid_Alarm[56822]: Squid has resumed. Reconfiguring filter.
    Dec 26 17:38:36 check_reload_status: syncing firewall
    Dec 26 17:38:37 php: /pkg_mgr_install.php: Beginning package installation for Unbound.
    Dec 26 17:38:37 check_reload_status: syncing firewall
    Dec 26 17:39:18 check_reload_status: syncing firewall
    Dec 26 17:39:18 check_reload_status: syncing firewall
    Dec 26 17:39:19 check_reload_status: syncing firewall
    Dec 26 17:39:19 check_reload_status: reloading filter
    Dec 26 17:41:29 check_reload_status: Linkup starting nfe0
    Dec 26 17:41:29 kernel: nfe0: link state changed to DOWN
    –--

    If I go back to December 23 snapshot Squid does not gives these errors.</microsoft></microsoft></microsoft>



  • Tried to install Unbound from the console:

    pkg_add http://files.pfsense.org/packages/8/All/unbound-1.4.7.tbz

    It starts and everything appears to be going fine then it barfs when it cannot find http://files.pfsense.org/packages/8/All/libevent-1.3e.tbz



  • I believe the Pfsense 2.0 Beta 4 or 5 after the 23 December is broken as far as the package installer for Unbound is concerned  ???

    Did a fresh install of today's Beta and tried to install both:

    unbound-1.4.6.tbz 2010-Nov-03 16:16:49 6.0M application/x-bzip-compressed-tar
    unbound-1.4.7.tbz 2010-Dec-26 02:22:20 6.4M application/x-bzip-compressed-tar

    from the WebGui and from the Console and both failed complaining about not finding:

    Downloading http://files.pfsense.org/packages/8/All/libevent-1.3e.tbz …  could not download from there or http://ftp2.FreeBSD.org/pub/FreeBSD/ports/i386/packages-8.1-release/All/libevent-1.3e.tbz.
    of unbound-1.4.7 failed!

    Browsing the packages at http://files.pfsense.org/packages/8/All/ shows this file does not exist either deleted by accident or the Unbound install package is screwed up.

    The libevent-1.3e.tbz file is an old file from 07 - the current file at http://files.pfsense.org/packages/8/All/ is libevent-1.4.14b_1.tbz


  • Rebel Alliance Global Moderator

    Yup same error.. I just did a clean install of 2. latest

    Version 2.0-BETA5 (i386)
    built on Sun Dec 26 01:43:40 EST 2010

    You are on the latest version.

    Would really like to get this work.. how can we change the installer to use the newer version of libevent?


  • Rebel Alliance Developer Netgate

    Packages are recompiling now, should be uploading soon. Hopefully once they do it should pull libevent 1.4 instead of 1.3


  • Rebel Alliance Developer Netgate

    Should be OK…

    Information for /usr/ports/packages/All/unbound-1.4.7.tbz:

    Depends on:
    Dependency: expat-2.0.1_1
    Dependency: openssl-1.0.0_4
    Dependency: libevent-1.4.14b_1



  • As per my other post pfSense-Full-Update-2.0-BETA4-20101227-0643.tgz upgrade from the console today and Unbound DNS now installs. Thanks

    @jimp:

    Packages are recompiling now, should be uploading soon. Hopefully once they do it should pull libevent 1.4 instead of 1.3


Locked