Netgate Discussion Forum

    Questions about UnBound DNS

Category: 2.0-RC Snapshot Feedback and Problems - RETIRED
22 Posts 7 Posters 16.5k Views

prezmc:

      I installed this package to try it out.  Followed the instructions to disable the built-in forwarder, etc..

      It doesn't seem to behave the way I am expecting.

      1:  I have several internal host entries in pfSense in the DNS settings.
      2: I have an internal domain also specified in the DNS settings.
      3: I have openDNS in the general setup.

      This has worked well.  The DHCP server tells the clients to use the pfSense box as their DNS, and if any of the static entries aren't matched, it uses openDNS to resolve the rest.

When I disable the forwarder, and enable unbound (including its forwarder option), everything basically stops working internally.
      None of the static entries are recognized for the clients.  unbound config shows the entries, but they don't work.  Internet does work, and resolves, however it doesn't seem to be using the opendns servers i configured in the general setup.

I also find it odd that I can't add more host entries to unbound within the pfsense page.

dszp:

        I haven't read all the latest comments on this thread on Unbound (which has support for DNSSEC): http://forum.pfsense.org/index.php/topic,29771.0.html However I seem to recall that installing Unbound currently disables the static and internal host entries, or some such issues, as Unbound is a brand new package that's only working experimentally at this point. I'd read and contribute to that thread with details but I believe at least some of what you're seeing is a known issue.

        David Szpunar

wagonza:

          You might want to try the package again - I pushed a lot of fixes on the 17th which addressed some of the issues with domain overrides and internal host entries.

          Follow me on twitter http://twitter.com/wagonza
          http://www.thepackethub.co.za

prezmc:

            I'll try it again.  What's the benefit of it over the default?  Better performance? More secure?

thedaveCA:

              @prezmc:

              I'll try it again.  What's the benefit of it over the default?  Better performance? More secure?

              It apparently has native DNSSEC support, so it should be more secure.

              More useful is that dnsmasq (the current default) is just a forwarder, unbound is a full local caching resolver so it isn't reliant on an external resolver at all.

              This will likely be faster than querying your ISP for non-cached queries, but should be more reliable since your ISP won't have a chance to tamper with NXDOMAINs and stuff (although obviously an ISP can still tamper with packets – but that's where DNSSEC comes in, or will once more than 4 domains* use it)

* Yes, I know that more than 4 domains use it.  However it's not widely deployed just yet, and of those that are using it, apparently a lot have mis-configurations.
prezmc:

                I just tried to use it again, it still seems to have issues with internal, static entries.

thedaveCA:

                  And seemingly there are issues with MultiWAN in terms of failover.  Still experimenting to find out if there are workarounds, but at this point it doesn't look like it.

                  So while Unbound may be powerful, it's not (yet) a drop-in replacement.

wagonza:

@thedaveCA:

                    And seemingly there are issues with MultiWAN in terms of failover.  Still experimenting to find out if there are workarounds, but at this point it doesn't look like it.

                    So while Unbound may be powerful, it's not (yet) a drop-in replacement.

                    Correct - GeekGod and myself are under discussions regarding the MultiWan stuff. Look out for an update.

wagonza:

                      @prezmc:

                      I'll try it again.  What's the benefit of it over the default?  Better performance? More secure?

                      It is full recursive caching name-server. So far more powerful and it supports DNSSEC. So signed zones can at least be authenticated/validated.

wagonza:

                        @prezmc:

                        I just tried to use it again, it still seems to have issues with internal, static entries.

Are you talking about host entries or domain overrides? Can you please provide me an example? What does dig @pfsense_ip <static host entry> return?

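The distinction wagonza is asking about maps directly onto Unbound's own directives, so here is a hand-written unbound.conf fragment, added to this page as an illustration and not the configuration the pfSense Unbound package generates: pfSense "host entries" become local-data inside a static local-zone, a "domain override" becomes a forward-zone for just that domain, and the package's "forwarder option" is a forward-zone for ".". The LAN range, the firewall address, the names example.lan and corp.example, the internal server 10.0.0.5 and the trust-anchor path are placeholders; the two upstream addresses are OpenDNS's published resolvers, assumed here only because the original post names OpenDNS in General Setup.

```conf
# Added example: hand-written unbound.conf, not generated by the pfSense package.
# Placeholders: LAN 192.168.1.0/24, firewall at 192.168.1.1, internal domain
# example.lan, a second internal domain corp.example served by 10.0.0.5.
server:
    interface: 192.168.1.1
    access-control: 192.168.1.0/24 allow
    access-control: 0.0.0.0/0 refuse          # never answer queries from the WAN side

    # DNSSEC validation; the file holds the root trust anchor (placeholder path)
    auto-trust-anchor-file: "/var/unbound/root.key"

    # Host entries: answered from here, never forwarded. "static" means a name in
    # example.lan that is not listed gets NXDOMAIN instead of leaking upstream.
    local-zone: "example.lan." static
    local-data: "fileserver.example.lan. IN A 192.168.1.10"
    local-data: "printer.example.lan.    IN A 192.168.1.20"
    local-data-ptr: "192.168.1.10 fileserver.example.lan"
    local-data-ptr: "192.168.1.20 printer.example.lan"

    # Rebinding protection: strip RFC 1918 addresses from upstream answers, except
    # for the internal domain that legitimately returns them via the override.
    private-address: 10.0.0.0/8
    private-address: 172.16.0.0/12
    private-address: 192.168.0.0/16
    private-domain: "corp.example."

    # The override target is an unsigned internal zone with no DS record in any
    # parent; tell the validator not to try to prove it secure.
    domain-insecure: "corp.example."

# Domain override: only this domain goes to the internal server.
forward-zone:
    name: "corp.example."
    forward-addr: 10.0.0.5

# "Forwarder option": everything else goes to the upstream resolvers instead of
# being resolved from the root. Remove this stanza to run as a real recursive
# resolver. If the forwarder does not pass DNSSEC records through, signed names
# fail validation (SERVFAIL); unbound does not quietly downgrade to unvalidated.
forward-zone:
    name: "."
    forward-addr: 208.67.222.222   # OpenDNS, assumed from "openDNS in the general setup"
    forward-addr: 208.67.220.220
```

Order matters for the symptom in the first post: local-data is consulted before any forward-zone, so a host entry that shows up in the generated config but does not resolve points at the zone name (trailing dot, domain suffix) rather than at forwarding. The private-address/private-domain pair is the part most often left out and then blamed on Unbound when an override "returns nothing": without private-domain, the 10.x answers from the override are silently stripped as rebinding attempts.
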
mromero:

                          Anyone have step by step instructions to get Unbound to work properly?

                          Running yesterday's 2.0 Pfsense Beta build and using the default Unbound config as per the Webgui.

                          Borat does not show up.

                          Unbound appears to be working somewhat as I notice faster browsing with hardly any of the "looking up whatever domain name" pause in the browser footer. Much faster than when I was not using Unbound.

                          My Lan is the regular one installed by Pfsense and the Wan via DHCP.

                          This may be anecdotal, but after installing Unbound my Squid disappeared. Reinstalled and working fine in transparent mode as usual.  ???

                          @prezmc:

                          I installed this package to try it out.  Followed the instructions to disable the built-in forwarder, etc..

                          It doesn't seem to behave the way I am expecting.

                          1:  I have several internal host entries in pfSense in the DNS settings.
                          2: I have an internal domain also specified in the DNS settings.
                          3: I have openDNS in the general setup.

                          This has worked well.  The DHCP server tells the clients to use the pfSense box as their DNS, and if any of the static entries aren't matched, it uses openDNS to resolve the rest.

When I disable the forwarder, and enable unbound (including its forwarder option), everything basically stops working internally.
                          None of the static entries are recognized for the clients.  unbound config shows the entries, but they don't work.  Internet does work, and resolves, however it doesn't seem to be using the opendns servers i configured in the general setup.

I also find it odd that I can't add more host entries to unbound within the pfsense page.

mromero:

                            On today's Pfsense Beta 2.0 build I got this:

                            "php: : The command '/usr/local/sbin/unbound-control start' returned exit code '1', the output was '[1292976182] unbound[47829:0] error: bind: address already in use [1292976182] unbound[47829:0] fatal error: could not open ports'"
                            ???

mromero:

                              In case anyone is interested I found this image of the Unbound Settings for Pfsense - apparently from a Pfsense developer:

                              http://twitpic.com/3g6gq7

For me, I cannot get Borat at:

                              http://test.dnssec-or-not.org/

wagonza:

                                @mromero:

                                On today's Pfsense Beta 2.0 build I got this:

                                "php: : The command '/usr/local/sbin/unbound-control start' returned exit code '1', the output was '[1292976182] unbound[47829:0] error: bind: address already in use [1292976182] unbound[47829:0] fatal error: could not open ports'"
                                ???

                                Odd, this only happens if dnsmasq is still enabled and started. What version of the Unbound package you running?

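A quick check for the "bind: address already in use" error above, added here as an example and not something from the thread: ask the kernel who holds port 53 before starting unbound. On FreeBSD/pfSense that is sockstat; the function below only parses its COMMAND and PID columns, and the table it is run against is a constructed sample (not a real capture) that reproduces the situation wagonza describes, dnsmasq still bound to *:53.

```sh
#!/bin/sh
# Added example (not from the thread): find out what already owns port 53.
# Live use on the firewall:
#   sockstat -4 -6 -l -p 53 | port53_holders
# Prints one "COMMAND PID" line per process bound to :53 (udp or tcp).
port53_holders() {
    # sockstat columns: USER COMMAND PID FD PROTO "LOCAL ADDRESS" "FOREIGN ADDRESS"
    # $6 is the local address, e.g. "*:53"; NR > 1 skips the header row.
    awk 'NR > 1 && $6 ~ /:53$/ { seen[$2 " " $3] = 1 }
         END { for (k in seen) print k }' | sort -u
}

# Exit status 0 when nothing listens on :53, i.e. unbound can be started.
port53_is_free() {
    [ -z "$(port53_holders)" ]
}

# Constructed sockstat output (not a real capture): dnsmasq has not been
# disabled, so unbound's bind() will fail exactly as in the error message.
SAMPLE_SOCKSTAT='USER     COMMAND    PID   FD PROTO  LOCAL ADDRESS         FOREIGN ADDRESS
nobody   dnsmasq    47832 4  udp4   *:53                  *:*
nobody   dnsmasq    47832 5  tcp4   *:53                  *:*
root     sshd       1234  4  tcp4   *:22                  *:*
root     lighttpd   2345  5  tcp4   *:80                  *:*'

if printf '%s\n' "$SAMPLE_SOCKSTAT" | port53_is_free; then
    echo "port 53 is free"
else
    echo "port 53 held by: $(printf '%s\n' "$SAMPLE_SOCKSTAT" | port53_holders)"
fi
```

If the holder is dnsmasq, the fix is the one wagonza implies: disable the built-in DNS Forwarder (Services > DNS Forwarder) so it is not restarted on the next config sync, rather than just killing the process, and only then start unbound. Seeing two unbound PIDs here instead means a stale instance survived a failed restart.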
wagonza:

                                  @mromero:

                                  In case anyone is interested I found this image of the Unbound Settings for Pfsense - apparently from a Pfsense developer:

                                  http://twitpic.com/3g6gq7

For me, I cannot get Borat at:

                                  http://test.dnssec-or-not.org/

The page is possibly cached. As an alternative you can try this:

dig @<ip> edu +dnssec

                                  Look for the flags section which should contain 'ad' in them. For example:

                                  ; <<>> DiG 9.6.2-P2 <<>> @192.168.1.14 edu +dnssec
                                  ; (1 server found)
                                  ;; global options: +cmd
                                  ;; Got answer:
                                  ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 60486
                                  ;; flags: qr rd ra ad; QUERY: 1, ANSWER: 0, AUTHORITY: 4, ADDITIONAL: 1

                                  ;; OPT PSEUDOSECTION:
                                  ; EDNS: version: 0, flags: do; udp: 4096
                                  ;; QUESTION SECTION:
                                  ;edu.                          IN      A

                                  ;; AUTHORITY SECTION:
                                  edu.                    900    IN      SOA    a.edu-servers.net. nstld.verisign-grs.com. 1290192544 1800 900 604800 86400
                                  edu.                    900    IN      RRSIG  SOA 7 1 900 20101126184904 20101119183904 44056 edu. tj/QsEt14ht17PeaydNQvSlsYt/vs9vj4y6OOICt1TcctDEwwNZ/1S+C mXpUZtYAyiIT8XUtFoSRhdMD0gpsLh6Qw+cBnBC4R//5khW9GJ+jHhU6 YA6aEPaQdmWt5i2TqLdxV8ebGQj3EP+rxe/GmFONoV4crT5aw+s5PTvZ QLc=
                                  9DHS4EP5G85PF9NUFK06HEK0O48QGK77.edu. 86400 IN NSEC3 1 1 0 - 9F7PCDK9UL86ESUV8TM11L35AKSI4MB4 NS SOA RRSIG DNSKEY NSEC3PARAM
                                  9DHS4EP5G85PF9NUFK06HEK0O48QGK77.edu. 86400 IN RRSIG NSEC3 7 2 86400 20101126182049 20101119181049 44056 edu. mLNYbHkzpQK3uJAZxkbhDHb1ZpPuhoVU3hBwAzUdCq41KWFyv8FL6CEA mshyGLs91asDcOtYatdC+EL6XB6tGOP4u1pio+rPH5NiMF3JDrGpBwiz qEcCglxeWArA3KZd1HYwoeDZ1fv8aODVgm9/ANPoyl+GWEPwKNn07V44 qiI=

                                  ;; Query time: 2614 msec
                                  ;; SERVER: 192.168.1.14#53(192.168.1.14)
                                  ;; WHEN: Fri Nov 19 20:49:35 2010
;; MSG SIZE  rcvd: 513

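The "look for ad in the flags" check wagonza describes is easy to script, so here is a small POSIX shell function, added as an example and not part of the original post, that turns the header of `dig ... +dnssec` output into a one-word verdict. It also checks the EDNS DO bit, because a query sent without +dnssec never gets an ad flag and is easy to misread as "not validating". The four sample outputs are constructed, abbreviated dig headers (not real captures), and 192.168.1.1 is a placeholder for your pfSense LAN address.

```sh
#!/bin/sh
# Added example (not from the thread): classify dig +dnssec output.
# Live use, resolver address is a placeholder for the pfSense LAN IP:
#   dig @192.168.1.1 edu +dnssec | dnssec_status
dnssec_status() {
    awk '
        # Header line carries the rcode; SERVFAIL is what a validating resolver
        # returns for a bogus chain (bad signature, stripped RRSIGs, expired keys).
        /^;; ->>HEADER<<-/ { if ($0 ~ /status: SERVFAIL/) servfail = 1 }
        # Flags line, e.g. ";; flags: qr rd ra ad;"  ad = Authenticated Data
        /^;; flags:/       { if ($0 ~ / ad[; ]/) ad = 1 }
        # EDNS pseudosection, e.g. "; EDNS: version: 0, flags: do;"  do = DNSSEC OK
        /^; EDNS:/         { if ($0 ~ /flags: do/) dobit = 1 }
        END {
            if (servfail)    print "servfail"    # validation failed, or upstream broken
            else if (!dobit) print "no-do"       # query never asked for DNSSEC data
            else if (ad)     print "validated"   # resolver validated the answer
            else             print "unsigned"    # unsigned zone, or resolver not validating
        }'
}

# Constructed sample outputs (abbreviated dig headers, not real captures).
SAMPLE_VALIDATED='; <<>> DiG 9.6.2-P2 <<>> @192.168.1.1 edu +dnssec
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 60486
;; flags: qr rd ra ad; QUERY: 1, ANSWER: 0, AUTHORITY: 4, ADDITIONAL: 1
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags: do; udp: 4096'

SAMPLE_UNSIGNED='; <<>> DiG 9.6.2-P2 <<>> @192.168.1.1 example.lan +dnssec
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 1
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags: do; udp: 4096'

SAMPLE_NODO='; <<>> DiG 9.6.2-P2 <<>> @192.168.1.1 edu
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 2
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 0'

SAMPLE_SERVFAIL='; <<>> DiG 9.6.2-P2 <<>> @192.168.1.1 edu +dnssec
;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 3
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags: do; udp: 4096'

for s in "$SAMPLE_VALIDATED" "$SAMPLE_UNSIGNED" "$SAMPLE_NODO" "$SAMPLE_SERVFAIL"; do
    printf '%s\n' "$s" | dnssec_status
done
```

Two caveats worth keeping in mind when reading the verdict. The ad bit is the resolver's claim, not the client's proof: it only means something when the path from the client to the resolver is trusted (here the LAN to the firewall), and a pure forwarder such as dnsmasq never sets it. And a SERVFAIL can be either a validation failure or the upstream being unreachable; re-running the same query with +cd (checking disabled) separates the two, since the validation case then returns an answer.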
mromero:

                                    Package Install Weirdness from Webgui for unbound.

                                    After fooling around with Unbound for several days today I upgraded to the latest build pfSense-Full-Update-2.0-BETA4-20101225-2327.tgz

On restart I noticed both Squid and Unbound were not working; deinstall/reinstall failed repeatedly.

Thus I did a fresh install of 1.2.3 on this box and upgraded to today's 2.0 Beta 4 (listed as 4 but the Dashboard shows Beta 5?)

                                    Try to install Unbound and get

---Beginning package installation for Unbound...
                                    Downloading package configuration file... done.
                                    Saving updated package information... done.
                                    Downloading Unbound and its dependencies...
                                    Checking for package installation...
                                    Downloading http://files.pfsense.org/packages/8/All/unbound-1.4.7.tbz ...  (extracting)
                                      Downloading http://files.pfsense.org/packages/8/All/expat-2.0.1_1.tbz ...  (extracting)
                                    openssl-1.0.0_4 already installed.
                                      Downloading http://files.pfsense.org/packages/8/All/libevent-1.3e.tbz ...  could not download from there or http://ftp2.FreeBSD.org/pub/FreeBSD/ports/i386/packages-8.1-release/All/libevent-1.3e.tbz.
                                    of unbound-1.4.7 failed!

                                    Installation aborted.Backing up libraries...
                                    Removing package...
                                    Starting package deletion for unbound-1.4.7...done.
                                    Starting package deletion for expat-2.0.1_1...done.
                                    Starting package deletion for libevent-1.4.14b_1...done.
                                    Removing Unbound components...
                                    Tabs items... done.
                                    Menu items... done.
                                    Services... done.
                                    Loading package instructions...
                                    Include file unbound.inc could not be found for inclusion.
                                    Deinstall commands...
                                    Not executing custom deinstall hook because an include is missing.
                                    Removing package instructions...done.
                                    Auxiliary files... done.
                                    Package XML... done.
                                    Configuration... done.
                                    Cleaning up... Failed to install package.

                                    Installation halted.

                                    I go to the addresses in a separate window and find that:

                                    http://files.pfsense.org/packages/8/All/libevent-1.3e.tbz does not exist only libevent-1.4.14b_1.tbz

                                    Why is the installation trying to download a non-existent file?

                                    Another problem with today's build is Squid:

Status: System logs: System, last 50 system log entries:

Dec 26 17:37:17 kernel: ugen0.2: <Microsoft> at usbus0
Dec 26 17:37:17 kernel: ukbd0: <Microsoft Microsoft Digital Media Pro Keyboard, class 0/0, rev 2.00/1.10, addr 2> on usbus0
Dec 26 17:37:17 kernel: kbd2 at ukbd0
Dec 26 17:37:17 kernel: uhid0: <Microsoft Microsoft Digital Media Pro Keyboard, class 0/0, rev 2.00/1.10, addr 2> on usbus0
                                    Dec 26 17:37:17 php: : rc.newwanip: Informational is starting rl0.
                                    Dec 26 17:37:17 php: : rc.newwanip: on (IP address: 10.0.0.6) (interface: wan) (real interface: rl0).
                                    Dec 26 17:37:17 kernel: pflog0: promiscuous mode enabled
                                    Dec 26 17:37:17 php: : ROUTING: add default route to 10.0.0.2
                                    Dec 26 17:37:18 check_reload_status: reloading filter
                                    Dec 26 17:37:18 apinger: Starting Alarm Pinger, apinger(26664)
                                    Dec 26 17:37:20 php: : ROUTING: change default route to 10.0.0.2
                                    Dec 26 17:37:20 dhcpd: Internet Systems Consortium DHCP Server 4.1.1-P1
                                    Dec 26 17:37:20 dhcpd: Copyright 2004-2010 Internet Systems Consortium.
                                    Dec 26 17:37:20 dhcpd: All rights reserved.
                                    Dec 26 17:37:20 dhcpd: For info, please visit https://www.isc.org/software/dhcp/
                                    Dec 26 17:37:20 dnsmasq[47832]: started, version 2.55 cachesize 10000
                                    Dec 26 17:37:20 dnsmasq[47832]: compile time options: no-IPv6 GNU-getopt no-DBus I18N DHCP TFTP
                                    Dec 26 17:37:20 check_reload_status: updating all dyndns
                                    Dec 26 17:37:20 dnsmasq[47832]: reading /etc/resolv.conf
                                    Dec 26 17:37:20 dnsmasq[47832]: using nameserver 10.0.0.2#53
                                    Dec 26 17:37:20 dnsmasq[47832]: read /etc/hosts - 2 addresses
                                    Dec 26 17:37:25 php: : Creating rrd update script
                                    Dec 26 17:37:26 php: : Resyncing configuration for all packages.
                                    Dec 26 17:37:29 php: : Starting Squid
                                    Dec 26 17:37:29 squid[19418]: Squid Parent: child process 20128 started
                                    Dec 26 17:37:29 check_reload_status: reloading filter
                                    Dec 26 17:37:29 php: : Not calling package sync code for dependency squidcache of squid because some include files are missing.
                                    Dec 26 17:37:29 php: : Not calling package sync code for dependency squidnac of squid because some include files are missing.
                                    Dec 26 17:37:29 php: : Not calling package sync code for dependency squid of squid because some include files are missing.
                                    Dec 26 17:37:29 php: : Not calling package sync code for dependency squidtraffic of squid because some include files are missing.
                                    Dec 26 17:37:29 php: : Not calling package sync code for dependency squidupstream of squid because some include files are missing.
                                    Dec 26 17:37:29 php: : Not calling package sync code for dependency squidauth of squid because some include files are missing.
                                    Dec 26 17:37:29 php: : Not calling package sync code for dependency squidusers of squid because some include files are missing.
                                    Dec 26 17:37:29 php: : Not calling package sync code for dependency squidcache of squid because some include files are missing.
                                    Dec 26 17:37:31 login: login on ttyv0 as root
                                    Dec 26 17:37:31 sshlockout[36153]: sshlockout/webConfigurator v3.0 starting up
                                    Dec 26 17:37:34 Squid_Alarm[43936]: Squid has exited. Reconfiguring filter.
                                    Dec 26 17:37:34 Squid_Alarm[44490]: Attempting restart…
                                    Dec 26 17:37:34 squid[45954]: Squid Parent: child process 46742 started
                                    Dec 26 17:37:37 Squid_Alarm[47111]: Reconfiguring filter…
                                    Dec 26 17:37:37 Squid_Alarm[56822]: Squid has resumed. Reconfiguring filter.
                                    Dec 26 17:38:36 check_reload_status: syncing firewall
                                    Dec 26 17:38:37 php: /pkg_mgr_install.php: Beginning package installation for Unbound.
                                    Dec 26 17:38:37 check_reload_status: syncing firewall
                                    Dec 26 17:39:18 check_reload_status: syncing firewall
                                    Dec 26 17:39:18 check_reload_status: syncing firewall
                                    Dec 26 17:39:19 check_reload_status: syncing firewall
                                    Dec 26 17:39:19 check_reload_status: reloading filter
                                    Dec 26 17:41:29 check_reload_status: Linkup starting nfe0
                                    Dec 26 17:41:29 kernel: nfe0: link state changed to DOWN
                                    –--

If I go back to the December 23 snapshot Squid does not give these errors.

mromero:

                                      Tried to install Unbound from the console:

                                      pkg_add http://files.pfsense.org/packages/8/All/unbound-1.4.7.tbz

                                      It starts and everything appears to be going fine then it barfs when it cannot find http://files.pfsense.org/packages/8/All/libevent-1.3e.tbz

mromero:

                                        I believe the Pfsense 2.0 Beta 4 or 5 after the 23 December is broken as far as the package installer for Unbound is concerned  ???

                                        Did a fresh install of today's Beta and tried to install both:

                                        unbound-1.4.6.tbz 2010-Nov-03 16:16:49 6.0M application/x-bzip-compressed-tar
                                        unbound-1.4.7.tbz 2010-Dec-26 02:22:20 6.4M application/x-bzip-compressed-tar

                                        from the WebGui and from the Console and both failed complaining about not finding:

                                        Downloading http://files.pfsense.org/packages/8/All/libevent-1.3e.tbz …  could not download from there or http://ftp2.FreeBSD.org/pub/FreeBSD/ports/i386/packages-8.1-release/All/libevent-1.3e.tbz.
                                        of unbound-1.4.7 failed!

                                        Browsing the packages at http://files.pfsense.org/packages/8/All/ shows this file does not exist either deleted by accident or the Unbound install package is screwed up.

                                        The libevent-1.3e.tbz file is an old file from 07 - the current file at http://files.pfsense.org/packages/8/All/ is libevent-1.4.14b_1.tbz

johnpoz (Global Moderator):

Yup, same error.. I just did a clean install of the latest 2.0

                                          Version 2.0-BETA5 (i386)
                                          built on Sun Dec 26 01:43:40 EST 2010

                                          You are on the latest version.

Would really like to get this to work.. how can we change the installer to use the newer version of libevent?

                                          An intelligent man is sometimes forced to be drunk to spend time with his fools
                                          If you get confused: Listen to the Music Play
                                          Please don't Chat/PM me for help, unless mod related
                                          SG-4860 24.11 | Lab VMs 2.8, 24.11

jimp (Netgate developer):

                                            Packages are recompiling now, should be uploading soon. Hopefully once they do it should pull libevent 1.4 instead of 1.3

                                            Remember: Upvote with the 👍 button for any user/post you find to be helpful, informative, or deserving of recognition!

                                            Need help fast? Netgate Global Support!

                                            Do not Chat/PM for help!

Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.