Unbound requests: IPv6 features enabled and update to 1.4.10


  • Rebel Alliance Global Moderator

    So have been using unbound on 2.0 ipv6 version and works great, I don't have any complaints but would like to see IPv6 options either turned on by default or better yet be able to enable or disable from the unbound UI.

    I have currently been changing
    usr/local/pkg/unbound.inc

    Server config

    do-ip6: yes

    Interface IP(s) to bind to

    interface: 2001:470:snipped:b85::1

    Access Control

    access-control: 2001:470:snipped:b85::/64 allow

    So IPv6 works, but when I do an update and the package gets reinstalled I have to make the changes again.

    Also just noticed 1.4.10 is out – can we get an update to this version please.

    And thanks for such a GREAT Package!!



  • Ok version bumped, new advanced section for finer tuning and 1.4.10. I have also added initial IPv6 support. It just needs some additional changes which I hope to have done in the next hour or so before it will be visible in the webGUI.

    Apologies for the long delay in a new release, been busy with life, wedding etc. :)


  • Rebel Alliance Global Moderator

    No apologies needed, that is for sure - it's a great package!!  Thanks for the update, but will wait to update it until you have the stuff set up to be able to turn on ipv6 stuff in the package options..

    The way I read your post you would have those changes out real soon.  I see a 1.4.10_1 available in the package section - does this have ability to enable ipv6 or no?

    BTW - been playing with munin to get unbound stats graphed, you can install munin node on pfsense.. But what would be really really kewl is to have the stats part of the built in RRD graphs




  • Just tried it.  I used the package reinstallation button to try and upgrade but that failed and then Unbound disappeared from my package list.  Trying to reinstall the package wasn't successful either because Unbound wasn't installed anymore so I couldn't resolve the pfsense packages site.  Re-enabled dnsmasq and used some opendns servers to get dns resolving, rebooted and then reinstalling Unbound worked.

    Working good now, thx for the advanced section.  Going to try a new snapshot and see how the upgrade goes with Unbound enabled.

    Update:  Ok snapshot upgrade went fine but it got stuck while booting on 'starting openntp' for about a minute, I assume because Unbound hasn't started yet and OpenNTP cannot resolve the NTP Time Server so you have to wait until it times out.  Right after that, the snapshot upgrade attempts to reinstall packages and pops an error on the screen that says:

    'Unable to communicate with www.pfsense.com.  Please verify DNS and interface configuration, and that pfSense has functional internet connectivity.'

    The Unbound service then starts and the boot completes successfully and everything seems to work fine after that.

    For your consideration.


  • Rebel Alliance Global Moderator

    Yeah the package upgrade HUNG the web gui, it would not even restart.  I finally just rebooted, and package was there and everything seems to be working.. Thanks for the update to 1.4.10, but still had to manually edit unbound.inc to get ipv6 working.  See you added variable for do ipv6, etc.

    And just have not had time to add it to the gui so can turn on I guess..

    Clearly understand real life, and clearly was not expecting all the added advanced config items which is GREAT, thanks.



  • Finally! IPv6 support is added. I removed the IPv6 checkbox as there was no point for it (unless someone says otherwise). So it will automatically set Unbound to listen on the v6 address and answer for v6 dns queries. It will also set up the relevant ACLs for the v6 clients. The only thing left to do is the ACL section in case you want to add other v6 networks but for now it should be fine.

    By the way those munin graphs are cool, it has been on my to do list for awhile now. As I have mentioned before, the devs want to replace dnsmasq with unbound which I'll be working on in the v6 branch - so expect to see some work there and the addition of graphs similar to the below.

    Otherwise let me know if you have any problems.


  • Rebel Alliance Global Moderator

    Well just updated the package, went really smooth this time.  And yup working on ipv6 without any need to modify any config.

    Looking forward to having some built in RRD graphs in the future though, munin is working - but much rather have it part of the distro vs having to add stuff.



  • Failed again for me, reinstalling seems to get forwarding mode enabled even though I had it disabled.  Unchecking and hitting save has no effect, always remains enabled.  Deleted package, then downloaded the backup config file and edited it to remove all Unbound entries and then restored the config, reinstalled Unbound but same thing, forwarding mode remains enabled.



  • @onhel:

    Failed again for me, reinstalling seems to get forwarding mode enabled even though I had it disabled.  Unchecking and hitting save has no effect, always remains enabled.  Deleted package, then downloaded the backup config file and edited it to remove all Unbound entries and then restored the config, reinstalled Unbound but same thing, forwarding mode remains enabled.

    You mean the DNS Forwarder i.e. dnsmasq remains enabled?



  • No, the enable forwarding mode in the Unbound settings page.  That check box will not go unchecked.



  • Yes, same issue on mainstream 2.0 RC3 Unbound 1.4.10_02 either with Firefox or Chrome (Iron)
    Those boxes stay checked :

    • Enable DNSSEC
    • Enable forwarding mode
    • Private Address support
    • TXT Comment Support


  • @GLR:

    Yes, same issue on mainstream 2.0 RC3 Unbound 1.4.10_02 either with Firefox or Chrome (Iron)
    Those boxes stay checked :

    • Enable DNSSEC
    • Enable forwarding mode
    • Private Address support
    • TXT Comment Support

    So you can uncheck the box - but after you click save it is still checked? Or you can't uncheck the box at all?


  • Rebel Alliance Global Moderator

    Yeah I just checked on the forwarding one.. I do not want it to be doing forwarding requests.  It should look up on its own, I uncheck the box click save and then box is still checked.  Seems I might have to change it in the config by hand for now.

    Ok I just took a look at the config and I don't see forwarding setup..  So not sure why the check mark is set on the web gui interface for unbound?

    I also verified by doing a few packet captures on the wan to see where dns was going.. And did not see any packets to what I have setup for pfsense to use in general 4.2.2.2

    09:01:43.491932 IP 24.13.xxx.xxx.48910 > 192.5.6.30.53: UDP, length 55
    09:01:43.564438 IP 192.5.6.30.53 > 24.13.xxx.xxx.48910: UDP, length 382
    09:01:43.565179 IP 24.13.xxx.xxx.15487 > 216.69.185.26.53: UDP, length 55
    09:01:43.565470 IP 24.13.xxx.xxx.7590 > 216.69.185.35.53: UDP, length 51
    09:01:43.565709 IP 24.13.xxx.xxx.25867 > 216.69.185.35.53: UDP, length 51
    09:01:43.603711 IP 216.69.185.26.53 > 24.13.xxx.xxx.15487: UDP, length 126
    09:01:43.604282 IP 24.13.xxx.xxx.50531 > 216.69.185.26.53: UDP, length 51

    192.5.6.30 =  a.gtld-servers.net.

    And then others are clearly dns servers themselves – so clearly it's not forwarding to the 4.2.2.2 address I have set up in general.. But odd why the check mark in the gui is stuck in place.
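
The check described in the post above, as an added example that is not part of the original thread: it reads `tcpdump -n` UDP lines from the WAN side and reports whether DNS queries go only to the configured forwarder or to other servers. The function names are hypothetical; the first sample is the capture quoted in the post, the second is constructed.

```python
import re
from collections import Counter

# tcpdump -n line: "<time> IP <src>.<sport> > <dst>.<dport>: UDP, length <n>"
# "IP6?" also accepts IPv6 lines, which use the same <addr>.<port> form.
# DNS over TCP prints a different line shape and is not covered here.
LINE_RE = re.compile(r"^\S+ IP6? (\S+)\.(\d+) > (\S+)\.(\d+): UDP, length \d+$")

def dns_query_destinations(capture_text):
    """Count outbound DNS queries (destination port 53) per destination."""
    dests = Counter()
    for line in capture_text.splitlines():
        m = LINE_RE.match(line.strip())
        if m and m.group(4) == "53":
            dests[m.group(3)] += 1
    return dests

def resolver_mode(capture_text, forwarders):
    """'forwarding' if every query goes to a forwarder, 'recursive' if none
    does, 'mixed' if both are seen, 'no-dns-seen' if nothing matched."""
    dests = dns_query_destinations(capture_text)
    if not dests:
        return "no-dns-seen"
    to_fwd = sum(n for ip, n in dests.items() if ip in forwarders)
    if to_fwd == 0:
        return "recursive"
    return "forwarding" if to_fwd == sum(dests.values()) else "mixed"

# Capture lines as quoted in the post (source address redacted there).
THREAD_CAPTURE = """\
09:01:43.491932 IP 24.13.xxx.xxx.48910 > 192.5.6.30.53: UDP, length 55
09:01:43.564438 IP 192.5.6.30.53 > 24.13.xxx.xxx.48910: UDP, length 382
09:01:43.565179 IP 24.13.xxx.xxx.15487 > 216.69.185.26.53: UDP, length 55
09:01:43.565470 IP 24.13.xxx.xxx.7590 > 216.69.185.35.53: UDP, length 51
09:01:43.565709 IP 24.13.xxx.xxx.25867 > 216.69.185.35.53: UDP, length 51
09:01:43.603711 IP 216.69.185.26.53 > 24.13.xxx.xxx.15487: UDP, length 126
09:01:43.604282 IP 24.13.xxx.xxx.50531 > 216.69.185.26.53: UDP, length 51
"""

# Constructed sample: what the WAN would show if forwarding were active.
FORWARDED_CAPTURE = """\
09:05:00.000001 IP 24.13.xxx.xxx.40000 > 4.2.2.2.53: UDP, length 40
09:05:00.020001 IP 4.2.2.2.53 > 24.13.xxx.xxx.40000: UDP, length 120
"""

if __name__ == "__main__":
    print(resolver_mode(THREAD_CAPTURE, {"4.2.2.2"}))
    print(dict(dns_query_destinations(THREAD_CAPTURE)))
```

A "mixed" result needs a closer look before blaming Unbound, since other processes on the firewall may query the system-wide DNS servers directly.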



  • Ok i just managed to replicate the problem. Let me investigate why…



  • Ok there was a change in pfSense a few days ago, I have reverted that change so upgrade to the next snap (which will probably be only available tomorrow). This will fix these checkboxes from being enabled when they shouldn't be. In the meantime, you can uncheck them and save. Unbound will still operate correctly in the background with the options you selected.


  • Rebel Alliance Global Moderator

    Do you have a link to the commit, guess I could look it up but wondering when it will merge with the ipv6 line.  So I can just run a gitsync



  • gitsynced and reinstalled package, all is good now, thank you.



  • @johnpoz:

    Do you have a link to the commit, guess I could look it up but wondering when it will merge with the ipv6 line.  So I can just run a gitsync

    https://github.com/bsdperimeter/pfsense/commit/91c31339104f424dad3de75f815697994b68a7c3


  • Rebel Alliance Global Moderator

    Thanks for that, I ran a gitsync and now that forwarder is unchecked.  I also show RC3 now ;)



  • Yeah the IPv6 branch was updated yesterday. Also note there was a bug in the interface handling on the latest Unbound package, which I have just fixed and bumped the version number. It wouldn't have affected you unless you were selecting multiple interfaces.

