Unbound Forward and ACL issue
-
I am presently running Unbound 1.4.13_04 on a pfsense 2.0 (i386) box. Unbound will resolve addresses listed under DNS Forwarder and set in the DHCP server configuration but will not forward requests for addresses it has no information for (ie: google.com) Unbound will not respond when I issue a request for non-local addresses with nslookup.
Also when I attempt to add an acl under the "Unbound DNS ACLs" tab I get the following error.
Fatal error: Call to undefined function is_ipaddrv4() in /usr/local/www/unbound_acls.php on line 86
The information I entered was as follows
ACL name:"Home"Action:"Allow"
Network:"192.168.0.0"
CIDR:"16"
Description:"Home"Description:"Home"
If it makes any difference I am using Firefox 8.0.
-
sorry my bad. Ive bumper the version to 1.4.13_05 with a fix for that error you were hitting.
So try again and let me know -
The ACL issue is fixed but i'm still having some strange issue with Unbound not forwarding even when the "Enable forwarding mode" box is checked. As stated prior Unbound will resolve locally configured names.
Edit: It appears that enabling dnssec has something to do with this. Also (with dnssec off) some attempts to resolve a name result in a timeout but on a second request Unbound responds with an appropriate response.
-
Are you sure the upstream DNS servers (which unbound will use) correctly answer for every request?
You can try up the verbosity of the log file(under advanced settings) to see what Unbound is doing when the requests are failing. -
I just set the verbosity higher. If I find anything interesting I will post it in this thread.
-
Can an option be added to allow the file /var/log/unbound.log to be longer? It appears to truncate too quickly with high verbosity. The truncation is so short that a single problematic lookup spanned at least two truncation lengths.
-
Any particular reason why even with forwarding enabled in the web gui the command "unbound-control forward" outputs "off (using root hints)" and "unbound-control list_forwards" outputs nothing even with 4 servers configured in my general setup? lol
-
Can an option be added to allow the file /var/log/unbound.log to be longer? It appears to truncate too quickly with high verbosity. The truncation is so short that a single problematic lookup spanned at least two truncation lengths.
unfortunately its not an unbound package thing - the size of the log file is determined by the base. I will add a feature request on redmine but not sure whether it will be considered since one has to worry about what the impact would be on the smaller boxes.
-
Any particular reason why even with forwarding enabled in the web gui the command "unbound-control forward" outputs "off (using root hints)" and "unbound-control list_forwards" outputs nothing even with 4 servers configured in my general setup? lol
How do you have your DNS servers configured under System->General Setup? Do you have 'Allow DNS server list to be overridden by DHCP/PPP on WAN' enabled?
-
BTW when I say high verbosity I was using level 5, It provides very good information but I can only get fragments of it at a time (due to the previously stated logging issue)
How do you have your DNS servers configured under System->General Setup? Do you have 'Allow DNS server list to be overridden by DHCP/PPP on WAN' enabled?
At present "Allow DNS server list to be overridden by DHCP/PPP on WAN" and "Do not use the DNS Forwarder as a DNS server for the firewall " are unchecked.
It might be of use to you but I use a two Linksys E2000 routers with DD-WRT on them as wireless bridges for my internet access as the dorm room where I presently live during the week has no wired connections. The lans of each bridge are the wans of my pfsense box. As such pfsense has two wans, both with static, private addresses.
I can make Unbound work as expected by running "unbound-control forward 141.210.62.3 8.8.8.8 4.2.2.2 208.67.222.222" and with the following configuration
Enabled: True (obviously lol)
Network interface: Lan (I don't think this matters much)
Query interfaces: Nothing selected
Enable DNSSEC: false #Appears to cause issues, may be caused by private wan addresses
Enable forwarding: true
Private address support: true
Register DHCP static mappings: true
Txt comment support: false
Cache restoration: false
Enable stats: true
Statistics: enabled
Interval:5 minutes
Extended stats:truehide identity:false
hide version:false
prefetch support:true
prefetch key support:true
harden glue:false
harden dnssec: false
log verbo.: level 1
message cache size: 4MB
Outgoing TCP buff:10
Incomming TCP buff:10
EDNS buff:4096
Queries per thread:1024
jostle:200
Max ttl for RRsets:86400
min ttl for RRsets:0
ttl for host cache:900
ttl for lame:900
hosts to cache:10000
unwanted reply:disabledpresently I have no ACL's and no custom options. Unbound is likely stable with different configurations, this is just what I am presently running.
-
Adding the following to the "Custom Options" area will add the forwarders without the need to run "unbound-control forward 141.210.62.3 8.8.8.8 4.2.2.2 208.67.222.222"
forward-zone:; name: "."; forward-addr: 141.210.62.3; forward-addr: 8.8.8.8; forward-addr: 4.2.2.2; forward-addr: 208.67.220.220;
*I slightly changed the order
Also I noticed that the font size of the Unbound tabs appears to change when your on the acl tab relative to the others.
-
Adding the following to the "Custom Options" area will add the forwarders without the need to run "unbound-control forward 141.210.62.3 8.8.8.8 4.2.2.2 208.67.222.222"
forward-zone:; name: "."; forward-addr: 141.210.62.3; forward-addr: 8.8.8.8; forward-addr: 4.2.2.2; forward-addr: 208.67.220.220;
*I slightly changed the order
Also I noticed that the font size of the Unbound tabs appears to change when your on the acl tab relative to the others.
ahh. must be a bug somewhere, hence the big fonts. I'll check it out.
-
Can you give the latest package a go and let me know how it goes.
-
Just give it a couple of hours before trying - the builder is still in the process of building the package.
-
Just in case you havent tried, the package is available now.