Netgate Discussion Forum

Unbound Forward and ACL issue

pfSense Packages
15 Posts 2 Posters 5.9k Views
• foxale08

  I am presently running Unbound 1.4.13_04 on a pfSense 2.0 (i386) box. Unbound will resolve addresses listed under DNS Forwarder and set in the DHCP server configuration, but will not forward requests for addresses it has no information for (i.e. google.com). Unbound will not respond when I issue a request for non-local addresses with nslookup.

  Also, when I attempt to add an ACL under the "Unbound DNS ACLs" tab I get the following error:

  Fatal error: Call to undefined function is_ipaddrv4() in /usr/local/www/unbound_acls.php on line 86

  The information I entered was as follows:

  ACL name: "Home"
  Action: "Allow"
  Network: "192.168.0.0"
  CIDR: "16"
  Description: "Home"

  If it makes any difference, I am using Firefox 8.0.
• wagonza

  Sorry, my bad. I've bumped the version to 1.4.13_05 with a fix for that error you were hitting.
  So try again and let me know.

  Follow me on twitter http://twitter.com/wagonza
  http://www.thepackethub.co.za
• foxale08

  The ACL issue is fixed, but I'm still having some strange issue with Unbound not forwarding even when the "Enable forwarding mode" box is checked. As stated prior, Unbound will resolve locally configured names.

  Edit: It appears that enabling DNSSEC has something to do with this. Also (with DNSSEC off) some attempts to resolve a name result in a timeout, but on a second request Unbound responds with an appropriate response.
• wagonza

  Are you sure the upstream DNS servers (which Unbound will use) correctly answer every request?
  You can try turning up the verbosity of the log file (under advanced settings) to see what Unbound is doing when the requests are failing.
• foxale08

  I just set the verbosity higher. If I find anything interesting I will post it in this thread.
• foxale08

  Can an option be added to allow the file /var/log/unbound.log to be longer? It appears to truncate too quickly with high verbosity. The truncation is so short that a single problematic lookup spanned at least two truncation lengths.
• foxale08

  Any particular reason why, even with forwarding enabled in the web GUI, the command "unbound-control forward" outputs "off (using root hints)" and "unbound-control list_forwards" outputs nothing, even with 4 servers configured in my general setup? lol
• wagonza

  @foxale08:

  Can an option be added to allow the file /var/log/unbound.log to be longer? It appears to truncate too quickly with high verbosity. The truncation is so short that a single problematic lookup spanned at least two truncation lengths.

  Unfortunately it's not an Unbound package thing; the size of the log file is determined by the base. I will add a feature request on redmine, but I'm not sure whether it will be considered, since one has to worry about what the impact would be on the smaller boxes.
• wagonza

  @foxale08:

  Any particular reason why, even with forwarding enabled in the web GUI, the command "unbound-control forward" outputs "off (using root hints)" and "unbound-control list_forwards" outputs nothing, even with 4 servers configured in my general setup? lol

  How do you have your DNS servers configured under System->General Setup? Do you have 'Allow DNS server list to be overridden by DHCP/PPP on WAN' enabled?
• foxale08

  BTW, when I say high verbosity I mean level 5. It provides very good information, but I can only get fragments of it at a time (due to the previously stated logging issue).

  @wagonza:

  How do you have your DNS servers configured under System->General Setup? Do you have 'Allow DNS server list to be overridden by DHCP/PPP on WAN' enabled?

  At present "Allow DNS server list to be overridden by DHCP/PPP on WAN" and "Do not use the DNS Forwarder as a DNS server for the firewall" are unchecked.

  It might be of use to you: I use two Linksys E2000 routers with DD-WRT on them as wireless bridges for my internet access, as the dorm room where I presently live during the week has no wired connections. The LANs of each bridge are the WANs of my pfSense box. As such, pfSense has two WANs, both with static, private addresses.

  I can make Unbound work as expected by running "unbound-control forward 141.210.62.3 8.8.8.8 4.2.2.2 208.67.222.222" and with the following configuration:

  Enabled: True (obviously lol)
  Network interface: LAN (I don't think this matters much)
  Query interfaces: Nothing selected
  Enable DNSSEC: false (appears to cause issues, may be caused by private WAN addresses)
  Enable forwarding: true
  Private address support: true
  Register DHCP static mappings: true
  Txt comment support: false
  Cache restoration: false
  Enable stats: true
  Statistics: enabled
  Interval: 5 minutes
  Extended stats: true

  Hide identity: false
  Hide version: false
  Prefetch support: true
  Prefetch key support: true
  Harden glue: false
  Harden DNSSEC: false
  Log verbosity: level 1
  Message cache size: 4MB
  Outgoing TCP buffers: 10
  Incoming TCP buffers: 10
  EDNS buffer: 4096
  Queries per thread: 1024
  Jostle: 200
  Max TTL for RRsets: 86400
  Min TTL for RRsets: 0
  TTL for host cache: 900
  TTL for lame: 900
  Hosts to cache: 10000
  Unwanted reply: disabled

  Presently I have no ACLs and no custom options. Unbound is likely stable with different configurations; this is just what I am presently running.
• foxale08

  Adding the following to the "Custom Options" area will add the forwarders without the need to run "unbound-control forward 141.210.62.3 8.8.8.8 4.2.2.2 208.67.222.222":

  forward-zone:; name: "."; forward-addr: 141.210.62.3; forward-addr: 8.8.8.8; forward-addr: 4.2.2.2; forward-addr: 208.67.220.220;

  *I slightly changed the order

  Also, I noticed that the font size of the Unbound tabs appears to change when you're on the ACL tab relative to the others.
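Two things in this thread invite a check: the ACL form that crashed on the missing is_ipaddrv4() helper (first post), and the one-line "Custom Options" forward-zone string above, which ends up as a multi-line block in unbound.conf. The following is an added example, not code from the thread or from the pfSense Unbound package: it validates an ACL entry (IPv4 network plus a prefix length of 0 to 32) and converts the single-line custom options into unbound.conf layout, refusing any forward-addr that is not a valid IP address so a typo never reaches the running resolver. The use of ';' as the statement separator and the sample string are taken from the post; the helper names are my own.

```python
"""Added example, not code from the thread or from the pfSense Unbound package.
Validates an "Unbound DNS ACLs" entry the way the missing is_ipaddrv4() helper
should have, and renders the one-line "Custom Options" string into a multi-line
unbound.conf forward-zone block, rejecting malformed forward-addr values.
Assumption: ';' separates statements on the single line (as in the post)."""
import ipaddress

# Constructed from the thread's post (the separator convention is an assumption).
CUSTOM_OPTIONS = (
    'forward-zone:; name: "."; forward-addr: 141.210.62.3; '
    'forward-addr: 8.8.8.8; forward-addr: 4.2.2.2; forward-addr: 208.67.220.220;'
)


def is_ipaddrv4(value):
    """Stand-in for the pfSense helper the ACL page could not find."""
    try:
        return isinstance(ipaddress.ip_address(value.strip()), ipaddress.IPv4Address)
    except ValueError:
        return False


def validate_acl(network, cidr):
    """Accept an ACL entry only if it is an IPv4 address with a prefix length 0..32."""
    if not is_ipaddrv4(network):
        return False
    try:
        prefix = int(cidr)
    except (TypeError, ValueError):
        return False
    return 0 <= prefix <= 32


def parse_custom_options(line):
    """Split the single-line custom options into individual unbound.conf statements."""
    return [part.strip() for part in line.split(";") if part.strip()]


def forwarders(statements):
    """Return the forward-addr values in the order they appear."""
    return [
        stmt.partition(":")[2].strip()
        for stmt in statements
        if stmt.partition(":")[0].strip() == "forward-addr"
    ]


def is_forward_addr(value):
    """forward-addr takes an IPv4 or IPv6 address, optionally followed by '@port'."""
    host, _, port = value.partition("@")
    try:
        ipaddress.ip_address(host.strip())
    except ValueError:
        return False
    return port == "" or (port.isdigit() and 1 <= int(port) <= 65535)


def render_forward_zone(statements):
    """Render the statements in unbound.conf layout: a 'forward-zone:' header with
    its options indented beneath it. Raises ValueError on a malformed forward-addr
    so that a typo cannot reach the live configuration."""
    out = []
    for stmt in statements:
        key, _, val = stmt.partition(":")
        key, val = key.strip(), val.strip()
        if key == "forward-zone":
            out.append("forward-zone:")
        elif key == "forward-addr" and not is_forward_addr(val):
            raise ValueError(f"invalid forward-addr: {val!r}")
        else:
            out.append(f"    {key}: {val}")
    return "\n".join(out) + "\n"


if __name__ == "__main__":
    stmts = parse_custom_options(CUSTOM_OPTIONS)
    print(render_forward_zone(stmts))
    print("ACL 192.168.0.0/16 valid:", validate_acl("192.168.0.0", "16"))
```

Running it prints the forward-zone block with `name: "."` and the four forward-addr lines indented under the header, which is the shape Unbound expects in unbound.conf. The ACL check deliberately mirrors the original form's fields (network and CIDR as separate strings) so the same validation can run before anything is written to the config.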
• wagonza

  @foxale08:

  Adding the following to the "Custom Options" area will add the forwarders without the need to run "unbound-control forward 141.210.62.3 8.8.8.8 4.2.2.2 208.67.222.222":

  forward-zone:; name: "."; forward-addr: 141.210.62.3; forward-addr: 8.8.8.8; forward-addr: 4.2.2.2; forward-addr: 208.67.220.220;

  *I slightly changed the order

  Also, I noticed that the font size of the Unbound tabs appears to change when you're on the ACL tab relative to the others.

  Ahh, must be a bug somewhere, hence the big fonts. I'll check it out.
• wagonza

  Can you give the latest package a go and let me know how it goes?
• wagonza

  Just give it a couple of hours before trying; the builder is still in the process of building the package.
• wagonza

  Just in case you haven't tried, the package is available now.

Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.