    DNS Resolver

    2.2 Snapshot Feedback and Problems - RETIRED
    • W
      wagonza last edited by

      @stompro:

      Can someone point me to the reasoning/discussion on why dnsmasq is being replaced?  I've always been happy with it.

      Well Unbound is now in base of FreeBSD 10.X so it makes it (pfSense) easier to maintain.

      • Raul Ramos
        Raul Ramos last edited by

        Hi

        2.2-ALPHA (amd64)
        built on Tue Jul 22 01:18:23 CDT 2014 (Full)

        • Settings are sticking; I haven't tested whether they are working or not.

        • Can delete networks when edit one access list (what access list is for? been there or not is the same thing, some check box to only allow allowed lists? or I need one to reject all networks first?).

        • Hosts seem OK.

        • Host Override works but aliases don't.

        • Only the first domain works on Host Override. If I configure multiple domains to an IP or multiple IPs only the first one seems to work.

        • Not tested yet domain override. I'll.

        Edit: My DNS clients take the DNS from General Setup -> DNS Servers (the first-one) and not the pfsense IP. My DNS Servers in system information and in interface are 127.0.0.1 and those in General Setup -> DNS Servers (should have my ISP to from my pppoe connection).

        Edit2: For some reason My Ubuntu server 14.04 in VirtualBox doesn't resolve any host or domain said:

        "xxxxx@BoxHost:/etc$ nslookup
        > pfsense
        ;; reply from unexpected source: 10.0.30.1#53, expected 10.0.0.1#53"
        

        10.0.0.1 is Lan IP (vlan) and 10.0.30.1 is another Vlan where My ubuntu server network are.

        • ?
          Guest last edited by

          @wagonza:

          @stompro:

          Can someone point me to the reasoning/discussion on why dnsmasq is being replaced?  I've always been happy with it.

          Well Unbound is now in base of FreeBSD 10.X so it makes it (pfSense) easier to maintain.

          and dnsmasq has some really poor failure modes.

          and … dense support is completely missing for dnsmasq

          • M
            m3usv0x last edited by

            @mais_um:

            Hi

            2.2-ALPHA (amd64)
            built on Tue Jul 22 01:18:23 CDT 2014 (Full)

            • Settings are sticking; I haven't tested whether they are working or not.

            • Can delete networks when edit one access list (what access list is for? been there or not is the same thing, some check box to only allow allowed lists? or I need one to reject all networks first?).

            • Hosts seem OK.

            • Host Override works but aliases don't.

            • Only the first domain works on Host Override. If I configure multiple domains to an IP or multiple IPs only the first one seems to work.

            • Not tested yet domain override. I'll.

            Edit: My DNS clients take the DNS from General Setup -> DNS Servers (the first-one) and not the pfsense IP. My DNS Servers in system information and in interface are 127.0.0.1 and those in General Setup -> DNS Servers (should have my ISP to from my pppoe connection).

            Edit2: For some reason My Ubuntu server 14.04 in VirtualBox doesn't resolve any host or domain said:

            "xxxxx@BoxHost:/etc$ nslookup
            > pfsense
            ;; reply from unexpected source: 10.0.30.1#53, expected 10.0.0.1#53"
            

            10.0.0.1 is Lan IP (vlan) and 10.0.30.1 is another Vlan where My ubuntu server network are.

            I can second the above in bold. I cannot get pfSense to serve itself as DNS, instead it pushes ISP DNS.
            Am I missing something?

            • virgiliomi
              virgiliomi last edited by

              @m3usv0x:

              I can second the above in bold. I cannot get pfSense to serve itself as DNS, instead it pushes ISP DNS.
              Am I missing something?

              I'll third this… pfSense is not providing the router's IP address as the DNS server for clients to use when DNS Resolver is enabled. All works correctly when DNS Forwarder is used instead.

              • G
                grandrivers last edited by

                yes i noticed this also in 2.1.4 when doing some troubleshooting

                • F
                  Fegu last edited by

                  Just to bump this: pfSense is not providing the router's IP address as the DNS server for clients to use when DNS Resolver is enabled. All works correctly when DNS Forwarder is used instead.

                  I tried with and without Enable Forwarding Mode. I also made sure that the override box in General Settings is off.

                  Also, slightly related, the dropdown options on the advanced settings page are all at the first option as default, while the legends/help texts underneath claim that default values are something else.

                  • virgiliomi
                    virgiliomi last edited by

                    Another bump, but also something different…

                    I recently changed back from ISP DHCPv6+PD to my HE tunnel, and in doing so I re-enabled the DHCPv6 server in pfSense. Anyway... after those changes were made, I disabled DNS Forwarder and enabled DNS Resolver. Pulled my network connection, reconnected it, and now my computer received my router's IPv6 address for DNS, but IPv4 DNS servers point to the DNS servers I've specified in the router.

                    For reference, my DHCPv6/RA setting is Managed.

                    • E
                      emce last edited by

                      Upgraded from 2.1.5 to:

                      2.2-BETA (i386)
                      built on Fri Sep 19 23:33:28 CDT 2014

                      Disabled DNS Forwarder and enabled DNS Resolver.  The service failed to start up with the following error:

                       php-fpm[38680]: /services_unbound.php: The command '/usr/sbin/unbound -c /var/unbound/unbound.conf' returned exit code '1', the output was '[1411217151] unbound[40074:0] fatal error: user 'unbound' does not exist.'
                      
                      

                      I decided to create an unbound user/group to see what would happen, but upon attempting to start it up again, I received this error:

                      php-fpm[26599]: /services_unbound.php: The command '/usr/sbin/unbound -c /var/unbound/unbound.conf' returned exit code '1', the output was ''
                      
                      

                      I haven't had a chance to troubleshoot further, but I'm happy to provide any other info.

                      Thanks!
                      -Mike

                      • rbgarga
                        rbgarga Developer Netgate Administrator last edited by

                        @emce:

                        Upgraded from 2.1.5 to:

                        2.2-BETA (i386)
                        built on Fri Sep 19 23:33:28 CDT 2014

                        Disabled DNS Forwarder and enabled DNS Resolver.  The service failed to start up with the following error:

                         php-fpm[38680]: /services_unbound.php: The command '/usr/sbin/unbound -c /var/unbound/unbound.conf' returned exit code '1', the output was '[1411217151] unbound[40074:0] fatal error: user 'unbound' does not exist.'
                        
                        

                        I decided to create an unbound user/group to see what would happen, but upon attempting to start it up again, I received this error:

                        php-fpm[26599]: /services_unbound.php: The command '/usr/sbin/unbound -c /var/unbound/unbound.conf' returned exit code '1', the output was ''
                        
                        

                        I haven't had a chance to troubleshoot further, but I'm happy to provide any other info.

                        Thanks!
                        -Mike

                        I pushed an upgrade code to migrate unbound package configuration to 2.2 when it's installed, and also make sure unbound user is created during upgrade. It'll be available on next snapshots.

                        • E
                          emce last edited by

                          @Renato:

                          I pushed an upgrade code to migrate unbound package configuration to 2.2 when it's installed, and also make sure unbound user is created during upgrade. It'll be available on next snapshots.

                          Upgraded to:

                          2.2-BETA (i386)
                          built on Wed Sep 24 04:55:10 CDT 2014
                          FreeBSD 10.1-PRERELEASE

                          And everything is looking good so far.  Thanks!
                          -Mike

                          • Raul Ramos
                            Raul Ramos last edited by

                            @emce:

                            Upgraded to:

                            2.2-BETA (i386)
                            built on Wed Sep 24 04:55:10 CDT 2014
                            FreeBSD 10.1-PRERELEASE

                            And everything is looking good so far.  Thanks!
                            -Mike

                            2.2-BETA (amd64)
                            built on Wed Sep 24 04:53:53 CDT 2014 (nanobsd)

                            I continue with some problems:

                            • I have to put on "DHCP Server  -> DNS servers"  my localhost IP, otherwise clients don't pick local DNS server and if i don't have DNS servers in "System ->General", does not get any . "Do not use the DNS Forwarder as a DNS server for the firewall" are uncheck. DNS Forward work ok,

                            • One more time, Aliases in  Host override don't work,

                            • Can't redirect multiple custom domains to a local IP. Ex. mydomain.com and www.mydomain.com, only the top work the other get a non-authoritative server to get IP if have any.

                            Cya

                            • P
                              priller last edited by

                              First a little background and then what the problem is and why ….

                              2.2-BETA (amd64)
                              built on Fri Oct 17

                              Behavior of Enabling Forwarding Mode

                              Services: DNS Resolver

                              Select: Enable Forwarding Mode

                              This adds the following to /etc/unbound/unbound.conf

                              # Forwarding
                              forward-zone:
                                  name: "."
                                      forward-addr: 8.8.8.8
                              

                              The forwarding DNS server is read from what is configured in "System: General Setup - DNS servers"

                              This works fine.  However, that is not the server I want to forward to.

                              What I want to accomplish

                              I want to use unbound to forward to a DNSCrypt Proxy listening on 127.0.0.1 port 40.

                              I am doing this today with DNS Forwarder (dnsmasq) as documented in:
                              https://forum.pfsense.org/index.php?topic=78446.msg453441#msg453441

                              Attempted configuration

                              Since using the "Enable Forwarding Mode" checkbox picks the DNS servers in General Setup, I need a way to override that and use 127.0.0.1@40.

                              So, I deselected "Enable Forwarding Mode" and in the Advanced box entered:

                              forward-zone:
                                  name: "."
                                      forward-addr: 127.0.0.1@40
                              

                              That Advanced configuration shows in /conf/config.xml.  BUT, unbound never uses it and is not in forwarding mode.

                              Since that is a valid unbound configuration, why is it being ignored when you enter it in the Advanced box?  Shouldn't these options be passed to unbound when it starts?

                              • Raul Ramos
                                Raul Ramos last edited by

                                Hi

                                Someone please :), correct host overrides? thanks.

                                • R
                                  router_wang last edited by

                                  The resolver is forwarding requests to my providers DNS instead of querying the root domain name servers. You can test this by going to https://www.dnsleaktest.com/

                                  How can I configure it not to do this?

                                  • chpalmer
                                    chpalmer last edited by

                                    @router_wang:

                                    The resolver is forwarding requests to my providers DNS instead of querying the root domain name servers. You can test this by going to https://www.dnsleaktest.com/

                                    How can I configure it not to do this?

                                    Go to System/General Setup-  DNS Servers…

                                    Uncheck- " Allow DNS server list to be overridden by DHCP/PPP on WAN"

                                    Check-  "Do not use the DNS Forwarder as a DNS server for the firewall"

                                    • R
                                      router_wang last edited by

                                      @chpalmer:

                                      @router_wang:

                                      The resolver is forwarding requests to my providers DNS instead of querying the root domain name servers. You can test this by going to https://www.dnsleaktest.com/

                                      How can I configure it not to do this?

                                      Go to System/General Setup-  DNS Servers…

                                      Uncheck- " Allow DNS server list to be overridden by DHCP/PPP on WAN"

                                      Check-  "Do not use the DNS Forwarder as a DNS server for the firewall"

                                      Yes, I have it set like this and it still does it anyway.

                                      • A
                                        athurdent last edited by

                                        I'm using CARP virtual IPs and run Unbound on "All" interfaces.
                                        If I query the CARP IP from a Linux box, I get this:

                                        root@none:~# dig @192.168.xxx.254 www.heise.de
                                        ;; reply from unexpected source: 192.168.xxx.5#53, expected 192.168.xxx.254#53
                                        ;; reply from unexpected source: 192.168.xxx.5#53, expected 192.168.xxx.254#53
                                        ;; reply from unexpected source: 192.168.xxx.5#53, expected 192.168.xxx.254#53
                                        

                                        Snapshot is AMD64 from today.

                                        • H
                                          Hugovsky last edited by

                                          @router_wang:

                                          @chpalmer:

                                          @router_wang:

                                          The resolver is forwarding requests to my providers DNS instead of querying the root domain name servers. You can test this by going to https://www.dnsleaktest.com/

                                          How can I configure it not to do this?

                                          Go to System/General Setup-  DNS Servers…

                                          Uncheck- " Allow DNS server list to be overridden by DHCP/PPP on WAN"

                                          Check-  "Do not use the DNS Forwarder as a DNS server for the firewall"

                                          Yes, I have it set like this and it still does it anyway.

                                          Are you using dhcp? if yes, you have to put the ip from the interface you're using in dns servers so it can be assigned to leases.

                                          • P
                                            pyrodex last edited by

                                            After each update I've noticed unbound won't start on a reboot. I've got to go in and save the settings and then it will start. Here is what I see in the logs each time:

                                            
                                            Nov  1 18:22:07 firewall unbound: [80205:0] error: can't bind socket: Can't assign requested address
                                            Nov  1 18:22:07 firewall unbound: [80205:0] debug: failed address fe80::250:56ff:fe1a:1b1c port 42698
                                            
                                            

                                            I merely just update and reboot. Then to correct I simply go into the settings and hit SAVE and that lets it recover.

                                            • D
                                              dstroot last edited by

                                              Are you using dhcp? if yes, you have to put the ip from the interface you're using in dns servers so it can be assigned to leases.

                                              This was a key point - thanks.

                                              • T
                                                Tikimotel last edited by

                                                DNS Spoofability test: https://www.grc.com/dns/dns.htm

                                                DNS Nameserver Access Details
                                                External Ping: ignored (Nice, as it's preferable for it to be less visible.)
                                                External Query: ignored (This means the nameserver is more spoof resistant.)
                                                DNSSEC Security: supported (This server supports improved security standards.)
                                                ---> Alphabetic Case: mixed (Extra bits of entropy are present in these queries!)  <---
                                                Extra Anti-Spoofing: unknown (Unable to obtain server fingerprint.)

                                                I've added the options below into the unbound config on my pfsense v2.1.5 in order to get the extra bits of entropy for the alphabetic case test.

                                                
                                                use-caps-for-id: yes
                                                val-clean-additional: yes
                                                
                                                

                                                I wonder if these are available by default, or switchable settings in the new pfsense 2.2 builds?

                                                Quote on the alphabetic case test:

                                                Alphabetic Case:
                                                The DNS system is not sensitive to alphabetic case, so the domain “WWW.GRC.COM” is identical to “www.grc.com”. DNS is designed to ignore but preserve the alphabetic case used in queries and replies. This creates an opportunity for a DNS resolver to add additional unknown bits of “entropy” to its queries by randomly changing the case of any alphabetic characters in the queried domain name. When replies are received, only the valid replying nameserver that received the mixed-case query could know the proper case for its reply. No spoofing server would know. This would give a clever resolver another way to reject spoofed replies. We know of no nameservers that are deliberately mixing case in this way, but through this test we are helping you to keep your eye out for any.

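Added example, not part of any post in this thread and not code from Unbound or pfSense: the Python below implements the client-side acceptance checks the thread touches on, namely the source-address match behind the "reply from unexpected source" messages in the nslookup and dig output above, and the mixed-case (0x20) echo check that the GRC quote describes and that `use-caps-for-id: yes` enables in Unbound. All function names, the sample responder and the 192.0.2.x / 203.0.113.x answer addresses are constructed for the example; 10.0.0.1 and 10.0.30.1 are taken from the nslookup output earlier in the thread.

```python
import secrets
import struct

rng = secrets.SystemRandom()

SERVER = ("10.0.0.1", 53)      # address the client queried (nslookup output in the thread)
OTHER_IF = ("10.0.30.1", 53)   # address the reply actually arrived from


def encode_0x20(name):
    """Randomly flip the case of every ASCII letter in a query name."""
    return "".join(
        (c.upper() if rng.random() < 0.5 else c.lower())
        if c.isascii() and c.isalpha() else c
        for c in name)


def case_entropy_bits(name):
    """Each ASCII letter adds one bit an off-path spoofer must guess."""
    return sum(1 for c in name if c.isascii() and c.isalpha())


def wire_name(name):
    """Encode a dotted name as length-prefixed DNS labels."""
    out = b""
    for label in name.rstrip(".").split("."):
        raw = label.encode("ascii")
        out += bytes([len(raw)]) + raw
    return out + b"\x00"


def build_query(name, qtype=1):
    """Return (txid, wire bytes) for a recursive IN query; qtype 1 is A."""
    txid = secrets.randbelow(1 << 16)
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    return txid, header + wire_name(name) + struct.pack("!HH", qtype, 1)


def parse_question(msg):
    """Return (txid, flags, qname) or None if the message is malformed."""
    if len(msg) < 12:
        return None
    txid, flags, qdcount = struct.unpack("!HHH", msg[:6])
    if qdcount != 1:
        return None
    labels, pos = [], 12
    while True:
        if pos >= len(msg):
            return None
        length = msg[pos]
        pos += 1
        if length == 0:
            break
        # The name at offset 12 has nothing earlier to point at, so a
        # compression pointer (length byte > 63) is invalid here.
        if length > 63 or pos + length > len(msg):
            return None
        labels.append(msg[pos:pos + length].decode("ascii", "replace"))
        pos += length
    if pos + 4 > len(msg):         # QTYPE and QCLASS must follow the name
        return None
    return txid, flags, ".".join(labels)


def check_reply(sent_name, txid, server, reply, source):
    """Return the reasons to drop a reply; an empty list means accept it."""
    reasons = []
    if source != server:
        reasons.append("reply from unexpected source: %s#%d, expected %s#%d"
                       % (source + server))
    parsed = parse_question(reply)
    if parsed is None:
        return reasons + ["malformed reply"]
    r_txid, flags, r_name = parsed
    if not flags & 0x8000:
        reasons.append("QR bit not set")
    if r_txid != txid:
        reasons.append("transaction ID mismatch")
    sent = sent_name.rstrip(".")
    if r_name.lower() != sent.lower():
        reasons.append("question name mismatch")
    elif r_name != sent:           # same name, but the case was not echoed
        reasons.append("0x20 case mismatch")
    return reasons


def make_reply(query, address, name_override=None):
    """Constructed sample responder: echo the question, add one A record."""
    txid, _, qname = parse_question(query)
    question = wire_name(name_override or qname) + struct.pack("!HH", 1, 1)
    header = struct.pack("!HHHHHH", txid, 0x8180, 1, 1, 0, 0)
    rdata = bytes(int(octet) for octet in address.split("."))
    rr = b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, 3600, 4) + rdata
    return header + question + rr


if __name__ == "__main__":
    name = encode_0x20("www.example.com")
    txid, query = build_query(name)
    print(name, case_entropy_bits(name), "extra bits")
    print(check_reply(name, txid, SERVER, make_reply(query, "192.0.2.10"), SERVER))
    print(check_reply(name, txid, SERVER, make_reply(query, "192.0.2.10"), OTHER_IF))
    wrong_case = make_reply(query, "203.0.113.66", name.swapcase())
    print(check_reply(name, txid, SERVER, wrong_case, SERVER))
```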
                                                • D
                                                  dstroot last edited by

                                                  Still not seeing host overrides work.

                                                  
                                                  ❯ dig doubleclick.net
                                                  
                                                  ; <<>> DiG 9.8.3-P1 <<>> doubleclick.net
                                                  ;; global options: +cmd
                                                  ;; Got answer:
                                                  ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 37689
                                                  ;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 0
                                                  
                                                  ;; QUESTION SECTION:
                                                  ;doubleclick.net.		IN	A
                                                  
                                                  ;; ANSWER SECTION:
                                                  doubleclick.net.	3600	IN	A	70.32.146.212
                                                  
                                                  ;; Query time: 105 msec
                                                  ;; SERVER: 192.168.15.1#53(192.168.15.1)
                                                  ;; WHEN: Sun Nov  9 14:00:46 2014
                                                  ;; MSG SIZE  rcvd: 49
                                                  
                                                  


                                                  • H
                                                    Hugovsky last edited by

                                                    It works for me but, I have to send it to 0.0.0.0, not 127.0.0.1.

                                                    • D
                                                      dstroot last edited by

                                                      Hmmm - I'm on the latest beta, tried 0.0.0.0 and 127.0.0.1.  Still no joy.  Will look into this further tomorrow.

                                                      • D
                                                        dstroot last edited by

                                                        My bad.  I wasn't filling it out correctly - it works if you do it as I show in the attached.


                                                        • H
                                                          Hugovsky last edited by

                                                          Can I pass "include: /etc/unbound/local-blocking-data.conf" in the advanced field of the resolver? I want to block some domains.

                                                          • H
                                                            Hugovsky last edited by

                                                            Apparently the options in the advanced field are not parsed to the config file. Am I doing it wrong?

                                                            • E
                                                              Escorpiom last edited by

                                                              I'm sorry to say that Unbound in 2.2 beta has (still) issues:

                                                              Nov 12 18:21:42	unbound: [94783:0] notice: Restart of unbound 1.4.22.
                                                              Nov 12 18:21:42	unbound: [94783:0] warning: too many file descriptors requested. The builtinmini-event cannot handle more than 1024. Config for less fds or compile with libevent
                                                              Nov 12 18:21:42	unbound: [94783:0] warning: continuing with less udp ports: 91
                                                              

                                                              I've seen this a couple of times here, but no solution was found.
                                                              From what can be found on the web, it seems to be a problem with multicore cpu's (mine's a 2558 SOC).
                                                              The "Number of queries per thread" in the web interface shows 512, but in the actual config file it's still set at 1024.

                                                              The value should sit around 250 for a 4-core cpu, not exceeding a total of 1024.
                                                              Manually adjusting the Unbound config is no use, after saving a change in the admin interface, it resets to 1024 again.

                                                              This issue is causing Unbound to restart and when it does, delays the DNS lookups.
                                                              Old bug that really needs to be fixed.

                                                              Cheers.

                                                              • H
                                                                Hugovsky last edited by

                                                                Seems some options are not parsed to the config file. I've already posted about the advanced field, but I've found another:

                                                                2.2-BETA (amd64)
                                                                built on Thu Nov 13 06:05:47 CST 2014
                                                                FreeBSD 10.1-RELEASE

                                                                check in the config file below and check the pic:

                                                                /var/unbound: cat unbound.conf
                                                                ##########################
                                                                # Unbound Configuration
                                                                ##########################

                                                                # Server configuration

                                                                server:
                                                                chroot: /var/unbound
                                                                username: "unbound"
                                                                directory: "/var/unbound"
                                                                pidfile: "/var/run/unbound.pid"
                                                                use-syslog: yes
                                                                port: 53
                                                                verbosity: 1
                                                                harden-referral-path: no
                                                                do-ip4: yes
                                                                do-ip6: yes
                                                                do-udp: yes
                                                                do-tcp: yes
                                                                do-daemonize: yes
                                                                module-config: "validator iterator"
                                                                unwanted-reply-threshold: 0
                                                                num-queries-per-thread: 1024
                                                                jostle-timeout: 200
                                                                infra-host-ttl: 900
                                                                infra-lame-ttl: 900
                                                                infra-cache-numhosts: 10000
                                                                outgoing-num-tcp: 10
                                                                incoming-num-tcp: 10
                                                                edns-buffer-size: 4096
                                                                cache-max-ttl: 86400
                                                                cache-min-ttl: 0
                                                                harden-dnssec-stripped: yes
                                                                num-threads: 2
                                                                msg-cache-slabs: 4
                                                                rrset-cache-slabs: 4
                                                                infra-cache-slabs: 4
                                                                key-cache-slabs: 4
                                                                msg-cache-size: 4m
                                                                rrset-cache-size: 8m
                                                                outgoing-range: 462
                                                                #so-rcvbuf: 4m
                                                                auto-trust-anchor-file: /var/unbound/root.key
                                                                prefetch: no
                                                                prefetch-key: no

                                                                # Statistics

                                                                # Unbound Statistics

                                                                statistics-interval: 0
                                                                extended-statistics: yes
                                                                statistics-cumulative: yes

                                                                # Interface IP(s) to bind to

                                                                interface: 192.168.50.1
                                                                interface: 10.1.2.1
                                                                interface: 192.168.51.1
                                                                interface: 127.0.0.1
                                                                interface: ::1

                                                                # Outgoing interfaces to be used

                                                                outgoing-interface: #####
                                                                outgoing-interface: #####

                                                                # DNS Rebinding

                                                                # For DNS Rebinding prevention

                                                                private-address: 10.0.0.0/8
                                                                private-address: 172.16.0.0/12
                                                                private-address: 192.168.0.0/16
                                                                private-address: 192.254.0.0/16
                                                                private-address: fd00::/8
                                                                private-address: fe80::/10

                                                                # Set private domains in case authoritative name server returns a Private IP address

                                                                private-domain: "hsnetworks"
                                                                domain-insecure: "hsnetworks"

                                                                # Access lists

                                                                include: /var/unbound/access_lists.conf

                                                                # Static host entries

                                                                include: /var/unbound/host_entries.conf

                                                                # Domain overrides

                                                                include: /var/unbound/domainoverrides.conf

                                                                # Remote Control Config

                                                                include: /var/unbound/remotecontrol.conf

                                                                (edited to include snapshot version)




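An added example, not part of the original posts or of pfSense's code: a small audit of the `private-address` entries in the configuration posted above against the reserved ranges that DNS rebinding protection usually covers. The `RESERVED` reference list and the function names are assumptions of the example.

```python
import ipaddress

# Reference ranges for rebinding protection (an assumption of this example):
# RFC 1918, RFC 3927 link-local, IPv6 ULA (fd00::/8) and IPv6 link-local.
RESERVED = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
    "169.254.0.0/16", "fd00::/8", "fe80::/10")]

# The private-address lines from the unbound.conf posted above.
POSTED_CONF = """\
# For DNS Rebinding prevention
private-address: 10.0.0.0/8
private-address: 172.16.0.0/12
private-address: 192.168.0.0/16
private-address: 192.254.0.0/16
private-address: fd00::/8
private-address: fe80::/10
"""


def private_addresses(conf_text):
    """Return the networks named by private-address: lines."""
    nets = []
    for raw in conf_text.splitlines():
        line = raw.split("#", 1)[0].strip()      # drop comments
        key, sep, value = line.partition(":")    # first colon ends the keyword
        if sep and key.strip() == "private-address":
            value = value.strip().strip('"')
            nets.append(ipaddress.ip_network(value, strict=False))
    return nets


def inside(a, b):
    """True if network a lies entirely within network b."""
    return a.version == b.version and a.subnet_of(b)


def audit(conf_text):
    """Compare the configured private-address entries with RESERVED."""
    configured = private_addresses(conf_text)
    missing = [r for r in RESERVED
               if not any(inside(r, c) for c in configured)]
    unexpected = [c for c in configured
                  if not any(inside(c, r) for r in RESERVED)]
    return {"missing": [str(n) for n in missing],
            "unexpected": [str(n) for n in unexpected]}


if __name__ == "__main__":
    print(audit(POSTED_CONF))
```

Run on the posted lines, it reports 169.254.0.0/16 as missing and 192.254.0.0/16 as unexpected. 169.254.0.0/16 is the IPv4 link-local range, while 192.254.0.0/16 is not reserved address space, so answers pointing into it would be stripped even though they are publicly routable.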
                                                                • H
                                                                  Hugovsky last edited by

                                                                  More info on this:

                                                                  although the config file of unbound doesn't have it, config.xml does have the right settings:

                                                                  <custom_options>include:/var/unbound/local-blocking-data.conf</custom_options>
                                                                  <dnssec/>
                                                                  <prefetch/>
                                                                  <prefetchkey/>
                                                                  <msgcachesize>4</msgcachesize>
                                                                  <outgoing_num_tcp>0</outgoing_num_tcp>
                                                                  <incoming_num_tcp>0</incoming_num_tcp>
                                                                  <edns_buffer_size>1480</edns_buffer_size>
                                                                  <num_queries_per_thread>512</num_queries_per_thread>
                                                                  <jostle_timeout>100</jostle_timeout>

                                                                  • P
                                                                    phil.davis last edited by

                                                                    The code in /etc/inc/unbound.inc simply does not implement the settings into the conf file.
                                                                    I am looking at this. It will be easy to finish the implementation - pull request in 1 hour hopefully.

                                                                    • P
                                                                      phil.davis last edited by

                                                                      Pull request: https://github.com/pfsense/pfsense/pull/1336

                                                                      That makes it implement all the parameters that can be specified in the "Advanced" section (the custom options box) and on the "Advanced" tab. unbound.conf has all this stuff now after pressing Apply.

                                                                      And it took me 72 minutes between posts - there were a few little extra bits to think about, software project estimation is never an exact science, and I actually tested it also  ;)

                                                                      • H
                                                                        Hugovsky last edited by

                                                                        Thanks again for being so fast. I'll test it and report back.

                                                                        • H
                                                                          Hugovsky last edited by

                                                                          It's working perfectly on the latest snapshot. Thanks again. Although, I was reading unbound docs and noticed this:

                                                                          "FILE FORMAT
                                                                                There  must be whitespace between keywords. Attribute keywords end with a colon ':'. An attribute is followed by its containing attributes, or a value."

                                                                          Text parsed in the advanced field breaks the line with spaces. Do you think this is important?

                                                                          • E
                                                                            Escorpiom last edited by

                                                                            Phil and Hugovsky, thanks for following up on this. I know it's community so it's awesome you helped out with this.
                                                                            Will test it shortly.

                                                                            Cheers.

                                                                            • A
                                                                              athurdent last edited by

                                                                              @athurdent:

                                                                              I'm using CARP virtual IPs and run Unbound on "All" interfaces.
                                                                              If I query the CARP IP from a Linux box, I get this:

                                                                              root@none:~# dig @192.168.xxx.254 www.heise.de
                                                                              ;; reply from unexpected source: 192.168.xxx.5#53, expected 192.168.xxx.254#53
                                                                              ;; reply from unexpected source: 192.168.xxx.5#53, expected 192.168.xxx.254#53
                                                                              ;; reply from unexpected source: 192.168.xxx.5#53, expected 192.168.xxx.254#53
                                                                              

                                                                              Snapshot is AMD64 from today.

                                                                              I took another look at this:

                                                                              IP aliases can be explicitly chosen in the GUI but do not appear in unbound.conf so this does not help with the problem. Seems like a bug and should be fixed I guess.

                                                                              If you set

                                                                              interface-automatic: yes
                                                                              

                                                                              then it replies properly when doing a dig@ the alias IP.
                                                                              This feature is marked experimental though, I don't know the downsides.

                                                                              • P
                                                                                p1erre last edited by

                                                                                Hi

                                                                                I've another issue, all my DHCP6 static bindings are not included in /var/unbound/host_entries.conf. It shows only the IPv4 entries.

                                                                                • ?
                                                                                  Guest last edited by

                                                                                  file a bug.

                                                                                  • P
                                                                                    p1erre last edited by

                                                                                    @gonzopancho:

                                                                                    file a bug.

                                                                                    Bug #4013
