Netgate Discussion Forum

    DNS Resolver

    2.2 Snapshot Feedback and Problems - RETIRED
    186 Posts 44 Posters 160.1k Views
    • athurdent

      I'm using CARP virtual IPs and run Unbound on "All" interfaces.
      If I query the CARP IP from a Linux box, I get this:

      root@none:~# dig @192.168.xxx.254 www.heise.de
      ;; reply from unexpected source: 192.168.xxx.5#53, expected 192.168.xxx.254#53
      ;; reply from unexpected source: 192.168.xxx.5#53, expected 192.168.xxx.254#53
      ;; reply from unexpected source: 192.168.xxx.5#53, expected 192.168.xxx.254#53
      

      Snapshot is AMD64 from today.

      • Hugovsky

        @router_wang:

        @chpalmer:

        @router_wang:

        The resolver is forwarding requests to my provider's DNS instead of querying the root domain name servers. You can test this by going to https://www.dnsleaktest.com/

        How can I configure it not to do this?

        Go to System/General Setup-  DNS Servers…

        Uncheck- " Allow DNS server list to be overridden by DHCP/PPP on WAN"

        Check-  "Do not use the DNS Forwarder as a DNS server for the firewall"

        Yes, I have it set like this and it still does it anyway.

        Are you using DHCP? If yes, you have to put the IP of the interface you're using in the DNS servers so it can be assigned to leases.

        • pyrodex

          After each update I've noticed unbound won't start on a reboot. I've got to go in and save the settings and then it will start. Here is what I see in the logs each time:

          
          Nov  1 18:22:07 firewall unbound: [80205:0] error: can't bind socket: Can't assign requested address
          Nov  1 18:22:07 firewall unbound: [80205:0] debug: failed address fe80::250:56ff:fe1a:1b1c port 42698

          I merely just update and reboot. Then to correct I simply go into the settings and hit SAVE and that lets it recover.

          • dstroot

            Are you using dhcp? if yes, you have to put the ip from the interface you're using in dns servers so it can be assigned to leases.

            This was a key point - thanks.

            • Tikimotel

              DNS Spoofability test: https://www.grc.com/dns/dns.htm

              DNS Nameserver Access Details
              External Ping: ignored (Nice, as it's preferable for it to be less visible.)
              External Query: ignored (This means the nameserver is more spoof resistant.)
              DNSSEC Security: supported (This server supports improved security standards.)
              --> Alphabetic Case: mixed (Extra bits of entropy are present in these queries!)  <--
              Extra Anti-Spoofing: unknown (Unable to obtain server fingerprint.)

              I've added the options below into the unbound config on my pfsense v2.1.5 in order to get the extra bits of entropy for the alphabetic case test.

              
              use-caps-for-id: yes
              val-clean-additional: yes

              I wonder if these are available by default, or switchable settings in the new pfsense 2.2 builds?

              Quote on the alphabetic case test:

              Alphabetic Case:
              The DNS system is not sensitive to alphabetic case, so the domain “WWW.GRC.COM” is identical to “www.grc.com”. DNS is designed to ignore but preserve the alphabetic case used in queries and replies. This creates an opportunity for a DNS resolver to add additional unknown bits of “entropy” to its queries by randomly changing the case of any alphabetic characters in the queried domain name. When replies are received, only the valid replying nameserver that received the mixed-case query could know the proper case for its reply. No spoofing server would know. This would give a clever resolver another way to reject spoofed replies. We know of no nameservers that are deliberately mixing case in this way, but through this test we are helping you to keep your eye out for any.

              1 Reply Last reply Reply Quote 0
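
              Added example (not code from this thread, from Unbound or from pfSense): the two checks discussed above, athurdent's "reply from unexpected source" and Tikimotel's mixed-case (0x20) test, reduced to a small stub resolver in Python. It builds an A query with randomized letter case, the behaviour use-caps-for-id turns on, and then validates a reply on three points: the reply must come from the endpoint the query went to, the transaction ID must match, and the question name must echo the query's exact case. A server that never saw the query can only guess the case, so its reply is dropped. The addresses (192.0.2.x, 203.0.113.9), the name www.example.com and the replies themselves are constructed for the demo; nothing touches the network.

```python
import random
import struct


def encode_name(name: str) -> bytes:
    """Wire-format a domain name: length-prefixed labels, zero terminator."""
    out = b""
    for label in name.rstrip(".").split("."):
        out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"


def decode_name(msg: bytes, offset: int):
    """Read a name at offset; returns (name, offset after it). The question
    section never uses compression pointers, so none are handled here."""
    labels = []
    while True:
        length = msg[offset]
        offset += 1
        if length == 0:
            break
        labels.append(msg[offset:offset + length].decode("ascii"))
        offset += length
    return ".".join(labels) + ".", offset


def randomize_case(name: str, rng: random.Random) -> str:
    """0x20 encoding: flip each letter's case at random. Only the server that
    actually received this query can echo the same pattern back."""
    out = []
    for c in name:
        if c.isalpha():
            c = c.upper() if rng.random() < 0.5 else c.lower()
        out.append(c)
    return "".join(out)


def build_query(name: str, txid: int, rng: random.Random) -> bytes:
    """Standard query, RD set, one question for an A record in class IN."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    return header + encode_name(randomize_case(name, rng)) + struct.pack("!HH", 1, 1)


def build_reply(query: bytes, answer_ip: str, qname_override=None) -> bytes:
    """Constructed reply for the demo: copies the query's ID and question,
    sets QR/RD/RA and appends one A record. A spoofer that never saw the
    query can only guess the question name, which qname_override models."""
    txid = struct.unpack("!H", query[:2])[0]
    qname, qend = decode_name(query, 12)
    if qname_override is not None:
        qname = qname_override
    question = encode_name(qname) + query[qend:qend + 4]
    header = struct.pack("!HHHHHH", txid, 0x8180, 1, 1, 0, 0)
    rdata = bytes(int(octet) for octet in answer_ip.split("."))
    answer = b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, 60, 4) + rdata
    return header + question + answer


def validate_reply(query: bytes, reply: bytes, sent_to, received_from) -> str:
    """Return 'ok' or the reason the reply must be discarded.
    sent_to and received_from are (address, port) tuples."""
    if received_from != sent_to:
        return "source mismatch: reply from %s#%d, expected %s#%d" % (
            received_from[0], received_from[1], sent_to[0], sent_to[1])
    if reply[:2] != query[:2]:
        return "transaction id mismatch"
    if not reply[2] & 0x80:
        return "not a response (QR bit clear)"
    sent_name, _ = decode_name(query, 12)
    echoed_name, _ = decode_name(reply, 12)
    if sent_name != echoed_name:  # byte-exact compare, so letter case counts
        return "question name mismatch: sent %s, got %s" % (sent_name, echoed_name)
    return "ok"


def run_checks(seed: int = 7) -> dict:
    """Build one query and validate three constructed replies against it."""
    rng = random.Random(seed)
    query = build_query("www.example.com", 0x1234, rng)
    resolver = ("192.0.2.254", 53)  # constructed: the VIP the client queries
    good = build_reply(query, "192.0.2.10")
    spoof = build_reply(query, "203.0.113.9", qname_override="www.example.com")
    return {
        "wire_name": decode_name(query, 12)[0],
        "genuine": validate_reply(query, good, resolver, resolver),
        "from_primary_address": validate_reply(query, good, resolver, ("192.0.2.5", 53)),
        "guessed_case": validate_reply(query, spoof, resolver, resolver),
    }


if __name__ == "__main__":
    for label, outcome in run_checks().items():
        print(label + ":", outcome)
```

              The "from_primary_address" case is exactly what dig complained about in the first post: same resolver, same answer, but the datagram came back from 192.0.2.5 instead of the .254 VIP it was sent to, so a correct client has to throw it away.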
              • dstroot

                Still not seeing host overrides work.

                
                ❯ dig doubleclick.net
                
                ; <<>> DiG 9.8.3-P1 <<>> doubleclick.net
                ;; global options: +cmd
                ;; Got answer:
                ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 37689
                ;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 0
                
                ;; QUESTION SECTION:
                ;doubleclick.net.		IN	A
                
                ;; ANSWER SECTION:
                doubleclick.net.	3600	IN	A	70.32.146.212
                
                ;; Query time: 105 msec
                ;; SERVER: 192.168.15.1#53(192.168.15.1)
                ;; WHEN: Sun Nov  9 14:00:46 2014
                ;; MSG SIZE  rcvd: 49
                
                

                issue.png

                • Hugovsky

                  It works for me, but I have to send it to 0.0.0.0, not 127.0.0.1.

                  • dstroot

                    Hmmm - I'm on the latest beta, tried 0.0.0.0 and 127.0.0.1.  Still no joy.  Will look into this further tomorrow.

                    • dstroot

                      My bad.  I wasn't filling it out correctly - it works if you do it as I show in the attached.

                      blocked.png

                      • Hugovsky

                        Can I pass "include: /etc/unbound/local-blocking-data.conf" in the advanced field of the resolver? I want to block some domains.

                        • Hugovsky

                          Apparently the options in the advanced field are not parsed to the config file. Am I doing it wrong?

                          • Escorpiom

                            I'm sorry to say that Unbound in 2.2 beta has (still) issues:

                            Nov 12 18:21:42  unbound: [94783:0] notice: Restart of unbound 1.4.22.
                            Nov 12 18:21:42  unbound: [94783:0] warning: too many file descriptors requested. The builtin mini-event cannot handle more than 1024. Config for less fds or compile with libevent
                            Nov 12 18:21:42  unbound: [94783:0] warning: continuing with less udp ports: 91

                            I've seen this a couple of times here, but no solution was found.
                            From what can be found on the web, it seems to be a problem with multicore CPUs (mine's a 2558 SOC).
                            The "Number of queries per thread" in the web interface shows 512, but in the actual config file it's still set at 1024.

                            The value should sit around 250 for a 4-core cpu, not exceeding a total of 1024.
                            Manually adjusting the Unbound config is no use, after saving a change in the admin interface, it resets to 1024 again.

                            This issue is causing Unbound to restart and when it does, delays the DNS lookups.
                            Old bug that really needs to be fixed.

                            Cheers.

                            • Hugovsky

                              Seems some options are not parsed to the config file. I've already posted about the advanced field, but I've found another:

                              2.2-BETA (amd64)
                              built on Thu Nov 13 06:05:47 CST 2014
                              FreeBSD 10.1-RELEASE

                              check in the config file below and check the pic:

                              /var/unbound: cat unbound.conf
                              ##########################
                              # Unbound Configuration
                              ##########################

                              # Server configuration
                              server:
                              chroot: /var/unbound
                              username: "unbound"
                              directory: "/var/unbound"
                              pidfile: "/var/run/unbound.pid"
                              use-syslog: yes
                              port: 53
                              verbosity: 1
                              harden-referral-path: no
                              do-ip4: yes
                              do-ip6: yes
                              do-udp: yes
                              do-tcp: yes
                              do-daemonize: yes
                              module-config: "validator iterator"
                              unwanted-reply-threshold: 0
                              num-queries-per-thread: 1024
                              jostle-timeout: 200
                              infra-host-ttl: 900
                              infra-lame-ttl: 900
                              infra-cache-numhosts: 10000
                              outgoing-num-tcp: 10
                              incoming-num-tcp: 10
                              edns-buffer-size: 4096
                              cache-max-ttl: 86400
                              cache-min-ttl: 0
                              harden-dnssec-stripped: yes
                              num-threads: 2
                              msg-cache-slabs: 4
                              rrset-cache-slabs: 4
                              infra-cache-slabs: 4
                              key-cache-slabs: 4
                              msg-cache-size: 4m
                              rrset-cache-size: 8m
                              outgoing-range: 462
                              #so-rcvbuf: 4m
                              auto-trust-anchor-file: /var/unbound/root.key
                              prefetch: no
                              prefetch-key: no

                              # Statistics
                              # Unbound Statistics
                              statistics-interval: 0
                              extended-statistics: yes
                              statistics-cumulative: yes

                              # Interface IP(s) to bind to
                              interface: 192.168.50.1
                              interface: 10.1.2.1
                              interface: 192.168.51.1
                              interface: 127.0.0.1
                              interface: ::1

                              # Outgoing interfaces to be used
                              outgoing-interface: #####
                              outgoing-interface: #####

                              # DNS Rebinding
                              # For DNS Rebinding prevention
                              private-address: 10.0.0.0/8
                              private-address: 172.16.0.0/12
                              private-address: 192.168.0.0/16
                              private-address: 192.254.0.0/16
                              private-address: fd00::/8
                              private-address: fe80::/10

                              # Set private domains in case authoritative name server returns a Private IP address
                              private-domain: "hsnetworks"
                              domain-insecure: "hsnetworks"

                              # Access lists
                              include: /var/unbound/access_lists.conf

                              # Static host entries
                              include: /var/unbound/host_entries.conf

                              # Domain overrides
                              include: /var/unbound/domainoverrides.conf

                              # Remote Control Config
                              include: /var/unbound/remotecontrol.conf

                              (edited to include snapshot version)

                              general.jpg
                              advanced.jpg

                              • Hugovsky

                                More info on this:

                                Although the config file of unbound doesn't have it, config.xml does have the right settings:

                                <custom_options>include:/var/unbound/local-blocking-data.conf</custom_options>
                                <dnssec></dnssec>
                                <prefetch></prefetch>
                                <prefetchkey></prefetchkey>
                                <msgcachesize>4</msgcachesize>
                                <outgoing_num_tcp>0</outgoing_num_tcp>
                                <incoming_num_tcp>0</incoming_num_tcp>
                                <edns_buffer_size>1480</edns_buffer_size>
                                <num_queries_per_thread>512</num_queries_per_thread>
                                <jostle_timeout>100</jostle_timeout>

                                1 Reply Last reply Reply Quote 0
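
                                Added example (not pfSense's or Unbound's code): a drift check for the bug discussed in the last few posts, comparing what config.xml stores for the resolver with what the generated unbound.conf actually contains. The tag-to-keyword mapping in TAG_MAP is an assumption based on the values visible in this thread, custom_options is assumed to be stored as the plain text shown above, and both sample documents are constructed from the snippets posted here (512 in config.xml against 1024 in the file, an include line that never made it out of the custom options box).

```python
import xml.etree.ElementTree as ET

# config.xml tag -> (unbound.conf keyword, conversion of the stored value).
# Assumed mapping for this example, derived from the values seen in the thread.
TAG_MAP = {
    "num_queries_per_thread": ("num-queries-per-thread", str),
    "jostle_timeout": ("jostle-timeout", str),
    "edns_buffer_size": ("edns-buffer-size", str),
    "outgoing_num_tcp": ("outgoing-num-tcp", str),
    "incoming_num_tcp": ("incoming-num-tcp", str),
    "msgcachesize": ("msg-cache-size", lambda v: v + "m"),
}

# Constructed from the config.xml snippet posted above.
SAMPLE_CONFIG_XML = """<unbound>
  <custom_options>include:/var/unbound/local-blocking-data.conf</custom_options>
  <dnssec></dnssec><prefetch></prefetch><prefetchkey></prefetchkey>
  <msgcachesize>4</msgcachesize>
  <outgoing_num_tcp>0</outgoing_num_tcp>
  <incoming_num_tcp>0</incoming_num_tcp>
  <edns_buffer_size>1480</edns_buffer_size>
  <num_queries_per_thread>512</num_queries_per_thread>
  <jostle_timeout>100</jostle_timeout>
</unbound>"""

# Constructed from the unbound.conf posted above (only the relevant lines).
SAMPLE_UNBOUND_CONF = """server:
num-queries-per-thread: 1024
jostle-timeout: 200
outgoing-num-tcp: 10
incoming-num-tcp: 10
edns-buffer-size: 4096
msg-cache-size: 4m
#so-rcvbuf: 4m
include: /var/unbound/access_lists.conf
include: /var/unbound/host_entries.conf
"""


def parse_unbound_conf(text: str) -> dict:
    """Collect keyword -> [values]; comments stripped, quotes removed."""
    settings = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if ":" not in line:
            continue
        key, _, value = line.partition(":")
        settings.setdefault(key.strip(), []).append(value.strip().strip('"'))
    return settings


def expected_from_config_xml(xml_text: str) -> dict:
    """Values unbound.conf should carry, derived from the <unbound> section."""
    node = ET.fromstring(xml_text)
    expected = {}
    for tag, (keyword, convert) in TAG_MAP.items():
        text = node.findtext(tag)
        if text is not None and text.strip():
            expected[keyword] = [convert(text.strip())]
    # Unbound's file format only requires whitespace between keywords, so the
    # custom options box is tokenised on any whitespace; the value may be
    # glued to 'key:' or follow it as the next token.
    tokens = (node.findtext("custom_options") or "").split()
    i = 0
    while i < len(tokens):
        key, _, value = tokens[i].partition(":")
        i += 1
        if not value and i < len(tokens):
            value, i = tokens[i], i + 1
        expected.setdefault(key, []).append(value)
    return expected


def find_drift(xml_text: str, conf_text: str) -> list:
    """Describe every expected value missing from unbound.conf ([] = no drift)."""
    expected = expected_from_config_xml(xml_text)
    actual = parse_unbound_conf(conf_text)
    problems = []
    for keyword, values in expected.items():
        for value in values:
            if value not in actual.get(keyword, []):
                seen = ", ".join(actual.get(keyword, [])) or "absent"
                problems.append("%s: config.xml wants %s, unbound.conf has %s"
                                % (keyword, value, seen))
    return problems


if __name__ == "__main__":
    for line in find_drift(SAMPLE_CONFIG_XML, SAMPLE_UNBOUND_CONF) or ["no drift"]:
        print(line)
```

                                On a real box the two inputs would be the <unbound> element read out of /conf/config.xml and the file /var/unbound/unbound.conf; an empty result after pressing Save/Apply is the confirmation that the GUI values actually reached the daemon.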
                                • phil.davis

                                  The code in /etc/inc/unbound.inc simply does not implement the settings into the conf file.
                                  I am looking at this. It will be easy to finish the implementation - pull request in 1 hour hopefully.

                                  As the Greek philosopher Isosceles used to say, "There are 3 sides to every triangle."
                                  If I helped you, then help someone else - buy someone a gift from the INF catalog http://secure.inf.org/gifts/usd/

                                  • phil.davis

                                    Pull request: https://github.com/pfsense/pfsense/pull/1336

                                    That makes it implement all the parameters that can be specified in the "Advanced" section (the custom options box) and on the "Advanced" tab. unbound.conf has all this stuff now after pressing Apply.

                                    And it took me 72 minutes between posts - there were a few little extra bits to think about, software project estimation is never an exact science, and I actually tested it also  ;)

                                    As the Greek philosopher Isosceles used to say, "There are 3 sides to every triangle."
                                    If I helped you, then help someone else - buy someone a gift from the INF catalog http://secure.inf.org/gifts/usd/

                                    • Hugovsky

                                      Thanks again for being so fast. I'll test it and report back.

                                      • Hugovsky

                                        It's working perfectly on the latest snapshot. Thanks again. Although, I was reading unbound docs and noticed this:

                                        "FILE FORMAT
                                        There must be whitespace between keywords. Attribute keywords end with a colon ':'. An attribute is followed by its containing attributes, or a value."

                                        Text parsed in the advanced field breaks the line with spaces. Do you think this is important?

                                        • Escorpiom

                                          Phil and Hugovsky, thanks for following up on this. I know it's community so it's awesome you helped out with this.
                                          Will test it shortly.

                                          Cheers.

                                          • athurdent

                                            @athurdent:

                                            I'm using CARP virtual IPs and run Unbound on "All" interfaces.
                                            If I query the CARP IP from a Linux box, I get this:

                                            root@none:~# dig @192.168.xxx.254 www.heise.de
                                            ;; reply from unexpected source: 192.168.xxx.5#53, expected 192.168.xxx.254#53
                                            ;; reply from unexpected source: 192.168.xxx.5#53, expected 192.168.xxx.254#53
                                            ;; reply from unexpected source: 192.168.xxx.5#53, expected 192.168.xxx.254#53
                                            

                                            Snapshot is AMD64 from today.

                                            I took another look at this:

                                            IP aliases can be explicitly chosen in the GUI but do not appear in unbound.conf so this does not help with the problem. Seems like a bug and should be fixed I guess.

                                            If you set

                                            interface-automatic: yes

                                            then it replies properly when doing a dig@ the alias IP.
                                            This feature is marked experimental though; I don't know the downsides.

                                            1 Reply Last reply Reply Quote 0
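
                                            Added example (not Unbound's or pfSense's code) for the CARP/IP alias problem in this post: given unbound.conf text and the addresses clients are expected to query, it reports whether each one is bound explicitly, covered by interface-automatic, reachable only through a wildcard listener (the "All" interfaces case, where replies leave from the interface's primary address as the dig output above shows), or not listened on at all. The VIPs 192.168.50.254 and fd00:50::254 are made up; the explicit interface lines are the ones from the unbound.conf posted earlier in the thread.

```python
def listener_settings(conf_text: str):
    """Return (set of 'interface:' addresses, interface-automatic enabled?)."""
    interfaces, automatic = set(), False
    for raw in conf_text.splitlines():
        line = raw.split("#", 1)[0].strip()
        key, _, value = line.partition(":")   # splits at the first colon only
        key, value = key.strip(), value.strip()
        if key == "interface" and value:
            interfaces.add(value.split("@")[0])  # drop an optional @port suffix
        elif key == "interface-automatic":
            automatic = value.lower() == "yes"
    return interfaces, automatic


def audit_listeners(conf_text: str, expected_addrs) -> dict:
    """Classify each address clients are going to send queries to."""
    interfaces, automatic = listener_settings(conf_text)
    v4_wildcard = "0.0.0.0" in interfaces
    v6_wildcard = bool(interfaces & {"::", "::0"})
    result = {}
    for addr in expected_addrs:
        wildcard = v6_wildcard if ":" in addr else v4_wildcard
        if addr in interfaces:
            result[addr] = "bound explicitly"
        elif automatic:
            # interface-automatic copies the queried address into the reply,
            # which is the workaround described in the post above.
            result[addr] = "covered by interface-automatic (experimental)"
        elif wildcard:
            result[addr] = "wildcard listener: replies may come from the primary address"
        else:
            result[addr] = "not listening"
    return result


# Constructed: the interface lines posted earlier in the thread.
SAMPLE_CONF_EXPLICIT = """server:
interface: 192.168.50.1
interface: 10.1.2.1
interface: 192.168.51.1
interface: 127.0.0.1
interface: ::1
"""
# Constructed: what "All" interfaces amounts to.
SAMPLE_CONF_ALL = "server:\ninterface: 0.0.0.0\ninterface: ::\n"
# Constructed: one real interface address plus two made-up CARP VIPs.
EXPECTED_ADDRS = ["192.168.50.1", "192.168.50.254", "fd00:50::254"]


if __name__ == "__main__":
    for title, conf in [("explicit interfaces", SAMPLE_CONF_EXPLICIT),
                        ("all interfaces", SAMPLE_CONF_ALL),
                        ("all + interface-automatic", SAMPLE_CONF_ALL + "interface-automatic: yes\n")]:
        print(title)
        for addr, verdict in audit_listeners(conf, EXPECTED_ADDRS).items():
            print("  %-16s %s" % (addr, verdict))
```

                                            Feeding it the live /var/unbound/unbound.conf plus the list of CARP and alias VIPs from the GUI shows at a glance which addresses will produce the "reply from unexpected source" symptom before any client notices.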
                                            Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.