DNS Resolver
-
2.2-BETA (amd64)
built on Sat Nov 22 01:52:19 CST 2014
FreeBSD 10.1-RELEASEAfter today's upgrade Resolver "went to sleep", had to switch for DNS Forwarder.
Oct 28 14:12:42 unbound: [23277:3] notice: sendto failed: No buffer space available
I know, the date is wrong.
-
Today with build Fri Nov 21 01:58:53 CST 2014 I'm getting again 'fatal error: Could not read config file: /unbound.conf' with DHCP Registration checked.
That seems to be fixed after merging a pull request from wagonza yesterday. I found one system where I could replicate that, and after that change, I no longer could. There is a bug ticket on that issue. https://redmine.pfsense.org/issues/4036
Others who could replicate that, are you seeing it on snapshots from the 23rd or newer?
-
@cmb:
That seems to be fixed after merging a pull request from wagonza yesterday. I found one system where I could replicate that, and after that change, I no longer could. There is a bug ticket on that issue. https://redmine.pfsense.org/issues/4036
Others who could replicate that, are you seeing it on snapshots from the 23rd or newer?
The latest snapshot I can get is 'Sat Nov 22 01:52:19 CST 2014'.
-
@cmb:
That seems to be fixed after merging a pull request from wagonza yesterday. I found one system where I could replicate that, and after that change, I no longer could. There is a bug ticket on that issue. https://redmine.pfsense.org/issues/4036
Others who could replicate that, are you seeing it on snapshots from the 23rd or newer?
With snapshot 'Mon Nov 24 02:33:34 CST 2014' my unbound problem is gone.
Thank You!
-
Seems solved. It starts normally now.
2.2-BETA (amd64)
built on Mon Nov 24 02:33:34 CST 2014
FreeBSD 10.1-RELEASE -
well…. spoke to soon. Can't enable "Register DHCP leases in the DNS Resolver". It refuses to start again.
2.2-BETA (amd64)
built on Tue Nov 25 11:18:23 CST 2014
FreeBSD 10.1-RELEASE -
well…. spoke to soon. Can't enable "Register DHCP leases in the DNS Resolver". It refuses to start again.
and logs what?
-
ups… sorry about that. There you go..
System log:
Nov 25 20:27:40 dhcpleases: Could not deliver signal HUP to process because its pidfile (/var/run/unbound.pid) does not exist, No such process.
Nov 25 20:27:40 dhcpleases: kqueue error: unkown
Nov 25 20:27:40 dhcpleases: Could not deliver signal HUP to process because its pidfile (/var/run/unbound.pid) does not exist, No such process.
Nov 25 20:27:39 dhcpleases: Could not deliver signal HUP to process because its pidfile (/var/run/unbound.pid) does not exist, No such process.Unbound log:
Nov 25 20:29:40 unbound: [93575:0] fatal error: Could not read config file: /unbound.conf
Nov 25 20:29:40 unbound: [93575:0] notice: Restart of unbound 1.4.22.
Nov 25 20:29:40 unbound: [93575:0] info: server stats for thread 1: requestlist max 0 avg 0 exceeded 0 jostled 0
Nov 25 20:29:40 unbound: [93575:0] info: server stats for thread 1: 0 queries, 0 answers from cache, 0 recursions, 0 prefetch
Nov 25 20:29:40 unbound: [93575:0] info: server stats for thread 0: requestlist max 0 avg 0 exceeded 0 jostled 0
Nov 25 20:29:40 unbound: [93575:0] info: server stats for thread 0: 0 queries, 0 answers from cache, 0 recursions, 0 prefetch
Nov 25 20:29:40 unbound: [93575:0] info: service stopped (unbound 1.4.22).
Nov 25 20:29:40 unbound: [93575:0] info: start of service (unbound 1.4.22).
Nov 25 20:29:40 unbound: [93575:0] notice: init module 1: iterator
Nov 25 20:29:40 unbound: [93575:0] notice: init module 0: validatorBUT, this is only try if I put includes in advanced config. With default config, I can start resolver with "Register DHCP leases in the DNS Resolver" set.
-
BUT, this is only try if I put includes in advanced config. With default config, I can start resolver with "Register DHCP leases in the DNS Resolver" set.
Seems you're putting something invalid in there.
-
-
I just set up a new 2.2 installation… unbound appears to be running, but these entries appear in the log whenever the service is started. I do have the options to register DHCP leases and static DHCP entries checked.
Nov 25 19:15:29 unbound: [88622:0] error: cannot parse netblock: '/'
Nov 25 19:15:29 unbound: [88622:0] error: cannot parse access control: / allow
Nov 25 19:15:29 unbound: [88622:0] fatal error: Could not setup access control listAlso, the service IS running, but the Status > Services page shows it as stopped.
EDIT: Nope… it's not running. My computer is using the Google IPv6 DNS servers I put into pfSense, not the local resolver. I guess there's no way to have the router specify its own IPv6 address (even if it's link-local) for DNS to DHCP clients? I only know it's not running because my IP phone - which only supports IPv4 - can't resolve my VoIP provider hostname, and the only DNS server it has is the IPv4 LAN address of my box.
This appears to be caused by the fact that I'm not requesting an IPv6 address on my WAN interface, just a prefix. Since there's no address, there's nothing to put in the access_lists.conf file, resulting in a access-control: / allow line.
Bug 4046 created for this…
-
@virgiliomi:
This appears to be caused by the fact that I'm not requesting an IPv6 address on my WAN interface, just a prefix. Since there's no address, there's nothing to put in the access_lists.conf file, resulting in a access-control: / allow line.
Pretty sure you have to be running an old version, that was fixed over a week ago.
-
@cmb:
@virgiliomi:
This appears to be caused by the fact that I'm not requesting an IPv6 address on my WAN interface, just a prefix. Since there's no address, there's nothing to put in the access_lists.conf file, resulting in a access-control: / allow line.
Pretty sure you have to be running an old version, that was fixed over a week ago.
2.2-BETA (amd64)
built on Tue Nov 25 11:18:23 CST 2014 -
I updated to the latest snapshot as of this morning (built on Thu Nov 27 00:15:05 CST 2014) and the above issue seems to be resolved. Now I run into something else. My computer (Win7) has both the IPv6 and v4 addresses of my box as DNS servers. When I try to do nslookup, it appears that unbound is refusing queries to the IPv6 address, while queries via IPv4 go through no problem.
> [internal hostname] Server: UnKnown Address: 2601:8:a00:xxx:xxx:xxx:xxx:xxx *** UnKnown can't find [internal hostname]: Query refused > [external hostname] Server: UnKnown Address: 2601:8:a00:xxx:xxx:xxx:xxx:xxx *** UnKnown can't find [external hostname]: Query refused > server 192.168.1.1 Default Server: [192.168.1.1] Address: 192.168.1.1 > [internal hostname] Server: [192.168.1.1] Address: 192.168.1.1 Name: [internal hostname] Address: 192.168.1.108 > [external hostname] Server: [192.168.1.1] Address: 192.168.1.1 Non-authoritative answer: Name: [external hostname] Addresses: [ip addresses]
-
@virgiliomi:
When I try to do nslookup, it appears that unbound is refusing queries to the IPv6 address, while queries via IPv4 go through no problem.
That was tightened up a bit recently. It generally seems fine. The biggest functional change is it skips IPv6 subnets that reside on an Internet connection (a static interface with a gateway specified under Interfaces>[interface name], or any dynamic connection type). Is the subnet in question on an interface that's an Internet connection? Or is treated like one because a gateway is chosen under Interfaces?
-
@cmb:
@virgiliomi:
When I try to do nslookup, it appears that unbound is refusing queries to the IPv6 address, while queries via IPv4 go through no problem.
That was tightened up a bit recently. It generally seems fine. The biggest functional change is it skips IPv6 subnets that reside on an Internet connection (a static interface with a gateway specified under Interfaces>[interface name], or any dynamic connection type). Is the subnet in question on an interface that's an Internet connection? Or is treated like one because a gateway is chosen under Interfaces?
No, it's actually my LAN interface, which has IPv6 as "Track Interface" (WAN, Prefix 0)… My WAN interface isn't obtaining an IPv6 address, just a /60 prefix.
-
@virgiliomi:
No, it's actually my LAN interface, which has IPv6 as "Track Interface" (WAN, Prefix 0)… My WAN interface isn't obtaining an IPv6 address, just a /60 prefix.
Ok I see what was happening there, that was fixed today. Should be good on tomorrow's snapshot, or gitsync now.
-
Are entries posted in "Domain Overrides" being processed correctly?
I want to route any requests for hosts on the other end of my vpn to the pfSense that runs that network. This is something I had working perfectly using "Domain Overrides" within the old DNS Forwarder, but using DNS resolver it doesn't seem to be working.
My current config has the domain is set "vpn" and the server to forward these requests to is "10.30.1.1"
Are there any particular settings I should be looking at to get this to work?
Here is my log for an nslookup from my local network to server.vpn (Server is a valid dns entry on the other network and like I said, these queries were working with DNS Forwarder).
Looking at the log, I can see entires such as "server.vpn.local." - Why has the "local" been added to this query? (local, as your probably guessed is the DNS suffix for my local lan). My WAN DNS servers are Google (8.8.x.x) and Level 3 (209.244.x.x) and you can see that queries are being sent to these as well as 10.30.1.1 (the server which should be able to give us a result).
01/11/2029 01:53 unbound: [20144:0] info: start of service (unbound 1.4.22). 01/11/2029 01:53 unbound: [20144:2] debug: cache memory msg=66554 rrset=67202 infra=3849 val=0 01/11/2029 01:53 unbound: [20144:2] debug: sending to target: <vpn.>10.30.1.1#53 01/11/2029 01:53 unbound: [20144:2] info: sending query: server.vpn. A IN 01/11/2029 01:53 unbound: [20144:2] info: processQueryTargets: server.vpn. A IN 01/11/2029 01:53 unbound: [20144:2] info: resolving (init part 3): server.vpn. A IN 01/11/2029 01:53 unbound: [20144:2] info: use stub vpn. NS IN 01/11/2029 01:53 unbound: [20144:2] info: resolving (init part 2): server.vpn. A IN 01/11/2029 01:53 unbound: [20144:2] info: use stub vpn. NS IN 01/11/2029 01:53 unbound: [20144:2] info: resolving server.vpn. A IN 01/11/2029 01:53 unbound: [20144:2] debug: iterator[module 0] operate: extstate:module_state_initial event:module_event_new 01/11/2029 01:53 unbound: [20144:3] debug: cache memory msg=66554 rrset=67202 infra=3596 val=0 01/11/2029 01:53 unbound: [20144:3] info: finishing processing for server.vpn.local. AAAA IN 01/11/2029 01:53 unbound: [20144:3] info: query response was NXDOMAIN ANSWER 01/11/2029 01:53 unbound: [20144:3] info: reply from <.> 8.8.4.4#53 01/11/2029 01:53 unbound: [20144:3] info: response for server.vpn.local. AAAA IN 01/11/2029 01:53 unbound: [20144:3] info: iterator operate: query server.vpn.local. AAAA IN 01/11/2029 01:53 unbound: [20144:3] debug: iterator[module 0] operate: extstate:module_wait_reply event:module_event_reply 01/11/2029 01:53 unbound: [20144:3] debug: cache memory msg=66313 rrset=67202 infra=3596 val=0 01/11/2029 01:53 unbound: [20144:3] debug: sending to target: <.> 8.8.4.4#53 01/11/2029 01:53 unbound: [20144:3] info: sending query: server.vpn.local. AAAA IN 01/11/2029 01:53 unbound: [20144:3] info: processQueryTargets: server.vpn.local. AAAA IN 01/11/2029 01:53 unbound: [20144:3] info: resolving server.vpn.local. AAAA IN 01/11/2029 01:53 unbound: [20144:3] debug: iterator[module 0] operate: extstate:module_state_initial event:module_event_new 01/11/2029 01:53 unbound: [20144:0] debug: cache memory msg=66313 rrset=67202 infra=3347 val=0 01/11/2029 01:53 unbound: [20144:0] info: finishing processing for server.vpn.local. A IN 01/11/2029 01:53 unbound: [20144:0] info: query response was NXDOMAIN ANSWER 01/11/2029 01:53 unbound: [20144:0] info: reply from <.> 209.244.0.3#53 01/11/2029 01:53 unbound: [20144:0] info: response for server.vpn.local. A IN 01/11/2029 01:53 unbound: [20144:0] info: iterator operate: query server.vpn.local. A IN 01/11/2029 01:53 unbound: [20144:0] debug: iterator[module 0] operate: extstate:module_wait_reply event:module_event_reply 01/11/2029 01:53 unbound: [20144:0] debug: cache memory msg=66072 rrset=66072 infra=3347 val=0 01/11/2029 01:53 unbound: [20144:0] debug: sending to target: <.> 209.244.0.3#53 01/11/2029 01:53 unbound: [20144:0] info: sending query: server.vpn.local. A IN 01/11/2029 01:53 unbound: [20144:0] info: processQueryTargets: server.vpn.local. A IN 01/11/2029 01:53 unbound: [20144:0] info: resolving server.vpn.local. A IN 01/11/2029 01:53 unbound: [20144:0] debug: iterator[module 0] operate: extstate:module_state_initial event:module_event_new 01/11/2029 01:53 unbound: [20144:2] debug: cache memory msg=66554 rrset=67202 infra=3849 val=0 01/11/2029 01:53 unbound: [20144:2] debug: sending to target: <vpn.>10.30.1.1#53 01/11/2029 01:53 unbound: [20144:2] info: sending query: server.vpn. A IN 01/11/2029 01:53 unbound: [20144:2] info: processQueryTargets: server.vpn. A IN 01/11/2029 01:53 unbound: [20144:2] info: iterator operate: query server.vpn. A IN 01/11/2029 01:53 unbound: [20144:2] debug: iterator[module 0] operate: extstate:module_wait_reply event:module_event_noreply 01/11/2029 01:53 unbound: [20144:2] debug: cache memory msg=66554 rrset=67202 infra=3849 val=0 01/11/2029 01:53 unbound: [20144:2] debug: sending to target: <vpn.>10.30.1.1#53 01/11/2029 01:53 unbound: [20144:2] info: sending query: server.vpn. A IN 01/11/2029 01:53 unbound: [20144:2] info: processQueryTargets: server.vpn. A IN 01/11/2029 01:53 unbound: [20144:2] info: iterator operate: query server.vpn. A IN 01/11/2029 01:53 unbound: [20144:2] debug: iterator[module 0] operate: extstate:module_wait_reply event:module_event_noreply</vpn.></vpn.></vpn.>
-
@mattbunce - have a read of this thread: https://forum.pfsense.org/index.php?topic=84184.0
Perhaps now the unbound requests are going out with source IP as the VPN tunnel local end-point, and the DNS server at 10.30.1.1 does not have a route back to that?
In DNS Forwarder (dnsmasq) you might have been using the "Source IP" field in the Domain Overrides settings to help this. But that field no longer exists for DNS Resolver (unbound).Edit: add: Your client will be adding anything in its DNS suffix searchlist automatically, thus tryin server.vpn.local as well as server.vpn
Put the terminating "." at the end of the name to stop that;nslookup server.vpn.
-
So Unbound seems to have an issue where it restarts about every 70 minutes. Unfortunately I turned down the log verbosity because it was generating a massive amount of data even at level 1. So all I have are the start/stop entries. But here's a bit of the log…
Nov 28 00:41:25 unbound: [18673:0] info: service stopped (unbound 1.4.22). Nov 28 00:41:25 unbound: [18673:0] info: start of service (unbound 1.4.22). Nov 28 01:50:49 unbound: [18673:0] info: service stopped (unbound 1.4.22). Nov 28 01:50:49 unbound: [18673:0] info: start of service (unbound 1.4.22). Nov 28 03:00:08 unbound: [18673:0] info: service stopped (unbound 1.4.22). Nov 28 03:00:08 unbound: [18673:0] info: start of service (unbound 1.4.22). Nov 28 04:09:24 unbound: [18673:0] info: service stopped (unbound 1.4.22). Nov 28 04:09:24 unbound: [18673:0] info: start of service (unbound 1.4.22). Nov 28 05:18:43 unbound: [18673:0] info: service stopped (unbound 1.4.22). Nov 28 05:18:43 unbound: [18673:0] info: start of service (unbound 1.4.22). Nov 28 06:23:57 unbound: [18673:0] info: service stopped (unbound 1.4.22). Nov 28 06:23:57 unbound: [18673:0] info: start of service (unbound 1.4.22).
I'll turn the verbosity back up and see if it provides any further enlightenment tomorrow… but given how much data it puts in that log file, it might be a bit harder to tell.