Unbound not working



  • Now, I'm not sure why it's not working but I tried installing fresh to a VM (Unbound enabled and DNS Forwarder disabled) and the machines in my LAN cannot resolve DNS queries. When I enable DNS forwarder and disable Unbound, everything works as it should.

    How can I troubleshoot this?


  • Start with the resolver log and check whether it's running at all.
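A quick way to do that check from a LAN host, as an added example that is not part of the thread: send one DNS query straight to the pfSense LAN address and classify what comes back. A timeout means nothing is answering on 53 (service down, not listening on that interface, or a rule dropping it); SERVFAIL means Unbound is up but could not complete the lookup upstream; REFUSED means its access control rejected you. The test name and the interpretation strings are assumptions of this example.

```python
import secrets
import socket
import struct

# Added example, not from the thread. It sends a single DNS query to the
# address you pass in (e.g. the pfSense LAN IP) and tells you what the reply,
# or its absence, usually means for Unbound. The hypothetical test name and
# the interpretation strings are assumptions.
RCODES = {0: "NOERROR", 1: "FORMERR", 2: "SERVFAIL", 3: "NXDOMAIN", 5: "REFUSED"}


def build_query(name, qtype=1, txid=None, rd=True):
    """Build a minimal RFC 1035 query: 12-byte header + QNAME + QTYPE/QCLASS."""
    if txid is None:
        txid = secrets.randbelow(1 << 16)  # random ID, checked on reply
    flags = 0x0100 if rd else 0x0000       # RD bit: ask the server to recurse
    header = struct.pack("!HHHHHH", txid, flags, 1, 0, 0, 0)
    qname = b"".join(
        bytes([len(label)]) + label.encode("ascii")
        for label in name.rstrip(".").split(".")
    ) + b"\x00"
    return header + qname + struct.pack("!HH", qtype, 1)  # class IN


def parse_response(packet, expected_txid):
    """Decode the header of a reply; enough to classify the failure mode."""
    if len(packet) < 12:
        raise ValueError("truncated DNS header")
    txid, flags, _qd, an, _ns, _ar = struct.unpack("!HHHHHH", packet[:12])
    return {
        "txid_ok": txid == expected_txid,       # mismatch: stray or spoofed reply
        "is_response": bool(flags & 0x8000),    # QR bit
        "ad": bool(flags & 0x0020),             # AD bit: validated by DNSSEC
        "rcode": RCODES.get(flags & 0x000F, str(flags & 0x000F)),
        "answers": an,
    }


def probe(server, name="www.example.com", timeout=3.0):
    """Query `server`:53 over UDP and return a small result dict."""
    txid = secrets.randbelow(1 << 16)
    query = build_query(name, txid=txid)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        try:
            sock.sendto(query, (server, 53))
            data, _ = sock.recvfrom(4096)
        except socket.timeout:
            return {"state": "timeout"}
        except ConnectionRefusedError:        # ICMP port unreachable came back
            return {"state": "refused"}
    result = parse_response(data, txid)
    result["state"] = "answered"
    return result


def interpret(result):
    """Map the probe outcome to the usual cause on a pfSense/Unbound box."""
    state = result["state"]
    if state == "timeout":
        return "no reply on 53: Unbound not running, not listening on this interface, or a firewall rule drops it"
    if state == "refused":
        return "host up but nothing bound to UDP 53: resolver service is down"
    if not result["txid_ok"]:
        return "reply with wrong transaction ID: ignore it (stray or spoofed)"
    rcode = result["rcode"]
    if rcode == "REFUSED":
        return "Unbound is up but its access control denies this client"
    if rcode == "SERVFAIL":
        return "Unbound is up but cannot complete the lookup: upstream/egress on 53 blocked or DNSSEC validation failed"
    if rcode == "NXDOMAIN":
        return "resolution works; the name simply does not exist"
    return "resolution works" + (" (DNSSEC validated)" if result["ad"] else "")


if __name__ == "__main__":
    import sys
    print(interpret(probe(sys.argv[1] if len(sys.argv) > 1 else "127.0.0.1")))
```

Run it as `python3 probe.py 192.168.1.1` from a LAN machine, then compare against a direct query to 8.8.8.8 from the firewall itself: if the firewall can get NOERROR from Google but clients get SERVFAIL from the LAN address, the problem is between Unbound and its upstreams, not between the clients and Unbound.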



  • Did you have pfSense working before with Unbound or with a DNS provider other than your ISP?
    Is it possible your ISP is killing any DNS that isn't theirs?

    Also, having Unbound in forwarder mode using DNSSEC with an ISP whose DNS servers don't support DNSSEC will also kill your DNS.  (I tried it just for giggles)

    You probably need to post your Unbound settings here - all of them.



  • @doktornotor:

    Start with the resolver log and check whether it's running at all.

    I do see logs and it says it is running, yes.

    @kejianshi:

    Did you have pfSense working before with Unbound or with a DNS provider other than your ISP?
    Is it possible your ISP is killing any DNS that isn't theirs?

    Also, having Unbound in forwarder mode using DNSSEC with an ISP whose DNS servers don't support DNSSEC will also kill your DNS.  (I tried it just for giggles)

    You probably need to post your Unbound settings here - all of them.

    I'm testing this in our company network, virtually. Basically, it's a test environment wherein I treat our test network (LAN) as pfsense's WAN side (virtual ISP).

    Are you saying that Unbound is like another DNS provider that's embedded in pfSense? Sorry, I'm new to it. For what it's worth, I can specify the Google DNS servers on the General page, use DNS Forwarding, and not have any problems.

    Here are my settings:

    https://www.dropbox.com/s/jj0sl8t0vql7xne/unbound.JPG?dl=0



  • Yes - It's a DNS resolver and yours is turned off.


  • Your settings are not even enabled ;)

    You have it send out queries to authoritative servers out ALL your interfaces???

    Unbound is a DNS RESOLVER.. i.e. it will ask the roots "hey, who is the owner server of domainx.com?" and then go ask domainx.com's NS "hey, what is the IP of your A record www.domainx.com?"

    This is much different than forwarding queries of www.domainx.com to your ISP's DNS..  Does your work LAN let you talk outbound to the internet on 53?  So you can query any DNS server you want?  Most company networks do NOT allow that..



  • @kejianshi:

    Yes - It's a DNS resolver and yours is turned off.

    @johnpoz:

    Your settings are not even enabled ;)

    You have it send out queries to authoritative servers out ALL your interfaces???

    Unbound is a DNS RESOLVER.. i.e. it will ask the roots "hey, who is the owner server of domainx.com?" and then go ask domainx.com's NS "hey, what is the IP of your A record www.domainx.com?"

    This is much different than forwarding queries of www.domainx.com to your ISP's DNS..  Does your work LAN let you talk outbound to the internet on 53?  So you can query any DNS server you want?  Most company networks do NOT allow that..

    I forgot to mention that the picture shows it as disabled, but of course I'm not that dumb :) When I was testing it, it was enabled (that box is checked). I just didn't bother taking a screenshot of it while it was enabled because DNS Forwarder is working now.

    Well, it was set up that way as its "default", that is, to query authoritative servers out all the interfaces.

    Ok, got that. So Unbound is like a DNS server in itself, not a forwarder. Well, if the pfSense firewall can query outbound to 8.8.8.8 and 8.8.4.4, doesn't that mean it is allowed in my work LAN?



  • Yes - But be aware that there is a huge difference between a resolver and a forwarder when it comes to how your pages may or may not resolve.


  • "Well, if the pfSense firewall can query outbound to 8.8.8.8 and 8.8.4.4, doesn't that mean it is allowed in my work LAN?"

    No, not necessarily..  What that means is 53 is open to 8.8.8.8 and 8.8.4.4 - it does not mean that 53 is open to

    .                      517311  IN      NS      a.root-servers.net.
    .                      517311  IN      NS      b.root-servers.net.
    .                      517311  IN      NS      c.root-servers.net.
    .                      517311  IN      NS      d.root-servers.net.
    .                      517311  IN      NS      e.root-servers.net.
    .                      517311  IN      NS      f.root-servers.net.
    .                      517311  IN      NS      g.root-servers.net.
    .                      517311  IN      NS      h.root-servers.net.
    .                      517311  IN      NS      i.root-servers.net.
    .                      517311  IN      NS      j.root-servers.net.
    .                      517311  IN      NS      k.root-servers.net.
    .                      517311  IN      NS      l.root-servers.net.
    .                      517311  IN      NS      m.root-servers.net.

    or

    ;; ANSWER SECTION:
    com.                    172800  IN      NS      j.gtld-servers.net.
    com.                    172800  IN      NS      b.gtld-servers.net.
    com.                    172800  IN      NS      d.gtld-servers.net.
    com.                    172800  IN      NS      c.gtld-servers.net.
    com.                    172800  IN      NS      a.gtld-servers.net.
    com.                    172800  IN      NS      h.gtld-servers.net.
    com.                    172800  IN      NS      l.gtld-servers.net.
    com.                    172800  IN      NS      m.gtld-servers.net.
    com.                    172800  IN      NS      k.gtld-servers.net.
    com.                    172800  IN      NS      i.gtld-servers.net.
    com.                    172800  IN      NS      f.gtld-servers.net.
    com.                    172800  IN      NS      e.gtld-servers.net.
    com.                    172800  IN      NS      g.gtld-servers.net.

    And then every single authoritative NS on the planet..  This is the difference between a forwarder and a resolver - a forwarder would forward to, say, 8.8.8.8

    What I would suggest is you use the forwarder, you have no need of the resolver function to look up shit ;)

    As to it defaulting to ALL for interfaces..  It has to default to something..  But ALL is normally not going to be the correct setting for either of those..  It's rare you would listen for DNS queries on WAN, and it's rare that you would talk to an authoritative NS out your LAN, for example..

    I would suggest you leave it disabled and just use the forwarder pointing to 8.8.8.8, until such time that you actually require a resolver vs a forwarder.
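The point about egress is easy to miss, so here it is as an added example (not code from the thread, pfSense or Unbound): a small simulation of the two modes over a hypothetical delegation chain, using RFC 5737 documentation addresses that stand in for the root, .com and domainx.com servers. Resolver mode has to reach every hop of the chain on port 53; forwarder mode only ever sends packets to the forwarder, which does the walk on its own network. With a firewall policy that only opens 53 to 8.8.8.8 and 8.8.4.4, the resolver fails at the first hop and the forwarder succeeds.

```python
# Added example, not code from the thread or from Unbound. It models the two
# modes with a hypothetical delegation chain (RFC 5737 addresses) so you can
# see which port-53 destinations each mode must be allowed to reach.

ROOT_HINT = "192.0.2.1"                     # stands in for the root-servers.net set
PUBLIC_FORWARDERS = {"8.8.8.8", "8.8.4.4"}  # recursive servers that walk the tree for you

# Hypothetical authoritative servers keyed by IP. "delegations" maps a child
# zone to NS glue; "records" holds the A records the server is authoritative for.
SERVERS = {
    "192.0.2.1": {"delegations": {"com.": [("j.gtld-servers.net.", "192.0.2.10")]},
                  "records": {}},
    "192.0.2.10": {"delegations": {"domainx.com.": [("ns1.domainx.com.", "192.0.2.20")]},
                   "records": {}},
    "192.0.2.20": {"delegations": {},
                   "records": {"www.domainx.com.": ["203.0.113.7"]}},
}


def _in_zone(name, zone):
    return zone == "." or name == zone or name.endswith("." + zone)


def authoritative_answer(server_ip, qname):
    """One authoritative server's reply: an answer, a referral down, or nothing."""
    srv = SERVERS[server_ip]
    if qname in srv["records"]:
        return "answer", srv["records"][qname]
    for child, glue in srv["delegations"].items():
        if _in_zone(qname, child):
            return "referral", glue
    return "nxdomain", []


def resolve_iterative(qname, egress=None):
    """Resolver mode: start at the root hint and follow referrals.
    `egress` is the set of IPs the firewall allows on port 53 (None = any)."""
    contacted, server = [], ROOT_HINT
    for _ in range(10):                      # bound the delegation depth
        contacted.append(server)
        if egress is not None and server not in egress:
            return "SERVFAIL", [], contacted  # blocked: the walk cannot continue
        kind, data = authoritative_answer(server, qname)
        if kind == "answer":
            return "NOERROR", data, contacted
        if kind == "referral":
            server = data[0][1]              # follow the first glue address
            continue
        return "NXDOMAIN", [], contacted
    return "SERVFAIL", [], contacted


def resolve_forward(qname, forwarders, egress=None):
    """Forwarder mode: hand the whole query to an upstream; never touch the roots."""
    contacted = []
    for fwd in forwarders:
        contacted.append(fwd)
        if egress is not None and fwd not in egress:
            continue                         # unreachable, try the next one
        if fwd in PUBLIC_FORWARDERS:
            # The upstream does the iterative walk on its own network; from our
            # side the only packet leaves for the forwarder itself.
            status, ips, _ = resolve_iterative(qname)
            return status, ips, contacted
    return "SERVFAIL", [], contacted


def compare(egress):
    """Both modes against the same firewall policy, for www.domainx.com."""
    return {
        "resolver": resolve_iterative("www.domainx.com.", egress),
        "forwarder": resolve_forward("www.domainx.com.", ["8.8.8.8", "8.8.4.4"], egress),
    }


if __name__ == "__main__":
    # A work LAN that only opens 53 to Google's resolvers, as in the thread.
    for mode, (status, ips, contacted) in compare({"8.8.8.8", "8.8.4.4"}).items():
        print(f"{mode:9s} {status:8s} {ips} contacted={contacted}")
```

The `contacted` list is the thing to look at: for a real resolver it is the thirteen root addresses, the TLD servers and every authoritative server you ever look up, which is the set your upstream firewall would have to allow.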



  • Your Unbound can also work just fine as a forwarder as long as what you are forwarding from allows DNSSEC - Google DNS does.  Your ISP may not.  Whatever is on your pfSense WAN may not either.  In other words, when using Unbound as a forwarder, you may not be able to use DNSSEC.  It just depends on the DNS server you tell it to forward from.

    So, let's say you don't allow your ISP to override your DNS settings on the WAN AND you also use 8.8.8.8 and 8.8.4.4 AND you also use DNSSEC in the Unbound DNS resolver with forwarder mode enabled; there is some advantage.  Whoever is between you and Google DNS will have a hell of a time spoofing your DNS replies.

    Your work guys may try?  I don't know.  Admins can be mischievous.



  • @johnpoz:

    "Well, if the pfSense firewall can query outbound to 8.8.8.8 and 8.8.4.4, doesn't that mean it is allowed in my work LAN?"

    No, not necessarily..  What that means is 53 is open to 8.8.8.8 and 8.8.4.4 - it does not mean that 53 is open to

    .                      517311  IN      NS      a.root-servers.net.
    .                      517311  IN      NS      b.root-servers.net.
    .                      517311  IN      NS      c.root-servers.net.
    .                      517311  IN      NS      d.root-servers.net.
    .                      517311  IN      NS      e.root-servers.net.
    .                      517311  IN      NS      f.root-servers.net.
    .                      517311  IN      NS      g.root-servers.net.
    .                      517311  IN      NS      h.root-servers.net.
    .                      517311  IN      NS      i.root-servers.net.
    .                      517311  IN      NS      j.root-servers.net.
    .                      517311  IN      NS      k.root-servers.net.
    .                      517311  IN      NS      l.root-servers.net.
    .                      517311  IN      NS      m.root-servers.net.

    or

    ;; ANSWER SECTION:
    com.                    172800  IN      NS      j.gtld-servers.net.
    com.                    172800  IN      NS      b.gtld-servers.net.
    com.                    172800  IN      NS      d.gtld-servers.net.
    com.                    172800  IN      NS      c.gtld-servers.net.
    com.                    172800  IN      NS      a.gtld-servers.net.
    com.                    172800  IN      NS      h.gtld-servers.net.
    com.                    172800  IN      NS      l.gtld-servers.net.
    com.                    172800  IN      NS      m.gtld-servers.net.
    com.                    172800  IN      NS      k.gtld-servers.net.
    com.                    172800  IN      NS      i.gtld-servers.net.
    com.                    172800  IN      NS      f.gtld-servers.net.
    com.                    172800  IN      NS      e.gtld-servers.net.
    com.                    172800  IN      NS      g.gtld-servers.net.

    And then every single authoritative NS on the planet..  This is the difference between a forwarder and a resolver - a forwarder would forward to, say, 8.8.8.8

    What I would suggest is you use the forwarder, you have no need of the resolver function to look up shit ;)

    As to it defaulting to ALL for interfaces..  It has to default to something..  But ALL is normally not going to be the correct setting for either of those..  It's rare you would listen for DNS queries on WAN, and it's rare that you would talk to an authoritative NS out your LAN, for example..

    I would suggest you leave it disabled and just use the forwarder pointing to 8.8.8.8, until such time that you actually require a resolver vs a forwarder.

    Got it. You mean my work LAN can allow outbound port 53 to known DNS servers like Google but not to the root servers, right?

    And if I understand correctly, dnsmasq does recursive queries to where it forwards to and Unbound does an iterative lookup, right? In that case, in what situation would I best use Unbound, and why is it kept enabled for fresh installations if it can produce some issues with certain ISPs?

    @kejianshi:

    Your Unbound can also work just fine as a forwarder as long as what you are forwarding from allows DNSSEC - Google DNS does.  Your ISP may not.  Whatever is on your pfSense WAN may not either.  In other words, when using Unbound as a forwarder, you may not be able to use DNSSEC.  It just depends on the DNS server you tell it to forward from.

    So, let's say you don't allow your ISP to override your DNS settings on the WAN AND you also use 8.8.8.8 and 8.8.4.4 AND you also use DNSSEC in the Unbound DNS resolver with forwarder mode enabled; there is some advantage.  Whoever is between you and Google DNS will have a hell of a time spoofing your DNS replies.

    Your work guys may try?  I don't know.  Admins can be mischievous.

    I understand. If forwarding is enabled in Unbound though, what would its difference be from dnsmasq?


  • In forwarder mode it supports DNSSEC - while dnsmasq does not, etc..

    As to why they have Unbound enabled out of the box?  While sure, it could have issues with some connections..  Have to ask them; I didn't notice if it was in forwarder mode with DNSSEC enabled or not.  To be honest though, you would HOPE that someone wanting to use pfSense would have the basic understanding of this sort of stuff to figure it out ;)  While many users are jumping on the bandwagon of pfSense - many of them should just stick to their off-the-shelf SOHO routers that they turn on and forget about… hehehehehe

    The layer 8 problems are becoming very common on the board...



  • Honestly, I seriously doubt that the root server IPs are being blocked while google's are being allowed UNLESS they are white-listing.



  • @johnpoz:

    In forwarder mode it supports DNSSEC - while dnsmasq does not, etc..

    As to why they have Unbound enabled out of the box?  While sure, it could have issues with some connections..  Have to ask them; I didn't notice if it was in forwarder mode with DNSSEC enabled or not.  To be honest though, you would HOPE that someone wanting to use pfSense would have the basic understanding of this sort of stuff to figure it out ;)  While many users are jumping on the bandwagon of pfSense - many of them should just stick to their off-the-shelf SOHO routers that they turn on and forget about… hehehehehe

    The layer 8 problems are becoming very common on the board...

    We all start somewhere, and that's why the pfSense community is here. I'm not at all clueless when it comes to DNS, but I'll admit that I'm not an expert. What's basic for you may not be basic for others.

    @kejianshi:

    Honestly, I seriously doubt that the root server IPs are being blocked while google's are being allowed UNLESS they are white-listing.

    That's what I thought. I forgot to mention though that I have two pfSense firewalls in my setup, a front-end and a back-end firewall. I experimented and enabled Unbound on just the front end while keeping dnsmasq enabled on the back end, and that fixed my problem. Does this mean that it is not recommended to enable Unbound on both firewalls?



  • I'd think that means you have some issue with your pfSense setup on the back end.  I see no reason why it shouldn't work on the front and back end unless something is not correctly configured elsewhere. You can break it with block rules and things like that.  Doing relay from your front end should be no problem though.  That's perfectly valid and should work very well - it just shouldn't be required.



  • Another clarification on my mind: is it accurate that when you enable forwarding with Unbound, it will never use the root hints?



  • Let's say you are forwarding from 8.8.8.8 or your ISP's DNS - No, it would be using the root DNS servers.



  • @kejianshi:

    Let's say you are forwarding from 8.8.8.8 or your ISP's DNS - No, it would be using the root DNS servers.

    Is that a "from" or a "to" 8.8.8.8 or my ISP's DNS server? In any case, if you enable forwarding, regardless of what IP address you are forwarding to, it still disables the root hints, right?



  • Forwarding mode should forward all requests to the designated upstream DNS server/s.
    Thus there will be no reason for Unbound to ever consult the root servers, because it never does a recursive resolve when in forwarding mode.
    That is the theory. Of course there might be "bugs/features" in the code that result in some talking to root servers even when forwarding mode is on - you would have to audit the code and test to really know that :)
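Two of the questions in this thread come down to what is in the generated unbound.conf: johnpoz's point that listening and sending on ALL interfaces is the wrong default, and phil.davis's point that a forward-zone for "." puts Unbound in forwarding mode, where root hints go unused. The following is an added example, not code from the thread, pfSense or Unbound: a small audit that parses an unbound.conf fragment and reports those facts. Both config fragments and the WAN/LAN addresses are constructed for the example; the option names (`interface`, `outgoing-interface`, `access-control`, `auto-trust-anchor-file`, `forward-zone`/`forward-addr`) are real unbound.conf options.

```python
import ipaddress
from collections import defaultdict

# Added example, not code from the thread, pfSense or Unbound. It reads an
# unbound.conf fragment and reports where the daemon listens, which interface
# iterative queries leave on, whether a forward-zone for "." puts it in
# forwarding mode (root hints then go unused), and whether a DNSSEC trust
# anchor is configured. Addresses and both fragments are constructed.

WAN_IP = "203.0.113.5"                            # hypothetical pfSense WAN address
LAN_NET = ipaddress.ip_network("192.168.1.0/24")  # hypothetical LAN

WEAK_CONF = """
server:
    interface: 0.0.0.0                 # "ALL": listens on WAN as well as LAN
    outgoing-interface: 192.168.1.1    # iterative queries may leave via LAN
    outgoing-interface: 203.0.113.5
    access-control: 0.0.0.0/0 allow    # anyone who can reach it may query
    root-hints: "/var/unbound/root.hints"
"""

GOOD_CONF = """
server:
    interface: 192.168.1.1
    outgoing-interface: 203.0.113.5
    access-control: 192.168.1.0/24 allow
    access-control: 0.0.0.0/0 refuse
    auto-trust-anchor-file: "/var/unbound/root.key"
forward-zone:
    name: "."
    forward-addr: 8.8.8.8
    forward-addr: 8.8.4.4
"""


def parse_unbound(text):
    """Minimal parser for the clause/option layout of unbound.conf."""
    clauses, current = [], None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()    # drop comments
        if not line.strip():
            continue
        if not line[0].isspace() and line.endswith(":"):
            current = {"clause": line[:-1], "opts": defaultdict(list)}
            clauses.append(current)
            continue
        if current is None:
            raise ValueError(f"option outside a clause: {line.strip()}")
        key, _, value = line.strip().partition(":")
        current["opts"][key.strip()].append(value.strip().strip('"'))
    return clauses


def _is_lan(addr):
    try:
        return ipaddress.ip_address(addr) in LAN_NET
    except ValueError:
        return False


def audit(text):
    """Summarise mode, forwarders, DNSSEC anchor and the interface findings."""
    clauses = parse_unbound(text)
    server = next((c["opts"] for c in clauses if c["clause"] == "server"), {})
    root_fwd = [c["opts"] for c in clauses
                if c["clause"] == "forward-zone" and c["opts"].get("name") == ["."]]
    findings = []
    for iface in server.get("interface", []):
        if iface in ("0.0.0.0", "::", "::0", WAN_IP):
            findings.append(f"listens on WAN ({iface}): restrict 'interface:' to the LAN address")
    for iface in server.get("outgoing-interface", []):
        if _is_lan(iface):
            findings.append(f"outgoing-interface {iface} is on the LAN: queries to authoritative servers should leave via WAN")
    for acl in server.get("access-control", []):
        if acl.split() == ["0.0.0.0/0", "allow"]:
            findings.append("access-control allows the whole Internet: an open resolver if WAN is reachable")
    forwarders = [a for z in root_fwd for a in z.get("forward-addr", [])]
    return {
        "mode": "forward" if root_fwd else "resolver",
        "forwarders": forwarders,
        "dnssec": bool(server.get("auto-trust-anchor-file") or server.get("trust-anchor-file")),
        "findings": findings,
    }


if __name__ == "__main__":
    for label, conf in (("weak", WEAK_CONF), ("good", GOOD_CONF)):
        print(label, audit(conf))
```

On pfSense the generated file lives under /var/unbound; feed it to `audit()` and the "mode" field answers the forward-zone question directly: with a forward-zone for "." every query goes to the listed forward-addr entries and the root-hints file is never consulted.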



  • @phil.davis:

    Forwarding mode should forward all requests to the designated upstream DNS server/s.
    Thus there will be no reason for Unbound to ever consult the root servers, because it never does a recursive resolve when in forwarding mode.
    That is the theory. Of course there might be "bugs/features" in the code that result in some talking to root servers even when forwarding mode is on - you would have to audit the code and test to really know that :)

    Got it! I was just thinking that it's like the DNS server in Windows Server wherein there's a checkbox for "use root hints if no forwarders are available" under the forwarders tab.

    And by the way, can you guys help me out in another thread? I decided to separate it here: https://forum.pfsense.org/index.php?topic=88164.msg486107#msg486107

    Thanks.