2.2.4-RELEASE unbound resolver will not start with domain override.

mschiek01 · Oct 3, 2015, 3:03 PM

I am not sure if this has been documented or not. I have multiple systems both i386 and amd64 some were upgraded from previous releases some are new installs.

All of these systems exhibit the same problem with the resolver. If a domain override is specified in the gui unbound will not start with an error.

php-fpm[11436]: /services_unbound.php: The command '/usr/local/sbin/unbound -c /var/unbound/unbound.conf' returned exit code '1', the output was '/var/unbound/unbound.conf:99: error: syntax error read /var/unbound/unbound.conf failed: 1 errors in configuration file [1443883129] unbound[25652:0] fatal error: Could not read config file: /var/unbound/unbound.conf'

It took me a while to figure out the issue but it appears that the gui adds data to the file "/var/unbound/domainoverrides.conf"
the data is:
stub-zone:
name: "domain.example"
stub-addr: 0.0.0.0
stub-prime: no

This causes a syntax error and the service will not start.

The data should be:
server:
stub-zone:
name: "domain.example"
stub-addr: 0.0.0.0
stub-prime: no

As a workaround the data can be added to the advanced options instead and the service will start properly and the domain will be resolved properly.

I should note that I think this same problem occurs with the host override gui as well.

Hope this helps someone as I spent quite a lot of time trying to figure out what I was doing wrong.

johnpoz · Oct 3, 2015, 3:14 PM

huh??? Not sure what your doing, but I have lots of host over rides in the resolver gui, and have put in domain over rides as well without any issues.

I would think if this was an actual problem there would be LOADS of people bringing it up.. Your doing something wrong, or have issues with your installs.

mschiek01 · Oct 3, 2015, 3:26 PM

I see what you are saying, but multiple installs?

What are the contents of: /var/unbound/domainoverrides.conf

on your box.

Also you are using the resolver not the legacy forwarder correct?

johnpoz · Oct 4, 2015, 12:28 PM

Yes I am using the resolver!! Have been since it came out..

[2.2.4-RELEASE][root@pfSense.local.lan]/root: cat /var/unbound/domainoverrides.conf
stub-zone:
name: "domainover-ride.test"
stub-addr: 1.2.3.4
stub-prime: no
stub-zone:
name: "test000.over"
stub-addr: 0.0.0.0
stub-prime: no
[2.2.4-RELEASE][root@pfSense.local.lan]/root:

Not sure why anyone would put 0.0.0.0 for an over ride other than trying to block something.. but since you mentioned it I put it in to see as well and see it doesn't stop pfsense resolver from running

babbler · Dec 27, 2015, 6:54 PM

Hi!

A hint that might help:

If you have something in your advanced section and it's not quite right it can cause that behavior.
It works, until you start to use the domain overrides. This is because how the final config file built by pfsense.

For example if you have just one line, like:

outgoing-port-avoid: 0-32767

it works, but if you put anything to the domain overrides it will cause a syntax error, because the outgoing-port-avoid will fall into the wrong section.

To avoid that you must state the correct section for all of your advanced parameters:
server:
outgoing-port-avoid: 0-32767

then the domain override will work again.