Netgate Discussion Forum

    Frontend may generate incorrect unbound resolver configuration

    DHCP and DNS
    • rmaeder

      The contents of the "Advanced" input field from the DNS Resolver configuration page are inserted into the generated unbound.conf file after the domain overrides (here I just entered a comment line into the box to demonstrate the problem):

      # Domain overrides
      include: /var/unbound/domainoverrides.conf
      
      # Unbound custom options
      # content of "Advanced" ends up here.
      
      ###
      # Remote Control Config
      ###
      
      

      If the domain overrides are nonempty, they terminate the "Server:" section of the configuration and introduce stub-zone: sections.
      Now, it is too late to add additional global options and the resulting configuration file becomes syntactically wrong. As a result, unbound will not restart, and you are really hosed if the router is the one serving your local net.

      I think the "Advanced" section should go before the domain overrides (see also this topic https://forum.pfsense.org/index.php?topic=99177.msg552633#msg552633).

      Of course, there is unbound-checkconf, which the frontend could use to detect bad configs before trying to use them. It could then revert to the last known good configuration.

      • doktornotor (Banned)

        
        server:
        include: /var/unbound/domainoverrides.conf
        
        

        There. Your solution. (And no, cramming everything into the server: section ain't any improvement, there are custom config things that do not belong in server:, so that'd actually make the problem worse.)

        • rmaeder

          If the domain overrides contain any stub-zone: declarations, they end the preceding "Server:" section.
          However, it seems there can be several "Server:" sections, so putting an explicit "server:" at the top of the "Advanced" input field should work, whether or not you have domain overrides.

          • doktornotor (Banned)

            Yeah, there can be multiple server etc. sections, however you need the section terminated first, so… as said above, the custom config shouldn't get stuck in between assuming that the content does belong to server:

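The failure discussed in this thread can be reproduced without a running resolver. The following is an added example, not code from the posters or from pfSense: a small clause-tracking check that follows `include:` and reports options that end up inside a `stub-zone:` or `forward-zone:` clause. The names `lint` and `build`, the sample zone and the `private-domain` value are constructed for illustration, and the check is a heuristic that does not replace `unbound-checkconf`.

```python
import re

# Clause openers in unbound.conf (a subset that covers this case) and the
# attribute prefix each zone clause accepts besides "name".
CLAUSES = {"server", "stub-zone", "forward-zone", "remote-control", "auth-zone", "view"}
ZONE_PREFIX = {"stub-zone": "stub-", "forward-zone": "forward-"}

def lint(files, entry):
    """Follow include: from `entry` and report options that land in the wrong clause.

    files maps path -> text. Returns [(path, line_no, option, clause), ...].
    Simplification: '#' always starts a comment, even inside quotes.
    """
    findings, state = [], {"clause": None}

    def walk(path):
        for no, raw in enumerate(files[path].splitlines(), 1):
            m = re.match(r"([a-z0-9-]+):\s*(.*)$", raw.split("#", 1)[0].strip())
            if not m:
                continue
            key, value = m.group(1), m.group(2).strip().strip('"')
            if key == "include":
                walk(value)  # the included file can change the current clause
            elif key in CLAUSES and not value:
                state["clause"] = key
            else:
                prefix = ZONE_PREFIX.get(state["clause"])
                stray = prefix and key != "name" and not key.startswith(prefix)
                if state["clause"] is None or stray:
                    findings.append((path, no, key, state["clause"]))

    walk(entry)
    return findings

# Constructed sample mirroring the layout quoted in the first post.
OVERRIDES = "/var/unbound/domainoverrides.conf"
STUB = 'stub-zone:\nname: "corp.example"\nstub-addr: 192.0.2.53\n'

def build(overrides, advanced):
    main = ("server:\nverbosity: 1\n# Domain overrides\n"
            f"include: {OVERRIDES}\n\n# Unbound custom options\n{advanced}\n"
            "remote-control:\ncontrol-enable: yes\n")
    return {"unbound.conf": main, OVERRIDES: overrides}

if __name__ == "__main__":
    for label, ov, adv in [("no overrides", "", "private-domain: example.test"),
                           ("with overrides", STUB, "private-domain: example.test"),
                           ("explicit server:", STUB, "server:\nprivate-domain: example.test")]:
        print(label, lint(build(ov, adv), "unbound.conf"))
```

Only the middle case produces a finding: the same "Advanced" text is accepted while the overrides file is empty and is flagged once the include leaves the parser inside `stub-zone:`.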
            Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.