Frontend may generate incorrect unbound resolver configuration



  • The contents of the "Advanced" input field from the DNS Resolver configuration page are inserted into the generated unbound.conf file after the domain overrides (here I just entered a comment line into the box to demonstrate the problem):

    # Domain overrides
    include: /var/unbound/domainoverrides.conf
    
    # Unbound custom options
    # content of "Advanced" ends up here.
    
    ###
    # Remote Control Config
    ###
    
    

    If the domain overrides are nonempty, they terminate the "server:" section of the configuration and introduce stub-zone: sections.
    Now it is too late to add additional global options, and the resulting configuration file becomes syntactically wrong. As a result, unbound will not restart, and you are really hosed if the router is the one serving your local net.

    I think the "Advanced" section should go before the domain overrides (see also this topic https://forum.pfsense.org/index.php?topic=99177.msg552633#msg552633).

    Of course, there is unbound-checkconf, which the frontend could use to detect bad configs before trying to use them. It could then revert to the last known good configuration.


  • Banned

    
    server:
    include: /var/unbound/domainoverrides.conf
    
    

    There. Your solution. (And no, cramming everything into the server: section ain't any improvement, there are custom config things that do not belong into server:, so that'd actually make the problem worse.)



  • If the domain overrides contain any stub-zone: declarations, they end the preceding "server:" section.
    However, it seems there can be several "server:" sections, so putting an explicit "server:" at the top of the "Advanced" input field should work, whether or not you have domain overrides.


  • Banned

    Yeah, there can be multiple server etc. sections, however you need the section terminated first, so… as said above, the custom config shouldn't get stuck in between assuming that the content does belong to server:
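An added example, not taken from any post in this thread and not pfSense's own code: a small Python model of the assembly order described in the first post (server: block, then the domain-overrides include, then the "Advanced" text) next to the two fixes discussed, moving the custom options ahead of the include and prefixing the "Advanced" text with an explicit "server:". The check_sections function is a deliberately narrow stand-in for unbound-checkconf: it only tracks which section the parser is in and flags a global option that lands inside a stub-zone: block, which is the failure the thread describes. The DOMAIN_OVERRIDES and ADVANCED contents, the INCLUDES mapping and the helper names are constructed for the demonstration.

```python
"""Model of how pfSense assembles unbound.conf, and why the order matters.

This is an illustrative model, not pfSense's generator. On a real box run
`unbound-checkconf /var/unbound/unbound.conf` instead of check_sections().
"""
import re

# Constructed sample of /var/unbound/domainoverrides.conf with one override.
DOMAIN_OVERRIDES = """stub-zone:
    name: "corp.example"
    stub-addr: 192.0.2.53
"""

# Constructed sample of what a user might type into the "Advanced" box:
# global options that are only valid inside a server: section.
ADVANCED = """do-ip6: no
private-domain: "corp.example"
"""

# Hypothetical include map so the example runs offline.
INCLUDES = {"/var/unbound/domainoverrides.conf": DOMAIN_OVERRIDES}

# Section headers unbound knows (subset) and the options a stub-zone: accepts (subset).
SECTION_HEADERS = {"server", "stub-zone", "forward-zone", "auth-zone", "view", "remote-control"}
STUB_ZONE_OPTIONS = {"name", "stub-addr", "stub-host", "stub-prime", "stub-first"}

HEADER_RE = re.compile(r"^\s*([a-z-]+):\s*$")          # bare "name:" line
OPTION_RE = re.compile(r"^\s*([a-z0-9-]+):\s*(\S.*)$")  # "key: value" line


def generate_conf(advanced, overrides_path="/var/unbound/domainoverrides.conf",
                  advanced_first=False):
    """Assemble the file in the order the thread describes (default), or with
    the custom options placed before the domain overrides (advanced_first)."""
    server = "server:\n    verbosity: 1\n    interface: 0.0.0.0\n"
    overrides = "# Domain overrides\ninclude: %s\n" % overrides_path
    custom = "# Unbound custom options\n" + advanced
    parts = [server, custom, overrides] if advanced_first else [server, overrides, custom]
    tail = "###\n# Remote Control Config\n###\nremote-control:\n    control-enable: no\n"
    return "\n".join(parts) + "\n" + tail


def expand_includes(conf, includes):
    """Inline include: directives from the constructed include map."""
    out = []
    for line in conf.splitlines():
        m = OPTION_RE.match(line)
        if m and m.group(1) == "include":
            out.append(includes[m.group(2)].rstrip("\n"))
        else:
            out.append(line)
    return "\n".join(out) + "\n"


def check_sections(conf):
    """Return the problems unbound's parser would reject: options outside any
    section, and non-stub options that ended up inside a stub-zone: block."""
    errors, section = [], None
    for n, raw in enumerate(conf.splitlines(), 1):
        line = raw.split("#", 1)[0].rstrip()   # drop comments
        if not line.strip():
            continue
        m = HEADER_RE.match(line)
        if m and m.group(1) in SECTION_HEADERS:
            section = m.group(1)               # a header starts a new section
            continue
        m = OPTION_RE.match(line)
        if not m:
            errors.append("line %d: cannot parse %r" % (n, raw))
            continue
        key = m.group(1)
        if section is None:
            errors.append("line %d: option %s appears before any section header" % (n, key))
        elif section == "stub-zone" and key not in STUB_ZONE_OPTIONS:
            errors.append("line %d: option %s is not valid inside stub-zone:" % (n, key))
    return errors


if __name__ == "__main__":
    for label, conf in [
        ("thread order", generate_conf(ADVANCED)),
        ("custom options first", generate_conf(ADVANCED, advanced_first=True)),
        ("explicit server: in Advanced", generate_conf("server:\n" + ADVANCED)),
    ]:
        print(label, check_sections(expand_includes(conf, INCLUDES)) or "OK")
```

With the thread's order the two global options are reported as invalid inside stub-zone:, which is why unbound refuses to start; either reordering the generator or starting the "Advanced" text with "server:" makes the same content parse cleanly. The real safety net remains unbound-checkconf on the candidate file before it replaces the running configuration.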

