Unbound DNS Resolver problem?
-
php-fpm[35774]: /services_unbound_advanced.php: The command '/usr/local/sbin/dhcpd -user dhcpd -group _dhcp -chroot /var/dhcpd -cf /etc/dhcpd.conf -pf /var/run/dhcpd.pid em1' returned exit code '1', the output was 'Internet Systems Consortium DHCP Server 4.3.3-P1 Copyright 2004-2016 Internet Systems Consortium. All rights reserved. For info, please visit https://www.isc.org/software/dhcp/ Config file: /etc/dhcpd.conf Database file: /var/db/dhcpd.leases PID file: /var/run/dhcpd.pid Wrote 0 deleted host decls to leases file. Wrote 0 new dynamic host decls to leases file. Wrote 112 leases to leases file. Listening on BPF/em1/xx:xx:xx:xx:xx:xx/10.0.1.0/24 Sending on BPF/em1/xx:xx:xx:xx:xx:xx/10.0.1.0/24 Can't bind to dhcp address: Address already in use Please make sure there is no other dhcp server running and that there's no entry for dhcp or bootp in /etc/inetd.conf. Also make sure you are not running HP JetAdmin software, which includes a bootp server. If you think you have received t
Updated today - DNS does not seem be working though I cannot tell why. I am certainly not running HP Jet Admin.
-
That's just something trying to start dhcpd while it's already running. Likely just log spam, and definitely wouldn't have any impact on DNS.
-
@cmb:
That's just something trying to start dhcpd while it's already running. Likely just log spam, and definitely wouldn't have any impact on DNS.
And had it been nothing but that log entry I'd agree with you but whenever I try to go to websites I see that my system is falling back to my secondary DNS server:
imac:~ justinsmith$ nslookup www.apple.com
;; Got SERVFAIL reply from 10.0.1.1, trying next server
Server: 10.0.1.2
Address: 10.0.1.2#53
Non-authoritative answer:
www.apple.com canonical name = www.apple.com.edgekey.net.
www.apple.com.edgekey.net canonical name = www.apple.com.edgekey.net.globalredir.akadns.net.
www.apple.com.edgekey.net.globalredir.akadns.net canonical name = e6858.dscc.akamaiedge.net.
Name: e6858.dscc.akamaiedge.net
Address: 104.70.75.117
-
Just saying that log in particular has no relation to any DNS issues.
Unbound service running? Looks like it should be, assuming the 10.0.1.1 IP is Unbound? Do you have forwarding mode enabled? DNSSEC enabled?
-
I have a DNS resolver issue such that it won't start at boot:
Apr 6 13:03:22 unbound 35699:0 error: Error for server-cert-file: /var/unbound/unbound_server.pem
Apr 6 13:03:22 unbound 35699:0 error: Error in SSL_CTX use_certificate_chain_file crypto error:02001002:system library:fopen:No such file or directory
Apr 6 13:03:22 unbound 35699:0 error: and additionally crypto error:20074002:BIO routines:FILE_CTRL:system lib
Apr 6 13:03:22 unbound 35699:0 error: and additionally crypto error:140DC002:SSL routines:SSL_CTX_use_certificate_chain_file:system lib
Apr 6 13:03:22 unbound 35699:0 fatal error: could not set up remote-control
Apr 6 13:03:24 unbound 48279:0 error: Error for server-cert-file: /var/unbound/unbound_server.pem
Apr 6 13:03:24 unbound 48279:0 error: Error in SSL_CTX use_certificate_chain_file crypto error:02001002:system library:fopen:No such file or directory
Apr 6 13:03:24 unbound 48279:0 error: and additionally crypto error:20074002:BIO routines:FILE_CTRL:system lib
Apr 6 13:03:24 unbound 48279:0 error: and additionally crypto error:140DC002:SSL routines:SSL_CTX_use_certificate_chain_file:system lib
Apr 6 13:03:24 unbound 48279:0 fatal error: could not set up remote-control
-
@cmb:
Just saying that log in particular has no relation to any DNS issues.
Unbound service running? Looks like it should be, assuming the 10.0.1.1 IP is Unbound? Do you have forwarding mode enabled? DNSSEC enabled?
I see what you're saying about that log post - and I knew that it seemed odd that it was mentioning dhcpd, but I figured maybe the message was truncated or I was misunderstanding something. Regardless, it is the only message in the log from Unbound.
The service is running, DNSSEC is enabled. Now I have forwarding mode enabled and it is working; however, if I disable forwarding mode it fails again.
-Justin
-
@cmb:
Just saying that log in particular has no relation to any DNS issues.
Unbound service running? Looks like it should be, assuming the 10.0.1.1 IP is Unbound? Do you have forwarding mode enabled? DNSSEC enabled?
As usual (and of course unexpectedly) you were absolutely correct that the log had absolutely zero to do with the problem. The solution was (and I should have thought of checking this sooner) that Suricata was blocking the root DNS servers due to "Invalid UDP Checksum" errors. I simply un-blocked the servers (suppressed the alert for those IPs) and now Unbound works perfectly. Not sure why Suricata decided to start blocking them now and had never done so in the past, but alas the problem is fixed. Thanks for your help!
-Justin
-
If running suricata in inline mode, you have to disable hardware offloading.
See https://forum.pfsense.org/index.php?topic=108068.msg601891
Laurent
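The checksum offloading Laurent refers to is what produces the "Invalid UDP Checksum" alerts that blocked the root servers earlier in the thread: with offloading on, the NIC fills in checksums after Suricata has already seen the packet. An added example (not from the thread or from pfSense) that reports which offload features FreeBSD's ifconfig shows as enabled on an interface; the sample ifconfig text is constructed, and the flag names are the ones FreeBSD prints in its options=<...> line.

```shell
#!/bin/sh
# Added example: list enabled hardware-offload flags for an interface, so
# they can be turned off before running Suricata inline.

OFFLOAD_FLAGS="RXCSUM TXCSUM RXCSUM_IPV6 TXCSUM_IPV6 TSO4 TSO6 LRO VLAN_HWCSUM VLAN_HWTSO"

# enabled_offloads  (reads `ifconfig <if>` output on stdin)
#   prints each enabled offload flag, one per line;
#   returns 1 if any were found, 0 if the interface has none enabled
enabled_offloads() {
    found=0
    # pull the comma-separated contents of every options=<...> line
    flags=$(sed -n 's/.*options=[0-9a-fA-F]*<\([^>]*\)>.*/\1/p' | tr ',' '\n')
    for f in $OFFLOAD_FLAGS; do
        if printf '%s\n' "$flags" | grep -qx "$f"; then
            echo "$f"
            found=1
        fi
    done
    return $found
}

# Constructed sample (assumption) of what `ifconfig em1` prints on a box
# that still has checksum and segmentation offloading enabled.
SAMPLE_EM1='em1: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
        options=4219b<RXCSUM,TXCSUM,VLAN_MTU,VLAN_HWTAGGING,VLAN_HWCSUM,TSO4,WOL_MAGIC,VLAN_HWTSO>'

# Live usage would be:  ifconfig em1 | enabled_offloads
demo() {
    printf '%s\n' "$SAMPLE_EM1" | enabled_offloads
}
```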
-
If running suricata in inline mode, you have to disable hardware offloading.
See https://forum.pfsense.org/index.php?topic=108068.msg601891
Laurent
Yeah, I just got hit by the bug probably a minute after you replied to my initial post - disabled now! Hope this is just temporary.
-Justin