Project

General

Profile

Actions

Bug #11051

closed

Unbound: custom TLS listen port ignored

Added by Brad Edmondson almost 4 years ago. Updated almost 4 years ago.

Status:
Resolved
Priority:
Low
Assignee:
Viktor Gurov
Category:
DNS Resolver
Target version:
Start date:
11/10/2020
Due date:
% Done:

0%

Estimated time:
Plus Target Version:
Release Notes:
Affected Version:
2.4.5-p1
Affected Architecture:

Description

Using latest stable pfSense: 2.4.5-RELEASE-p1 (amd64)

Attempting to configure two-tier DNS cache, using either BIND or DNS Forwarder (dnsmasq) for first-level cache and for local DHCP names (due to #5413), and using DNS Resolver (unbound) at the second level to take advantage of DNSBL. I set BIND/dnsmasq to port 53 and 853 for TLS (BIND only), and intend to run DNS Forwarder (Unbound) on loopback address ports 5053 and 5853, respectively. Although I can set both of these in the Unbound GUI (services_unbound.php), the second setting, for TLS port, is not applied to the config file, so when the Unbound service restarts it listens on 5053 for unencrypted and 853 for encrypted. I've tried a few different port numbers for both, and the unencrypted port configuration is always applied while the encrypted port is never applied (always stays 853).

I think this is a problem with the GUI/pfSense, because when I ssh in and review the unbound config file at /var/unbound/unbound.conf, I can see the port: setting get updated while the tls-port: setting remains 853. I even manually set tls-port: 5853 in unbound.conf and it was changed back to 853 the next time I saved changes in the GUI.

Actions #1

Updated by Brad Edmondson almost 4 years ago

More context: running on bare metal Celeron 3160 with 8gb RAM. Landing page reports:

2.4.5-RELEASE-p1 (amd64)
built on Tue Jun 02 17:51:17 EDT 2020
FreeBSD 11.3-STABLE

Actions #3

Updated by Jim Pingle almost 4 years ago

  • Status changed from New to Pull Request Review
  • Target version set to 2.5.0
Actions #4

Updated by Renato Botelho almost 4 years ago

  • Status changed from Pull Request Review to Feedback
  • Assignee set to Viktor Gurov

PR has been merged. Thanks!

Actions #5

Updated by Danilo Zrenjanin almost 4 years ago

  • Status changed from Feedback to Resolved

Tested on:

2.5.0-DEVELOPMENT (amd64)
built on Fri Nov 13 19:02:04 EST 2020
FreeBSD 12.2-STABLE

The GUI applies the changes successefully to the unbound.conf file.

# TLS Configuration
tls-cert-bundle: "/etc/ssl/cert.pem" 
tls-port: 8853

Ticket resolved.

Actions

Also available in: Atom PDF