Project

General

Profile

Actions
Copy link

Bug #11547

closed

DNS Resolver does not bind to an interface when it recovers from a down state

Added by Frank Gouton about 3 years ago. Updated about 3 years ago.

Status:
Closed
Priority:
Low
Assignee:
Viktor Gurov
Category:
DNS Resolver
Target version:
2.5.1
Start date:
02/26/2021
Due date:
% Done:

100%

Estimated time:
Plus Target Version:
Release Notes:
Default
Affected Version:
2.5.0
Affected Architecture:

Description

Unbound doesn't open a listening socket for an interface that has no active device. If you connect a device later it can't resolve domains.

Steps to reproduce:

Connect a PC directly with a LAN port of the pfsense
Boot the PC up.
Stop DNS Resolver (no reload)
Unplug THE lan cabl
Start the resolver
Wait for start,
Wait some seconds more
Connect PC.

Result: The PC can't resolve DNS
That is a serious problem for me because this happens every morning and I have to reload unbound manually.

This problem was discussed here: https://forum.netgate.com/topic/161400/unbound-stops-listening-on-interface/3

Actions
Copy link
 #1

Updated by Frank Gouton about 3 years ago

I'm made a mistake selecting the version. It's the latest stable version 2.5. Can you fix that please?

Actions
Copy link
 #2

Updated by Jim Pingle about 3 years ago

  • Subject changed from Unbound not working after restart to Unbound does not bind to down/nocarrier interface when it recovers
  • Status changed from New to Not a Bug
  • Priority changed from High to Low
  • Target version set to CE-Next
  • Affected Version changed from 2.4.5 to 2.5.0

This is very similar to #11087 -- Seems like you have specific interfaces selected for the resolver to use, and unbound doesn't restart when the interface status changes back to 'up' after being down to pick up the recovered interface.

You can switch the interface selection to 'All' to work around the problem.

Actions
Copy link
 #3

Updated by Jim Pingle about 3 years ago

  • Status changed from Not a Bug to New
Actions
Copy link
 #4

Updated by Frank Gouton about 3 years ago

The option "All" includes the WAN interface too. Wouldn't it be a security risk to open the unbound port on the wan interface?

Actions
Copy link
 #5

Updated by Jim Pingle about 3 years ago

It's not a significant concern or it wouldn't be the default behavior. Both the firewall rules AND unbound ACLs prevent any queries from being accepted on WAN.

Unless you have overly lenient WAN rules and have manually added loose unbound ACLs (like for 0.0.0.0/0) then there is little risk in binding to all.

Actions
Copy link
 #6

Updated by Frank Gouton about 3 years ago

Ok thanks. Looks like setting it to "All" works for now. This behavior is new with the latest pfsense update. Never had the problem with the previous version. (Pfsense on custom hardware)

Actions
Copy link
 #7

Updated by Viktor Gurov about 3 years ago

Actions
Copy link
 #8

Updated by Jim Pingle about 3 years ago

  • Status changed from New to Pull Request Review
Actions
Copy link
 #9

Updated by Renato Botelho about 3 years ago

  • Status changed from Pull Request Review to Feedback
  • Assignee set to Viktor Gurov

PR has been merged. Thanks!

Actions
Copy link
 #10

Updated by Viktor Gurov about 3 years ago

  • % Done changed from 0 to 100
Actions
Copy link
 #11

Updated by Stéphane BARBARAY about 3 years ago

I encounter a similar problem with bind which stop responding each time an openvpn disconnection/connection is made... could the patch resolve that problem too? I'm tempted to apply it...

hereunder what happen in log when named stop responding...
filterdns9294: merge_config: configuration reload
[...]
named53473: network: error: creating IPv4 interface ovpnc2 failed; interface ignored
filterdns9294: merge_config: configuration reload
[...]

Actions
Copy link
 #12

Updated by Viktor Gurov about 3 years ago

Stéphane BARBARAY wrote:

I encounter a similar problem with bind which stop responding each time an openvpn disconnection/connection is made... could the patch resolve that problem too? I'm tempted to apply it...

hereunder what happen in log when named stop responding...
filterdns9294: merge_config: configuration reload
[...]
named53473: network: error: creating IPv4 interface ovpnc2 failed; interface ignored
filterdns9294: merge_config: configuration reload
[...]

Please create a new redmine issue

Actions
Copy link
 #13

Updated by Jim Pingle about 3 years ago

  • Status changed from Feedback to Waiting on Merge
  • Target version changed from CE-Next to 2.5.1
Actions
Copy link
 #14

Updated by Renato Botelho about 3 years ago

  • Status changed from Waiting on Merge to Feedback

Cherry-picked to RELENG_2_5_1

Actions
Copy link
 #15

Updated by Jim Pingle about 3 years ago

  • Subject changed from Unbound does not bind to down/nocarrier interface when it recovers to DNS Resolver does not bind to an interface when it recovers from a down state

Updating subject for release notes.

Actions
Copy link
 #16

Updated by Jim Pingle about 3 years ago

  • Status changed from Feedback to Closed
Actions
Copy link

Also available in: Atom PDF