Bug #11547
closed
DNS Resolver does not bind to an interface when it recovers from a down state
Added by Frank Gouton over 3 years ago.
Updated over 3 years ago.
Description
Unbound doesn't open a listening socket for an interface that has no active device. If you connect a device later it can't resolve domains.
Steps to reproduce:
Connect a PC directly to a LAN port of the pfSense
Boot the PC up.
Stop DNS Resolver (no reload)
Unplug THE LAN cable
Start the resolver
Wait for start.
Wait some seconds more
Connect PC.
Result: The PC can't resolve DNS
That is a serious problem for me because this happens every morning and I have to reload unbound manually.
This problem was discussed here: https://forum.netgate.com/topic/161400/unbound-stops-listening-on-interface/3
I made a mistake selecting the version. It's the latest stable version 2.5. Can you fix that please?
- Subject changed from Unbound not working after restart to Unbound does not bind to down/nocarrier interface when it recovers
- Status changed from New to Not a Bug
- Priority changed from High to Low
- Target version set to CE-Next
- Affected Version changed from 2.4.5 to 2.5.0
This is very similar to #11087 -- Seems like you have specific interfaces selected for the resolver to use, and unbound doesn't restart when the interface status changes back to 'up' after being down to pick up the recovered interface.
You can switch the interface selection to 'All' to work around the problem.
- Status changed from Not a Bug to New
The option "All" includes the WAN interface too. Wouldn't it be a security risk to open the unbound port on the wan interface?
It's not a significant concern or it wouldn't be the default behavior. Both the firewall rules AND unbound ACLs prevent any queries from being accepted on WAN.
Unless you have overly lenient WAN rules and have manually added loose unbound ACLs (like for 0.0.0.0/0) then there is little risk in binding to all.
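An added example, not code from the issue or from pfSense: a small audit of an unbound.conf fragment for the combination described above, a wildcard bind (the "All" interface selection) together with an access-control rule that allows queries from a non-local network. The configuration text is constructed, and the list of "local" ranges is an assumption.

```python
"""Flag an unbound.conf that listens on all interfaces while an
access-control rule allows queries from outside local address space."""
import ipaddress
import re

# Constructed sample: wildcard bind plus one deliberately loose ACL.
SAMPLE_CONF = """\
server:
    interface: 0.0.0.0
    interface: ::0
    access-control: 127.0.0.0/8 allow
    access-control: 192.168.1.0/24 allow
    access-control: 0.0.0.0/0 allow
    access-control: ::/0 refuse
"""

ACL_RE = re.compile(r"^\s*access-control:\s*(\S+)\s+(\S+)", re.M)
IFACE_RE = re.compile(r"^\s*interface:\s*(\S+)", re.M)

# Assumed set of ranges that count as local; adjust to the deployment.
LOCAL_NETS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8",
    "169.254.0.0/16", "fc00::/7", "fe80::/10", "::1/128")]

def listens_on_all(conf):
    """True if any interface line binds a wildcard address."""
    return any(a in ("0.0.0.0", "::0", "::") for a in IFACE_RE.findall(conf))

def is_local(net):
    """True if net lies entirely inside one of the assumed local ranges."""
    return any(net.version == p.version and net.subnet_of(p) for p in LOCAL_NETS)

def loose_acls(conf):
    """(network, action) pairs whose action permits queries from non-local space."""
    loose = []
    for net, action in ACL_RE.findall(conf):
        if action not in ("allow", "allow_snoop", "allow_setrd"):
            continue  # deny/refuse/drop rules are not an exposure
        if not is_local(ipaddress.ip_network(net, strict=False)):
            loose.append((net, action))
    return loose

def audit(conf):
    """Findings only when both conditions hold: wildcard bind and a loose allow."""
    if not listens_on_all(conf):
        return []
    return [f"wildcard bind with '{a}' ACL for {n}" for n, a in loose_acls(conf)]

if __name__ == "__main__":
    for finding in audit(SAMPLE_CONF):
        print("FINDING:", finding)
```

The firewall rules on WAN are the other half of the protection mentioned above; this check covers only the unbound side.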
Ok thanks. Looks like setting it to "All" works for now. This behavior is new with the latest pfsense update. Never had the problem with the previous version. (Pfsense on custom hardware)
- Status changed from New to Pull Request Review
- Status changed from Pull Request Review to Feedback
- Assignee set to Viktor Gurov
PR has been merged. Thanks!
- % Done changed from 0 to 100
I encounter a similar problem with bind, which stops responding each time an openvpn disconnection/connection is made... could the patch resolve that problem too? I'm tempted to apply it...
Hereunder is what happens in the log when named stops responding...
filterdns9294: merge_config: configuration reload
[...]
named53473: network: error: creating IPv4 interface ovpnc2 failed; interface ignored
filterdns9294: merge_config: configuration reload
[...]
Stéphane BARBARAY wrote:
I encounter a similar problem with bind, which stops responding each time an openvpn disconnection/connection is made... could the patch resolve that problem too? I'm tempted to apply it...
Hereunder is what happens in the log when named stops responding...
filterdns9294: merge_config: configuration reload
[...]
named53473: network: error: creating IPv4 interface ovpnc2 failed; interface ignored
filterdns9294: merge_config: configuration reload
[...]
Please create a new Redmine issue.
- Status changed from Feedback to Waiting on Merge
- Target version changed from CE-Next to 2.5.1
- Status changed from Waiting on Merge to Feedback
Cherry-picked to RELENG_2_5_1
- Subject changed from Unbound does not bind to down/nocarrier interface when it recovers to DNS Resolver does not bind to an interface when it recovers from a down state
Updating subject for release notes.
- Status changed from Feedback to Closed