Bug #16906

closed

Unbound configuration may be generated with duplicate interface bindings

Added by Marc Goldburg 4 days ago. Updated 2 days ago.

Status: Resolved
Priority: Normal
Assignee:
Category: DNS Resolver
Target version:
Start date:
Due date:
% Done: 100%
Estimated time:
Plus Target Version: 26.07
Release Notes: Default
Affected Version:
Affected Architecture: All

Description

unbound.conf can contain duplicate interface entries in a specific VIP/RA/Multi-WAN scenario. The duplicate interface entries prevent unbound from starting. Problem occurs with 26.03.1 but not 24.11.

pfSense is configured as follows.

  • Two WAN interfaces. First (igc0) is v4+v6. Second (igc1.95) is v4 only.
  • The v4 part of the first interface and the second interface are configured as an IPv4 failover gateway group (igc0 is tier 1, igc1.95 is tier 2).
  • Three internal interfaces -- igc1.{15,20,40} -- are configured for Track Interface to get respective GUA prefixes from the ISP on the first WAN interface.
  • Each of those internal interfaces has a corresponding ULA VIP of the form fd04:f95f:5a7f:{15,20,40}::1/64.
  • The RA for each of those interfaces advertises the v6 prefix from the ISP and the respective ULA VIP prefix as an "RA Subnet."

If the configured VIP (Firewall>VIP) and the configured RA (Services>Router Advertisements>[interface]>RA Subnet(s)) for an interface are literally identical, in the failover scenario unbound.conf will contain repeated entries for that interface and fail to start. In a non-failover situation, literally identical addresses do not result in a corrupt unbound.conf. For example, fd04:f95f:5a7f:20::1 and fd04:f95f:5a7f:0020::1 are not literally identical even though they refer to the same address. One contains :20: while the other contains :0020:.

Four example snippets from unbound.conf are below; "(A,B)" denotes a VIP address of A and an advertised prefix of B.

Non-Identical Addresses (works in failover and non-failover situations)
(fd04:f95f:5a7f:20::1, fd04:f95f:5a7f:0020::1) non-failover, no repeated addresses

# Interface IP addresses to bind to
interface: 192.168.15.1
interface: 2600:1700:xxxx:xxxx:e63a:6eff:fe61:c5ee
interface: 192.168.20.1
interface: 2600:1700:xxxx:xxxx:e63a:6eff:fe61:c5ee
interface: 192.168.40.1
interface: 2600:1700:xxxx:xxxx:e63a:6eff:fe61:c5ee
interface: 192.168.10.2
interface: 192.168.99.1
interface: 192.168.50.1
interface: 192.168.51.1
interface: fe80::e63a:6eff:fe61:c5ee%igc1.15
interface: fe80::e63a:6eff:fe61:c5ee%igc1.20
interface: fe80::e63a:6eff:fe61:c5ee%igc1.40
interface: fe80::e63a:6eff:fe61:c5ee%igc1.95
interface: fe80::e63a:6eff:fe61:c5ee%igc1
interface: fe80::e63a:6eff:fe61:c5ef%igc2
interface: fe80::e63a:6eff:fe61:c5f0%igc3
interface: fd04:f95f:5a7f:15::1
interface: fd04:f95f:5a7f:40::1
interface: fd04:f95f:5a7f:20::1
interface: 127.0.0.1
interface: ::1

(fd04:f95f:5a7f:20::1, fd04:f95f:5a7f:0020::1) failover, no repeated addresses

# Interface IP addresses to bind to
interface: 192.168.15.1
interface: 192.168.20.1
interface: 192.168.40.1
interface: 192.168.10.2
interface: 192.168.99.1
interface: 192.168.50.1
interface: 192.168.51.1
interface: fe80::e63a:6eff:fe61:c5ee%igc1.15
interface: fe80::e63a:6eff:fe61:c5ee%igc1.20
interface: fe80::e63a:6eff:fe61:c5ee%igc1.40
interface: fe80::e63a:6eff:fe61:c5ee%igc1.95
interface: fe80::e63a:6eff:fe61:c5ee%igc1
interface: fe80::e63a:6eff:fe61:c5ef%igc2
interface: fe80::e63a:6eff:fe61:c5f0%igc3
interface: fd04:f95f:5a7f:15::1
interface: fd04:f95f:5a7f:40::1
interface: fd04:f95f:5a7f:20::1
interface: 127.0.0.1
interface: ::1

Identical Addresses (non-failover works, but failover does not)

(fd04:f95f:5a7f:0020::1, fd04:f95f:5a7f:0020::1) non-failover, no repeated addresses

# Interface IP addresses to bind to
interface: 192.168.15.1
interface: 2600:1700:xxxx:xxxx:e63a:6eff:fe61:c5ee
interface: 192.168.20.1
interface: 2600:1700:xxxx:xxxx:e63a:6eff:fe61:c5ee
interface: 192.168.40.1
interface: 2600:1700:xxxx:xxxx:e63a:6eff:fe61:c5ee
interface: 192.168.10.2
interface: 192.168.99.1
interface: 192.168.50.1
interface: 192.168.51.1
interface: fe80::e63a:6eff:fe61:c5ee%igc1.15
interface: fe80::e63a:6eff:fe61:c5ee%igc1.20
interface: fe80::e63a:6eff:fe61:c5ee%igc1.40
interface: fe80::e63a:6eff:fe61:c5ee%igc1.95
interface: fe80::e63a:6eff:fe61:c5ee%igc1
interface: fe80::e63a:6eff:fe61:c5ef%igc2
interface: fe80::e63a:6eff:fe61:c5f0%igc3
interface: fd04:f95f:5a7f:15::1
interface: fd04:f95f:5a7f:40::1
interface: fd04:f95f:5a7f:20::1
interface: 127.0.0.1
interface: ::1

(fd04:f95f:5a7f:0020::1, fd04:f95f:5a7f:0020::1) failover, repeated addresses

# Interface IP addresses to bind to
interface: 192.168.15.1
interface: 192.168.20.1
interface: fd04:f95f:5a7f:20::1
interface: 192.168.40.1
interface: 192.168.10.2
interface: 192.168.99.1
interface: 192.168.50.1
interface: 192.168.51.1
interface: fe80::e63a:6eff:fe61:c5ee%igc1.15
interface: fe80::e63a:6eff:fe61:c5ee%igc1.20
interface: fe80::e63a:6eff:fe61:c5ee%igc1.40
interface: fe80::e63a:6eff:fe61:c5ee%igc1.95
interface: fe80::e63a:6eff:fe61:c5ee%igc1
interface: fe80::e63a:6eff:fe61:c5ef%igc2
interface: fe80::e63a:6eff:fe61:c5f0%igc3
interface: fd04:f95f:5a7f:15::1
interface: fd04:f95f:5a7f:40::1
interface: fd04:f95f:5a7f:0020::1
interface: 127.0.0.1
interface: ::1

In this situation, unbound fails to start because of the repeated fd04:f95f:5a7f:20::1.

[26.03.1-RELEASE][admin@pfSense.home.arpa]/root: /usr/local/sbin/unbound -d -vvv -c /var/unbound/unbound.conf
[1781721749] unbound[19248:0] notice: Start of unbound 1.25.1.
[1781721749] unbound[19248:0] debug: setting ip-ratelimit-slabs: 4
[1781721749] unbound[19248:0] debug: setting ratelimit-slabs: 4
[1781721749] unbound[19248:0] debug: setting dnscrypt-shared-secret-cache-slabs: 4
[1781721749] unbound[19248:0] debug: setting dnscrypt-nonce-cache-slabs: 4
[1781721749] unbound[19248:0] debug: creating udp4 socket 192.168.15.1 53
[1781721749] unbound[19248:0] debug: creating tcp4 socket 192.168.15.1 53
[1781721749] unbound[19248:0] debug: creating udp4 socket 192.168.20.1 53
[1781721749] unbound[19248:0] debug: creating tcp4 socket 192.168.20.1 53
[1781721749] unbound[19248:0] debug: creating udp6 socket fd04:f95f:5a7f:20::1 53
[1781721749] unbound[19248:0] debug: creating tcp6 socket fd04:f95f:5a7f:20::1 53
[1781721749] unbound[19248:0] debug: creating udp4 socket 192.168.40.1 53
[1781721749] unbound[19248:0] debug: creating tcp4 socket 192.168.40.1 53
[1781721749] unbound[19248:0] debug: creating udp4 socket 192.168.10.2 53
[1781721749] unbound[19248:0] debug: creating tcp4 socket 192.168.10.2 53
[1781721749] unbound[19248:0] debug: creating udp4 socket 192.168.99.1 53
[1781721749] unbound[19248:0] debug: creating tcp4 socket 192.168.99.1 53
[1781721749] unbound[19248:0] debug: creating udp4 socket 192.168.50.1 53
[1781721749] unbound[19248:0] debug: creating tcp4 socket 192.168.50.1 53
[1781721749] unbound[19248:0] debug: creating udp4 socket 192.168.51.1 53
[1781721749] unbound[19248:0] debug: creating tcp4 socket 192.168.51.1 53
[1781721749] unbound[19248:0] debug: creating udp6 socket fe80::e63a:6eff:fe61:c5ee 53
[1781721749] unbound[19248:0] debug: creating tcp6 socket fe80::e63a:6eff:fe61:c5ee 53
[1781721749] unbound[19248:0] debug: creating udp6 socket fe80::e63a:6eff:fe61:c5ee 53
[1781721749] unbound[19248:0] debug: creating tcp6 socket fe80::e63a:6eff:fe61:c5ee 53
[1781721749] unbound[19248:0] debug: creating udp6 socket fe80::e63a:6eff:fe61:c5ee 53
[1781721749] unbound[19248:0] debug: creating tcp6 socket fe80::e63a:6eff:fe61:c5ee 53
[1781721749] unbound[19248:0] debug: creating udp6 socket fe80::e63a:6eff:fe61:c5ee 53
[1781721749] unbound[19248:0] debug: creating tcp6 socket fe80::e63a:6eff:fe61:c5ee 53
[1781721749] unbound[19248:0] debug: creating udp6 socket fe80::e63a:6eff:fe61:c5ee 53
[1781721749] unbound[19248:0] debug: creating tcp6 socket fe80::e63a:6eff:fe61:c5ee 53
[1781721749] unbound[19248:0] debug: creating udp6 socket fe80::e63a:6eff:fe61:c5ef 53
[1781721749] unbound[19248:0] debug: creating tcp6 socket fe80::e63a:6eff:fe61:c5ef 53
[1781721749] unbound[19248:0] debug: creating udp6 socket fe80::e63a:6eff:fe61:c5f0 53
[1781721749] unbound[19248:0] debug: creating tcp6 socket fe80::e63a:6eff:fe61:c5f0 53
[1781721749] unbound[19248:0] debug: creating udp6 socket fd04:f95f:5a7f:15::1 53
[1781721749] unbound[19248:0] debug: creating tcp6 socket fd04:f95f:5a7f:15::1 53
[1781721749] unbound[19248:0] debug: creating udp6 socket fd04:f95f:5a7f:40::1 53
[1781721749] unbound[19248:0] debug: creating tcp6 socket fd04:f95f:5a7f:40::1 53
[1781721749] unbound[19248:0] debug: creating udp6 socket fd04:f95f:5a7f:20::1 53
[1781721749] unbound[19248:0] error: bind: address already in use
[1781721749] unbound[19248:0] fatal error: could not open ports


Files

clipboard-202606180928-e7mza.png (67 KB) Marc Goldburg, 06/18/2026 04:28 PM
clipboard-202606180933-rfc0w.png (122 KB) Marc Goldburg, 06/18/2026 04:33 PM
clipboard-202606180957-tplnd.png (22.2 KB) Marc Goldburg, 06/18/2026 04:57 PM
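The failing configuration above lists the same address in two textual forms (:20: and :0020:), so a plain string comparison does not catch the repeat. The following is an added example, not pfSense or Unbound code and not part of the original report: it canonicalizes each interface: value before comparing, treating link-local addresses with different %zone suffixes as distinct. The function names and the trimmed sample configuration are constructed for illustration.

```python
import ipaddress
from collections import defaultdict

# Constructed sample: binding list trimmed from the failing failover case in the report.
SAMPLE_CONF = """\
server:
# Interface IP addresses to bind to
interface: 192.168.20.1
interface: fd04:f95f:5a7f:20::1
interface: fe80::e63a:6eff:fe61:c5ee%igc1.15
interface: fe80::e63a:6eff:fe61:c5ee%igc1.20
interface: fd04:f95f:5a7f:0020::1
interface: 127.0.0.1
interface: ::1
"""

def canonical_binding(value, default_port=53):
    """Return (address, zone, port) with the IP address in canonical form."""
    host, _, port = value.partition("@")   # unbound accepts ip@port
    addr, _, zone = host.partition("%")    # IPv6 scope, e.g. %igc1.20
    try:
        ip = ipaddress.ip_address(addr)
    except ValueError:
        # Not an IP literal (e.g. an interface name): compare as plain text.
        return (host, "", int(port or default_port))
    return (ip.compressed, zone, int(port or default_port))

def find_duplicate_bindings(conf_text):
    """Map each binding seen more than once to its (line number, raw value) pairs."""
    seen = defaultdict(list)
    for lineno, line in enumerate(conf_text.splitlines(), start=1):
        line = line.split("#", 1)[0].strip()
        if not line.startswith("interface:"):
            continue
        raw = line.split(":", 1)[1].strip()
        seen[canonical_binding(raw)].append((lineno, raw))
    return {key: hits for key, hits in seen.items() if len(hits) > 1}

def dedupe_bindings(addresses):
    """Keep the first entry of each canonical binding, preserving order."""
    out, seen = [], set()
    for address in addresses:
        key = canonical_binding(address)
        if key not in seen:
            seen.add(key)
            out.append(address)
    return out

if __name__ == "__main__":
    for key, hits in find_duplicate_bindings(SAMPLE_CONF).items():
        print("duplicate binding", key, "at", hits)
```

Running the check against a generated unbound.conf before restarting the resolver flags the condition that ends in "bind: address already in use".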