Bug #2246
closed
PFsense code that generates Unbound's config draws on multiple sources that can conflict, causing Unbound to silently fail in an undocumented manner
0%
Description
If a user has has previously tried to set up authoritative redirects on domains using DNS forwarder or any other package that created Hosts entries in the router, then later switches to Unbound and puts similar records in Unbound's custom config, it's possible to get an undocumented fatal error (in the sense that pasting to Google doesn't seem to turn up an answer):
unbound: [15826:0] error: local-data in redirect zone must reside at top of zone, not at <DOMAIN + DNS DATA>
I think what's happening is Unbound both imports the router's hosts file to its config as well as applying custom config, failing when they contain similar entries. Either that, or it imports from DNS forwarder. The error occurs whether or not the original package (eg DNS forwarder) has been disabled.
It's quite feasible that the Hosts file or DNS forwarder may have had data before Unbound was used, so this is quite an easy issue to have. The module that creates Unbound's actual config (as reported at its status tab) should not attempt to create duplicate or conflicting records if old data exists in Hosts or other package settings.
Updated by Warren Baker over 13 years ago
- Status changed from New to Rejected
Unbound is meant to be a drop in replacement for the current DNS Forwarder (barring some changes that are required in the system). So it will read the the Host and Domain overrides that are defined in the DNS Forwarder section.
Updated by Stilez y over 13 years ago
Yes. But it doesn't integrate them correctly.
In this case, I had DNS forwarder defining some redirects. I disabled DNS forwarder and enabled Unbound. But the settings I created in DNS forwarder weren't then accessible in Unbound, weren't displayed in Unbound, weren't able to be removed or modified in Unbound, weren't presented to me in any form in Unbound - and when I tried to enter them from scratch in Unbound's "custom config" panel it promptly failed to handle that either and died.
If Unbound is stated to be a "drop-in replacement" for someone using DNS forwarding, it has to be assumed there may already be DNS forward settings set from prior use of DNS forwarder, and provide a way to view or modify them or warn on setup if aren't imported or might conflict. Right now there isn't any means provided within Unbound to view, modify or remove any inherited settings from DNS forwarder and the user isn't told that settings will be inherited, not displayed, can cause a crash, and must be manually removed before dropping in Unbound as a replacement.
Reopen please?
Updated by Warren Baker over 13 years ago
Unbound is been integrated into base which will (hopefully) be 2.1 - so work around the package is very limited. The documentation is lacking in that it doesn't inform the user that it will make use of the Host and domain overrides and any overrides should be configured there.
Why your Unbound is not using the Host override entries I can't say but they work for everyone else. As to adding them in the custom configuration, I assume you did use native unbound syntax? Ideally move this to the forums until a valid bug can be established then we can move forward from there.
Updated by Stilez y over 13 years ago
Good news on the 2.1 integration, and yes, custom config + native Unbound syntax. The problem wasn't that it didn't use them, it's that it did use them but gave no indication it was inheriting settings since it provided no wayt to view or edit them. The only symptom was that if the user, not seeing them in Unbound settings tab, tried to re-add them as custom config (fairly obvious step) Unbound would crash out and not explain why.
So in 2.0.1 the real problem with Unbound as a "drop in" replacement is that it isn't. Drop-in would mean the same functions exist. In 2.0.1 once you switch from DNS forwarder to Unbound, you can't configure specific forwards natively as with DNS forwarder, and custom config - the only route to doing so - can't display, remove, modify, or update the custom forward settings that now exist.
If Unbound (whether integrated or as a package) had a pfsense tab interface to view, modify and remove custom DNS records then I agree, the issue wouldn't arise in 2.1 onward.
I think this suggests two points related to Unbound in 2.1. First, does it have a tab added for DNS record management, or do any manual DNS records still have to get dumped into custom config using native syntax? Second DNS forwarder's table was very limited, you couldn't specify TTL or some other fields, hence the switch to Unbound, which allows full record creation:
local-zone: "evilspam.com" redirect
local-data: "evilspam.com 86400 IN A 127.0.0.1"
local-data: "evilspam.com 86400 IN AAAA ::1"AFAIK that wasn't possible (or very limited) in 2.0.1 DNS forwarder and was possible but only as freeform text/custom config in 2.0.1 Unbound. Does 2.1 allow more flexibility in its custom DNS record definitions interface, or would that be a feature request?
Updated by Warren Baker over 13 years ago
Agreed - it isn't a complete drop-in replacement due to various changes required to the base system. So as the package stands it serves the majority of the user's requirements.
When you refer to DNS record management I hope you don't mean you want to use Unbound as full blown authoritative server?
As to flexibility around control of records and their various values you can log a feature request and we will see what we can do.