Bug #4090

unbound advanced settings cause broken unbound.conf file

Added by Vick Khera over 6 years ago. Updated over 6 years ago.

Status:
Resolved
Priority:
Normal
Category:
DNS Resolver
Target version:
Start date:
12/10/2014
Due date:
% Done:

100%

Estimated time:
Plus Target Version:
Release Notes:
Default
Affected Version:
Affected Architecture:

Description

I need to permit private IPs for my local domains to resolve. That is, vick.int.kcilink.com resolves to 192.168.7.80. To this end, I have to tell unbound that kcilink.com (and my other domains) is allowed to have private addresses with this configuration:

private-domain: "kcilink.com" 
private-domain: "m1e.net" 
private-domain: "mailermailer.com" 
private-domain: "khera.org" 

The above is exactly what is in the "Advanced" box of the unbound general configuration.

In the unbound.conf file it is emitted as one line with no newlines:

private-domain: "kcilink.com"private-domain: "m1e.net"private-domain: "mailermailer.com"private-domain: "khera.org" 

which causes unbound to fail to restart.

Ideally, there would be a UI for adding such domains, as I'm sure many people need this feature for their office hosts.

unbound.conf (1.19 KB) - unbound config file section - Vick Khera, 12/18/2014 06:46 AM
config-pfsense.localdomain-20150105090641.xml (20.5 KB) - Vick Khera, 01/05/2015 08:06 AM

Associated revisions

Revision c23f4d8f (diff)
Added by Renato Botelho over 6 years ago

Replace ; by newlines when upgrading custom_options from unbound packages, it's related to ticket #4090

Revision 0fcab48b (diff)
Added by Renato Botelho over 6 years ago

Replace ; by newlines when upgrading custom_options from unbound packages, it's related to ticket #4090

Revision 0a23cddc (diff)
Added by Renato Botelho over 6 years ago

Fix #4090:

- Unbound advanced options may contain double quotes and it breaks the
syntax when a backup is restored because newlines are trimmed. Saving it
in base64 format is a safe way to prevent it
- Bump config version to 11.5
- Provide upgrade code to encode current config or the one that came
from unbound package on 2.1.5

Revision cfb5073f (diff)
Added by Renato Botelho over 6 years ago

Fix #4090:

- Unbound advanced options may contain double quotes and it breaks the
syntax when a backup is restored because newlines are trimmed. Saving it
in base64 format is a safe way to prevent it
- Bump config version to 11.5
- Provide upgrade code to encode current config or the one that came
from unbound package on 2.1.5

History

#1 Updated by Vick Khera over 6 years ago

I found that I need to specify

server:
private-domain: "kcilink.com" 
private-domain: "m1e.net" 
private-domain: "mailermailer.com" 
private-domain: "khera.org" 

And it works, even though the private-domain entries are still all smashed into one line.

#2 Updated by Renato Botelho over 6 years ago

  • Status changed from New to Feedback
  • Assignee set to Renato Botelho

I couldn't reproduce it; unbound.conf ended up with exactly the same lines I added to the textarea. Could you please share the <unbound> block of your config.xml?

#3 Updated by Vick Khera over 6 years ago

Here it is. I also notice there is no config download option for unbound, just the dns forwarder. In any case, I cut this section from the full configuration.

I use Safari 8 on the mac, by the way.

Now when I go to the DNS resolver config section (after reboot), all the private-domain entries are on one line. Even if I hit enter to split them up, they compress back upon save to the file.

#4 Updated by Renato Botelho over 6 years ago

Did you upgrade this system from 2.1.x with the unbound package installed? The upgrade code had an issue: it was using ; to separate fields during migration. It was fixed in 387ab31a976fbacfc0d8e2fde7efb7cb1c4b6b6b, where ; was replaced by a newline.

#5 Updated by Vick Khera over 6 years ago

No, it was a vanilla 2.1.5 system in a vm. I use it for testing things, then revert the image to the base system with just the IP addresses configured.

#6 Updated by Renato Botelho over 6 years ago

  • Project changed from pfSense to pfSense Packages
  • Category changed from DNS Resolver to Unbound
  • Target version set to 2.2
  • % Done changed from 0 to 100
  • Affected Version changed from 2.2 to 2.1.x

Vick Khera wrote:

No, it was a vanilla 2.1.5 system in a vm. I use it for testing things, then revert the image to the base system with just the IP addresses configured.

The ticket says 'Affected version: 2.2', then I did all tests on a 2.2 system.

Moving it to pfSense-packages / unbound and marking it as resolved since the issue is not present in 2.2.

#7 Updated by Vick Khera over 6 years ago

I guess I was unclear. It was a vanilla 2.1.5 system I upgraded to 2.2-RC for testing.

#8 Updated by Renato Botelho over 6 years ago

Ah ok, please try to update to a more recent snapshot; it should be fixed now. Seems to be the same issue as #4104.

#9 Updated by Chris Buechler over 6 years ago

  • Status changed from Feedback to Resolved

#10 Updated by Vick Khera over 6 years ago

No, this did not fix the problem.

I did some experimentation and discovered that if I enter the above configuration without double quotes, the lines are not smashed together. For example:

server:
private-domain: "kcilink.com" 
private-domain: "m1e.net" 
private-domain: mailermailer.com
private-domain: khera.org

Results in the following config in unbound.conf:

server:
private-domain: "kcilink.com"private-domain: "m1e.net"private-domain: mailermailer.com
private-domain: khera.org

So it looks like you have some issues with lines ending in double quotes.

#11 Updated by Vick Khera over 6 years ago

I'm using the 20141224-0520 upgrade image.

#12 Updated by Chris Buechler over 6 years ago

I can paste in exactly what you have above:

server:
private-domain: "kcilink.com" 
private-domain: "m1e.net" 
private-domain: "mailermailer.com" 
private-domain: "khera.org" 

and my unbound.conf ends up with:

# Unbound custom options
server:
private-domain: "kcilink.com" 
private-domain: "m1e.net" 
private-domain: "mailermailer.com" 
private-domain: "khera.org" 

with the exact same correct line endings.

Are there still remnants of the old unbound package in /usr/local/pkg/ on your system or something? This is definitely fixed in 2.2.

#13 Updated by Phillip Davis over 6 years ago

Chris has put it a little differently - Vick's example does not have the double quotes on the last 2 lines.
In any case, I tried:
server:
private-domain: "kcilink.com"
private-domain: "m1e.net"
private-domain: mailermailer.com
private-domain: khera.org

and got
# Unbound custom options
server:
private-domain: "kcilink.com"
private-domain: "m1e.net"
private-domain: mailermailer.com
private-domain: khera.org

which is the expected result.

#14 Updated by Vick Khera over 6 years ago

This was a 2.1.3 install into a VM, upgrade to 2.1.5, then upgraded to 2.2-RC (and again to the 12/24 snapshot). There was never unbound installed on it. I used it to test out the pfblocker package only.

If you want a copy of the VMware image let me know. I run it under VMware Fusion on my mac, and it still has the snapshot from prior to the 2.2 upgrade.

Otherwise, I guess forget about this since you cannot reproduce.

#15 Updated by Jim Pingle over 6 years ago

Any chance we could get the exact config.xml section that exhibited the problem?

#16 Updated by Bipin Chandra over 6 years ago

As soon as I enter the line below in the advanced config box and hit save and apply, the DNS resolver stops working and won't start at all:

log-queries: yes

The error I get is this:

php-fpm83585: /services_unbound.php: The command '/usr/local/sbin/unbound -c /var/unbound/unbound.conf' returned exit code '1', the output was '/var/unbound/unbound.conf:89: error: syntax error read /var/unbound/unbound.conf failed: 1 errors in configuration file [1419919488] unbound[34655:0] fatal error: Could not read config file: /var/unbound/unbound.conf'

#17 Updated by Chris Buechler over 6 years ago

That's legitimately wrong syntax, Bipin, not related to this; see the forum.

#18 Updated by Vick Khera over 6 years ago

Jim P wrote:

Any chance we could get the exact config.xml section that exhibited the problem?

Attached is the full config file.

#19 Updated by Renato Botelho over 6 years ago

  • Project changed from pfSense Packages to pfSense
  • Category changed from Unbound to DNS Resolver
  • Status changed from Resolved to Confirmed
  • Assignee deleted (Renato Botelho)
  • Affected Version deleted (2.1.x)

Confirmed. Steps to reproduce on 2.2:

  • Configure DNS Resolver Advanced Options with the following content
    server:
    private-domain: "kcilink.com" 
    private-domain: "m1e.net" 
    private-domain: mailermailer.com
    private-domain: khera.org
    
  • Make a backup
  • Restore the backup and you will end up with the following content in Advanced Options:
    server:
    private-domain: "kcilink.com"private-domain: "m1e.net"private-domain: mailermailer.com
    private-domain: khera.org
    

Because of the quotes contained in the first domains, the newline chars after the quotes are removed by the trim call inside the cData() function in xmlparse.inc, here - https://github.com/pfsense/pfsense/blob/master/etc/inc/xmlparse.inc#L124
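As an added illustration of the failure described above and of the base64 approach taken in the associated revisions (this is example code written for this page, not code from the pfSense project), the following Python models a backup/restore round trip. The model assumes that the config writer escapes the value like htmlspecialchars() does (so `"` is stored as `&quot;`), that a SAX-style parser hands plain text and each entity reference to the character-data handler as separate chunks, and that the handler trims tabs, CRs and LFs from every chunk before concatenating; `CUSTOM_OPTIONS` is the content from the reproduction steps, typed here without trailing spaces. Function names are this example's own.

```python
import base64
import html
import re

# Constructed sample: the Advanced Options content from the reproduction steps.
CUSTOM_OPTIONS = (
    "server:\n"
    'private-domain: "kcilink.com"\n'
    'private-domain: "m1e.net"\n'
    "private-domain: mailermailer.com\n"
    "private-domain: khera.org\n"
)


def to_xml_text(value: str) -> str:
    """Escape a value for an XML text node the way htmlspecialchars() does:
    '"' becomes '&quot;'; newlines are written through unchanged."""
    return html.escape(value, quote=True)


def parser_chunks(xml_text: str):
    """Assumed model of a SAX-style parser: plain text and each entity
    reference (&quot; and friends) reach the character-data handler as
    separate chunks, in document order."""
    for token in re.split(r"(&[a-zA-Z]+;|&#x?[0-9a-fA-F]+;)", xml_text):
        if token:
            yield html.unescape(token)


def cdata_trim_each_chunk(xml_text: str) -> str:
    """The fragile handler: trim tabs/CR/LF from every chunk, then concatenate.
    A newline that begins the chunk right after a closing quote is lost, while
    a newline in the middle of a chunk (after an unquoted domain) survives."""
    return "".join(chunk.strip("\t\n\r") for chunk in parser_chunks(xml_text))


def round_trip_plain(value: str) -> str:
    """Backup/restore of the raw value: mangled whenever a line ends in a quote."""
    return cdata_trim_each_chunk(to_xml_text(value))


def round_trip_base64(value: str) -> str:
    """Backup/restore of the base64-encoded value, the approach of the fix:
    the encoded form contains no quotes and no newlines, so neither the
    escaper nor the per-chunk trim can alter it."""
    encoded = base64.b64encode(value.encode("utf-8")).decode("ascii")
    restored = cdata_trim_each_chunk(to_xml_text(encoded))
    return base64.b64decode(restored).decode("utf-8")


if __name__ == "__main__":
    print("--- plain round trip ---")
    print(round_trip_plain(CUSTOM_OPTIONS))
    print("--- base64 round trip ---")
    print(round_trip_base64(CUSTOM_OPTIONS), end="")
```

Running it prints the smashed-together `"kcilink.com"private-domain: "m1e.net"private-domain: mailermailer.com` line for the plain round trip, matching what the ticket reports, and the untouched original for the base64 round trip. The general lesson is the one the fix applies: free-form text that passes through a parser which trims or re-joins whitespace should be stored in an encoding whose alphabet the parser cannot disturb, rather than relying on the text never containing the delimiting characters.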

#20 Updated by Renato Botelho over 6 years ago

  • Status changed from Confirmed to Feedback

#22 Updated by Renato Botelho over 6 years ago

  • Assignee set to Renato Botelho

#23 Updated by Chris Buechler over 6 years ago

  • Status changed from Feedback to Resolved

With Renato's steps I could replicate the issue. The base64 encoding works, and does fix it.
