Bug #4090
closed
unbound advanced settings cause broken unbound.conf file
Added by Vick Khera almost 10 years ago. Updated almost 10 years ago.
100%
Description
I need to permit private IPs for my local domains to resolve. That is, vick.int.kcilink.com resolves to 192.168.7.80. To this end, I have to tell unbound that kcilink.com (and my other domains) is allowed to have private addresses with this configuration:
private-domain: "kcilink.com"
private-domain: "m1e.net"
private-domain: "mailermailer.com"
private-domain: "khera.org"
The above is exactly what is in the "Advanced" box of the unbound general configuration.
In the unbound.conf file it is emitted as one line with no newlines:
private-domain: "kcilink.com"private-domain: "m1e.net"private-domain: "mailermailer.com"private-domain: "khera.org"
which causes unbound to fail to restart.
Ideally, there would be a UI for adding such domains, as I'm sure many people need this feature for their office hosts.
Files
unbound.conf (1.19 KB) | unbound config file section | Vick Khera, 12/18/2014 06:46 AM
config-pfsense.localdomain-20150105090641.xml (20.5 KB) | Vick Khera, 01/05/2015 08:06 AM
Updated by Vick Khera almost 10 years ago
I found that I need to specify
server:
private-domain: "kcilink.com"
private-domain: "m1e.net"
private-domain: "mailermailer.com"
private-domain: "khera.org"
And it works, even though the private-domain entries are still all smashed into one line.
Updated by Renato Botelho almost 10 years ago
- Status changed from New to Feedback
- Assignee set to Renato Botelho
I couldn't reproduce it, unbound.conf ended with lines exactly the same I added to textarea. Could you please share the <unbound> block of your config.xml?
Updated by Vick Khera almost 10 years ago
- File unbound.conf added
Here it is. I also notice there is no config download option for unbound, just the dns forwarder. In any case, I cut this section from the full configuration.
I use Safari 8 on the mac, by the way.
Now when I go to the DNS resolver config section (after reboot), all the private-domain entries are on one line. Even if I hit enter to split them up, they compress back upon save to the file.
Updated by Renato Botelho almost 10 years ago
Did you upgrade this system from 2.1.x with unbound package installed? The upgrade code had an issue, it was using ; to separate fields during migration. It was fixed in 387ab31a976fbacfc0d8e2fde7efb7cb1c4b6b6b where ; was replaced by newline
Updated by Vick Khera almost 10 years ago
No, it was a vanilla 2.1.5 system in a vm. I use it for testing things, then revert the image to the base system with just the IP addresses configured.
Updated by Renato Botelho almost 10 years ago
- Project changed from pfSense to pfSense Packages
- Category changed from DNS Resolver to Unbound
- Target version set to 2.2
- % Done changed from 0 to 100
- Affected Version changed from 2.2 to 2.1.x
Vick Khera wrote:
No, it was a vanilla 2.1.5 system in a vm. I use it for testing things, then revert the image to the base system with just the IP addresses configured.
The ticket says 'Affected version: 2.2', then I did all tests on a 2.2 system.
Moving it to pfSense-packages / unbound and marking it as resolved since the issue is not present in 2.2.
Updated by Vick Khera almost 10 years ago
I guess I was unclear. It was a vanilla 2.1.5 system I upgraded to 2.2-RC for testing.
Updated by Renato Botelho almost 10 years ago
Ah ok, please try to update to a more recent snapshot, it should be fixed now. Seems to be same issue of #4104
Updated by Chris Buechler almost 10 years ago
- Status changed from Feedback to Resolved
Updated by Vick Khera almost 10 years ago
No, this did not fix the problem.
I did some experimentation and discovered that if I enter the above configuration without double quotes, the lines are not smashed together. For example:
server:
private-domain: "kcilink.com"
private-domain: "m1e.net"
private-domain: mailermailer.com
private-domain: khera.org
Results in the following config in unbound.conf:
server:
private-domain: "kcilink.com"private-domain: "m1e.net"private-domain: mailermailer.com
private-domain: khera.org
So it looks like you have some issues with lines ending in double quotes.
Updated by Vick Khera almost 10 years ago
I'm using the 20141224-0520 upgrade image.
Updated by Chris Buechler almost 10 years ago
I can paste in exactly what you have above:
server:
private-domain: "kcilink.com"
private-domain: "m1e.net"
private-domain: "mailermailer.com"
private-domain: "khera.org"
and my unbound.conf ends up with:
# Unbound custom options
server:
private-domain: "kcilink.com"
private-domain: "m1e.net"
private-domain: "mailermailer.com"
private-domain: "khera.org"
with the exact same correct line endings.
Are there still remnants of the old unbound package in /usr/local/pkg/ on your system or something? This is definitely fixed in 2.2.
Updated by Phillip Davis almost 10 years ago
Chris has put a little different - Vick's example does not have the double-quotes on the last 2 lines.
In any case, I tried:
server:
private-domain: "kcilink.com"
private-domain: "m1e.net"
private-domain: mailermailer.com
private-domain: khera.org
and got
# Unbound custom options
server:
private-domain: "kcilink.com"
private-domain: "m1e.net"
private-domain: mailermailer.com
private-domain: khera.org
which is the expected result.
Updated by Vick Khera almost 10 years ago
This was a 2.1.3 install into a VM, upgrade to 2.1.5, then upgraded to 2.2-RC (and again to the 12/24 snapshot). There was never unbound installed on it. I used it to test out the pfblocker package only.
If you want a copy of the VMware image let me know. I run it under VMware Fusion on my mac, and it still has the snapshot from prior to the 2.2 upgrade.
Otherwise, I guess forget about this since you cannot reproduce.
Updated by Jim Pingle almost 10 years ago
Any chance we could get the exact config.xml section that exhibited the problem?
Updated by Bipin Chandra almost 10 years ago
As soon as I enter the below line in the advanced config box and hit save and apply, the DNS resolver stops working and won't start at all
log-queries: yes
The error I get is this
php-fpm83585: /services_unbound.php: The command '/usr/local/sbin/unbound -c /var/unbound/unbound.conf' returned exit code '1', the output was '/var/unbound/unbound.conf:89: error: syntax error read /var/unbound/unbound.conf failed: 1 errors in configuration file [1419919488] unbound[34655:0] fatal error: Could not read config file: /var/unbound/unbound.conf'
Updated by Chris Buechler almost 10 years ago
that's legitimately wrong syntax Bipin, not related to this, see forum.
Updated by Vick Khera almost 10 years ago
- File config-pfsense.localdomain-20150105090641.xml added
Jim P wrote:
Any chance we could get the exact config.xml section that exhibited the problem?
Attached is the full config file.
Updated by Renato Botelho almost 10 years ago
- Project changed from pfSense Packages to pfSense
- Category changed from Unbound to DNS Resolver
- Status changed from Resolved to Confirmed
- Assignee deleted (Renato Botelho)
- Affected Version deleted (2.1.x)
Confirmed. Steps to reproduce on 2.2:
- Configure DNS Resolver Advanced Options with the following content
server:
private-domain: "kcilink.com"
private-domain: "m1e.net"
private-domain: mailermailer.com
private-domain: khera.org
- Make a backup
- Restore the backup and you will end up with the following content at Advanced Option:
server:
private-domain: "kcilink.com"private-domain: "m1e.net"private-domain: mailermailer.com
private-domain: khera.org
Because of the quotes contained in the first domains, newline chars after quotes are removed on trim call inside cData() function at xmlparse.inc here - https://github.com/pfsense/pfsense/blob/master/etc/inc/xmlparse.inc#L124
Updated by Renato Botelho almost 10 years ago
- Status changed from Confirmed to Feedback
Applied in changeset 0a23cddced057d929c53f3ad1e5d6898a3fada50.
Updated by Renato Botelho almost 10 years ago
Applied in changeset cfb5073f83fa80e5b40476b12ea91ff5114c60fc.
Updated by Chris Buechler almost 10 years ago
- Status changed from Feedback to Resolved
With Renato's steps I could replicate the issue. The base64 encoding works, and does fix it.
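
The mechanism from the confirmation comment (newlines after quoted values lost in the parser's trim) and the base64 fix mentioned in the last update, as an added Python model; it is not pfSense code. It assumes the XML parser hands text and entity references to the handler as separate chunks and that the handler strips tab, CR and LF from each chunk; all function names are hypothetical.

```python
import base64
import html
import re

# Constructed sample: the Advanced Options text from the reproduction steps.
ADVANCED = (
    'server:\n'
    'private-domain: "kcilink.com"\n'
    'private-domain: "m1e.net"\n'
    'private-domain: mailermailer.com\n'
    'private-domain: khera.org'
)

ENTITY = re.compile(r'(&#?\w+;)')          # &quot; &amp; &#x27; ...
DIRECTIVE = re.compile(r'[a-z-]+:(?:\s|$)')  # heuristic "key:" matcher

def serialize(text):
    """Escape a value for storage as XML character data (" becomes &quot;)."""
    return html.escape(text, quote=True)

def parse_with_trim(cdata):
    """Model of the restore path: one handler call per chunk, each trimmed.

    Assumption: text runs and entity references arrive as separate chunks,
    so a newline that directly follows &quot; starts a chunk and is stripped.
    """
    chunks = []
    for chunk in ENTITY.split(cdata):
        chunk = html.unescape(chunk).strip('\t\n\r')
        if chunk:
            chunks.append(chunk)
    return ''.join(chunks)

def store_b64(text):
    """Fixed write path: base64 output has no entities and no newlines."""
    return serialize(base64.b64encode(text.encode()).decode())

def load_b64(cdata):
    """Fixed read path: the trim is harmless on a single base64 chunk."""
    return base64.b64decode(parse_with_trim(cdata)).decode()

def fused_lines(conf):
    """Return 1-based numbers of lines holding more than one directive."""
    return [n for n, line in enumerate(conf.splitlines(), 1)
            if len(DIRECTIVE.findall(line)) > 1]

if __name__ == '__main__':
    restored = parse_with_trim(serialize(ADVANCED))
    print(restored)
    print('fused lines:', fused_lines(restored))
    print('base64 round trip intact:', load_b64(store_b64(ADVANCED)) == ADVANCED)
```
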