Bug #4090
closed
unbound advanced settings cause broken unbound.conf file
Added by Vick Khera over 9 years ago. Updated about 9 years ago.
100%
Description
I need to permit private IPs for my local domains to resolve. That is, vick.int.kcilink.com resolves to 192.168.7.80. To this end, I have to tell unbound that kcilink.com (and my other domains) is allowed to have private addresses with this configuration:
private-domain: "kcilink.com"
private-domain: "m1e.net"
private-domain: "mailermailer.com"
private-domain: "khera.org"
The above is exactly what is in the "Advanced" box of the unbound general configuration.
In the unbound.conf file it is emitted as one line with no newlines:
private-domain: "kcilink.com"private-domain: "m1e.net"private-domain: "mailermailer.com"private-domain: "khera.org"
which causes unbound to fail to restart.
Ideally, there would be a UI for adding such domains, as I'm sure many people need this feature for their office hosts.
Files
unbound.conf (1.19 KB) | unbound config file section | Vick Khera, 12/18/2014 06:46 AM
config-pfsense.localdomain-20150105090641.xml (20.5 KB) | Vick Khera, 01/05/2015 08:06 AM
Updated by Vick Khera over 9 years ago
I found that I need to specify
server:
private-domain: "kcilink.com"
private-domain: "m1e.net"
private-domain: "mailermailer.com"
private-domain: "khera.org"
And it works, even though the private-domain entries are still all smashed into one line.
Updated by Renato Botelho over 9 years ago
- Status changed from New to Feedback
- Assignee set to Renato Botelho
I couldn't reproduce it; unbound.conf ended up with lines exactly the same as I added to the textarea. Could you please share the <unbound> block of your config.xml?
Updated by Vick Khera over 9 years ago
- File unbound.conf added
Here it is. I also notice there is no config download option for unbound, just the dns forwarder. In any case, I cut this section from the full configuration.
I use Safari 8 on the mac, by the way.
Now when I go to the DNS resolver config section (after reboot), all the private-domain entries are on one line. Even if I hit enter to split them up, they compress back upon save to the file.
Updated by Renato Botelho over 9 years ago
Did you upgrade this system from 2.1.x with unbound package installed? The upgrade code had an issue, it was using ; to separate fields during migration. It was fixed in 387ab31a976fbacfc0d8e2fde7efb7cb1c4b6b6b where ; was replaced by newline
Updated by Vick Khera over 9 years ago
No, it was a vanilla 2.1.5 system in a vm. I use it for testing things, then revert the image to the base system with just the IP addresses configured.
Updated by Renato Botelho over 9 years ago
- Project changed from pfSense to pfSense Packages
- Category changed from DNS Resolver to Unbound
- Target version set to 2.2
- % Done changed from 0 to 100
- Affected Version changed from 2.2 to 2.1.x
Vick Khera wrote:
No, it was a vanilla 2.1.5 system in a vm. I use it for testing things, then revert the image to the base system with just the IP addresses configured.
The ticket says 'Affected version: 2.2', then I did all tests on a 2.2 system.
Moving it to pfSense-packages / unbound and marking it as resolved since the issue is not present in 2.2.
Updated by Vick Khera over 9 years ago
I guess I was unclear. It was a vanilla 2.1.5 system I upgraded to 2.2-RC for testing.
Updated by Renato Botelho over 9 years ago
Ah ok, please try to update to a more recent snapshot, it should be fixed now. Seems to be the same issue as #4104
Updated by Chris Buechler over 9 years ago
- Status changed from Feedback to Resolved
Updated by Vick Khera over 9 years ago
No, this did not fix the problem.
I did some experimentation and discovered that if I enter the above configuration without double quotes, the lines are not smashed together. For example:
server:
private-domain: "kcilink.com"
private-domain: "m1e.net"
private-domain: mailermailer.com
private-domain: khera.org
Results in the following config in unbound.conf:
server:
private-domain: "kcilink.com"private-domain: "m1e.net"private-domain: mailermailer.com
private-domain: khera.org
So it looks like you have some issues with lines ending in double quotes.
Updated by Vick Khera over 9 years ago
I'm using the 20141224-0520 upgrade image.
Updated by Chris Buechler over 9 years ago
I can paste in exactly what you have above:
server:
private-domain: "kcilink.com"
private-domain: "m1e.net"
private-domain: "mailermailer.com"
private-domain: "khera.org"
and my unbound.conf ends up with:
# Unbound custom options
server:
private-domain: "kcilink.com"
private-domain: "m1e.net"
private-domain: "mailermailer.com"
private-domain: "khera.org"
with the exact same correct line endings.
Are there still remnants of the old unbound package in /usr/local/pkg/ on your system or something? This is definitely fixed in 2.2.
Updated by Phillip Davis over 9 years ago
Chris has put something a little different - Vick's example does not have the double-quotes on the last 2 lines.
In any case, I tried:
server:
private-domain: "kcilink.com"
private-domain: "m1e.net"
private-domain: mailermailer.com
private-domain: khera.org
and got
# Unbound custom options
server:
private-domain: "kcilink.com"
private-domain: "m1e.net"
private-domain: mailermailer.com
private-domain: khera.org
which is the expected result.
Updated by Vick Khera about 9 years ago
This was a 2.1.3 install into a VM, upgrade to 2.1.5, then upgraded to 2.2-RC (and again to the 12/24 snapshot). There was never unbound installed on it. I used it to test out the pfblocker package only.
If you want a copy of the VMware image let me know. I run it under VMware Fusion on my mac, and it still has the snapshot from prior to the 2.2 upgrade.
Otherwise, I guess forget about this since you cannot reproduce.
Updated by Jim Pingle about 9 years ago
Any chance we could get the exact config.xml section that exhibited the problem?
Updated by Bipin Chandra about 9 years ago
As soon as I enter the below line in the advanced config box and hit save and apply, the DNS resolver stops working and won't start at all
log-queries: yes
The error I get is this
php-fpm83585: /services_unbound.php: The command '/usr/local/sbin/unbound -c /var/unbound/unbound.conf' returned exit code '1', the output was '/var/unbound/unbound.conf:89: error: syntax error read /var/unbound/unbound.conf failed: 1 errors in configuration file [1419919488] unbound[34655:0] fatal error: Could not read config file: /var/unbound/unbound.conf'
Updated by Chris Buechler about 9 years ago
That's legitimately wrong syntax Bipin, not related to this, see forum.
Updated by Vick Khera about 9 years ago
- File config-pfsense.localdomain-20150105090641.xml added
Jim P wrote:
Any chance we could get the exact config.xml section that exhibited the problem?
Attached is the full config file.
Updated by Renato Botelho about 9 years ago
- Project changed from pfSense Packages to pfSense
- Category changed from Unbound to DNS Resolver
- Status changed from Resolved to Confirmed
- Assignee deleted (Renato Botelho)
- Affected Version deleted (2.1.x)
Confirmed. Steps to reproduce on 2.2:
- Configure DNS Resolver Advanced Options with the following content
server:
private-domain: "kcilink.com"
private-domain: "m1e.net"
private-domain: mailermailer.com
private-domain: khera.org
- Make a backup
- Restore the backup and you will end up with the following content at Advanced Option:
server:
private-domain: "kcilink.com"private-domain: "m1e.net"private-domain: mailermailer.com
private-domain: khera.org
Because of the quotes contained in the first domains, newline chars after quotes are removed by the trim call inside the cData() function in xmlparse.inc, here: https://github.com/pfsense/pfsense/blob/master/etc/inc/xmlparse.inc#L124
Updated by Renato Botelho about 9 years ago
- Status changed from Confirmed to Feedback
Applied in changeset 0a23cddced057d929c53f3ad1e5d6898a3fada50.
Updated by Renato Botelho about 9 years ago
Applied in changeset cfb5073f83fa80e5b40476b12ea91ff5114c60fc.
Updated by Chris Buechler about 9 years ago
- Status changed from Feedback to Resolved
With Renato's steps I could replicate the issue. The base64 encoding works, and does fix it.
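A small Python model of the failure confirmed above and of the base64 fix, added here as an example; it is not pfSense's code and not part of the ticket. The entity-boundary chunking in `sax_chunks`, and all function names, are assumptions made for illustration.

```python
import base64
import re
from xml.sax.saxutils import escape, unescape

QUOT = {'"': "&quot;"}

# Constructed sample: the Advanced box content from the ticket, one directive per line.
ADVANCED = (
    'server:\n'
    'private-domain: "kcilink.com"\n'
    'private-domain: "m1e.net"\n'
    'private-domain: mailermailer.com\n'
    'private-domain: khera.org'
)

def sax_chunks(escaped):
    # Assumption: the parser hands text to the handler in pieces split around each entity reference.
    return [c for c in re.split(r"(&[a-z]+;)", escaped) if c]

def cdata_with_trim(chunks):
    # Trim tab/newline/CR from every chunk before appending, as the ticket describes for cData().
    out = ""
    for chunk in chunks:
        chunk = chunk.strip("\t\n\r")
        if chunk:
            out += unescape(chunk, {"&quot;": '"'})
    return out

def restore_plain(text):
    # Backup/restore of the raw text: quotes become &quot;, so chunks start right after them.
    return cdata_with_trim(sax_chunks(escape(text, QUOT)))

def restore_base64(text):
    # Base64 output contains no quotes or newlines, so the trim has nothing to remove.
    stored = base64.b64encode(text.encode()).decode()
    return base64.b64decode(restore_plain(stored)).decode()

def glued_lines(conf):
    # Lines where a closing quote is immediately followed by another "name:" directive.
    return [n for n, line in enumerate(conf.splitlines(), 1) if re.search(r'"[a-z0-9-]+:', line)]

if __name__ == "__main__":
    damaged = restore_plain(ADVANCED)
    print(damaged)
    print("glued lines:", glued_lines(damaged))
    print("base64 intact:", restore_base64(ADVANCED) == ADVANCED)
```

`glued_lines` can also be run over an existing unbound.conf to spot directives that were joined this way before unbound refuses to start.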