Project

General

Profile

Actions

Bug #6712

closed

services_unbound.php Host Overrides don't change any unbound configuration

Added by Jeremy C. Reed over 8 years ago. Updated almost 8 years ago.

Status:
Resolved
Priority:
Normal
Assignee:
Category:
DNS Resolver
Target version:
Start date:
08/13/2016
Due date:
% Done:

100%

Estimated time:
Plus Target Version:
Release Notes:
Affected Version:
2.3.x
Affected Architecture:

Description

services_unbound.php
I cannot get any Host Override to be configured with unbound.
/var/unbound/host_entries.conf lists my /etc/hosts entries but
not my override entries.
My config.xml has my <hosts> details for <unbound> but I don't see it
at all in my /var/unbound settings.

(By the way, the unrelated Host Overrides for DNS Forwarder work and the Domain Overrides for DNS Resolver and DNS Forwarder work.)

(My list of bugs is at http://reedmedia.net/books/pfsense/bugs-20160813.html )

Actions #1

Updated by Kill Bill over 8 years ago

This certainly works. Would suggest using the forums for help.

Actions #2

Updated by Jeremy C. Reed over 8 years ago

Thanks to PiBa-NL on IRC who helped me troubleshoot this down to:
/etc/inc/system.inc

339 // prefer dnsmasq for hosts generation where it's enabled. It relies
340 // on hosts for name resolution of its overrides, unbound does not.
341 if (isset($config['dnsmasq']) && isset($config['dnsmasq']['enable'])) {
342 $dnsmasqcfg = $config['dnsmasq'];
343 } else {
344 $dnsmasqcfg = $config['unbound'];
345 }

Once I disabled dnsmasq it worked (had to save/apply in DNS Resolver first).

Since pfsense allows both to be enabled at same time (consider different Listen ports as documented), please allow both or clearly document and detect and warn.
It would be simple to just make a function for the code and pass dnsmasq or unbound to it.

By the way the comment in code above is misleading, as the read_hosts used for unbound also uses hosts (assume this comment means /etc/hosts).

Actions #3

Updated by Jim Thompson over 8 years ago

  • Assignee set to Jeremy Porter

assigned to PIngle for eval, but looks like "not a bug" to me.

Actions #4

Updated by Jim Thompson over 8 years ago

  • Category set to Unbound
  • Status changed from New to Assigned
  • Assignee changed from Jeremy Porter to Jim Pingle

wrong assignee

Actions #5

Updated by Jim Pingle over 8 years ago

  • Project changed from pfSense Packages to pfSense
  • Category deleted (Unbound)
  • Assignee changed from Jim Pingle to Renato Botelho

Looks like it is a problem but not one most would hit since it's rare to have both enabled.

source:src/etc/inc/unbound.inc#L568 unbound_add_host_entries() is reading /etc/hosts rather than starting with $config['unbound']['hosts'].

When the DNS Forwarder is enabled, its contents are preferred for /etc/hosts since as the comment states, unbound doesn't care about /etc/hosts but dnsmasq does, which means if both are enabled, then the /etc/hosts entries from dnsmasq will be picked up and put in /var/unbound/host_entries.conf rather than what is defined in the GUI for DNS Resolver.

So unbound_add_host_entries() needs to be changed to read the hosts from config.xml not /etc/hosts. The only other reason I can think of why it would read /etc/hosts directly would be to also pick up the automatic entries for localhost and for the firewall itself, so those likely need added as well.

As an alternate tactic, hosts for dnsmasq could be written elsewhere and dnsmasq can be passed the --addn-hosts=/path/to/file parameter so it picks up its own distinct copy.

Actions #6

Updated by Jim Pingle over 8 years ago

  • Category set to DNS Resolver
  • Target version set to 2.4.0
  • Affected Version set to 2.3.x
Actions #7

Updated by Renato Botelho almost 8 years ago

  • Status changed from Assigned to Feedback
  • % Done changed from 0 to 100
Actions #8

Updated by Renato Botelho almost 8 years ago

  • Assignee changed from Renato Botelho to Jim Pingle

Assigning to Jim Pingle for testing

Actions #9

Updated by Jim Pingle almost 8 years ago

  • Status changed from Feedback to Resolved

Looks good now. Forwarder hosts go in /etc/hosts, Resolver hosts go in /var/unbound/host_entries.conf and they appear to work as expected.

Actions #10

Updated by Jim Pingle almost 8 years ago

  • Target version changed from 2.4.0 to 2.3.3
Actions

Also available in: Atom PDF