Bug #7271
closedCo-existence of unbound and BIND/named
100%
Description
Problem: both packages (want to) use same port 953 on 127.0.0.1 for (remote) control. If BIND is installed and enabled, then unbound fails to start after reboot.
2.4.0-BETA][admin@fwA]/root: /usr/local/sbin/unbound -c /var/unbound/unbound.conf [1487326118] unbound[44792:0] error: can't bind socket: Address already in use for 127.0.0.1 [1487326118] unbound[44792:0] error: cannot open control interface 127.0.0.1 953 [1487326118] unbound[44792:0] fatal error: could not open ports
Implications of unbound failing to come up can be pretty drastic after restoring a config backup on a freshly installed pfSense box when its DNS Server Settings depend on unbound. It will try repeatedly to resolve beta.pfsense.com until timing out after minutes, be unable to install packages that are listed in the config backup, and fail to bring up SSHd or Web-configurator.
Proposed and tested solution: Move control port of unbound from 953 back to its default value 8953 (see [1]), e.g. in
/etc/inc/unbound.increplace:
control-port: 953
by:
control-port: 8953
Thanks,
Rolf
[1] https://www.freebsd.org/cgi/man.cgi?unbound.conf
...
control-port: port number
The port number to listen on for IPv4 or IPv6 control interfaces,
default is 8953. If you change this and permissions have been
dropped, you must restart the server for the change to take
effect.
Updated by Kill Bill over 7 years ago
Yeah, I'd definitely rather move the BIND control port than mess with default ports for a default pfSense resolver that's been there for ages without any issues.
Updated by Jim Pingle over 7 years ago
- Target version deleted (
2.4.0)
Agreed. Move the BIND port instead.
Updated by Jim Pingle over 7 years ago
- Project changed from pfSense to pfSense Packages
- Category changed from DNS Resolver to BIND
Updated by Jim Thompson over 7 years ago
- Assignee set to Jim Pingle
- Priority changed from High to Normal
- Target version set to 2.4.0
Updated by David Wood over 7 years ago
The work-round I used back in the days of the pfSense 2.2.x BIND port was to call rndc-confgen with the "-p <control port>" option. I believe that is all that is needed here.
Updated by Kill Bill about 7 years ago
Test this please.
Updated by Viktor Gurov over 4 years ago
Updated by Jim Pingle over 4 years ago
- Status changed from New to Pull Request Review
Updated by Renato Botelho over 4 years ago
- Status changed from Pull Request Review to Feedback
- % Done changed from 0 to 100
PR has been merged. Thanks!
Updated by Max Leighton almost 4 years ago
Testing with bind 9.16_6 the default control port is still showing as 953 and conflicting with unbound.
Updated by Viktor Gurov almost 4 years ago
Max Leighton wrote:
Testing with bind 9.16_6 the default control port is still showing as 953 and conflicting with unbound.
fix:
https://gitlab.netgate.com/pfSense/FreeBSD-ports/-/merge_requests/14
Updated by Danilo Zrenjanin over 3 years ago
Tested on the latest release. Bind package version 9.16_9. It's still not fixed. Please check.
Updated by Viktor Gurov over 3 years ago
- Status changed from Feedback to Resolved
this fix is only for clean BIND install
9.16_9 works as expected