Bug #7271

Co-existence of unbound and BIND/named

Added by Rolf Sommerhalder over 3 years ago. Updated 3 months ago.

Target version:
Start date:
Due date:
% Done:


Estimated time:
Affected Version:
Affected Architecture:


Problem: both packages (want to) use same port 953 on for (remote) control. If BIND is installed and enabled, then unbound fails to start after reboot.

2.4.0-BETA][admin@fwA]/root: /usr/local/sbin/unbound -c /var/unbound/unbound.conf
[1487326118] unbound[44792:0] error: can't bind socket: Address already in use for
[1487326118] unbound[44792:0] error: cannot open control interface 953
[1487326118] unbound[44792:0] fatal error: could not open ports

Implications of unbound failing to come up can be pretty drastic after restoring a config backup on a freshly installed pfSense box when its DNS Server Settings depend on unbound. It will try repeatedly to resolve until timing out after minutes, be unable to install packages that are listed in the config backup, and fail to bring up SSHd or Web-configurator.

Proposed and tested solution: Move control port of unbound from 953 back to its default value 8953 (see [1]), e.g. in

 control-port: 953

 control-port: 8953


control-port: port number
The port number to listen on for IPv4 or IPv6 control interfaces,
default is 8953. If you change this and permissions have been
dropped, you must restart the server for the change to take


#1 Updated by Kill Bill over 3 years ago

Yeah, I'd definitely rather move the BIND control port than mess with default ports for a default pfSense resolver that's been there for ages without any issues.

#2 Updated by Jim Pingle over 3 years ago

  • Target version deleted (2.4.0)

Agreed. Move the BIND port instead.

#3 Updated by Jim Pingle over 3 years ago

  • Project changed from pfSense to pfSense Packages
  • Category changed from DNS Resolver to BIND

#4 Updated by Jim Thompson over 3 years ago

  • Assignee set to Jim Pingle
  • Priority changed from High to Normal
  • Target version set to 2.4.0

#5 Updated by David Wood over 3 years ago

The work-round I used back in the days of the pfSense 2.2.x BIND port was to call rndc-confgen with the "-p <control port>" option. I believe that is all that is needed here.

#6 Updated by Jim Pingle about 3 years ago

  • Target version deleted (2.4.0)

#7 Updated by Kill Bill about 3 years ago

#9 Updated by Jim Pingle 4 months ago

  • Status changed from New to Pull Request Review

#10 Updated by Renato Botelho 3 months ago

  • Status changed from Pull Request Review to Feedback
  • % Done changed from 0 to 100

PR has been merged. Thanks!

Also available in: Atom PDF