Project

General

Profile

Bug #7271

Co-existence of unbound and BIND/named

Added by Rolf Sommerhalder 9 months ago. Updated 3 months ago.

Status:
New
Priority:
Normal
Assignee:
Category:
BIND
Target version:
-
Start date:
02/17/2017
Due date:
% Done:

0%

Affected Version:
2.4
Affected Architecture:
All

Description

Problem: both packages (want to) use same port 953 on 127.0.0.1 for (remote) control. If BIND is installed and enabled, then unbound fails to start after reboot.

2.4.0-BETA][admin@fwA]/root: /usr/local/sbin/unbound -c /var/unbound/unbound.conf
[1487326118] unbound[44792:0] error: can't bind socket: Address already in use for 127.0.0.1
[1487326118] unbound[44792:0] error: cannot open control interface 127.0.0.1 953
[1487326118] unbound[44792:0] fatal error: could not open ports

Implications of unbound failing to come up can be pretty drastic after restoring a config backup on a freshly installed pfSense box when its DNS Server Settings depend on unbound. It will try repeatedly to resolve beta.pfsense.com until timing out after minutes, be unable to install packages that are listed in the config backup, and fail to bring up SSHd or Web-configurator.

Proposed and tested solution: Move control port of unbound from 953 back to its default value 8953 (see [1]), e.g. in

/etc/inc/unbound.inc
replace:
 control-port: 953

by:
 control-port: 8953

Thanks,
Rolf

[1] https://www.freebsd.org/cgi/man.cgi?unbound.conf
...
control-port: port number
The port number to listen on for IPv4 or IPv6 control interfaces,
default is 8953. If you change this and permissions have been
dropped, you must restart the server for the change to take
effect.

History

#1 Updated by Kill Bill 9 months ago

Yeah, I'd definitely rather move the BIND control port than mess with default ports for a default pfSense resolver that's been there for ages without any issues.

#2 Updated by Jim Pingle 9 months ago

  • Target version deleted (2.4.0)

Agreed. Move the BIND port instead.

#3 Updated by Jim Pingle 9 months ago

  • Project changed from pfSense to pfSense Packages
  • Category changed from DNS Resolver to BIND

#4 Updated by Jim Thompson 9 months ago

  • Assignee set to Jim Pingle
  • Priority changed from High to Normal
  • Target version set to 2.4.0

#5 Updated by David Wood 9 months ago

The work-round I used back in the days of the pfSense 2.2.x BIND port was to call rndc-confgen with the "-p <control port>" option. I believe that is all that is needed here.

#6 Updated by Jim Pingle 4 months ago

  • Target version deleted (2.4.0)

#7 Updated by Kill Bill 3 months ago

Also available in: Atom PDF