
Author Topic: Unbound DNS Resolver problem?  (Read 3418 times)


Offline jwsmiths

Unbound DNS Resolver problem?
« on: April 05, 2016, 03:55:45 pm »
php-fpm[35774]: /services_unbound_advanced.php: The command '/usr/local/sbin/dhcpd -user dhcpd -group _dhcp -chroot /var/dhcpd -cf /etc/dhcpd.conf -pf /var/run/dhcpd.pid em1' returned exit code '1', the output was 'Internet Systems Consortium DHCP Server 4.3.3-P1 Copyright 2004-2016 Internet Systems Consortium. All rights reserved. For info, please visit https://www.isc.org/software/dhcp/ Config file: /etc/dhcpd.conf Database file: /var/db/dhcpd.leases PID file: /var/run/dhcpd.pid Wrote 0 deleted host decls to leases file. Wrote 0 new dynamic host decls to leases file. Wrote 112 leases to leases file. Listening on BPF/em1/xx:xx:xx:xx:xx:xx/10.0.1.0/24 Sending on BPF/em1/xx:xx:xx:xx:xx:xx/10.0.1.0/24 Can't bind to dhcp address: Address already in use Please make sure there is no other dhcp server running and that there's no entry for dhcp or bootp in /etc/inetd.conf. Also make sure you are not running HP JetAdmin software, which includes a bootp server. If you think you have received t

Updated today - DNS does not seem to be working, though I cannot tell why.  I am certainly not running HP JetAdmin.

Offline cmb (Chris Buechler)
Re: Unbound DNS Resolver problem?
« Reply #1 on: April 05, 2016, 04:02:13 pm »
That's just something trying to start dhcpd while it's already running. Likely just log spam, and definitely wouldn't have any impact on DNS.

Offline jwsmiths

Re: Unbound DNS Resolver problem?
« Reply #2 on: April 05, 2016, 04:36:52 pm »
That's just something trying to start dhcpd while it's already running. Likely just log spam, and definitely wouldn't have any impact on DNS.

And had it been nothing but that log entry I'd agree with you, but whenever I try to go to websites I see that my system is falling back to my secondary DNS server:
imac:~ justinsmith$ nslookup www.apple.com
;; Got SERVFAIL reply from 10.0.1.1, trying next server
Server:      10.0.1.2
Address:   10.0.1.2#53

Non-authoritative answer:
www.apple.com   canonical name = www.apple.com.edgekey.net.
www.apple.com.edgekey.net   canonical name = www.apple.com.edgekey.net.globalredir.akadns.net.
www.apple.com.edgekey.net.globalredir.akadns.net   canonical name = e6858.dscc.akamaiedge.net.
Name:   e6858.dscc.akamaiedge.net
Address: 104.70.75.117

Offline cmb

Re: Unbound DNS Resolver problem?
« Reply #3 on: April 05, 2016, 05:51:35 pm »
Just saying that log in particular has no relation to any DNS issues.

Unbound service running? Looks like it should be, assuming the 10.0.1.1 IP is Unbound? Do you have forwarding mode enabled? DNSSEC enabled? 
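
The checks cmb is asking about, collected into one script as an added example (this is not code from the thread or from pfSense). It assumes pfSense's layout: the generated config at /var/unbound/unbound.conf, the resolver listening on 10.0.1.1 as in Justin's nslookup output, and dig and unbound-control in PATH. The classify function goes one step beyond the questions: querying with and without the CD (checking disabled) bit separates a DNSSEC validation failure from a resolver that cannot get anything from upstream, and in resolver mode the script then asks a root server directly from the firewall, which is where the rest of this thread ends up.

```shell
#!/bin/sh
# Added example, not code from the thread or from pfSense.
# Assumed pfSense paths and the addresses seen in the thread; override via env.
UNBOUND_CONF="${UNBOUND_CONF:-/var/unbound/unbound.conf}"  # pfSense writes the config here
RESOLVER="${RESOLVER:-10.0.1.1}"                           # LAN address Unbound listens on
ROOT_A="${ROOT_A:-198.41.0.4}"                             # a.root-servers.net
NAME="${NAME:-www.apple.com}"                              # the name from the nslookup output

# 1. Is the daemon up? unbound-control goes through the remote-control socket,
#    so a "running" answer also proves that channel works.
unbound_running() {
    unbound-control -c "$UNBOUND_CONF" status >/dev/null 2>&1
}

# 2. Forwarding and DNSSEC are visible in the generated config: forwarding
#    mode emits a forward-zone block with forward-addr lines, DNSSEC loads the
#    validator module (assumed pfSense config layout).
show_mode() {
    if grep -q '^forward-zone:' "$UNBOUND_CONF"; then
        echo "forwarding: enabled"
        grep 'forward-addr:' "$UNBOUND_CONF"
    else
        echo "forwarding: disabled (Unbound iterates from the root servers itself)"
    fi
    if grep -q 'module-config:.*validator' "$UNBOUND_CONF"; then
        echo "dnssec: enabled"
    else
        echo "dnssec: disabled"
    fi
}

# Response code (NOERROR, SERVFAIL, ...) of one query; empty if no answer came
# back at all. Usage: rcode SERVER NAME TYPE [extra dig options]
rcode() {
    server="$1"; name="$2"; qtype="$3"; shift 3
    dig @"$server" "$name" "$qtype" +time=3 +tries=1 "$@" 2>/dev/null |
        sed -n 's/.*status: \([A-Z]*\),.*/\1/p'
}

# 3. Combine the plain result with a +cd (checking disabled) query. CD tells the
#    resolver to skip DNSSEC validation, so:
#      SERVFAIL plain, NOERROR with cd -> validation problem (trust anchor, clock, broken zone)
#      SERVFAIL both ways              -> nothing usable came from upstream at all
classify() {
    case "$1/$2" in
        NOERROR/*)         echo "ok: resolver answers normally" ;;
        SERVFAIL/NOERROR)  echo "dnssec: validation failed, answers once CD is set" ;;
        SERVFAIL/SERVFAIL) echo "upstream: no usable answer even without validation, check reachability of roots or forwarders" ;;
        /*)                echo "dead: no response from $RESOLVER at all" ;;
        *)                 echo "other: plain=$1 cd=$2" ;;
    esac
}

diagnose() {
    if unbound_running; then echo "unbound: running"; else echo "unbound: NOT running (or remote-control broken)"; fi
    show_mode
    plain=$(rcode "$RESOLVER" "$NAME" A)
    withcd=$(rcode "$RESOLVER" "$NAME" A +cd)
    verdict=$(classify "$plain" "$withcd")
    echo "verdict: $verdict"
    # 4. Upstream trouble in resolver mode: ask a root server directly from the
    #    firewall. Anything on the box that drops those packets (the IDS/IPS in
    #    this thread) shows up here as "no answer".
    case "$verdict" in
        upstream:*)
            if ! grep -q '^forward-zone:' "$UNBOUND_CONF"; then
                r=$(rcode "$ROOT_A" . NS +norecurse)
                echo "direct root query to $ROOT_A: ${r:-no answer}"
            fi ;;
    esac
}

# Only run the live checks when asked, so the functions can be sourced/tested.
if [ -n "${RUN_DIAG:-}" ]; then
    diagnose
fi
```

Run it from the pfSense shell as `RUN_DIAG=1 sh unbound-diag.sh`. In Justin's case (forwarding off, DNSSEC on) the expected verdict is the "upstream" one with an empty direct root query, since the blocking happened before the packets ever left the firewall; a real DNSSEC fault would instead answer as soon as +cd is added.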

Offline xbipin

Re: Unbound DNS Resolver problem?
« Reply #4 on: April 06, 2016, 04:04:18 am »
I have a DNS Resolver issue such that it won't start at boot:

Apr 6 13:03:22 unbound 35699:0 error: Error for server-cert-file: /var/unbound/unbound_server.pem
Apr 6 13:03:22 unbound 35699:0 error: Error in SSL_CTX use_certificate_chain_file crypto error:02001002:system library:fopen:No such file or directory
Apr 6 13:03:22 unbound 35699:0 error: and additionally crypto error:20074002:BIO routines:FILE_CTRL:system lib
Apr 6 13:03:22 unbound 35699:0 error: and additionally crypto error:140DC002:SSL routines:SSL_CTX_use_certificate_chain_file:system lib
Apr 6 13:03:22 unbound 35699:0 fatal error: could not set up remote-control
Apr 6 13:03:24 unbound 48279:0 error: Error for server-cert-file: /var/unbound/unbound_server.pem
Apr 6 13:03:24 unbound 48279:0 error: Error in SSL_CTX use_certificate_chain_file crypto error:02001002:system library:fopen:No such file or directory
Apr 6 13:03:24 unbound 48279:0 error: and additionally crypto error:20074002:BIO routines:FILE_CTRL:system lib
Apr 6 13:03:24 unbound 48279:0 error: and additionally crypto error:140DC002:SSL routines:SSL_CTX_use_certificate_chain_file:system lib
Apr 6 13:03:24 unbound 48279:0 fatal error: could not set up remote-control
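
xbipin's log is a different failure from Justin's: Unbound has remote-control enabled but cannot open the server certificate it expects in /var/unbound, so it aborts before it ever serves a query. As an added example (not from the thread or from pfSense), this script pulls the missing path out of such a log line, checks for the four files that unbound-control-setup creates, and regenerates them when any are missing. The /var/unbound directory and the unbound user are pfSense assumptions; adjust them for other installs.

```shell
#!/bin/sh
# Added example, not from the thread. Assumes pfSense's chroot directory for
# Unbound; override with UNBOUND_DIR=... for other layouts.
UNBOUND_DIR="${UNBOUND_DIR:-/var/unbound}"

# The four files unbound-control-setup generates; unbound.conf refers to them
# as server-key-file, server-cert-file, control-key-file and control-cert-file.
RC_FILES="unbound_server.key unbound_server.pem unbound_control.key unbound_control.pem"

# Pull the path out of an "Error for server-cert-file: /path" log line on stdin.
missing_file_from_log() {
    sed -n 's/.*Error for [a-z-]*-file: \([^ ]*\).*/\1/p'
}

# Return 0 if every remote-control file exists and is non-empty; otherwise
# print the missing ones and return 1.
rc_files_present() {
    dir="$1"; rc=0
    for f in $RC_FILES; do
        if [ ! -s "$dir/$f" ]; then
            echo "missing: $dir/$f"
            rc=1
        fi
    done
    return $rc
}

# Regenerate the key pairs. unbound-control-setup needs openssl and writes all
# four files into the directory given with -d.
regen_rc_files() {
    dir="$1"
    unbound-control-setup -d "$dir" || return 1
    # Keep the private keys out of reach of other local users. Assumption: the
    # daemon runs as user "unbound" (pfSense's username: setting); the chown is
    # skipped where that account does not exist.
    for f in $RC_FILES; do
        chmod 640 "$dir/$f"
        if id unbound >/dev/null 2>&1; then
            chown unbound "$dir/$f"
        fi
    done
}

# Only touch the real directory when asked, so the functions can be tested.
if [ -n "${RUN_FIX:-}" ]; then
    if ! rc_files_present "$UNBOUND_DIR"; then
        regen_rc_files "$UNBOUND_DIR" && echo "regenerated remote-control files in $UNBOUND_DIR"
    fi
fi
```

After regenerating, start the service again and confirm with `unbound-control -c /var/unbound/unbound.conf status`; a working remote-control channel is also what pfSense's own service controls depend on.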

Offline jwsmiths

Re: Unbound DNS Resolver problem?
« Reply #5 on: April 06, 2016, 07:50:20 am »
Just saying that log in particular has no relation to any DNS issues.

Unbound service running? Looks like it should be, assuming the 10.0.1.1 IP is Unbound? Do you have forwarding mode enabled? DNSSEC enabled?
I see what you're saying about that log post - and I knew that it seemed odd that it was mentioning dhcpd, but I figured maybe the message was truncated or I was misunderstanding something.  Regardless, it is the only message in the log from Unbound.

The service is running and DNSSEC is enabled.  Now I have forwarding mode enabled and it is working; however, if I disable forwarding mode it fails again.

-Justin

Offline jwsmiths

Re: Unbound DNS Resolver problem?
« Reply #6 on: April 06, 2016, 12:23:22 pm »
Just saying that log in particular has no relation to any DNS issues.

Unbound service running? Looks like it should be, assuming the 10.0.1.1 IP is Unbound? Do you have forwarding mode enabled? DNSSEC enabled?

As usual (and of course unexpectedly) you were absolutely correct that the log had absolutely zero to do with the problem.  The solution was (and I should have thought of checking this sooner) that Suricata was blocking the root DNS servers due to "Invalid UDP Checksum" errors.   I simply unblocked the servers (suppressed the alert for those IPs) and now Unbound works perfectly.  Not sure why Suricata decided to start blocking them now and had never done so in the past, but alas the problem is fixed.  Thanks for your help!

-Justin

Offline laurpaum

Re: Unbound DNS Resolver problem?
« Reply #7 on: April 06, 2016, 04:18:55 pm »
If running Suricata in inline mode, you have to disable hardware offloading.

See https://forum.pfsense.org/index.php?topic=108068.msg601891

Laurent

Offline jwsmiths

Re: Unbound DNS Resolver problem?
« Reply #8 on: April 06, 2016, 04:29:37 pm »
If running Suricata in inline mode, you have to disable hardware offloading.

See https://forum.pfsense.org/index.php?topic=108068.msg601891

Laurent

Yeah I just got hit by the bug probably a minute after you replied to my initial post - disabled now! Hope this is just temporary.
-Justin
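
Why the offloading matters here, as an added explanation and example rather than something from the thread: with checksum offload on, the host stack leaves the UDP checksum for the NIC to fill in. Suricata's inline (netmap) mode sits between the host stack and the NIC, so every packet the firewall itself sends, including Unbound's queries to the root servers, reaches Suricata with an unfinished checksum. The decoder flags it as an invalid checksum, and whatever blocking action is tied to that alert (dropping in inline mode, or adding the peer address to the block list) cuts the firewall off from the very root servers it needs. Suppressing the alert per IP, Justin's fix, hides the symptom; turning the offload off, Laurent's, removes the cause. The script below is added here and is not part of pfSense or the Suricata package. It checks FreeBSD ifconfig output for the offload flags, shows the one-shot ifconfig fix (the pfSense setting under System > Advanced > Networking, "Disable hardware checksum offload", makes it survive a reboot), and generates threshold.config suppress lines for the workaround. The interface name em1 comes from the dhcpd log at the top of the thread, the sample ifconfig output is constructed, and the decoder-event sid is deliberately left as a parameter to look up in your own decoder-events.rules.

```shell
#!/bin/sh
# Added example, not from the thread or the pfSense Suricata package.
IFACE="${IFACE:-em1}"   # assumed from the dhcpd log line in the thread

# Constructed sample of FreeBSD ifconfig output (not captured from Justin's box),
# showing RXCSUM/TXCSUM still enabled on the interface Suricata runs inline on.
SAMPLE_IFCONFIG='em1: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
    options=4219b<RXCSUM,TXCSUM,VLAN_MTU,VLAN_HWTAGGING,VLAN_HWCSUM,TSO4,WOL_MAGIC,VLAN_HWTSO>
    ether 00:00:00:00:00:01
    inet 10.0.1.1 netmask 0xffffff00 broadcast 10.0.1.255'

# Read ifconfig output on stdin and print the checksum-offload flags that are
# set (RXCSUM, TXCSUM and their _IPV6 variants), space separated, or nothing.
csum_offload_flags() {
    sed -n 's/.*options=[0-9a-f]*<\(.*\)>.*/\1/p' |
        tr ',' '\n' |
        grep -E '^(RX|TX)CSUM(_IPV6)?$' |
        tr '\n' ' ' | sed 's/ $//'
}

# Exit 0 if any checksum offload flag is present in the ifconfig output on stdin.
csum_offload_on() {
    [ -n "$(csum_offload_flags)" ]
}

# The cause-level fix for the running system: clear the offload flags on the
# interface. This does not persist; use the pfSense GUI setting for that.
disable_csum_offload() {
    ifconfig "$1" -rxcsum -txcsum
}

# The symptom-level workaround as Suricata threshold.config lines: stop the
# invalid-checksum decoder alert for traffic to the listed addresses.
# SID is the sid of "SURICATA UDPv4 invalid checksum" in decoder-events.rules
# of the rule set in use; it is passed in, not assumed here.
suppress_lines() {
    sid="$1"; shift
    for ip in "$@"; do
        echo "suppress gen_id 1, sig_id $sid, track by_dst, ip $ip"
    done
}

# Live check only when asked, so the functions can be sourced/tested.
if [ -n "${RUN_CHECK:-}" ]; then
    flags=$(ifconfig "$IFACE" | csum_offload_flags)
    if [ -n "$flags" ]; then
        echo "$IFACE: checksum offload on ($flags); inline Suricata will see bad checksums on outbound packets"
        echo "fix now with: ifconfig $IFACE -rxcsum -txcsum"
    else
        echo "$IFACE: checksum offload off"
    fi
fi
```

`RUN_CHECK=1 sh csum-check.sh` reports the state of em1; `suppress_lines <sid> 198.41.0.4 ...` prints the entries Justin's workaround amounts to. Prefer the offload fix: the suppress entries only cover the addresses you list, and any other outbound UDP from the firewall itself (NTP, forwarders added later) would hit the same alert.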