Topic: [SOLVED] DNS Resolver (Unbound) Unable to Start

dodiggitydag
[SOLVED] DNS Resolver (Unbound) Unable to Start
« on: January 15, 2018, 02:11:49 pm »
It is sad to have your network stop working abruptly just to find out your DNS Server is down!

Error log for DNS Resolver whenever I try to start the service:

Code:
Jan 15 13:46:32  unbound  7695:0  fatal error: failed to setup modules 
Jan 15 13:46:32  unbound  7695:0  error: module init for module validator failed 
Jan 15 13:46:32  unbound  7695:0  error: validator: could not apply configuration settings. 
Jan 15 13:46:32  unbound  7695:0  error: validator: error in trustanchors config 
Jan 15 13:46:32  unbound  7695:0  error: error reading auto-trust-anchor-file: /var/unbound/root.key 
Jan 15 13:46:32  unbound  7695:0  error: failed to read /root.key 
Jan 15 13:46:32  unbound  7695:0  notice: init module 0: validator

Error when I try to update the configuration file:
Code:
The following input errors were detected:
The generated config file cannot be parsed by unbound. Please correct the following errors:
/var/unbound/test/unbound_server.pem: No such file or directory
[1516046660] unbound-checkconf[17975:0] fatal error: server-cert-file: "/var/unbound/test/unbound_server.pem" does not exist

I noticed my DNS Resolver configuration no longer shows the interfaces I had originally selected.

This happened to me on my custom hardware, so I purchased an SG-3100 two weeks ago.  Now I have the same issue after configuring the system from scratch.  Help!!
« Last Edit: January 15, 2018, 08:19:29 pm by dodiggitydag »

Gertjan
Re: DNS Resolver (Unbound) Unable to Start
« Reply #1 on: January 15, 2018, 02:58:41 pm »
Quote from: dodiggitydag
    It is sad to have your network stop working abruptly just to find out your DNS Server is down...
    fatal error: server-cert-file: "/var/unbound/test/unbound_server.pem" does not exist
....
Saw this a couple of weeks ago.

It's time to find out the pfSense version ... but I'll bet it isn't 2.4.2 (latest).

Your SG-3100 device should be treated as any other computer that you un-box: before even looking at it, you upgrade, because what's in it could be something from the far past.
Just ... upgrade.
And if there is the slightest problem, take out the re-install CD/DVD/USB and make your own - clean !! - device (no more Dell/Toshiba/Acer/Sony/Whatever bullshit software on your computer).

The files it's looking for should be in /var/unbound/test/ - the test directory that doesn't exist.
The files are all in /var/unbound/: see for yourself:
Code:
[2.4.2-RELEASE][admin@pfsense.brit-hotel-fumel.net]/var/unbound: ls -al
total 72
drwxr-xr-x   5 unbound  unbound   512 Jan 15 12:07 .
drwxr-xr-x  32 root     wheel     512 Dec 21 10:50 ..
-rw-r--r--   1 root     unbound   314 Jan 13 02:27 access_lists.conf
drwxr-xr-x   2 unbound  unbound   512 Dec 12 20:49 conf.d
-rw-r--r--   1 root     unbound  1676 Jan 13 02:27 dhcpleases_entries.conf
-rw-r--r--   1 root     unbound  3578 Nov 25  2015 dnsbl_cert.pem
-rw-r--r--   1 root     unbound     0 Jan 13 02:27 domainoverrides.conf
-rw-r--r--   1 root     unbound  5722 Jan 13 02:27 host_entries.conf
-rw-r--r--   1 root     unbound     0 Jun  7  2016 pfb_dnsbl.conf
-rw-r--r--   1 root     unbound  1216 May 30  2016 pfb_dnsbl_lighty.conf
-rw-r--r--   1 root     unbound   300 Jan 29  2015 remotecontrol.conf
-rw-r--r--   1 unbound  unbound  1252 Jan 15 12:06 root.key
-rw-r--r--   1 root     unbound  1823 Jan 13 02:27 unbound.conf
-rw-r-----   1 unbound  unbound  1277 Jan 29  2015 unbound_control.key
-rw-r-----   1 unbound  unbound   802 Jan 29  2015 unbound_control.pem
-rw-r-----   1 unbound  unbound  1277 Jan 29  2015 unbound_server.key
-rw-r-----   1 unbound  unbound   790 Jan 29  2015 unbound_server.pem
drwxr-xr-x   3 root     unbound   512 Jan  8 17:30 usr
drwxr-xr-x   3 root     unbound   512 Jan  8 17:30 var
You saw it, no /test/ directory.

But I advise you not to do anything. Install a new pfSense on your box. This will take 10 minutes or so (depending on whether the coffee is hot or not) and walks you through a very important experience, in case you need to do it once more in the future.
Just do it, you won't regret it.
We all installed our first pfSense on a machine for the first time.
Go !

dodiggitydag
Re: DNS Resolver (Unbound) Unable to Start
« Reply #2 on: January 15, 2018, 05:27:06 pm »
Hello Gertjan,
I love your personality :P .  I am running the latest firmware; however, I agree that a reinstall will be necessary.  Throughout the day I've been losing my configuration across the whole firewall.  I found the issue:

Code:
du -sh /var/log/*
This revealed that the Suricata log was taking 5.6G of the 7G drive.  LOL!  Now I've looked at the config, and I think the logs should have rotated... perhaps logging TLS certs was a bad idea.

I'll reinstall; that's something I'm very familiar with doing (too many times).

Thanks!!
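The root cause in this thread was a full disk (Suricata logs eating 5.6G of a 7G drive), which surfaced as Unbound failing to read its trust anchor and the config test reporting a missing file. The script below is an added example, not code from the thread or from pfSense: a small POSIX sh check that warns when the filesystem holding /var/unbound or /var/log crosses a usage threshold and, if so, lists the biggest subtrees under the log directory so the culprit is visible before DNS dies. The paths, the 90% limit and the "--check" argument are assumptions; it only runs the checks when invoked as `sh disk_headroom.sh --check`, so it can also be sourced.

```shell
#!/bin/sh
# Added example (not from the forum thread): disk headroom check for a
# pfSense/FreeBSD box where runaway logs can fill the drive and stop
# Unbound from reading/writing files under /var/unbound.
# Paths, threshold and argument name are assumptions.

# Parse one "df -P" data line and print the use percentage as a bare integer.
# Constructed input example: "/dev/ufsid/abc 7000000 6700000 300000 96% /"
df_use_pct() {
    # $1: one df -P line; field 5 is "NN%", strip the percent sign
    printf '%s\n' "$1" | awk '{ gsub("%", "", $5); print $5 }'
}

# Return 0 when a used-percentage is strictly below the limit, 1 otherwise.
headroom_ok() {
    [ "$1" -lt "$2" ]
}

# Return 0 if the filesystem holding $1 is below $2 percent used (default 90).
# Missing paths are skipped rather than treated as failures.
check_disk_headroom() {
    path=$1; limit=${2:-90}
    [ -e "$path" ] || { echo "skip: $path does not exist" >&2; return 0; }
    line=$(df -P "$path" | tail -n 1)
    used=$(df_use_pct "$line")
    if headroom_ok "$used" "$limit"; then
        return 0
    fi
    echo "WARN: filesystem holding $path is at ${used}% (limit ${limit}%)" >&2
    return 1
}

# Read "du -sk" style output (size_kb<TAB>path) on stdin, print the N largest.
top_consumers() {
    n=${1:-5}
    sort -rn | head -n "$n"
}

# Human-readable list of the biggest subtrees under a log directory.
report_log_hogs() {
    dir=${1:-/var/log}; n=${2:-5}
    du -sk "$dir"/* 2>/dev/null | top_consumers "$n" \
        | awk -F '\t' '{ printf "%8.1f MB  %s\n", $1/1024, $2 }'
}

main() {
    rc=0
    for p in /var/unbound /var/log; do
        if ! check_disk_headroom "$p" 90; then
            rc=1
            report_log_hogs /var/log 5
        fi
    done
    return "$rc"
}

# Run the checks only when asked; sourcing the file just defines the functions.
if [ "${1:-}" = "--check" ]; then
    main
fi
```

Wired into cron (or a pfSense cron package entry) it gives a non-zero exit and a top-N list when headroom is gone, which is the signal the thread lacked until `du -sh /var/log/*` was run by hand.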