Hi,
IPFire 2.25 Core 153
Unbound is set up with the supplied unbound.conf file (note that this file has some temporary options):
#
# Unbound configuration file for IPFire
#
# The full documentation is available at:
# https://nlnetlabs.nl/documentation/unbound/unbound.conf/
#
server:
    # CUSTOM
    val-permissive-mode: yes

    # Common Server Options
    chroot: ""
    directory: "/etc/unbound"
    username: "nobody"
    do-ip6: no
    port: 53

    # System Tuning
    include: "/etc/unbound/tuning.conf"

    # Logging Options
    use-syslog: yes
    log-time-ascii: yes

    # Unbound Statistics
    statistics-interval: 86400
    extended-statistics: yes

    # Prefetching
    prefetch: yes
    prefetch-key: yes

    # Randomise any cached responses
    rrset-roundrobin: yes

    # Privacy Options
    hide-identity: yes
    hide-version: yes

    # DNSSEC
    auto-trust-anchor-file: "/var/lib/unbound/root.key"
    #trust-anchor-file: "/var/lib/unbound/root.key"
    val-log-level: 2
    log-servfail: yes

    # Hardening Options
    harden-large-queries: yes
    harden-referral-path: yes
    aggressive-nsec: yes

    # TLS
    tls-cert-bundle: /etc/ssl/certs/ca-bundle.crt

    # EDNS Buffer Size (#12240)
    edns-buffer-size: 1232

    # Harden against DNS cache poisoning
    unwanted-reply-threshold: 1000000

    # Listen on all interfaces
    interface-automatic: yes
    interface: 0.0.0.0

    # Allow access from everywhere
    access-control: 0.0.0.0/0 allow

    # Bootstrap root servers
    root-hints: "/etc/unbound/root.hints"

    # Include DHCP leases
    include: "/etc/unbound/dhcp-leases.conf"

    # Include hosts
    include: "/etc/unbound/hosts.conf"

    # Include any forward zones
    include: "/etc/unbound/forward.conf"

remote-control:
    control-enable: yes
    control-use-cert: no
    control-interface: 127.0.0.1

# Import any local configurations
include: "/etc/unbound/local.d/*.conf"
Here’s the forward.conf:
# This file is automatically generated and any changes
# will be overwritten. DO NOT EDIT!
forward-zone:
    name: "."
    forward-tls-upstream: yes
    forward-addr: 8.8.8.8@853#dns.google
    forward-addr: 8.8.4.4@853#dns.google
resolv.conf:
search [the firewall hostname]
nameserver 127.0.0.1
options trust-ad
OK, I struggled to death to get the correct anchor file, but that was eventually resolved (get it…) by specifying the -f parameter to unbound-anchor to provide my own resolv.conf file (which had a nameserver of 8.8.8.8 instead of 127.0.0.1); that gave me the correct anchor file.
But it still didn't work, so I found a topic on here and an answer from Michael that said to try switching PROTO on the dns.cgi WUI to UDP/TCP/TLS. Now here is where it gets interesting:
On UDP: It just gives an unbound error saying the anchor isn’t trusted
On TCP: same error as UDP - anchor isn’t trusted.
On TLS, however, it works exactly as expected, so kudos. Perfect.
But now comes my problem…
When I restart the machine, DNS fails completely with error:
<SERVFAIL> <domain - this includes all domains that needs resolving A/AAAA IN>: all the configured stub or forward servers failed, at zone .
Obviously this goes without saying, but I'm gonna say it anyway: unbound is running after the restart; it's just failing with that error in /var/log/messages.
The forward.conf file remains unchanged between reboots, and so does the unbound.conf file; I double-checked that.
ONLY WAY TO FIX IT:
At this point, if you check the firewall connections page, the firewall isn't opening any connections to the nameservers (8.8.8.8, 8.8.4.4) on ports 53 or 853.
Step 1: Go onto the WUI -> Network -> Domain Name System and just click the Save button without changing any options.
This makes it so that the connections page starts showing connections to the nameservers on port 853, but there are still no DNS resolutions from firewall clients (clients connected to the green interface). The unbound log also stops complaining about the forward zones, and name resolution on the IPFire server itself works (nslookup with 127.0.0.1, and dig).
If you check DNSSEC with dig CLI commands, everything checks out - so unbound DNSSEC is now working perfectly.
Also, if you click the “Check DNS Servers” button on the Network -> Domain Name System page (dns.cgi), it says OK (before step 1 it failed), but the title Status still says “broken”.
Step 2: on the CLI, run /etc/init.d/unbound restart
This fixes it completely, now all clients can send DNS queries, you can see open connections on the connections page, and there are no more errors on the unbound log.
I inspected the dns.cgi file briefly; here is what I discovered:
Firstly, after you click the Save button it generates a YAML file with the correct nameservers that are configured on the DNS page. I assume it gets copied over to forward.conf by another service; I didn't investigate that far yet.
Also, I don't know Perl all that well, so it's slow going.
Then it goes on to issue a system command “suricatactrl restart”.
As far as I can tell, that's all the WUI does after clicking the Save button.
Even if I issue the suricatactrl restart command on the CLI and then /etc/init.d/unbound restart, this still does not fix my problem.
If I remember right, the suricatactrl restart command also restarts the firewall service.
Also, I disabled the proxy service and the IPS/IDS services while resolving all the errors I got after the Core 153 update, so they are still disabled and not starting.
So I tried restarting the firewall (/etc/init.d/firewall restart) and then /etc/init.d/unbound restart too, with no success. I'm running out of things to check next; I can't spend 3 full days investigating and fixing something that should be working by default.
I need a fix for this.
Please can I get some feedback from someone who knows, or maybe had a similar issue?
Let me know if you need more log files or conf files.
Thank you
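Added example (not part of the post above, and not IPFire or Unbound code): a small Python linter for Unbound configuration text of the layout shown above. Beyond the boot-order problem the poster is chasing, the posted files carry settings a practitioner would want flagged before the box goes back into service: `val-permissive-mode: yes` (marked CUSTOM) makes the validator return bogus or unsigned answers instead of SERVFAIL, so all the work on the trust anchor is not actually enforced while it is set; `access-control: 0.0.0.0/0 allow` together with `interface-automatic: yes` answers any source on any interface and relies on the packet filter; and DNS-over-TLS forwarders are only authenticated when a CA bundle is configured and each `forward-addr` carries a `#auth-name`. The parser handles `#` the way Unbound's lexer does (a comment only at the start of a token, so `8.8.8.8@853#dns.google` keeps its auth name). It is not `unbound-checkconf`, does not follow `include:` lines, and the sample config is a constructed excerpt of the posted unbound.conf and forward.conf with the comments removed.

```python
"""Lint Unbound configuration text for weak settings (added example, not
IPFire or Unbound code).  Handles the clause/option layout used by IPFire
(server:, remote-control:, forward-zone:); include: lines are not followed,
so the text of the included forward.conf is pasted into the same string."""
import re

# '#' starts a comment only at the start of a token; inside a token such as
# 8.8.8.8@853#dns.google it separates the TLS authentication name.
_COMMENT = re.compile(r"(^|\s)#.*$")
_CLAUSE = re.compile(r"^([a-z-]+):\s*$")
_OPTION = re.compile(r"^([a-z0-9-]+):\s*(.*)$")

# Constructed sample: the security-relevant lines of the unbound.conf and
# forward.conf quoted in the post, comments removed.
POSTED_CONF = """
server:
    val-permissive-mode: yes
    tls-cert-bundle: /etc/ssl/certs/ca-bundle.crt
    interface-automatic: yes
    access-control: 0.0.0.0/0 allow
remote-control:
    control-enable: yes
    control-use-cert: no
    control-interface: 127.0.0.1
forward-zone:
    name: "."
    forward-tls-upstream: yes
    forward-addr: 8.8.8.8@853#dns.google
    forward-addr: 8.8.4.4@853#dns.google
"""


def parse(text):
    """Return [(clause, {option: [values]})] in file order; repeated options
    such as forward-addr and access-control keep every value."""
    clauses = [("", {})]
    for raw in text.splitlines():
        line = _COMMENT.sub("", raw).strip()
        if not line:
            continue
        if m := _CLAUSE.match(line):
            clauses.append((m.group(1), {}))
        elif m := _OPTION.match(line):
            value = m.group(2).strip().strip('"')
            clauses[-1][1].setdefault(m.group(1), []).append(value)
        else:
            raise ValueError("unparsed line: %r" % raw)
    return clauses


def _last(opts, key, default=None):
    """Unbound keeps the last occurrence of a single-valued option."""
    return opts.get(key, [default])[-1]


def lint(text):
    """Return findings as (severity, option, message) tuples."""
    clauses = parse(text)
    server, rc, findings = {}, {}, []
    for name, opts in clauses:  # merge repeated server/remote-control clauses
        target = {"server": server, "remote-control": rc}.get(name)
        if target is not None:
            for key, values in opts.items():
                target.setdefault(key, []).extend(values)
    if _last(server, "val-permissive-mode", "no") == "yes":
        findings.append(("HIGH", "val-permissive-mode",
                         "bogus or unsigned answers are returned instead of "
                         "SERVFAIL; the trust anchor is not enforced"))
    open_acl = any(re.match(r"(0\.0\.0\.0/0|::/0|::0/0)\s+allow", a)
                   for a in server.get("access-control", []))
    if open_acl and (_last(server, "interface-automatic", "no") == "yes"
                     or "0.0.0.0" in server.get("interface", [])):
        findings.append(("MEDIUM", "access-control",
                         "any source may query on any interface; an open "
                         "resolver unless the packet filter blocks port 53"))
    if (_last(rc, "control-enable", "no") == "yes"
            and _last(rc, "control-use-cert", "yes") == "no"):
        for iface in rc.get("control-interface", ["127.0.0.1"]):
            if iface not in ("127.0.0.1", "::1") and not iface.startswith("/"):
                findings.append(("HIGH", "control-interface",
                                 f"unauthenticated control channel on {iface}; "
                                 "control-use-cert: no is only safe on loopback"))
    has_ca = any(k in server for k in ("tls-cert-bundle", "tls-win-cert"))
    for name, opts in clauses:
        if name != "forward-zone" or _last(opts, "forward-tls-upstream", "no") != "yes":
            continue  # plaintext forwarders are outside this check
        zone = _last(opts, "name", "?")
        if not has_ca:
            findings.append(("HIGH", "tls-cert-bundle", f"zone {zone}: TLS "
                             "upstream without a CA bundle; certs are not verified"))
        for addr in opts.get("forward-addr", []):
            if "#" not in addr:
                findings.append(("MEDIUM", "forward-addr", f"zone {zone}: {addr} "
                                 "has no #auth-name; encrypted but not authenticated"))
    return findings


if __name__ == "__main__":
    for severity, option, message in lint(POSTED_CONF):
        print(f"{severity:6} {option}: {message}")
```

Run against the posted excerpt it reports exactly two findings, `val-permissive-mode` and `access-control`; the TLS forwarders pass because the CA bundle and both `#dns.google` auth names are present, and remote control passes because it is bound to 127.0.0.1. Once the anchor and the TLS forwarding are confirmed working, dropping `val-permissive-mode` (or setting it to `no`) is what turns the validator back into an enforcing one.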