OPNsense Forum
Archive => 22.7 Legacy Series => Topic started by: tillsense on December 15, 2022, 06:20:59 pm
-
Hi all,
Unbound contacts the root server(s) at startup. With a DoT config and firewall rules that prevent port 53, this makes no sense. An option in the GUI to prevent this would be suitable at this point, or even in this case the default?
cheers
till
-
Hi!
Is 22.7.9_3 applied?
-
Hi,
oops... yes the version is 22.7.9_3
cheers
till
-
uh...looks like unbound-checkconf is screwing up in one more place
can you test with
opnsense-patch -a kulikov-a f0f1bed
please?
-
Very nice, that's OK :) But the unbound service starts 3 times for one start, I just see?
-
sorry, I didn't quite understand )
no roots poking with the patch applied?
service starts 3 times for one start I just see?
the patch only changes the working dir before the unbound config test (unbound-checkconf chroot issue) so that a false error does not trigger the trust anchor update
https://github.com/kulikov-a/core/commit/f0f1bed75801b097a4d53a59484c0b386cf961e7
nothing else changes in behavior
-
yes must be older this is already longer so according to logs
-
sorry for the noise, is the problem gone or does it still show up sometimes?
-
Hi Fright,
Currently not, but I have an eye on it. Why unbound starts 3 times for the service runs through is not yet clear to me, but thanks for your quick support and the patch!
cheers
till
-
Thanks, @tillsense
The patch is merged (https://github.com/opnsense/core/pull/6197); it just remained not completely clear whether it is guaranteed to eliminate the issue.
about 3-time starts: maybe there are additional inputs? unbound now starts way faster (with the py module). is it possible that you just click the Apply button on the DoT page a few times?
-
... is it possible that you just click the Apply button on the DoT page a few times?
..no, at boot the same. Logs say only start and stop 3x within 2-3 min... I have an internal CA so I notice that immediately.
cheers
till
-
yes, it is possible and depends on the actual system configuration and events (the patch didn't change anything about it). afaiu plugin management has "hooks" that manage plugin actions in response to system events (to let plugins "know" about system changes). for unbound it is: https://github.com/opnsense/core/blob/bdab4f6970ed0975f132bdf0879ad51b7bca3b57/src/etc/inc/plugins.inc.d/unbound.inc#L43-L48
you can see what hook triggers the unbound action in the general log (search by the "unbound_" keyword)