OPNsense Forum

Archive => 19.1 Legacy Series => Topic started by: chemlud on February 15, 2019, 03:15:38 pm

Title: Revert unbound to 18.7.7 - not possible?
Post by: chemlud on February 15, 2019, 03:15:38 pm
Hello again!

Have here a fresh install of 19.1.1 amd64 with LibreSSL and DNS over TLS configured. Unbound not stable under these conditions, see here

https://forum.opnsense.org/index.php?topic=7811.msg48949#msg48949


:-(

But if I try to revert unbound to the version doing fine with 18.7.x, by

Code:
opnsense-revert -r 18.7.7 unbound
I only get "Fetching unbound.txz... failed"

(while unbound is UP and running).

Is it not possible to run 19.1.1 with this old version of unbound?

___________________

Was it only a problem with Suricata (not yet) configured correctly (and therefore not starting up)? Now Unbound has been stable for quite some time.

Title: Re: Revert unbound to 18.7.7 - not possible?
Post by: franco on February 15, 2019, 03:56:58 pm
# pkg add -f https://pkg.opnsense.org/FreeBSD:11:amd64/18.7/MINT/18.7.5/LibreSSL/All/unbound-1.7.3.txz

Unbound 1.9.0 will hit 19.1.2 along with LibreSSL 2.8.3... Can't get worse in that regard I hope.


Cheers,
Franco
Title: Re: Revert unbound to 18.7.7 - not possible?
Post by: chemlud on February 15, 2019, 04:02:58 pm
... since my post unbound has been stable. Amazing!

Will try to update (fresh install + config) my systems over the weekend to see how 19.1.1 does on the different platforms :-)
Title: Re: Revert unbound to 18.7.7 - not possible?
Post by: chemlud on February 15, 2019, 05:04:18 pm
But 3 min later unbound exited on signal 11....
Title: Re: Revert unbound to 18.7.7 - not possible?
Post by: chemlud on February 19, 2019, 04:10:10 pm
Hi Franco, the command you provided downgrades unbound to 1.7.3. However, on my other LibreSSL/DNSoverTLS installs I have 1.8.1 (locked since 18.7.9), which is doing fine.

I'm now upgrading the 18.7.9 (via 18.7.10.4) to 19.1.1; hopefully this release will play nice with unbound 1.8.1... (otherwise I will have to downgrade).
Title: Re: Revert unbound to 18.7.7 - not possible?
Post by: chemlud on February 19, 2019, 04:44:02 pm
Oops, didn't know that the package lock will not survive the upgrade to 19.1.1... so reverted unbound to 1.7.3.
Title: Re: Revert unbound to 18.7.7 - not possible?
Post by: franco on February 19, 2019, 06:01:35 pm
Yes, safety measure on major upgrades, otherwise things may break leaving the system in a defunct state.


Cheers,
Franco
Title: Re: Revert unbound to 18.7.7 - not possible?
Post by: chemlud on February 19, 2019, 06:12:23 pm
Meanwhile I updated 2 systems with 19.1.1/LibreSSL to unbound 1.8.1, which seems to do fine. So the problem is somewhere between 1.8.1 and 1.8.2 or 1.8.3.

Unbound 1.8.3 with DNSoverTLS is doing fine with 19.1.1 when using OpenSSL, as expected.
Title: Re: Revert unbound to 18.7.7 - not possible?
Post by: chemlud on February 28, 2019, 10:44:32 pm
I updated to 19.1.2 with unbound locked to version 1.8.1. After reboot unbound simply doesn't start, nothing in the logs. I tried to replace pkg.opnsense.org with the IP but get an SSL certificate error when trying to download unbound.

No DNS here, any ideas how to resolve? 
Title: Re: Revert unbound to 18.7.7 - not possible?
Post by: chemlud on March 01, 2019, 09:42:19 am
OK, switched to DNSmasq and updated unbound to 1.9.0_1, let's see if it's stable with DNS over TLS and LibreSSL :-)
Title: Re: Revert unbound to 18.7.7 - not possible?
Post by: chemlud on March 01, 2019, 02:36:34 pm
Update on: DNS over TLS (unbound) with LibreSSL

Apparently unbound 1.9.0_1 is stable in this setup (tested for 2-3 hours now... keep fingers crossed). :-D
Title: Re: Revert unbound to 18.7.7 - not possible?
Post by: franco on March 01, 2019, 04:30:24 pm
Not sure what went wrong here with the locked package, but keeping fingers crossed for 1.9.0 indeed...


Cheers,
Franco
Title: Re: Revert unbound to 18.7.7 - not possible?
Post by: chemlud on March 02, 2019, 11:36:48 am
...took about 24 hours, but then unbound exited on "signal 11" according to the System log...

will try to downgrade unbound and see if it starts with 19.1.2...
Title: Re: Revert unbound to 18.7.7 - not possible?
Post by: chemlud on March 02, 2019, 11:54:48 am
Downgraded to unbound 1.8.1, which will not start due to

Code:
Mar 2 11:40:07 opnsense: /status_services.php: The command '/usr/local/sbin/unbound -c '/var/unbound/unbound.conf'' returned exit code '1', the output was 'Shared object "libssl.so.45" not found, required by "unbound"'
in the sys log.
Title: Re: Revert unbound to 18.7.7 - not possible?
Post by: chemlud on March 02, 2019, 05:09:49 pm
Is there sumfink like a "service watchdog" which could monitor unbound and restart if it dies away? :-)
Title: Re: Revert unbound to 18.7.7 - not possible?
Post by: newsense on March 03, 2019, 05:44:03 am
Monit might be able to help, however that doesn't change the fact that whatever changes were introduced in 18.7.10 in either Unbound or HBSD keep on lingering and causing it to crash. I couldn't touch any of the PRD systems to enable the swap and provide better info for lattera to look into...


Interestingly, there's one system that's not affected among many others, and I just noticed Suricata was not ON there. I'm trying now on an APU that crashes heavily to see if there are any changes.
Title: Re: Revert unbound to 18.7.7 - not possible?
Post by: chemlud on March 03, 2019, 09:39:36 am
You also run the LibreSSL flavour and try to do DNS over TLS? I thought I'm the only one! :-D

I had a quick look at Monit yesterday, but it's anything but straightforward how to use this beast. I would have to figure out the path to the .pid file for unbound as well as the correct command to restart unbound. And test this and and and... No time for this currently...
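One way to build the watchdog asked for above, as an added example that is not from the thread, from Monit or from the OPNsense project: a small Python probe that checks the Unbound pid file, sends a real DNS query to the local resolver and restarts the service only when either check fails. It assumes the pid file is /var/run/unbound.pid, that Unbound listens on 127.0.0.1:53 and that `configctl unbound restart` is the restart command; adjust those constants for your box and run it periodically from cron.

```python
"""Unbound health probe and restart helper (added example, not OPNsense code).

Assumed, not taken from the thread: the pid file path, the listen address
and the restart command below. Intended to be run periodically from cron.
"""
import os
import socket
import struct
import subprocess
import sys
from typing import Tuple

PID_FILE = "/var/run/unbound.pid"                   # assumption
PROBE_SERVER = ("127.0.0.1", 53)                    # assumption: Unbound on localhost
RESTART_CMD = ["configctl", "unbound", "restart"]   # assumption: OPNsense service control
PROBE_NAME = "opnsense.org"
TXID = 0x1234


def build_query(name: str, txid: int = TXID) -> bytes:
    """Build a minimal DNS A/IN query in wire format with the RD flag set."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    labels = name.rstrip(".").split(".")
    qname = b"".join(bytes([len(lbl)]) + lbl.encode("ascii") for lbl in labels)
    return header + qname + b"\x00" + struct.pack("!HH", 1, 1)  # QTYPE A, QCLASS IN


def parse_response(data: bytes, txid: int = TXID) -> Tuple[bool, int]:
    """Return (reply matches our txid and has QR set, RCODE); (False, -1) if too short."""
    if len(data) < 12:
        return False, -1
    rid, flags = struct.unpack("!HH", data[:4])
    return (rid == txid and bool(flags & 0x8000)), flags & 0x000F


def pid_alive(pid_file: str = PID_FILE) -> bool:
    """True if the pid in the pid file exists. Unbound runs as uid 59 (see the
    kernel log lines in this thread), so a PermissionError from signal 0 when
    probing as another user still means the process is there."""
    try:
        with open(pid_file) as fh:
            pid = int(fh.read().strip())
    except (OSError, ValueError):
        return False
    try:
        os.kill(pid, 0)
    except PermissionError:
        return True
    except OSError:
        return False
    return True


def probe_dns(server=PROBE_SERVER, timeout: float = 2.0) -> bool:
    """Send one UDP query; NOERROR or NXDOMAIN both prove the resolver answers."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        try:
            sock.sendto(build_query(PROBE_NAME), server)
            data, _ = sock.recvfrom(512)
        except OSError:          # timeout, connection refused, ...
            return False
    ok, rcode = parse_response(data)
    return ok and rcode in (0, 3)


def check_and_restart(dry_run: bool = False) -> str:
    """Return 'healthy', or 'restart' after issuing the restart command."""
    if pid_alive() and probe_dns():
        return "healthy"
    if not dry_run:
        subprocess.run(RESTART_CMD, check=False)
    return "restart"


if __name__ == "__main__":
    print(check_and_restart(dry_run="--dry-run" in sys.argv))
```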
Title: Re: Revert unbound to 18.7.7 - not possible?
Post by: newsense on March 03, 2019, 04:05:15 pm
Kinda hard seeing the value of 'dumping half of the old/buggy/unused for decades OpenSSL code in the first 30 days of forking it' ;-)

So yeah, I'm pushing for it everywhere and worked just fine until 18.7.10. I have a higher degree of confidence the OpenBSD people are more concerned and focused on secure coding principles and a good track record in that regard than pretty much anyone else playing with forks.
Title: Re: Revert unbound to 18.7.7 - not possible?
Post by: chemlud on March 03, 2019, 04:13:48 pm
I would really love to learn where in the Bermuda triangle of BSD - LibreSSL - unbound the error sits. Or if it is a "misconfig" in the DNS servers' SSL/TLS unbound is contacting....
Title: Re: Revert unbound to 18.7.7 - not possible?
Post by: newsense on March 03, 2019, 04:22:18 pm
Arguably out of it. It dies on the hands of HBSD apparently. Otherwise Unbound thrives on DoT/DoH on 1.8.3 using pfSense which lacks the HBSD hardening. It would be extremely doubtful that any major workarounds that aren't public have been done in pfS in that regard.
Title: Re: Revert unbound to 18.7.7 - not possible?
Post by: chemlud on March 03, 2019, 04:50:12 pm
But pfSense is not LibreSSL, or? For me unbound has been stable with OpenSSL and DNS over TLS in the past...
Title: Re: Revert unbound to 18.7.7 - not possible?
Post by: newsense on March 04, 2019, 04:19:13 am
That's correct.

My point however, although arguably incomplete, was that the issues were present on both OpenSSL and LibreSSL, with no indication whatsoever about an SSL issue when crashing.

The only issue I saw on OpenSSL/pfSense regarding Unbound was shortly after 1.1.1.1 launched and lasted less than 24h and was dealt with server side by Cloudflare. Basically quad1 would fail to connect while quad9 would be just fine.

At the same time OPNsense/LibreSSL/Unbound were working just fine on both DoT services.
Title: Re: Revert unbound to 18.7.7 - not possible?
Post by: chemlud on March 04, 2019, 08:59:35 pm
But now I can only stay at 19.1.1 with LibreSSL and unbound with DNS over TLS or switch to OpenSSL for updating. I'm a little lost at the moment...
Title: Re: Revert unbound to 18.7.7 - not possible?
Post by: miroco on March 04, 2019, 09:54:52 pm
@chemlud

I've experienced your exact predicament and I took the "Stubby" route after the 19.1 release following the "directnupe" guide. As far as I can tell it's working very well. I'm on 19.1.2 LibreSSL flavour.

https://forum.opnsense.org/index.php?topic=10062.0

miroco
Title: Re: Revert unbound to 18.7.7 - not possible?
Post by: chemlud on March 04, 2019, 10:10:49 pm
I have no GetDNS and no Stubby installed, so you mean I should install Stubby? :)
Title: Re: Revert unbound to 18.7.7 - not possible?
Post by: miroco on March 04, 2019, 10:33:11 pm
It's working for me. The following notes are an extract of the "directnupe" guide. They helped me get a better overview of the process. However I do strongly advise you to read up on his guide prior to making the installation/configuration.

miroco


GetDNS and Stubby

# pkg add https://pkg.opnsense.org/FreeBSD:11:amd64/19.1/MINT/19.1.2/LibreSSL/All/libidn-1.34_1.txz
# pkg add https://pkg.opnsense.org/FreeBSD:11:amd64/19.1/MINT/19.1.2/LibreSSL/All/libuv-1.26.0.txz
# pkg add https://pkg.opnsense.org/FreeBSD:11:amd64/19.1/MINT/19.1.2/LibreSSL/All/libev-4.24,1.txz
# pkg add https://pkg.opnsense.org/FreeBSD:11:amd64/19.1/MINT/19.1.2/LibreSSL/All/getdns-1.5.1.txz

# su -m unbound -c /usr/local/sbin/unbound-anchor

# mv /usr/local/etc/rc.d/stubby /usr/local/etc/rc.d/stubby.sh

Make it executable - I run two commands - it works for me:
# chmod 744 /usr/local/etc/rc.d/stubby.sh
# chmod a+x /usr/local/etc/rc.d/stubby.sh

You must enable the Stubby daemon in the file - open the file with: nano /usr/local/etc/rc.d/stubby.sh
go to line 27 -

: ${stubby_enable="NO"}  change the setting to  : ${stubby_enable="YES"}

That is all you have to do to this file. It comes pre-configured. Save and exit.

Now you must configure Stubby to resolve DNS OVER TLS - nano /usr/local/etc/stubby/stubby.yml

resolution_type: GETDNS_RESOLUTION_STUB

dns_transport_list:
  - GETDNS_TRANSPORT_TLS

tls_authentication: GETDNS_AUTHENTICATION_REQUIRED

tls_query_padding_blocksize: 128

edns_client_subnet_private : 1

round_robin_upstreams: 1

idle_timeout: 60000 # keep-alive for 1 min, for better performance

listen_addresses:
  - 127.0.0.1@8053   ## Stubby / Unbound ## Default Address/Port

https://raw.githubusercontent.com/getdnsapi/stubby/develop/stubby.yml.example

upstream_recursive_servers:
# IPV4 Servers
# The getdnsapi.net Server
  - address_data: 185.49.141.37
    tls_port: 853
    tls_auth_name: "getdnsapi.net"
    tls_pubkey_pinset:
      - digest: "sha256"
        value: foxZRnIh9gZpWnl+zEiKa0EJ2rdCGroMWm02gaxSc9Q=
# The Fondation RESTENA Server
  - address_data: 158.64.1.29
    tls_auth_name: "kaitain.restena.lu"
    tls_port: 853
    tls_pubkey_pinset:
      - digest: "sha256"
        value: 7ftvIkA+UeN/ktVkovd/7rPZ6mbkhVI7/8HnFJIiLa4=
### Test servers ###
## Surfnet/Sinodun Servers
  - address_data: 145.100.185.17
    tls_port: 853
    tls_auth_name: "dnsovertls2.sinodun.com"
    tls_pubkey_pinset:
      - digest: "sha256"
        value: NAXBESvpjZMnPWQcrxa2KFIkHV/pDEIjRkA3hLWogSg=
# The securedns.eu Server
  - address_data: 146.185.167.43
    tls_auth_name: "dot.securedns.eu"
    tls_port: 443
    tls_pubkey_pinset:
      - digest: "sha256"
        value: h3mufC43MEqRD6uE4lz6gAgULZ5/riqH/E+U+jE3H8g=
# The dns.cmrg.net Server
  - address_data: 199.58.81.218
    tls_port: 443
    tls_auth_name: "dns.cmrg.net"
    tls_pubkey_pinset:
      - digest: "sha256"
        value: 3IOHSS48KOc/zlkKGtI46a9TY9PPKDVGhE3W2ZS4JZo=
# DNSPRIVACY.at Primary DNS TLS Server
  - address_data: 94.130.110.185
    tls_port: 853
    tls_auth_name: "ns1.dnsprivacy.at"
    tls_pubkey_pinset:
      - digest: "sha256"
        value: vqVQ9TcoR9RDY3TpO0MTXw1YQLjF44zdN3/4PkLwtEY=
# DNSPRIVACY.at Secondary DNS TLS Server
  - address_data: 94.130.110.178
    tls_port: 853
    tls_auth_name: "ns2.dnsprivacy.at"
    tls_pubkey_pinset:
      - digest: "sha256"
        value: s5Em89o0kigwfBF1gcXWd8zlATSWVXsJ6ecZfmBDTKg=
# The dns.neutopia.org Server
  - address_data: 89.234.186.112
    tls_port: 443
    tls_auth_name: "dns.neutopia.org"
    tls_pubkey_pinset:
      - digest: "sha256"
        value: wTeXHM8aczvhRSi0cv2qOXkXInoDU+2C+M8MpRyT3OI=
### Anycast services ###
#Tenta ICANN DNS TLS Primary Server
  - address_data: 99.192.182.200
    tls_auth_name: "iana.tenta.io"
    tls_port: 853
    tls_pubkey_pinset:
      - digest: "sha256"
        value: nPzhfahBmQOFKbShlLBymTqPtZY31bPpKFnh0A86ys0=

## End of Sample File  /

Save and Exit


In order to have OPNsense use the default start-up script ( /usr/local/etc/rc.d/stubby.sh ) at boot time,
you will have to create a boot time start-up script for it in /etc/rc.conf.d/. Not to prolong this - do the following :
# nano /etc/rc.conf.d/stubby - in the new file enter the following two lines:

stubby_enable="YES" 
stubby_bootup_run="/usr/local/etc/rc.d/stubby.sh"

Save and exit

Then make the file executable - once again - works for me:

# chmod 744 /etc/rc.conf.d/stubby
# chmod a+x /etc/rc.conf.d/stubby

----

Now you must configure your Unbound DNS Server to use Stubby for DNS Over TLS.

UNBOUND GENERAL SETTINGS
Network Interfaces =   WAN LAN ( all of your LAN interfaces if you have more than one )
And You Must Select  Localhost - repeat -  You Must Select  Localhost!

Under Custom options enter the following :

server:
do-not-query-localhost: no
forward-zone:
name: "." # Allow all DNS queries
forward-addr:127.0.0.1@8053

## END OF ENTRY

Outgoing Network Interfaces  =  Localhost

Make Sure to NOT CHECK - DO NOT CHECK -  the box for DNS Query Forwarding.

Save and Apply Settings

Next -Under System > Settings  > General Settings

Set the first DNS Server to 127.0.0.1   with no gateway selected  /   
Make sure that DNS server option:

A - Allow DNS server list to be overridden by DHCP/PPP on WAN -  Is Not I repeat - Is Not Checked !

and DNS server option

B -  Do not use the DNS Forwarder/Resolver as a DNS server for the firewall Is Not  - I repeat - Is Not Checked !

I now only run  127.0.0.1  ( Localhost ) configured as the only DNS SERVER on my WAN interface.
If others were added to WAN, when I ran dig or drill commands /etc/resolv.conf allowed those addresses to be queried.
I  only want to use Stubby yml Name Servers for DNS TLS , so this was the determinative factor in my reasoning and decision.
Title: Re: Revert unbound to 18.7.7 - not possible?
Post by: franco on March 05, 2019, 07:42:22 pm
Someone finally notified Unbound after a bit of prodding ;)

https://www.nlnetlabs.nl/bugs-script/show_bug.cgi?id=4232
Title: Re: Revert unbound to 18.7.7 - not possible?
Post by: newsense on March 06, 2019, 08:07:23 am
Interesting, thanks for that.

Since Unbound kept on dying with what appeared to be an HBSD related error message I thought the proper chain would have required a bottom up approach and not the other way around.

Whenever a patch is available please let us know so we can work this issue out both here and upstream in that bug report - if needed.
Title: Re: Revert unbound to 18.7.7 - not possible?
Post by: chemlud on March 06, 2019, 09:37:13 pm
Nice to hear that things move forward, but as I wrote above I fear this will end in a Bermuda triangle between (H)BSD, LibreSSL and unbound. Hoping for the best... The solution with stubby is not something to implement in 5 min, this might be beyond my pay grade. :-(
Title: Re: Revert unbound to 18.7.7 - not possible?
Post by: miroco on March 06, 2019, 10:22:05 pm
How and for what reasons your OPNsense box is deployed dictates your freedom of action, of course. In my case, I'm the only user.

I started with a fresh backup of the configuration file. With it you can always return to the previous known good state. However, it will take longer than 5 min. Don't let anyone rush you.

Useful tools:
Putty
WinSCP
Notepad++


Then you can ask your boss for a raise :-)


miroco
Title: Re: Revert unbound to 18.7.7 - not possible?
Post by: chemlud on March 14, 2019, 09:43:24 pm
Hi!

I'm still on

19.1.1
LibreSSL 2.7.5
Unbound 1.8.1

Anybody tried to update and unbound still stable? (Last try is some days ago, iirc 19.1.2, and unbound was stable for about 24h)
Title: Re: Revert unbound to 18.7.7 - not possible?
Post by: franco on March 15, 2019, 07:22:05 am
It sounds a bit like upstream servers are part of the crashes...


Cheers,
Franco
Title: Re: Revert unbound to 18.7.7 - not possible?
Post by: chemlud on March 15, 2019, 08:21:08 am
That was what I expected, to be true...

But doesn't this imply there is something wrong with OpenSSL, if it can't work correctly with LibreSSL?
Title: Re: Revert unbound to 18.7.7 - not possible?
Post by: franco on March 15, 2019, 08:41:09 am
Remember Heartbleed? It was known that OpenSSL has its own "memory allocation" to speed it up, which kinda wraps around malloc and free and never really gives back memory to the system leading to "solicited" use after free. LibreSSL doesn't do this anymore so it would naturally crash sooner.

The underlying issue could be the same in OpenSSL and LibreSSL still (same fix) but barely escapes crashing in OpenSSL leaving a vulnerability door open for the future. ;)


Cheers,
Franco
Title: Re: Revert unbound to 18.7.7 - not possible?
Post by: franco on March 15, 2019, 08:45:35 am
PS: Or for the paranoia fans out there: it could already be exploited in the wild and LibreSSL actually protects you properly. ;)
Title: Re: Revert unbound to 18.7.7 - not possible?
Post by: chemlud on March 15, 2019, 11:19:38 am
Yeah, franco, reminds me that I have to take my pills :-D

But I'm kinda locked at the moment... stay on 19.1.1 as long as possible, until someone (me, on an experimental box? But no time currently...) confirms another setup is working well. Don't want to run around restarting unbound  every now and then.
Title: Re: Revert unbound to 18.7.7 - not possible?
Post by: chemlud on March 15, 2019, 11:23:59 am
PS: What really bugs me is that apparently nobody cares and the big players keep using this pile of trash called OpenSSL, whatever it takes, no matter what the price will be...
Title: Re: Revert unbound to 18.7.7 - not possible?
Post by: chemlud on March 16, 2019, 09:35:17 am
OK, I updated my test system (which I wanted to deploy weeks ago, anyways...) to 19.1.4 and unbound fails quite quickly and reliably.

Of note there is only ONE (1) client attached to the opnsense, only running a Firefox to keep the GUI of opnsense in sight for restarting unbound. Nothing else attached...

I get in GENERAL LOG:

Code:
Mar 16 02:59:12 kernel: [HBSD SEGVGUARD] [unbound (17174)] Suspension expired.
Mar 16 02:59:12 kernel: pid 17174 (unbound), uid 59: exited on signal 11
Mar 15 22:00:33 kernel: [HBSD SEGVGUARD] [unbound (93551)] Suspension expired.
Mar 15 22:00:33 kernel: pid 93551 (unbound), uid 59: exited on signal 11
Mar 15 20:01:59 kernel: [HBSD SEGVGUARD] [unbound (77728)] Suspension expired.
Mar 15 20:01:59 kernel: pid 77728 (unbound), uid 59: exited on signal 11
Mar 15 19:31:27 kernel: pid 5130 (unbound), uid 59: exited on signal 11
Mar 15 18:27:32 opnsense: /usr/local/etc/rc.linkup: The command '/usr/local/sbin/unbound -c '/var/unbound/unbound.conf'' returned exit code '1', the output was '[1552670852] unbound[74683:0] error: can't bind socket: Address already in use for 127.0.0.1 port 953 [1552670852] unbound[74683:0] error: cannot open control interface 127.0.0.1 953 [1552670852] unbound[74683:0] fatal error: could not open ports'

18:27 should be the time of REBOOT after updating from 18.7.10_4

...and in UNBOUND LOG:

Code:
Mar 16 08:55:00 unbound: [55520:2] info: generate keytag query _ta-4f66. NULL IN
Mar 16 08:54:08 unbound: [55520:0] info: start of service (unbound 1.9.0).
Mar 16 08:54:08 unbound: [55520:0] notice: init module 1: iterator
Mar 16 08:54:08 unbound: [55520:0] notice: init module 0: validator
Mar 16 00:17:18 unbound: [17174:3] info: generate keytag query _ta-4f66. NULL IN
Mar 16 00:17:17 unbound: [17174:0] info: start of service (unbound 1.9.0).
Mar 16 00:17:17 unbound: [17174:0] notice: init module 1: iterator
Mar 16 00:17:17 unbound: [17174:0] notice: init module 0: validator
Mar 15 21:04:14 unbound: [93551:0] info: generate keytag query _ta-4f66. NULL IN
Mar 15 21:04:10 unbound: [93551:0] info: start of service (unbound 1.9.0).
Mar 15 21:04:10 unbound: [93551:0] notice: init module 1: iterator
Mar 15 21:04:10 unbound: [93551:0] notice: init module 0: validator
Mar 15 19:38:52 unbound: [77728:1] info: generate keytag query _ta-4f66. NULL IN
Mar 15 19:38:51 unbound: [77728:0] info: start of service (unbound 1.9.0).
Mar 15 19:38:51 unbound: [77728:0] notice: init module 1: iterator
Mar 15 19:38:51 unbound: [77728:0] notice: init module 0: validator
Mar 15 18:51:49 unbound: [5130:2] info: generate keytag query _ta-4f66. NULL IN
Mar 15 18:51:46 unbound: [5130:0] info: start of service (unbound 1.9.0).
Mar 15 18:51:46 unbound: [5130:0] notice: init module 1: iterator
Mar 15 18:51:46 unbound: [5130:0] notice: init module 0: validator
Mar 15 18:50:54 unbound: [84000:0] info: server stats for thread 3: requestlist max 0 avg 0 exceeded 0 jostled 0
Mar 15 18:50:54 unbound: [84000:0] info: server stats for thread 3: 0 queries, 0 answers from cache, 0 recursions, 0 prefetch, 0 rejected by ip ratelimiting
Mar 15 18:50:54 unbound: [84000:0] info: server stats for thread 2: requestlist max 0 avg 0 exceeded 0 jostled 0
Mar 15 18:50:54 unbound: [84000:0] info: server stats for thread 2: 0 queries, 0 answers from cache, 0 recursions, 0 prefetch, 0 rejected by ip ratelimiting
Mar 15 18:50:54 unbound: [84000:0] info: server stats for thread 1: requestlist max 0 avg 0 exceeded 0 jostled 0
Mar 15 18:50:54 unbound: [84000:0] info: server stats for thread 1: 0 queries, 0 answers from cache, 0 recursions, 0 prefetch, 0 rejected by ip ratelimiting
Mar 15 18:50:54 unbound: [84000:0] info: server stats for thread 0: requestlist max 0 avg 0 exceeded 0 jostled 0
Mar 15 18:50:54 unbound: [84000:0] info: server stats for thread 0: 0 queries, 0 answers from cache, 0 recursions, 0 prefetch, 0 rejected by ip ratelimiting
Mar 15 18:50:54 unbound: [84000:0] info: service stopped (unbound 1.9.0).
Mar 15 18:50:54 unbound: [84000:0] info: start of service (unbound 1.9.0).
Mar 15 18:50:54 unbound: [84000:0] notice: init module 1: iterator
Mar 15 18:50:54 unbound: [84000:0] notice: init module 0: validator
Mar 15 18:50:54 unbound: [84000:0] notice: Restart of unbound 1.9.0.
Mar 15 18:50:54 unbound: [84000:0] info: 0.131072 0.262144 5
Mar 15 18:50:54 unbound: [84000:0] info: lower(secs) upper(secs) recursions
Mar 15 18:50:54 unbound: [84000:0] info: [25%]=0.16384 median[50%]=0.196608 [75%]=0.229376
Mar 15 18:50:54 unbound: [84000:0] info: histogram of recursion processing times
Mar 15 18:50:54 unbound: [84000:0] info: average recursion processing time 0.152972 sec
Mar 15 18:50:54 unbound: [84000:0] info: server stats for thread 3: requestlist max 0 avg 0 exceeded 0 jostled 0
Mar 15 18:50:54 unbound: [84000:0] info: server stats for thread 3: 5 queries, 0 answers from cache, 5 recursions, 0 prefetch, 0 rejected by ip ratelimiting
Mar 15 18:50:54 unbound: [84000:0] info: 0.262144 0.524288 5
Mar 15 18:50:54 unbound: [84000:0] info: 0.131072 0.262144 6
Mar 15 18:50:54 unbound: [84000:0] info: lower(secs) upper(secs) recursions
Mar 15 18:50:54 unbound: [84000:0] info: [25%]=0.191147 median[50%]=0.251221 [75%]=0.380109
Mar 15 18:50:54 unbound: [84000:0] info: histogram of recursion processing times
Mar 15 18:50:54 unbound: [84000:0] info: average recursion processing time 0.236744 sec
Mar 15 18:50:54 unbound: [84000:0] info: server stats for thread 2: requestlist max 0 avg 0 exceeded 0 jostled 0
Mar 15 18:50:54 unbound: [84000:0] info: server stats for thread 2: 11 queries, 0 answers from cache, 11 recursions, 0 prefetch, 0 rejected by ip ratelimiting
Mar 15 18:50:54 unbound: [84000:0] info: 1.000000 2.000000 1
Mar 15 18:50:54 unbound: [84000:0] info: 0.524288 1.000000 2
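As an added example (not code from the thread or from OPNsense), the following Python script runs the detection a defender would want over the two log excerpts above: it pairs each `start of service` line with the `exited on signal 11` line for the same pid to compute how long each instance lived, notes which crashes SEGVGUARD also logged, and flags a crash loop. The sample lines are constructed from the excerpts, and the year 2019 is assumed because syslog omits it.

```python
"""Correlate Unbound crash lines with start lines to measure uptime per pid.

Added example, not from the thread or the OPNsense project. The sample logs
are constructed from the excerpts quoted above; the year is assumed (2019).
"""
import re
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Dict, List, Optional

GENERAL_LOG = """\
Mar 16 02:59:12 kernel: [HBSD SEGVGUARD] [unbound (17174)] Suspension expired.
Mar 16 02:59:12 kernel: pid 17174 (unbound), uid 59: exited on signal 11
Mar 15 22:00:33 kernel: [HBSD SEGVGUARD] [unbound (93551)] Suspension expired.
Mar 15 22:00:33 kernel: pid 93551 (unbound), uid 59: exited on signal 11
Mar 15 20:01:59 kernel: [HBSD SEGVGUARD] [unbound (77728)] Suspension expired.
Mar 15 20:01:59 kernel: pid 77728 (unbound), uid 59: exited on signal 11
Mar 15 19:31:27 kernel: pid 5130 (unbound), uid 59: exited on signal 11
"""

UNBOUND_LOG = """\
Mar 16 08:54:08 unbound: [55520:0] info: start of service (unbound 1.9.0).
Mar 16 00:17:17 unbound: [17174:0] info: start of service (unbound 1.9.0).
Mar 15 21:04:10 unbound: [93551:0] info: start of service (unbound 1.9.0).
Mar 15 19:38:51 unbound: [77728:0] info: start of service (unbound 1.9.0).
Mar 15 18:51:46 unbound: [5130:0] info: start of service (unbound 1.9.0).
"""

TS = r"(?P<ts>\w{3} +\d{1,2} \d{2}:\d{2}:\d{2})"
RE_SIGNAL = re.compile(TS + r" kernel: pid (?P<pid>\d+) \(unbound\), uid \d+: exited on signal (?P<sig>\d+)")
RE_SEGVGUARD = re.compile(TS + r" kernel: \[HBSD SEGVGUARD\] \[unbound \((?P<pid>\d+)\)\]")
RE_START = re.compile(TS + r" unbound: \[(?P<pid>\d+):\d+\] info: start of service")


def parse_ts(ts: str, year: int = 2019) -> datetime:
    """Syslog timestamps carry no year; the caller supplies one (assumed 2019 here)."""
    return datetime.strptime(f"{year} {ts}", "%Y %b %d %H:%M:%S")


@dataclass
class Crash:
    pid: int
    signal: int
    at: datetime
    started: Optional[datetime] = None   # matching 'start of service' time, if seen
    segvguard: bool = False              # a SEGVGUARD line named this pid

    @property
    def uptime(self) -> Optional[timedelta]:
        return None if self.started is None else self.at - self.started


def analyze(general_log: str, unbound_log: str, year: int = 2019) -> List[Crash]:
    """Return crashes in chronological order, each joined to its start line by pid."""
    starts: Dict[int, datetime] = {}
    for line in unbound_log.splitlines():
        m = RE_START.search(line)
        if m:
            starts[int(m.group("pid"))] = parse_ts(m.group("ts"), year)
    guarded = set()
    crashes: Dict[int, Crash] = {}
    for line in general_log.splitlines():
        m = RE_SEGVGUARD.search(line)
        if m:
            guarded.add(int(m.group("pid")))
            continue
        m = RE_SIGNAL.search(line)
        if m:
            pid = int(m.group("pid"))
            crashes[pid] = Crash(pid, int(m.group("sig")),
                                 parse_ts(m.group("ts"), year), starts.get(pid))
    for pid in guarded & crashes.keys():
        crashes[pid].segvguard = True
    return sorted(crashes.values(), key=lambda c: c.at)


def crash_loop(crashes: List[Crash], window: timedelta = timedelta(hours=24),
               threshold: int = 3) -> bool:
    """True if at least `threshold` crashes fall inside any sliding `window`."""
    times = [c.at for c in crashes]
    for i, t in enumerate(times):
        j = i
        while j < len(times) and times[j] - t <= window:
            j += 1
        if j - i >= threshold:
            return True
    return False


def summarize(crashes: List[Crash]) -> dict:
    """Compact view: counts and the shortest/longest life of a crashed instance."""
    ups = [int(c.uptime.total_seconds()) for c in crashes if c.uptime is not None]
    return {
        "crashes": len(crashes),
        "segvguard_hits": sum(c.segvguard for c in crashes),
        "min_uptime_s": min(ups) if ups else None,
        "max_uptime_s": max(ups) if ups else None,
        "crash_loop": crash_loop(crashes),
    }


if __name__ == "__main__":
    for c in analyze(GENERAL_LOG, UNBOUND_LOG):
        print(c.pid, c.at, "uptime", c.uptime, "segvguard" if c.segvguard else "")
    print(summarize(analyze(GENERAL_LOG, UNBOUND_LOG)))
```

Only the 55520 instance started after the last crash and so is not counted; on a live box, feed `clog /var/log/system.log` style output into the two string constants instead.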
Title: Re: Revert unbound to 18.7.7 - not possible?
Post by: chemlud on March 16, 2019, 11:55:24 am
PS: After my last post I found that I had configured only ONE DNS server (Digitalcourage) via TLS, added two more and up to now no more crashes....

Is there an easy way to setup a service watchdog for unbound? I think I asked this in the past, I'm getting old...
Title: Re: Revert unbound to 18.7.7 - not possible?
Post by: chemlud on March 16, 2019, 02:56:42 pm
But when starting to update the only client connected, I get within seconds:

Code:
Mar 16 14:46:00 kernel: -> pid: 53949 ppid: 1 p_pax: 0xa50<SEGVGUARD,ASLR,NOSHLIBRANDOM,NODISALLOWMAP32BIT>
Mar 16 14:46:00 kernel: [HBSD SEGVGUARD] [unbound (53949)] Suspension expired.
Mar 16 14:46:00 kernel: pid 53949 (unbound), uid 59: exited on signal 11

...after restarting unbound is stable enough to complete updates, waiting
Title: Re: Revert unbound to 18.7.7 - not possible?
Post by: chemlud on March 16, 2019, 05:38:57 pm
Did a Wireshark on the WAN interface of the OPNsense, last package received before unbound passed away was:

Code:
11652 2019-03-16 16:04:00.652225560 WAN_OPNsense 46.182.19.48 TCP 60 23837 → 853 [RST] Seq=424 Win=0 Len=0
....

11672 2019-03-16 16:04:00.838704263 46.182.19.48 WAN_OPNsense TCP 66 853 → 41185 [RST, ACK] Seq=1 Ack=2 Win=29056 Len=0 TSval=1447257805 TSecr=80176261

If I look upstream, I see the OPNsense sending RST packages to the DNS server every 20-30 packages, after Client Hello, Server Hello, a little TLSv1.2 traffic and some TCP packages sent back and forth, then there is

"Encrypted Alert" from the OPNsense and FIN/ACK

then


"Encrypted Alert" from the DNS server and FIN/ACK

after that the OPNsense sends the RST package...

Of any help? More info needed?
Title: Re: Revert unbound to 18.7.7 - not possible?
Post by: chemlud on March 16, 2019, 06:08:57 pm
..started a pcap on the sense (WAN), to see what the alert is (or will the sense itself not be able to decrypt the package?)
Title: Re: Revert unbound to 18.7.7 - not possible?
Post by: chemlud on March 16, 2019, 07:56:40 pm
No, pcap on OPNsense doesn't give any clue on the "Encrypted Alert", this time the conversation on port 853 ended with

Code:
6835 2019-03-16 17:30:00.381892 89.233.43.71 WAN_OPNsense TLSv1.2 73 Alert (Level: Fatal, Description: Illegal Parameter)
..afterwards only FIN and FIN,ACK and unbound dies....
Title: Re: Revert unbound to 18.7.7 - not possible?
Post by: chemlud on March 17, 2019, 05:02:56 pm
Tried to find unbound 1.8.1 somewhere in the repos of opnsense, to no avail. Can anybody guide me how to transplant unbound 1.8.1 from another opnsense? Which files to copy over how and how to install?
Title: Re: Revert unbound to 18.7.7 - not possible?
Post by: franco on March 18, 2019, 08:47:29 am
# opnsense-code ports tools
# cd /usr/ports/dns/unbound
# git checkout 18.7.6
# make package deinstall install

It is relatively easy to navigate the ports tree if you know the OPNsense version equivalent of what you're looking for. ;)


Cheers,
Franco
Title: Re: Revert unbound to 18.7.7 - not possible?
Post by: chemlud on March 18, 2019, 02:01:11 pm
Hi Franco!

Many thanks for reply!

# opnsense-code ports tools

...downloaded a gazillion of bytes.

# cd /usr/ports/net/unbound

...finds no directory named unbound. I checked manually (ls -l) in /usr/ports/net, there are some hundred directories, none is named unbound or related. Strange!
Title: Re: Revert unbound to 18.7.7 - not possible?
Post by: franco on March 18, 2019, 04:34:40 pm
Sorry I tested and corrected it but forgot to change the notes before pasting :/

net -> dns
Title: Re: Revert unbound to 18.7.7 - not possible?
Post by: chemlud on March 18, 2019, 05:04:49 pm
That helped ;-)

... but only half way:

Code:
root@OPN0119:/usr/ports/dns/unbound # make package deinstall install
===>   unbound-1.8.1 depends on package: autoconf>=2.69 - not found
===>   autoconf-2.69_1 depends on executable: gm4 - not found
===>   m4-1.4.18,1 depends on executable: makeinfo - not found
===>  License GPLv3+ accepted by the user
===>   texinfo-6.5,1 depends on file: /usr/local/sbin/pkg - found
=> htmlxref.cnf doesn't seem to exist in /usr/ports/distfiles/texinfo/6.5.
=> Attempting to fetch http://distcache.FreeBSD.org/local-distfiles/sunpoet/texinfo/6.5/htmlxref.cnf
fetch: http://distcache.FreeBSD.org/local-distfiles/sunpoet/texinfo/6.5/htmlxref.cnf: size mismatch: expected 20137,6
=> Attempting to fetch http://distcache.us-east.FreeBSD.org/local-distfiles/sunpoet/texinfo/6.5/htmlxref.cnf
fetch: http://distcache.us-east.FreeBSD.org/local-distfiles/sunpoet/texinfo/6.5/htmlxref.cnf: size mismatch: expecte6
=> Attempting to fetch http://distcache.eu.FreeBSD.org/local-distfiles/sunpoet/texinfo/6.5/htmlxref.cnf
fetch: http://distcache.eu.FreeBSD.org/local-distfiles/sunpoet/texinfo/6.5/htmlxref.cnf: size mismatch: expected 2016
=> Attempting to fetch http://distcache.us-west.FreeBSD.org/local-distfiles/sunpoet/texinfo/6.5/htmlxref.cnf
fetch: http://distcache.us-west.FreeBSD.org/local-distfiles/sunpoet/texinfo/6.5/htmlxref.cnf: size mismatch: expecte6
=> Attempting to fetch http://distcache.FreeBSD.org/ports-distfiles/texinfo/6.5/htmlxref.cnf
fetch: http://distcache.FreeBSD.org/ports-distfiles/texinfo/6.5/htmlxref.cnf: size mismatch: expected 20137, actual 6
=> Couldn't fetch it - please try to retrieve this
=> port manually into /usr/ports/distfiles/texinfo/6.5 and try again.
*** Error code 1

Stop.
make[3]: stopped in /usr/ports/print/texinfo
*** Error code 1

Stop.
make[2]: stopped in /usr/ports/devel/m4
*** Error code 1

Stop.
make[1]: stopped in /usr/ports/devel/autoconf
*** Error code 1

Stop.
make: stopped in /usr/ports/dns/unbound
Title: Re: Revert unbound to 18.7.7 - not possible?
Post by: franco on March 18, 2019, 07:38:25 pm
# pkg install -A gmake automake pkgconf

And try again....
Title: Re: Revert unbound to 18.7.7 - not possible?
Post by: chemlud on March 18, 2019, 09:04:47 pm
...now we have:

Code:
root@OPN0119:/usr/ports/dns/unbound # make package deinstall install
===>   unbound-1.8.1 depends on package: autoconf>=2.69 - found
===>   unbound-1.8.1 depends on package: automake>=1.16.1 - found
===>   unbound-1.8.1 depends on executable: libtoolize - not found
===>  License GPLv2 accepted by the user
===>   libtool-2.4.6 depends on file: /usr/local/sbin/pkg - found
=> libtool-2.4.6.tar.xz doesn't seem to exist in /usr/ports/distfiles/.
=> Attempting to fetch https://ftpmirror.gnu.org/libtool/libtool-2.4.6.tar.xz
libtool-2.4.6.tar.xz                          100% of  950 kB 3227 kBps 00m00s
===> Fetching all distfiles required by libtool-2.4.6 for building
===>  Extracting for libtool-2.4.6
=> SHA256 Checksum OK for libtool-2.4.6.tar.xz.
===>  Patching for libtool-2.4.6
===>   libtool-2.4.6 depends on executable: gm4 - found
===>   libtool-2.4.6 depends on executable: gmake - found
===>   libtool-2.4.6 depends on executable: makeinfo - not found
===>  License GPLv3+ accepted by the user
===>   texinfo-6.5,1 depends on file: /usr/local/sbin/pkg - found
=> htmlxref.cnf doesn't seem to exist in /usr/ports/distfiles/texinfo/6.5.
=> Attempting to fetch http://distcache.FreeBSD.org/local-distfiles/sunpoet/texinfo/6.5/htmlxref.cnf
fetch: http://distcache.FreeBSD.org/local-distfiles/sunpoet/texinfo/6.5/htmlxref.cnf: size mismatch: expected 20137,6
=> Attempting to fetch http://distcache.us-east.FreeBSD.org/local-distfiles/sunpoet/texinfo/6.5/htmlxref.cnf
fetch: http://distcache.us-east.FreeBSD.org/local-distfiles/sunpoet/texinfo/6.5/htmlxref.cnf: size mismatch: expecte6
=> Attempting to fetch http://distcache.eu.FreeBSD.org/local-distfiles/sunpoet/texinfo/6.5/htmlxref.cnf
fetch: http://distcache.eu.FreeBSD.org/local-distfiles/sunpoet/texinfo/6.5/htmlxref.cnf: size mismatch: expected 2016
=> Attempting to fetch http://distcache.us-west.FreeBSD.org/local-distfiles/sunpoet/texinfo/6.5/htmlxref.cnf
fetch: http://distcache.us-west.FreeBSD.org/local-distfiles/sunpoet/texinfo/6.5/htmlxref.cnf: size mismatch: expecte6
=> Attempting to fetch http://distcache.FreeBSD.org/ports-distfiles/texinfo/6.5/htmlxref.cnf
fetch: http://distcache.FreeBSD.org/ports-distfiles/texinfo/6.5/htmlxref.cnf: size mismatch: expected 20137, actual 6
=> Couldn't fetch it - please try to retrieve this
=> port manually into /usr/ports/distfiles/texinfo/6.5 and try again.
*** Error code 1

Stop.
make[2]: stopped in /usr/ports/print/texinfo
*** Error code 1

Stop.
make[1]: stopped in /usr/ports/devel/libtool
*** Error code 1

Stop.
make: stopped in /usr/ports/dns/unbound

...still sumfink missing
Title: Re: Revert unbound to 18.7.7 - not possible?
Post by: franco on March 18, 2019, 10:33:21 pm
# pkg install -A libtool

 8)
Title: Re: Revert unbound to 18.7.7 - not possible?
Post by: chemlud on March 19, 2019, 08:54:25 am
That worked well, but now the console doesn't stop throwing text lines for minutes now. Is it making the WHOLE sense? I thought it was just unbound I ordered... :-D


PS: some minutes later...


Code: [Select]
root@OPN0119:/usr/ports/dns/unbound # make package deinstall install

***skipped some million lines of text output here...***

ln -sf "tls_init.3" "/usr/obj/usr/ports/security/libressl/work/stage/usr/local/man/man3/tls_config_new.3"
ln -sf "tls_load_file.3" "/usr/obj/usr/ports/security/libressl/work/stage/usr/local/man/man3/tls_config_add_keypair_"
ln -sf "tls_load_file.3" "/usr/obj/usr/ports/security/libressl/work/stage/usr/local/man/man3/tls_config_add_keypair_"
ln -sf "tls_load_file.3" "/usr/obj/usr/ports/security/libressl/work/stage/usr/local/man/man3/tls_config_add_keypair_"
ln -sf "tls_load_file.3" "/usr/obj/usr/ports/security/libressl/work/stage/usr/local/man/man3/tls_config_add_keypair_"
ln -sf "tls_load_file.3" "/usr/obj/usr/ports/security/libressl/work/stage/usr/local/man/man3/tls_config_clear_keys.3"
ln -sf "tls_load_file.3" "/usr/obj/usr/ports/security/libressl/work/stage/usr/local/man/man3/tls_config_set_ca_file."
ln -sf "tls_load_file.3" "/usr/obj/usr/ports/security/libressl/work/stage/usr/local/man/man3/tls_config_set_ca_mem.3"
ln -sf "tls_load_file.3" "/usr/obj/usr/ports/security/libressl/work/stage/usr/local/man/man3/tls_config_set_ca_path."
ln -sf "tls_load_file.3" "/usr/obj/usr/ports/security/libressl/work/stage/usr/local/man/man3/tls_config_set_cert_fil"
ln -sf "tls_load_file.3" "/usr/obj/usr/ports/security/libressl/work/stage/usr/local/man/man3/tls_config_set_cert_mem"
ln -sf "tls_load_file.3" "/usr/obj/usr/ports/security/libressl/work/stage/usr/local/man/man3/tls_config_set_crl_file"
ln -sf "tls_load_file.3" "/usr/obj/usr/ports/security/libressl/work/stage/usr/local/man/man3/tls_config_set_crl_mem."
ln -sf "tls_load_file.3" "/usr/obj/usr/ports/security/libressl/work/stage/usr/local/man/man3/tls_config_set_key_file"
ln -sf "tls_load_file.3" "/usr/obj/usr/ports/security/libressl/work/stage/usr/local/man/man3/tls_config_set_key_mem."
ln -sf "tls_load_file.3" "/usr/obj/usr/ports/security/libressl/work/stage/usr/local/man/man3/tls_config_set_keypair_"
ln -sf "tls_load_file.3" "/usr/obj/usr/ports/security/libressl/work/stage/usr/local/man/man3/tls_config_set_keypair_"
ln -sf "tls_load_file.3" "/usr/obj/usr/ports/security/libressl/work/stage/usr/local/man/man3/tls_config_set_keypair_"
ln -sf "tls_load_file.3" "/usr/obj/usr/ports/security/libressl/work/stage/usr/local/man/man3/tls_config_set_keypair_"
ln -sf "tls_load_file.3" "/usr/obj/usr/ports/security/libressl/work/stage/usr/local/man/man3/tls_config_set_ocsp_sta"
ln -sf "tls_load_file.3" "/usr/obj/usr/ports/security/libressl/work/stage/usr/local/man/man3/tls_config_set_ocsp_sta"
ln -sf "tls_load_file.3" "/usr/obj/usr/ports/security/libressl/work/stage/usr/local/man/man3/tls_config_set_verify_d"
ln -sf "tls_load_file.3" "/usr/obj/usr/ports/security/libressl/work/stage/usr/local/man/man3/tls_config_verify_clien"
ln -sf "tls_load_file.3" "/usr/obj/usr/ports/security/libressl/work/stage/usr/local/man/man3/tls_config_verify_clien"
ln -sf "tls_load_file.3" "/usr/obj/usr/ports/security/libressl/work/stage/usr/local/man/man3/tls_unload_file.3"
ln -sf "tls_ocsp_process_response.3" "/usr/obj/usr/ports/security/libressl/work/stage/usr/local/man/man3/tls_peer_oc"
ln -sf "tls_ocsp_process_response.3" "/usr/obj/usr/ports/security/libressl/work/stage/usr/local/man/man3/tls_peer_oc"
ln -sf "tls_ocsp_process_response.3" "/usr/obj/usr/ports/security/libressl/work/stage/usr/local/man/man3/tls_peer_oc"
ln -sf "tls_ocsp_process_response.3" "/usr/obj/usr/ports/security/libressl/work/stage/usr/local/man/man3/tls_peer_oc"
ln -sf "tls_ocsp_process_response.3" "/usr/obj/usr/ports/security/libressl/work/stage/usr/local/man/man3/tls_peer_oc"
ln -sf "tls_ocsp_process_response.3" "/usr/obj/usr/ports/security/libressl/work/stage/usr/local/man/man3/tls_peer_oc"
ln -sf "tls_ocsp_process_response.3" "/usr/obj/usr/ports/security/libressl/work/stage/usr/local/man/man3/tls_peer_oc"
ln -sf "tls_ocsp_process_response.3" "/usr/obj/usr/ports/security/libressl/work/stage/usr/local/man/man3/tls_peer_oc"
ln -sf "tls_read.3" "/usr/obj/usr/ports/security/libressl/work/stage/usr/local/man/man3/tls_close.3"
ln -sf "tls_read.3" "/usr/obj/usr/ports/security/libressl/work/stage/usr/local/man/man3/tls_error.3"
ln -sf "tls_read.3" "/usr/obj/usr/ports/security/libressl/work/stage/usr/local/man/man3/tls_handshake.3"
ln -sf "tls_read.3" "/usr/obj/usr/ports/security/libressl/work/stage/usr/local/man/man3/tls_reset.3"
ln -sf "tls_read.3" "/usr/obj/usr/ports/security/libressl/work/stage/usr/local/man/man3/tls_write.3"
 /bin/mkdir -p '/usr/obj/usr/ports/security/libressl/work/stage/usr/local/libdata/pkgconfig'
 install  -m 0644 libcrypto.pc libssl.pc libtls.pc openssl.pc '/usr/obj/usr/ports/security/libressl/work/stage/usr/l'
/bin/rm -f -r /usr/obj/usr/ports/security/libressl/work/stage//usr/local/etc/ssl/cert.pem
====> Compressing man pages (compress-man)
===>  Installing for libressl-2.7.4
===>  Checking if libressl already installed
===>   libressl-2.7.4 is already installed
      You may wish to ``make deinstall'' and install this port again
      by ``make reinstall'' to upgrade it properly.
      If you really wish to overwrite the old port of libressl
      without deleting it first, set the variable "FORCE_PKG_REGISTER"
      in your environment or the "make install" command line.
*** Error code 1

Stop.
make[1]: stopped in /usr/ports/security/libressl
*** Error code 1

Stop.
make: stopped in /usr/ports/dns/unbound

Title: Re: Revert unbound to 18.7.7 - not possible?
Post by: franco on March 19, 2019, 09:24:53 am
Frustrating, kinda like every other day behind the scenes for us.  8)

I'll build an old version for you in a bit.

For now try the newly released 1.9.1:

# pkg add -f https://pkg.opnsense.org/FreeBSD:11:amd64/snapshots/libressl/All/unbound-1.9.1.txz


Cheers,
Franco
Title: Re: Revert unbound to 18.7.7 - not possible?
Post by: chemlud on March 19, 2019, 09:50:42 am
1.9.1 installed, on reboot:

Code: [Select]
Mar 19 09:34:27 opnsense: /usr/local/etc/rc.linkup: Hotplug event detected for LAN(lan) but ignoring since interface is configured with static IP (192.168.11.1 ::)
Mar 19 09:34:27 kernel: em4: permanently promiscuous mode enabled
Mar 19 09:34:27 kernel: em3: link state changed to DOWN
Mar 19 09:34:27 kernel: em3: permanently promiscuous mode enabled
Mar 19 09:34:08 kernel: pid 38636 (unbound), uid 59: exited on signal 11
Mar 19 09:34:07 kernel: OK
Mar 19 09:34:06 kernel: OK
Mar 19 09:33:13 opnsense: /usr/local/etc/rc.newwanip: ROUTING: skipping IPv6 default route
Mar 19 09:33:13 opnsense: /usr/local/etc/rc.newwanip: ROUTING: keeping current default gateway '192.168.199.1'

...and after manual restart:

Code: [Select]
Mar 19 09:36:52 kernel: -> pid: 5881 ppid: 1 p_pax: 0xa50<SEGVGUARD,ASLR,NOSHLIBRANDOM,NODISALLOWMAP32BIT>
Mar 19 09:36:52 kernel: [HBSD SEGVGUARD] [unbound (5881)] Suspension expired.
Mar 19 09:36:52 kernel: pid 5881 (unbound), uid 59: exited on signal 11
Mar 19 09:35:37 kernel: pid 6235 (unbound), uid 59: exited on signal 11

I disabled DNSsec for the moment to see if it makes a difference...
Title: Re: Revert unbound to 18.7.7 - not possible?
Post by: chemlud on March 19, 2019, 10:11:25 am
...same difference, w/o DNSsec reboot came back fine, but trying to update the only client in LAN kills off unbound after some seconds.
Title: Re: Revert unbound to 18.7.7 - not possible?
Post by: franco on March 20, 2019, 05:22:31 pm
Sorry, busy week. Here's your 1.8.1 on LibreSSL 2.8.3:

# pkg add -f https://pkg.opnsense.org/FreeBSD:11:amd64/snapshots/unbound-1.8.1.txz
Title: Re: Revert unbound to 18.7.7 - not possible?
Post by: chemlud on March 20, 2019, 06:06:24 pm
...installed and rebooted. Stable for the moment...

Many thanks! Any way to store this unbound 1.8.1 locally and install via console, in case I decide to update my production systems? :-)

PS: Stored a copy on my computer (wget....) and on the opnsense (fetch). But how to install it from my computer on another opnsense? Do I need to set up a webserver on my computer? No idea how to mount a USB stick on my sense by hand...
Title: Re: Revert unbound to 18.7.7 - not possible?
Post by: franco on March 20, 2019, 10:11:14 pm
You can install the file via any HTTP server or locally on the box, "pkg add -f location/to/package.txz" will do the trick...


Cheers,
Franco
Title: Re: Revert unbound to 18.7.7 - not possible?
Post by: chemlud on March 21, 2019, 09:57:59 am
...yeah, would have to set up an HTTP server locally or learn how to mount a USB stick on my sense install ;-)

Many thanks again, 1.8.1 is stable on 19.1.4 up to now.

Will a package lock of unbound 1.8.1 on 19.1.1 install survive an update to 19.1.4?

Or is unbound 1.8.1 available on 19.1.1 not functional on 19.1.4?

Title: Re: Revert unbound to 18.7.7 - not possible?
Post by: franco on March 21, 2019, 08:48:51 pm
Lock the unbound package, it'll likely keep working until it's time to upgrade to 19.7.


Cheers,
Franco
Title: Re: Revert unbound to 18.7.7 - not possible?
Post by: chemlud on March 23, 2019, 05:38:14 pm
Nearly, as the locked unbound 1.8.1 from 19.1.1 will give you on reboot after update to 19.1.4

Code: [Select]
opnsense: /usr/local/etc/rc.newwanip: The command '/usr/local/sbin/unbound -c '/var/unbound/unbound.conf'' returned exit code '1', the output was 'Shared object "libssl.so.45" not found, required by "unbound"'
...

switch to DNSmasq (don't forget to enter DNS servers in Settings - General, might cost you some time to recognize why your DNS is dead), update unbound from 1.8.1 to 1.8.1 (version provided by Franco's link above) and back in business...
Title: Re: Revert unbound to 18.7.7 - not possible?
Post by: franco on March 24, 2019, 01:13:10 pm
LibreSSL was updated in 19.1.2 and so the shared library version mismatches. I'm sorry, but that's exactly what I mean by "frustrating, kinda like every other day".


Cheers,
Franco
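The failure above (a locked unbound 1.8.1 surviving the 19.1.4 update but then failing with "Shared object libssl.so.45 not found") is the classic pitfall of pinning a package whose dependencies keep moving. As an added example, not OPNsense or pkg(8) code, here is a small pre-flight check that compares the sonames a pinned package was linked against with the sonames the upgraded library package will ship, so the mismatch is caught before a reboot rather than by a dead resolver. The inputs are modelled on `pkg info -B <pkg>` (shared libraries required), `pkg info -b <pkg>` (shared libraries provided) and `ldd`; all sample texts are constructed, and the soname numbers in the "new" LibreSSL list are placeholders chosen only to differ from the old ones, not real LibreSSL 2.8.3 values.

```python
#!/usr/bin/env python3
"""Pre-flight check for a locked package across an OPNsense upgrade:
will the pinned binary still find the shared libraries it was linked
against once the library package it depends on moves to new sonames?

Added example for this forum thread, not OPNsense or pkg(8) code.
Inputs are modelled on `pkg info -B` / `pkg info -b` / `ldd` output;
every sample text below is constructed."""
import re

# Constructed: what a locked unbound built against the old LibreSSL needs
# (modelled on `pkg info -B unbound`; sonames taken from the thread).
REQUIRED_BY_UNBOUND = """\
unbound-1.8.1:
\tlibcrypto.so.43
\tlibssl.so.45
"""

# Constructed: sonames shipped by the LibreSSL package before the upgrade
# (modelled on `pkg info -b libressl`; libtls number is a placeholder).
PROVIDED_OLD = """\
libressl-2.7.4:
\tlibcrypto.so.43
\tlibssl.so.45
\tlibtls.so.17
"""

# Constructed: the same list after the upgrade. Placeholder numbers, chosen
# only to differ from the old ones; not real LibreSSL 2.8.3 sonames.
PROVIDED_NEW = """\
libressl-2.8.3:
\tlibcrypto.so.44
\tlibssl.so.46
\tlibtls.so.18
"""

# Constructed: what `ldd /usr/local/sbin/unbound` reports once the old
# libraries are gone, matching the "not found" failure in the thread.
LDD_AFTER = """\
/usr/local/sbin/unbound:
\tlibssl.so.45 => not found
\tlibcrypto.so.43 => not found
\tlibthr.so.3 => /lib/libthr.so.3 (0x800a00000)
\tlibc.so.7 => /lib/libc.so.7 (0x800c00000)
"""


def parse_shlib_list(text):
    """Parse `pkg info -b`/`-B` style output: a 'name-version:' header
    followed by one indented soname per line. Tolerant of blank lines."""
    sonames = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.endswith(":"):
            continue
        sonames.append(line)
    return sonames


def missing_shlibs(required_text, *provided_texts):
    """Sonames the pinned package needs that none of the listed packages
    provide, sorted. Base-system libraries (libc, libthr) never appear in
    pkg's provided lists; include them in a provided text or filter them
    out before calling if the required list contains them."""
    provided = set()
    for text in provided_texts:
        provided.update(parse_shlib_list(text))
    return sorted(s for s in parse_shlib_list(required_text) if s not in provided)


LDD_NOT_FOUND = re.compile(r"^\s*(?P<soname>\S+) => not found")


def parse_ldd_missing(ldd_text):
    """After the fact, on the box: sonames ldd could not resolve."""
    return [m.group("soname")
            for m in map(LDD_NOT_FOUND.match, ldd_text.splitlines()) if m]


def upgrade_verdict(required_text, provided_after_text):
    """'ok' when the pinned package will still load, 'rebuild' otherwise
    (the fix in the thread: the same version rebuilt against the new lib)."""
    missing = missing_shlibs(required_text, provided_after_text)
    return ("ok" if not missing else "rebuild"), missing


if __name__ == "__main__":
    print("before upgrade:", upgrade_verdict(REQUIRED_BY_UNBOUND, PROVIDED_OLD))
    print("after upgrade: ", upgrade_verdict(REQUIRED_BY_UNBOUND, PROVIDED_NEW))
    print("ldd says missing:", parse_ldd_missing(LDD_AFTER))
```

Run the two `pkg info` commands against the locked package and the upgrade candidate's package file before `pkg upgrade`; a "rebuild" verdict means the lock buys nothing and the pinned version has to be rebuilt against the new library, exactly what Franco did.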
Title: Re: Revert unbound to 18.7.7 - not possible?
Post by: chemlud on March 24, 2019, 02:40:38 pm
Not a big issue, that's why I did the update on Saturday to have some extra time for surprises... ;)
Title: Re: Revert unbound to 18.7.7 - not possible?
Post by: chemlud on April 05, 2019, 12:28:36 pm
Update on 19.1.5 with unbound 1.9.1: Same problem, trying to revert to unbound 1.8.1

...the unbound 1.8.1 linked above is no longer available..
Title: Re: Revert unbound to 18.7.7 - not possible?
Post by: franco on April 05, 2019, 12:42:16 pm
# opnsense-code -f ports tools
# cd /usr/ports/dns/unbound
# git checkout 18.7.6 .
# pkg install -yA gmake libtool automake pkgconf
# make package deinstall install

I can provide a binary if needed, but I'm pretty sure this will work now...
Title: Re: Revert unbound to 18.7.7 - not possible?
Post by: chemlud on April 05, 2019, 01:47:24 pm
Thank you very much, franco, I'm at

Code: [Select]
# make package deinstall install
===>   unbound-1.8.1 depends on package: autoconf>=2.69 - found
===>   unbound-1.8.1 depends on package: automake>=1.16.1 - found
===>   unbound-1.8.1 depends on executable: libtoolize - found
===>   unbound-1.8.1 depends on package: pkgconf>=1.3.0_1 - found
===>   unbound-1.8.1 depends on file: /usr/local/lib/libcrypto.so.43 - not found
===>  Installing for libressl-2.7.4
===>  Checking if libressl already installed
===>   libressl-2.7.4 is already installed
      You may wish to ``make deinstall'' and install this port again
      by ``make reinstall'' to upgrade it properly.
      If you really wish to overwrite the old port of libressl
      without deleting it first, set the variable "FORCE_PKG_REGISTER"
      in your environment or the "make install" command line.
*** Error code 1

Stop.
make[1]: stopped in /usr/ports/security/libressl
*** Error code 1

Stop.
make: stopped in /usr/ports/dns/unbound

Sorry for that... No hurry, it's only an experimental system at that time.
Title: Re: Revert unbound to 18.7.7 - not possible?
Post by: franco on April 05, 2019, 02:01:12 pm
No, did you type "git checkout 18.7.6 ." with the DOT at the end? Important...


Cheers,
Franco
Title: Re: Revert unbound to 18.7.7 - not possible?
Post by: franco on April 05, 2019, 02:01:43 pm
(You have an older tree checked out and that clashes with everything else installed.)
Title: Re: Revert unbound to 18.7.7 - not possible?
Post by: chemlud on April 05, 2019, 02:34:18 pm
Yepp, I copy&pasted your commands ;-)

Tried again, gives "Updated 0 from path e704d..."

and in the end same error. I'm not a coder, sorry
Title: Re: Revert unbound to 18.7.7 - not possible?
Post by: franco on April 05, 2019, 02:44:15 pm
# rm -r /usr/ports

This needs to work... Maybe the tree is stuck although opnsense-code -f should do that as well..
Title: Re: Revert unbound to 18.7.7 - not possible?
Post by: chemlud on April 05, 2019, 03:23:07 pm
That one did the trick! Pörfect! :-D
Title: Re: Revert unbound to 18.7.7 - not possible?
Post by: franco on April 05, 2019, 03:30:02 pm
Whew, ok...  8)
Title: Re: Revert unbound to 18.7.7 - not possible?
Post by: chemlud on April 11, 2019, 03:11:18 pm
Someone finally notified Unbound after a bit of prodding ;)

https://www.nlnetlabs.nl/bugs-script/show_bug.cgi?id=4232

Hi franco, is Menco even active on this forum? I found that under "Advanced" in the GUI (last option on page) the logging level of Unbound can be increased. Did anybody try to get such a log and if not, would it be helpful to the Unbound people for debugging?
Title: Re: Revert unbound to 18.7.7 - not possible?
Post by: franco on April 11, 2019, 04:05:22 pm
It certainly would. The way it is now we have a lot of people using advanced options reporting errors here but not to Unbound which doesn't bring us closer to a solution.

I'm happy to provide custom builds of Unbound for patches that they want to try or extra debugging info added...


Cheers,
Franco
Title: Re: Revert unbound to 18.7.7 - not possible?
Post by: chemlud on April 11, 2019, 04:20:32 pm
... will break my test system by updating to 19.1.6 (unbound unlocked) and post the output here. Or any other method preferred? The log might be quite large in the most verbose mode, I guess....

Who would report the log to unbound (I have no git account or alike...)?
Title: Re: Revert unbound to 18.7.7 - not possible?
Post by: franco on April 11, 2019, 04:31:26 pm
I can create an account and post it there if you wish, but I am not very quick these days due to my day job.


Cheers,
Franco
Title: Re: Revert unbound to 18.7.7 - not possible?
Post by: chemlud on April 11, 2019, 05:09:05 pm
OK, I updated to 19.1.6 and killed unbound by opening Firefox (empty tab, the "Safebrowsing" stuff alone seems to be enough to kill unbound).

_________________

OPNsense 19.1.6
LibreSSL

Unbound 1.9.1

DNSSEC not enabled

Options:

Code: [Select]
ssl-upstream: yes
forward-zone:
name: "."
forward-addr: 46.182.19.48@853 #digitalcourage
forward-addr: 89.233.43.71@853 #FriDNS.dk
forward-addr: 149.112.112.112@853 #Quad9

________________

syslog

Code: [Select]
Apr 11 16:44:41 kernel: pid 29895 (unbound), uid 59: exited on signal 11
________________

unbound log set to level 5

Code: [Select]
Apr 11 16:44:41 unbound: [29895:2] debug: svcd callbacks end
Apr 11 16:44:41 unbound: [29895:2] debug: cache memory msg=141823 rrset=155964 infra=11115 val=0
Apr 11 16:44:41 unbound: [29895:2] info: 0.524288 1.000000 1
Apr 11 16:44:41 unbound: [29895:2] info: 0.262144 0.524288 2
Apr 11 16:44:41 unbound: [29895:2] info: 0.131072 0.262144 5
Apr 11 16:44:41 unbound: [29895:2] info: 0.065536 0.131072 1
Apr 11 16:44:41 unbound: [29895:2] info: lower(secs) upper(secs) recursions
Apr 11 16:44:41 unbound: [29895:2] info: [25%]=0.16384 median[50%]=0.222822 [75%]=0.360448
Apr 11 16:44:41 unbound: [29895:2] info: histogram of recursion processing times
Apr 11 16:44:41 unbound: [29895:2] info: average recursion processing time 0.232278 sec
Apr 11 16:44:41 unbound: [29895:2] info: mesh_run: end 0 recursion states (0 with reply, 0 detached), 0 waiting replies, 9 recursion replies sent, 0 replies dropped, 0 states jostled out
Apr 11 16:44:41 unbound: [29895:2] debug: query took 0.278204 sec
Apr 11 16:44:41 unbound: [29895:2] debug: mesh_run: iterator module exit state is module_finished
Apr 11 16:44:41 unbound: [29895:2] debug: return error response SERVFAIL
Apr 11 16:44:41 unbound: [29895:2] debug: store error response in message cache
Apr 11 16:44:41 unbound: [29895:2] debug: configured stub or forward servers failed -- returning SERVFAIL
Apr 11 16:44:41 unbound: [29895:2] debug: No more query targets, attempting last resort
Apr 11 16:44:41 unbound: [29895:2] debug: attempt to get extra 3 targets
Apr 11 16:44:41 unbound: [29895:2] debug: ip4 46.182.19.48 port 853 (len 16)
Apr 11 16:44:41 unbound: [29895:2] debug: ip4 89.233.43.71 port 853 (len 16)
Apr 11 16:44:41 unbound: [29895:2] debug: ip4 149.112.112.112 port 853 (len 16)
Apr 11 16:44:41 unbound: [29895:2] info: DelegationPoint<.>: 0 names (0 missing), 3 addrs (0 result, 0 avail) parentNS
Apr 11 16:44:41 unbound: [29895:2] debug: processQueryTargets: targetqueries 0, currentqueries 0 sentcount 2
Apr 11 16:44:41 unbound: [29895:2] info: processQueryTargets: safebrowsing.googleapis.com. AAAA IN
Apr 11 16:44:41 unbound: [29895:2] debug: iter_handle processing q with state QUERY TARGETS STATE
Apr 11 16:44:41 unbound: [29895:2] info: error sending query to auth server ip4 89.233.43.71 port 853 (len 16)
Apr 11 16:44:41 unbound: [29895:2] debug: close fd 34
Apr 11 16:44:41 unbound: [29895:2] error: could not SSL_new crypto error:14FFF0E4:SSL routines:(UNKNOWN)SSL_internal:ssl ctx has no default ssl version
Apr 11 16:44:41 unbound: [29895:2] debug: tcp bound to src ip4 192.168.199.4 port 0 (len 16)
Apr 11 16:44:41 unbound: [29895:2] debug: dnssec status: not expected
Apr 11 16:44:41 unbound: [29895:2] debug: sending to target: <.> 89.233.43.71#853
Apr 11 16:44:41 unbound: [29895:2] info: sending query: safebrowsing.googleapis.com. AAAA IN
Apr 11 16:44:41 unbound: [29895:2] debug: selrtt 788
Apr 11 16:44:41 unbound: [29895:2] debug: rtt=788
Apr 11 16:44:41 unbound: [29895:2] debug: servselect ip4 89.233.43.71 port 853 (len 16)
Apr 11 16:44:41 unbound: [29895:2] debug: attempt to get extra 3 targets
Apr 11 16:44:41 unbound: [29895:2] debug: ip4 46.182.19.48 port 853 (len 16)
Apr 11 16:44:41 unbound: [29895:2] debug: ip4 89.233.43.71 port 853 (len 16)
Apr 11 16:44:41 unbound: [29895:2] debug: ip4 149.112.112.112 port 853 (len 16)
Apr 11 16:44:41 unbound: [29895:2] info: DelegationPoint<.>: 0 names (0 missing), 3 addrs (1 result, 0 avail) parentNS
Apr 11 16:44:41 unbound: [29895:2] debug: processQueryTargets: targetqueries 0, currentqueries 0 sentcount 2
Apr 11 16:44:41 unbound: [29895:2] info: processQueryTargets: safebrowsing.googleapis.com. AAAA IN
Apr 11 16:44:41 unbound: [29895:2] debug: iter_handle processing q with state QUERY TARGETS STATE
Apr 11 16:44:41 unbound: [29895:2] info: error sending query to auth server ip4 89.233.43.71 port 853 (len 16)
Apr 11 16:44:41 unbound: [29895:2] debug: close fd 34
Apr 11 16:44:41 unbound: [29895:2] error: could not SSL_new crypto error:14FFF0E4:SSL routines:(UNKNOWN)SSL_internal:ssl ctx has no default ssl version
Apr 11 16:44:41 unbound: [29895:2] debug: tcp bound to src ip4 192.168.199.4 port 0 (len 16)
Apr 11 16:44:41 unbound: [29895:2] debug: dnssec status: not expected
Apr 11 16:44:41 unbound: [29895:2] debug: sending to target: <.> 89.233.43.71#853
Apr 11 16:44:41 unbound: [29895:2] info: sending query: safebrowsing.googleapis.com. AAAA IN
...

Have the whole resolver.log here, but much too big to paste it here. File size 95.4 MB....
Title: Re: Revert unbound to 18.7.7 - not possible?
Post by: chemlud on April 11, 2019, 07:52:41 pm
next event:

syslog:
Code: [Select]
Apr 11 18:47:23 kernel: -> pid: 46228 ppid: 1 p_pax: 0xa50<SEGVGUARD,ASLR,NOSHLIBRANDOM,NODISALLOWMAP32BIT>
Apr 11 18:47:23 kernel: [HBSD SEGVGUARD] [unbound (46228)] Suspension expired.
Apr 11 18:47:23 kernel: pid 46228 (unbound), uid 59: exited on signal 11

unbound log:
Code: [Select]
Apr 11 18:47:23 unbound: [46228:1] debug: comm point listen_for_rw 27 0
Apr 11 18:47:23 unbound: [46228:3] debug: cache memory msg=134543 rrset=140365 infra=11115 val=0
Apr 11 18:47:23 unbound: [46228:3] info: 0RDd mod0 rep ftp.de.debian.org. A IN
Apr 11 18:47:23 unbound: [46228:3] info: 0.524288 1.000000 1
Apr 11 18:47:23 unbound: [46228:3] info: 0.262144 0.524288 1
Apr 11 18:47:23 unbound: [46228:3] info: 0.131072 0.262144 3
Apr 11 18:47:23 unbound: [46228:3] info: lower(secs) upper(secs) recursions
Apr 11 18:47:23 unbound: [46228:3] info: [25%]=0.185685 median[50%]=0.240299 [75%]=0.458752
Apr 11 18:47:23 unbound: [46228:3] info: histogram of recursion processing times
Apr 11 18:47:23 unbound: [46228:3] info: average recursion processing time 0.319276 sec
Apr 11 18:47:23 unbound: [46228:3] info: mesh_run: end 1 recursion states (1 with reply, 0 detached), 1 waiting replies, 5 recursion replies sent, 0 replies dropped, 0 states jostled out
Apr 11 18:47:23 unbound: [46228:3] debug: mesh_run: iterator module exit state is module_wait_reply
Apr 11 18:47:23 unbound: [46228:3] debug: comm point start listening 29
Apr 11 18:47:23 unbound: [46228:3] debug: tcp bound to src ip4 192.168.199.4 port 0 (len 16)
Apr 11 18:47:23 unbound: [46228:3] debug: dnssec status: not expected
Apr 11 18:47:23 unbound: [46228:3] debug: sending to target: <.> 149.112.112.112#853
Apr 11 18:47:23 unbound: [46228:3] info: sending query: ftp.de.debian.org. A IN
Apr 11 18:47:23 unbound: [46228:3] debug: selrtt 478
Apr 11 18:47:23 unbound: [46228:3] debug: rtt=581
Apr 11 18:47:23 unbound: [46228:3] debug: servselect ip4 149.112.112.112 port 853 (len 16)
Apr 11 18:47:23 unbound: [46228:3] debug: rtt=1155
Apr 11 18:47:23 unbound: [46228:3] debug: servselect ip4 89.233.43.71 port 853 (len 16)
Apr 11 18:47:23 unbound: [46228:3] debug: rtt=478
Apr 11 18:47:23 unbound: [46228:3] debug: servselect ip4 46.182.19.48 port 853 (len 16)
Apr 11 18:47:23 unbound: [46228:3] debug: attempt to get extra 3 targets
Apr 11 18:47:23 unbound: [46228:3] debug: ip4 46.182.19.48 port 853 (len 16)
Apr 11 18:47:23 unbound: [46228:3] debug: ip4 89.233.43.71 port 853 (len 16)
Apr 11 18:47:23 unbound: [46228:3] debug: ip4 149.112.112.112 port 853 (len 16)
Apr 11 18:47:23 unbound: [46228:3] info: DelegationPoint<.>: 0 names (0 missing), 3 addrs (0 result, 3 avail) parentNS
Apr 11 18:47:23 unbound: [46228:3] debug: processQueryTargets: targetqueries 0, currentqueries 0 sentcount 0
Apr 11 18:47:23 unbound: [46228:3] info: processQueryTargets: ftp.de.debian.org. A IN
Apr 11 18:47:23 unbound: [46228:3] debug: iter_handle processing q with state QUERY TARGETS STATE
Apr 11 18:47:23 unbound: [46228:3] debug: forwarding request
Apr 11 18:47:23 unbound: [46228:3] debug: request has dependency depth of 0
Apr 11 18:47:23 unbound: [46228:3] info: resolving ftp.de.debian.org. A IN
Apr 11 18:47:23 unbound: [46228:3] debug: iter_handle processing q with state INIT REQUEST STATE
Apr 11 18:47:23 unbound: [46228:3] debug: process_request: new external request event
Apr 11 18:47:23 unbound: [46228:3] debug: iterator[module 0] operate: extstate:module_state_initial event:module_event_new
Apr 11 18:47:23 unbound: [46228:3] debug: mesh_run: start
Apr 11 18:47:23 unbound: [46228:3] debug: udp request from ip4 192.168.11.10 port 55142 (len 16)
Apr 11 18:47:23 unbound: [46228:3] debug: answer from the cache failed
Apr 11 18:47:23 unbound: [46228:0] debug: cache memory msg=134543 rrset=140365 infra=11115 val=0
Apr 11 18:47:23 unbound: [46228:0] info: 0RDd mod0 rep security.debian.org. AAAA IN
Apr 11 18:47:23 unbound: [46228:0] info: 0.262144 0.524288 2
Apr 11 18:47:23 unbound: [46228:0] info: 0.131072 0.262144 2
Apr 11 18:47:23 unbound: [46228:0] info: lower(secs) upper(secs) recursions
Apr 11 18:47:23 unbound: [46228:0] info: [25%]=0.196608 median[50%]=0.262144 [75%]=0.393216
Apr 11 18:47:23 unbound: [46228:0] info: histogram of recursion processing times
Apr 11 18:47:23 unbound: [46228:0] info: average recursion processing time 0.263320 sec
Apr 11 18:47:23 unbound: [46228:0] info: mesh_run: end 1 recursion states (1 with reply, 0 detached), 1 waiting replies, 4 recursion replies sent, 0 replies dropped, 0 states jostled out
Apr 11 18:47:23 unbound: [46228:0] debug: mesh_run: iterator module exit state is module_wait_reply
Apr 11 18:47:23 unbound: [46228:0] debug: comm point start listening 28
Apr 11 18:47:23 unbound: [46228:0] debug: tcp bound to src ip4 192.168.199.4 port 0 (len 16)
Apr 11 18:47:23 unbound: [46228:0] debug: dnssec status: not expected
Apr 11 18:47:23 unbound: [46228:0] debug: sending to target: <.> 149.112.112.112#853
Apr 11 18:47:23 unbound: [46228:0] info: sending query: security.debian.org. AAAA IN
Apr 11 18:47:23 unbound: [46228:0] debug: selrtt 478
Apr 11 18:47:23 unbound: [46228:0] debug: rtt=581
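The two crash reports above (the safebrowsing one with the "could not SSL_new ... ssl ctx has no default ssl version" errors, and the later one with SEGVGUARD in the kernel log) are what the Unbound developers would want condensed rather than a 95 MB resolver.log. As an added example, not OPNsense or Unbound code, here is a small triage script that joins the kernel's "exited on signal" records with the verbose resolver log by pid: it notes whether HardenedBSD's SEGVGUARD had already flagged the pid, counts TLS setup failures per forwarder (attributing each `could not SSL_new` to the upstream that worker thread last dialled), counts SERVFAILs handed back to clients, and keeps what every worker thread had in flight at the moment of the crash. The sample log lines are constructed from the excerpts posted in this thread; the regular expressions match the line formats shown there.

```python
#!/usr/bin/env python3
"""Correlate the kernel's crash record for unbound with the verbose
resolver log, so the report that goes upstream carries the context that
matters: signal, SEGVGUARD involvement, which forwarder was failing TLS
setup, and what each worker thread had in flight.

Added example for this forum thread, not OPNsense or Unbound code.
The sample lines below are constructed from the excerpts posted above."""
import re
from collections import Counter

# Constructed syslog excerpt (kernel lines only), two unbound crashes.
SYSLOG = """\
Apr 11 16:44:41 kernel: pid 29895 (unbound), uid 59: exited on signal 11
Apr 11 18:47:23 kernel: -> pid: 46228 ppid: 1 p_pax: 0xa50<SEGVGUARD,ASLR,NOSHLIBRANDOM,NODISALLOWMAP32BIT>
Apr 11 18:47:23 kernel: [HBSD SEGVGUARD] [unbound (46228)] Suspension expired.
Apr 11 18:47:23 kernel: pid 46228 (unbound), uid 59: exited on signal 11
"""

# Constructed resolver.log excerpt at log level 5, in chronological order.
RESOLVER_LOG = """\
Apr 11 16:44:41 unbound: [29895:2] info: sending query: safebrowsing.googleapis.com. AAAA IN
Apr 11 16:44:41 unbound: [29895:2] debug: sending to target: <.> 89.233.43.71#853
Apr 11 16:44:41 unbound: [29895:2] error: could not SSL_new crypto error:14FFF0E4:SSL routines:(UNKNOWN)SSL_internal:ssl ctx has no default ssl version
Apr 11 16:44:41 unbound: [29895:2] info: error sending query to auth server ip4 89.233.43.71 port 853 (len 16)
Apr 11 16:44:41 unbound: [29895:2] debug: sending to target: <.> 89.233.43.71#853
Apr 11 16:44:41 unbound: [29895:2] error: could not SSL_new crypto error:14FFF0E4:SSL routines:(UNKNOWN)SSL_internal:ssl ctx has no default ssl version
Apr 11 16:44:41 unbound: [29895:2] debug: configured stub or forward servers failed -- returning SERVFAIL
Apr 11 18:47:23 unbound: [46228:3] info: sending query: ftp.de.debian.org. A IN
Apr 11 18:47:23 unbound: [46228:3] debug: sending to target: <.> 149.112.112.112#853
Apr 11 18:47:23 unbound: [46228:0] info: sending query: security.debian.org. AAAA IN
Apr 11 18:47:23 unbound: [46228:0] debug: sending to target: <.> 149.112.112.112#853
"""

TS = r"(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d)"
CRASH_RE = re.compile(TS + r" kernel: pid (?P<pid>\d+) \(unbound\), uid \d+: "
                      r"exited on signal (?P<sig>\d+)")
SEGVGUARD_RE = re.compile(r"\[HBSD SEGVGUARD\] \[unbound \((?P<pid>\d+)\)\]")
UNBOUND_RE = re.compile(TS + r" unbound: \[(?P<pid>\d+):(?P<thr>\d+)\] "
                        r"(?P<level>\w+): (?P<msg>.*)$")
TARGET_RE = re.compile(r"sending to target: <[^>]*> (?P<target>\S+)")
QUERY_RE = re.compile(r"sending query: (?P<qname>\S+) (?P<qtype>\S+) IN")


def parse_crashes(syslog_text):
    """One record per 'exited on signal' line for unbound, noting whether
    SEGVGUARD had flagged that pid (checked in a first pass, so the order
    in which syslog shows the lines does not matter)."""
    lines = syslog_text.splitlines()
    guarded = {int(m.group("pid")) for m in map(SEGVGUARD_RE.search, lines) if m}
    crashes = []
    for m in filter(None, map(CRASH_RE.match, lines)):
        pid = int(m.group("pid"))
        crashes.append({"ts": m.group("ts"), "pid": pid,
                        "signal": int(m.group("sig")), "segvguard": pid in guarded})
    return crashes


def triage_resolver_log(log_text):
    """Per unbound pid: TLS setup failures per upstream, SERVFAILs returned
    to clients, and the last target/query seen on each worker thread."""
    per_pid = {}
    for m in filter(None, map(UNBOUND_RE.match, log_text.splitlines())):
        pid, thr, msg = int(m.group("pid")), int(m.group("thr")), m.group("msg")
        state = per_pid.setdefault(pid, {"ssl_errors": Counter(), "servfail": 0,
                                         "inflight": {}})
        slot = state["inflight"].setdefault(thr, {"target": None, "query": None})
        if (t := TARGET_RE.search(msg)):
            slot["target"] = t.group("target")
        if (q := QUERY_RE.search(msg)):
            slot["query"] = f"{q.group('qname')} {q.group('qtype')}"
        if "could not SSL_new" in msg:
            # Attribute the TLS failure to the upstream this thread last dialled.
            state["ssl_errors"][slot["target"] or "unknown"] += 1
        if "returning SERVFAIL" in msg:
            state["servfail"] += 1
    return per_pid


def correlate(syslog_text, log_text):
    """Join each crash record with the resolver-log context for its pid."""
    ctx = triage_resolver_log(log_text)
    report = []
    for crash in parse_crashes(syslog_text):
        c = ctx.get(crash["pid"], {"ssl_errors": Counter(), "servfail": 0, "inflight": {}})
        report.append({**crash, "ssl_errors": dict(c["ssl_errors"]),
                       "servfail": c["servfail"], "inflight": c["inflight"]})
    return report


if __name__ == "__main__":
    for r in correlate(SYSLOG, RESOLVER_LOG):
        print(f"{r['ts']} pid {r['pid']} signal {r['signal']} segvguard={r['segvguard']} "
              f"ssl_errors={r['ssl_errors']} servfail={r['servfail']}")
        for thr, s in sorted(r["inflight"].items()):
            print(f"  thread {thr}: {s['query']} -> {s['target']}")
```

Feed it the syslog and resolver.log for the crash window; the per-pid summary plus the last few hundred lines per thread is a far more useful attachment for the bug tracker than the full verbose log, and the "ssl_errors" counter shows at a glance whether the crashes coincide with TLS context failures on a particular forwarder.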
Title: Re: Revert unbound to 18.7.7 - not possible?
Post by: chemlud on July 03, 2019, 02:10:21 pm
I installed 19.1.10 (libreSSL and unbound updates) and for the last 2-3 h DNS-over-TLS has been stable! :-)
Title: Re: Revert unbound to 18.7.7 - not possible?
Post by: franco on July 03, 2019, 02:27:33 pm
I wouldn't bet on that, but then again 2-3 hours is already a long time for this to be up and running.

Might have been Unbound 1.9.2 or just LibreSSL 2.9, either way that would be great. :)


Cheers,
Franco
Title: Re: Revert unbound to 18.7.7 - not possible?
Post by: chemlud on July 04, 2019, 10:11:24 am
hmm, DNS was stable for about 22 hours, so I updated a "production system" and rebooted... looking fine so far! Hoping for the best... :-D
Title: Re: Revert unbound to 18.7.7 - not possible?
Post by: franco on July 05, 2019, 06:00:30 pm
I'm afraid to ask.... :)