OPNsense Forum
Archive => 19.1 Legacy Series => Topic started by: chemlud on February 15, 2019, 03:15:38 pm
-
Hello again!
Have here a fresh install of 19.1.1 amd64 with LibreSSL and DNS over TLS configured. Unbound not stable under these conditions, see here
https://forum.opnsense.org/index.php?topic=7811.msg48949#msg48949
:-(
But if I try to revert unbound to the version doing fine with 18.7.x, by
opnsense-revert -r 18.7.7 unbound
I only get "Fetching unbound.txz... failed"
(while unbound is UP and running).
Is it not possible to run 19.1.1 with this old version of unbound?
___________________
Was it only a problem with Suricata (not yet) configured correctly (and therefore not starting up)? Now Unbound has been stable for quite some time.
-
# pkg add -f https://pkg.opnsense.org/FreeBSD:11:amd64/18.7/MINT/18.7.5/LibreSSL/All/unbound-1.7.3.txz
Unbound 1.9.0 will hit 19.1.2 along with LibreSSL 2.8.3... Can't get worse in that regard I hope.
Cheers,
Franco
-
... since my post unbound has been stable. Amazing!
Will try to update (fresh install + config) my systems over the weekend to see how 19.1.1 does on the different platforms :-)
-
But 3 min later unbound exited on signal 11....
-
Hi Franco, the command you provided downgrades unbound to 1.7.3. However, on my other LibreSSL/DNSoverTLS installs I have 1.8.1 (locked since 18.7.9), which is doing fine.
I upgrade now the 18.7.9 (via 18.7.10.4) to 19.1.1, hopefully this release will play nice with unbound 1.8.1... (otherwise will have to downgrade).
-
ooops, didn't know that package lock will not survive upgrade to 19.1.1... so reverted unbound to 1.7.3.
-
Yes, safety measure on major upgrades, otherwise things may break leaving the system in a defunct state.
Cheers,
Franco
-
Meanwhile I updated 2 systems with 19.1.1/LibreSSL to unbound 1.8.1, which seems to do fine. So the problem is somewhere between 1.8.1 and 1.8.2 or 1.8.3.
Unbound 1.8.3 with DNSoverTLS is doing fine with 19.1.1 when using OpenSSL, as expected.
-
I updated to 19.1.2 with unbound locked to version 1.8.1. After reboot unbound simply doesn't start, nothing in the logs. I tried to replace the pkg.opnsense.org by the IP but get SSL certificate error when trying to download unbound.
No DNS here, any ideas how to resolve?
-
OK, switched to DNSmasq and updated unbound to 1.9.0_1, let's see if it's stable with DNS over TLS and LibreSSL :-)
-
Update on: DNS over TLS (unbound) with LibreSSL
Apparently unbound 1.9.0_1 is stable in this setup (tested for 2-3 hours now... keep fingers crossed). :-D
-
Not sure what went wrong here with the locked package, but keeping fingers crossed for 1.9.0 indeed...
Cheers,
Franco
-
...took about 24 hours, but then unbound exited on "signal 11" according to the System log...
will try to downgrade unbound and see if it starts with 19.1.2...
-
Downgraded to unbound 1.8.1, which will not start due to
Mar 2 11:40:07 opnsense: /status_services.php: The command '/usr/local/sbin/unbound -c '/var/unbound/unbound.conf'' returned exit code '1', the output was 'Shared object "libssl.so.45" not found, required by "unbound"'
in the sys log.
-
Is there sumfink like a "service watchdog" which could monitor unbound and restart if it dies away? :-)
-
Monit might be able to help, however that doesn't change the fact that whatever changes were introduced in 18.7.10 in either Unbound or HBSD keep on lingering and causing it to crash. I couldn't touch any of the PRD systems to enable the swap and provide better info for lattera to look into...
Interestingly, there's one system that's not affected among many others, and I just noticed Suricata was not ON there. I'm trying now on an APU that crashes heavily to see if there are any changes.
-
You also run the LibreSSL flavour and try to do DNS over TLS? I thought I'm the only one! :-D
I had a quick look at Monit yesterday, but it's anything but straightforward how to use this beast. I would have to figure out the path to the .pid file for unbound as well as the correct command to restart unbound. And test this and and and... No time for this currently...
-
Kinda hard seeing the value of 'dumping half of the old/buggy/unused for decades OpenSSL code in the first 30 days of forking it' ;-)
So yeah, I'm pushing for it everywhere and worked just fine until 18.7.10. I have a higher degree of confidence the OpenBSD people are more concerned and focused on secure coding principles and a good track record in that regard than pretty much anyone else playing with forks.
-
I would really love to learn where in the Bermuda triangle of BSD - LibreSSL - unbound the error sits. Or if it is a "misconfig" in the DNS servers SSL/TLS unbound is contacting....
-
Arguably out of it. It dies on the hands of HBSD apparently. Otherwise Unbound thrives on DoT/DoH on 1.8.3 using pfSense which lacks the HBSD hardening. It would be extremely doubtful that any major workarounds that aren't public have been done in pfS in that regard.
-
But pfSense is not LibreSSL, or? For me unbound has been stable with OpenSSL and DNS over TLS in the past...
-
That's correct.
My point however, although arguably incomplete, was that the issues were present on both OpenSSL and LibreSSL, with no indication whatsoever about an SSL issue when crashing.
The only issue I saw on OpenSSL/pfSense regarding Unbound was shortly after 1.1.1.1 launched and lasted less than 24h and was dealt with server side by Cloudflare. Basically quad1 would fail to connect while quad9 would be just fine.
At the same time OPNsense/LibreSSL/Unbound were working just fine on both DoT services.
-
But now I only can stay at 19.1.1 with LibreSSL and unbound with DNSoverTLS or switch to OpenSSL for updating. I'm a little lost at the moment...
-
@chemlud
I've experienced your exact predicament and I took the "Stubby" route after the 19.1 release following the "directnupe" guide. As far as I can tell it's working very well. I'm on 19.1.2 LibreSSL flavour.
https://forum.opnsense.org/index.php?topic=10062.0
miroco
-
I have no GetDNS and no Stubby installed, so you mean I should install Stubby? :)
-
It's working for me. The following notes are an extract of the "directnupe" guide. They helped me get a better overview of the process. However I do strongly advise you to read up on his guide prior to making the installation/configuration.
miroco
GetDNS and Stubby
# pkg add https://pkg.opnsense.org/FreeBSD:11:amd64/19.1/MINT/19.1.2/LibreSSL/All/libidn-1.34_1.txz
# pkg add https://pkg.opnsense.org/FreeBSD:11:amd64/19.1/MINT/19.1.2/LibreSSL/All/libuv-1.26.0.txz
# pkg add https://pkg.opnsense.org/FreeBSD:11:amd64/19.1/MINT/19.1.2/LibreSSL/All/libev-4.24,1.txz
# pkg add https://pkg.opnsense.org/FreeBSD:11:amd64/19.1/MINT/19.1.2/LibreSSL/All/getdns-1.5.1.txz
# su -m unbound -c /usr/local/sbin/unbound-anchor
# mv /usr/local/etc/rc.d/stubby /usr/local/etc/rc.d/stubby.sh
Make it executable - I run two commands - it works for me:
# chmod 744 /usr/local/etc/rc.d/stubby.sh
# chmod a+x /usr/local/etc/rc.d/stubby.sh
You must enable the Stubby daemon in the file - open the file with: nano /usr/local/etc/rc.d/stubby.sh
go to line 27 -
: ${stubby_enable="NO"} change the setting to : ${stubby_enable="YES"}
That is all you have to do to this file. It comes pre-configured. Save and exit.
Now you must configure Stubby to resolve DNS OVER TLS - nano /usr/local/etc/stubby/stubby.yml
resolution_type: GETDNS_RESOLUTION_STUB
dns_transport_list:
  - GETDNS_TRANSPORT_TLS
tls_authentication: GETDNS_AUTHENTICATION_REQUIRED
tls_query_padding_blocksize: 128
edns_client_subnet_private : 1
round_robin_upstreams: 1
idle_timeout: 60000 # keep-alive for 1 min, for better performance
listen_addresses:
  - 127.0.0.1@8053 ## Stubby / Unbound ## Default Address/Port
# reference: https://raw.githubusercontent.com/getdnsapi/stubby/develop/stubby.yml.example
upstream_recursive_servers:
  # IPV4 Servers
  # The getdnsapi.net Server
  - address_data: 185.49.141.37
    tls_port: 853
    tls_auth_name: "getdnsapi.net"
    tls_pubkey_pinset:
      - digest: "sha256"
        value: foxZRnIh9gZpWnl+zEiKa0EJ2rdCGroMWm02gaxSc9Q=
  # The Fondation RESTENA Server
  - address_data: 158.64.1.29
    tls_auth_name: "kaitain.restena.lu"
    tls_port: 853
    tls_pubkey_pinset:
      - digest: "sha256"
        value: 7ftvIkA+UeN/ktVkovd/7rPZ6mbkhVI7/8HnFJIiLa4=
  ### Test servers ###
  ## Surfnet/Sinodun Servers
  - address_data: 145.100.185.17
    tls_port: 853
    tls_auth_name: "dnsovertls2.sinodun.com"
    tls_pubkey_pinset:
      - digest: "sha256"
        value: NAXBESvpjZMnPWQcrxa2KFIkHV/pDEIjRkA3hLWogSg=
  # The securedns.eu Server
  - address_data: 146.185.167.43
    tls_auth_name: "dot.securedns.eu"
    tls_port: 443
    tls_pubkey_pinset:
      - digest: "sha256"
        value: h3mufC43MEqRD6uE4lz6gAgULZ5/riqH/E+U+jE3H8g=
  # The dns.cmrg.net Server
  - address_data: 199.58.81.218
    tls_port: 443
    tls_auth_name: "dns.cmrg.net"
    tls_pubkey_pinset:
      - digest: "sha256"
        value: 3IOHSS48KOc/zlkKGtI46a9TY9PPKDVGhE3W2ZS4JZo=
  # DNSPRIVACY.at Primary DNS TLS Server
  - address_data: 94.130.110.185
    tls_port: 853
    tls_auth_name: "ns1.dnsprivacy.at"
    tls_pubkey_pinset:
      - digest: "sha256"
        value: vqVQ9TcoR9RDY3TpO0MTXw1YQLjF44zdN3/4PkLwtEY=
  # DNSPRIVACY.at Secondary DNS TLS Server
  - address_data: 94.130.110.178
    tls_port: 853
    tls_auth_name: "ns2.dnsprivacy.at"
    tls_pubkey_pinset:
      - digest: "sha256"
        value: s5Em89o0kigwfBF1gcXWd8zlATSWVXsJ6ecZfmBDTKg=
  # The dns.neutopia.org Server
  - address_data: 89.234.186.112
    tls_port: 443
    tls_auth_name: "dns.neutopia.org"
    tls_pubkey_pinset:
      - digest: "sha256"
        value: wTeXHM8aczvhRSi0cv2qOXkXInoDU+2C+M8MpRyT3OI=
  ### Anycast services ###
  # Tenta ICANN DNS TLS Primary Server
  - address_data: 99.192.182.200
    tls_auth_name: "iana.tenta.io"
    tls_port: 853
    tls_pubkey_pinset:
      - digest: "sha256"
        value: nPzhfahBmQOFKbShlLBymTqPtZY31bPpKFnh0A86ys0=
## End of Sample File /
Save and Exit
In order to have Opnsense use default start up script ( /usr/local/etc/rc.d/stubby.sh ) at boot time,
you will have to create a boot time start up script for it in /etc/rc.conf.d/. Not to prolong this - do the following :
# nano /etc/rc.conf.d/stubby - in the new file enter the following two lines:
stubby_enable="YES"
stubby_bootup_run="/usr/local/etc/rc.d/stubby.sh"
Save and exit
Then make the file executable - once again - works for me:
# chmod 744 /etc/rc.conf.d/stubby
# chmod a+x /etc/rc.conf.d/stubby
----
Now you must configure your Unbound DNS Server to use Stubby for DNS Over TLS.
UNBOUND GENERAL SETTINGS
Network Interfaces = WAN LAN ( all of your LAN interfaces if you have more than one )
And You Must Select Localhost - repeat - You Must Select Localhost!
Under Custom options enter the following :
server:
  do-not-query-localhost: no
forward-zone:
  name: "." # Allow all DNS queries
  forward-addr: 127.0.0.1@8053
## END OF ENTRY
Outgoing Network Interfaces = Localhost
Make Sure to NOT CHECK - DO NOT CHECK - the box for DNS Query Forwarding.
Save and Apply Settings
Next -Under System > Settings > General Settings
Set the first DNS Server to 127.0.0.1 with no gateway selected /
Make sure that DNS server option:
A - Allow DNS server list to be overridden by DHCP/PPP on WAN - Is Not I repeat - Is Not Checked !
and DNS server option
B - Do not use the DNS Forwarder/Resolver as a DNS server for the firewall Is Not - I repeat - Is Not Checked !
I now only run 127.0.0.1 ( Localhost ) configured as the only DNS SERVER on my WAN interface.
If others were added to WAN, when I ran dig or drill commands /etc/resolv.conf allowed those addresses to be queried.
I only want to use Stubby yml Name Servers for DNS TLS , so this was the determinative factor in my reasoning and decision.
-
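Added check for the setup above (example script, not part of miroco's post or the directnupe guide): the two places where this chain silently degrades are an upstream that cannot actually be authenticated under GETDNS_AUTHENTICATION_REQUIRED (no tls_auth_name, or a pin that is not a SHA-256 digest), and an Unbound forward-addr that does not point at the Stubby listener or is blocked because do-not-query-localhost was left at its default. The POSIX sh script below checks both against constructed sample files; the only values taken from the guide are the getdnsapi.net address and pin, the 192.0.2.x upstreams and dot.example.net are made up.

```shell
#!/bin/sh
# Added example (not from the guide or the thread): offline sanity checks for
# the Stubby -> Unbound DNS-over-TLS chain described above. File paths are
# parameters; the sample inputs below are constructed.

# With tls_authentication: GETDNS_AUTHENTICATION_REQUIRED, an upstream without
# tls_auth_name gives Stubby nothing to authenticate the certificate against,
# and a pin that is not a base64 SHA-256 digest (44 characters) can never match.
# Prints one line per finding and a summary line last.
lint_stubby_upstreams() {   # $1 = stubby.yml
    awk '
    function flush() {
        if (addr != "") {
            n++
            if (name == "") { bad++; printf "%s: missing tls_auth_name\n", addr }
            if (pin == "")  { printf "%s: note: no tls_pubkey_pinset\n", addr }
            else if (length(pin) != 44) { bad++; printf "%s: pin is not a base64 SHA-256 digest\n", addr }
        }
        addr = ""; name = ""; pin = ""
    }
    { sub(/[ \t]*#.*/, "") }                              # strip comments
    /^[ \t]*$/ { next }                                   # and blank lines
    /^upstream_recursive_servers:/ { inlist = 1; next }
    /^[^ \t-]/ { inlist = 0 }                             # any other top-level key ends the list
    inlist && /address_data:/ { flush(); addr = $NF }
    inlist && /tls_auth_name:/ { name = $NF; gsub(/"/, "", name) }
    inlist && /^[ \t]*value:/ { pin = $NF }
    END { flush(); printf "checked %d upstreams, %d with problems\n", n, bad }
    ' "$1"
}

# Unbound must hand every query to the Stubby listener and must be allowed to
# talk to 127.0.0.1 at all (do-not-query-localhost: no); otherwise resolution
# fails or, worse, bypasses DoT. Prints "ok" or the first problem found.
check_forward_chain() {   # $1 = stubby.yml, $2 = Unbound custom options
    listen=$(awk '/^listen_addresses:/ { f = 1; next }
                  f && /^[ \t]*-/ { sub(/#.*/, ""); print $2; exit }' "$1")
    fwd=$(awk '/forward-addr:/ { sub(/^[ \t]*forward-addr:[ \t]*/, ""); print $1; exit }' "$2")
    if [ -z "$fwd" ]; then
        echo "no forward-addr in Unbound options"; return 1
    fi
    if [ "$fwd" != "$listen" ]; then
        echo "forward-addr $fwd does not match Stubby listener $listen"; return 1
    fi
    if ! grep -q '^[[:space:]]*do-not-query-localhost:[[:space:]]*no' "$2"; then
        echo "do-not-query-localhost must be 'no' for a 127.0.0.1 forwarder"; return 1
    fi
    echo ok
}

write_samples() {   # $1 = directory; constructed inputs, only the getdnsapi.net entry is from the guide
    cat >"$1/stubby.yml" <<'EOF'
resolution_type: GETDNS_RESOLUTION_STUB
tls_authentication: GETDNS_AUTHENTICATION_REQUIRED
listen_addresses:
  - 127.0.0.1@8053   # Unbound forwards here
upstream_recursive_servers:
  - address_data: 185.49.141.37
    tls_port: 853
    tls_auth_name: "getdnsapi.net"
    tls_pubkey_pinset:
      - digest: "sha256"
        value: foxZRnIh9gZpWnl+zEiKa0EJ2rdCGroMWm02gaxSc9Q=
  - address_data: 192.0.2.53     # constructed: no tls_auth_name, nothing to verify
    tls_port: 853
  - address_data: 192.0.2.54     # constructed: pin is not a SHA-256 digest
    tls_auth_name: "dot.example.net"
    tls_pubkey_pinset:
      - digest: "sha256"
        value: notarealpin
EOF
    cat >"$1/unbound-custom.conf" <<'EOF'
server:
  do-not-query-localhost: no
forward-zone:
  name: "."
  forward-addr: 127.0.0.1@8053
EOF
    # constructed mistake: wrong port, so queries never reach Stubby
    cat >"$1/unbound-wrong.conf" <<'EOF'
forward-zone:
  name: "."
  forward-addr: 127.0.0.1@53
EOF
}

tmp=$(mktemp -d)
write_samples "$tmp"
lint_stubby_upstreams "$tmp/stubby.yml"
check_forward_chain "$tmp/stubby.yml" "$tmp/unbound-custom.conf" || true
check_forward_chain "$tmp/stubby.yml" "$tmp/unbound-wrong.conf" || true
rm -rf "$tmp"
```

On the box itself the inputs would be /usr/local/etc/stubby/stubby.yml and the rendered /var/unbound/unbound.conf that the log lines in this thread show Unbound being started with; a non-zero return from check_forward_chain means queries are not reaching Stubby, and the lint's "note" lines are the upstreams whose TLS certificate is only checked by hostname, not pinned.
-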
Someone finally notified Unbound after a bit of prodding ;)
https://www.nlnetlabs.nl/bugs-script/show_bug.cgi?id=4232
-
Interesting, thanks for that.
Since Unbound kept on dying with what appeared to be an HBSD related error message I thought the proper chain would have required a bottom up approach and not the other way around.
Whenever a patch is available please let us know so we can work this issue out both here and upstream in that bug report - if needed.
-
Nice to hear that things move forward, but as I wrote above I fear this will end in a Bermuda triangle between (H)BSD, LibreSSL and unbound. Hoping for the best... The solution with stubby is not something to implement in 5 min, this might be beyond my pay grade. :-(
-
How and for what reasons your OPNsense box is deployed, dictates your freedom of action of course. In my case, I'm the only user.
I started with a fresh backup of the configuration file. With it you can always return to the previous known good state. However, it will take longer than 5 min. Don't let anyone rush you.
Useful tools:
Putty
WinSCP
Notepad++
Then you can ask your boss for a raise :-)
miroco
-
Hi!
I'm still on
19.1.1
LibreSSL 2.7.5
Unbound 1.8.1
Anybody tried to update and unbound still stable? (Last try is some days ago, iirc 19.1.2, and unbound was stable for about 24h)
-
It sounds a bit like upstream servers are part of the crashes...
Cheers,
Franco
-
That was what I expected, to be true...
But doesn't this imply there is something wrong with openSSL, if it can't work correctly with LibreSSL?
-
Remember Heartbleed? It was known that OpenSSL has its own "memory allocation" to speed it up, which kinda wraps around malloc and free and never really gives back memory to the system leading to "solicited" use after free. LibreSSL doesn't do this anymore so it would naturally crash sooner.
The underlying issue could be the same in OpenSSL and LibreSSL still (same fix) but barely escapes crashing in OpenSSL leaving a vulnerability door open for the future. ;)
Cheers,
Franco
-
PS: Or for the paranoia fans out there: it could already be exploited in the wild and LibreSSL actually protects you properly. ;)
-
Yeah, franco, reminds me that I have to take my pills :-D
But I'm kinda locked at the moment... stay on 19.1.1 as long as possible, until someone (me, on an experimental box? But no time currently...) confirms another setup is working well. Don't want to run around restarting unbound every now and then.
-
PS: What really bugs me is that apparently nobody cares and the big players keep using this pile of trash called openSSL, whatever it takes, no matter what the price will be...
-
OK, I updated my test system (which I wanted to deploy weeks ago, anyways...) to 19.1.4 and unbound fails quite quickly and reliably.
Of note there is only ONE (1) client attached to the opnsense, only running a Firefox to keep the GUI of opnsense in sight for restarting unbound. Nothing else attached...
I get in GENERAL LOG:
Mar 16 02:59:12 kernel: [HBSD SEGVGUARD] [unbound (17174)] Suspension expired.
Mar 16 02:59:12 kernel: pid 17174 (unbound), uid 59: exited on signal 11
Mar 15 22:00:33 kernel: [HBSD SEGVGUARD] [unbound (93551)] Suspension expired.
Mar 15 22:00:33 kernel: pid 93551 (unbound), uid 59: exited on signal 11
Mar 15 20:01:59 kernel: [HBSD SEGVGUARD] [unbound (77728)] Suspension expired.
Mar 15 20:01:59 kernel: pid 77728 (unbound), uid 59: exited on signal 11
Mar 15 19:31:27 kernel: pid 5130 (unbound), uid 59: exited on signal 11
Mar 15 18:27:32 opnsense: /usr/local/etc/rc.linkup: The command '/usr/local/sbin/unbound -c '/var/unbound/unbound.conf'' returned exit code '1', the output was '[1552670852] unbound[74683:0] error: can't bind socket: Address already in use for 127.0.0.1 port 953 [1552670852] unbound[74683:0] error: cannot open control interface 127.0.0.1 953 [1552670852] unbound[74683:0] fatal error: could not open ports'
18:27 should be the time of REBOOT after updating from 18.7.10_4
...and in UNBOUND LOG:
Mar 16 08:55:00 unbound: [55520:2] info: generate keytag query _ta-4f66. NULL IN
Mar 16 08:54:08 unbound: [55520:0] info: start of service (unbound 1.9.0).
Mar 16 08:54:08 unbound: [55520:0] notice: init module 1: iterator
Mar 16 08:54:08 unbound: [55520:0] notice: init module 0: validator
Mar 16 00:17:18 unbound: [17174:3] info: generate keytag query _ta-4f66. NULL IN
Mar 16 00:17:17 unbound: [17174:0] info: start of service (unbound 1.9.0).
Mar 16 00:17:17 unbound: [17174:0] notice: init module 1: iterator
Mar 16 00:17:17 unbound: [17174:0] notice: init module 0: validator
Mar 15 21:04:14 unbound: [93551:0] info: generate keytag query _ta-4f66. NULL IN
Mar 15 21:04:10 unbound: [93551:0] info: start of service (unbound 1.9.0).
Mar 15 21:04:10 unbound: [93551:0] notice: init module 1: iterator
Mar 15 21:04:10 unbound: [93551:0] notice: init module 0: validator
Mar 15 19:38:52 unbound: [77728:1] info: generate keytag query _ta-4f66. NULL IN
Mar 15 19:38:51 unbound: [77728:0] info: start of service (unbound 1.9.0).
Mar 15 19:38:51 unbound: [77728:0] notice: init module 1: iterator
Mar 15 19:38:51 unbound: [77728:0] notice: init module 0: validator
Mar 15 18:51:49 unbound: [5130:2] info: generate keytag query _ta-4f66. NULL IN
Mar 15 18:51:46 unbound: [5130:0] info: start of service (unbound 1.9.0).
Mar 15 18:51:46 unbound: [5130:0] notice: init module 1: iterator
Mar 15 18:51:46 unbound: [5130:0] notice: init module 0: validator
Mar 15 18:50:54 unbound: [84000:0] info: server stats for thread 3: requestlist max 0 avg 0 exceeded 0 jostled 0
Mar 15 18:50:54 unbound: [84000:0] info: server stats for thread 3: 0 queries, 0 answers from cache, 0 recursions, 0 prefetch, 0 rejected by ip ratelimiting
Mar 15 18:50:54 unbound: [84000:0] info: server stats for thread 2: requestlist max 0 avg 0 exceeded 0 jostled 0
Mar 15 18:50:54 unbound: [84000:0] info: server stats for thread 2: 0 queries, 0 answers from cache, 0 recursions, 0 prefetch, 0 rejected by ip ratelimiting
Mar 15 18:50:54 unbound: [84000:0] info: server stats for thread 1: requestlist max 0 avg 0 exceeded 0 jostled 0
Mar 15 18:50:54 unbound: [84000:0] info: server stats for thread 1: 0 queries, 0 answers from cache, 0 recursions, 0 prefetch, 0 rejected by ip ratelimiting
Mar 15 18:50:54 unbound: [84000:0] info: server stats for thread 0: requestlist max 0 avg 0 exceeded 0 jostled 0
Mar 15 18:50:54 unbound: [84000:0] info: server stats for thread 0: 0 queries, 0 answers from cache, 0 recursions, 0 prefetch, 0 rejected by ip ratelimiting
Mar 15 18:50:54 unbound: [84000:0] info: service stopped (unbound 1.9.0).
Mar 15 18:50:54 unbound: [84000:0] info: start of service (unbound 1.9.0).
Mar 15 18:50:54 unbound: [84000:0] notice: init module 1: iterator
Mar 15 18:50:54 unbound: [84000:0] notice: init module 0: validator
Mar 15 18:50:54 unbound: [84000:0] notice: Restart of unbound 1.9.0.
Mar 15 18:50:54 unbound: [84000:0] info: 0.131072 0.262144 5
Mar 15 18:50:54 unbound: [84000:0] info: lower(secs) upper(secs) recursions
Mar 15 18:50:54 unbound: [84000:0] info: [25%]=0.16384 median[50%]=0.196608 [75%]=0.229376
Mar 15 18:50:54 unbound: [84000:0] info: histogram of recursion processing times
Mar 15 18:50:54 unbound: [84000:0] info: average recursion processing time 0.152972 sec
Mar 15 18:50:54 unbound: [84000:0] info: server stats for thread 3: requestlist max 0 avg 0 exceeded 0 jostled 0
Mar 15 18:50:54 unbound: [84000:0] info: server stats for thread 3: 5 queries, 0 answers from cache, 5 recursions, 0 prefetch, 0 rejected by ip ratelimiting
Mar 15 18:50:54 unbound: [84000:0] info: 0.262144 0.524288 5
Mar 15 18:50:54 unbound: [84000:0] info: 0.131072 0.262144 6
Mar 15 18:50:54 unbound: [84000:0] info: lower(secs) upper(secs) recursions
Mar 15 18:50:54 unbound: [84000:0] info: [25%]=0.191147 median[50%]=0.251221 [75%]=0.380109
Mar 15 18:50:54 unbound: [84000:0] info: histogram of recursion processing times
Mar 15 18:50:54 unbound: [84000:0] info: average recursion processing time 0.236744 sec
Mar 15 18:50:54 unbound: [84000:0] info: server stats for thread 2: requestlist max 0 avg 0 exceeded 0 jostled 0
Mar 15 18:50:54 unbound: [84000:0] info: server stats for thread 2: 11 queries, 0 answers from cache, 11 recursions, 0 prefetch, 0 rejected by ip ratelimiting
Mar 15 18:50:54 unbound: [84000:0] info: 1.000000 2.000000 1
Mar 15 18:50:54 unbound: [84000:0] info: 0.524288 1.000000 2
-
PS: After my last post I found that I had configured only ONE DNS server (Digitalcourage) via TLS, add two more and up to now no more crashes....
Is there an easy way to setup a service watchdog for unbound? I think I asked this in the past, I'm getting old...
-
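Added example for the general log above and the watchdog question (not from the thread): a POSIX sh script that counts the "exited on signal 11" kernel lines for unbound, lists the crashed PIDs so one crash can be told apart from a series of restarts that keep dying, counts failed starts separately (the log above has one where the control port 953 was still held by the previous instance), and runs a single watchdog pass. The check and restart commands are parameters; the OPNsense-specific commands in the comment are assumptions, and the log extract is constructed from the lines quoted above.

```shell
#!/bin/sh
# Added example, not from the thread: spot Unbound SIGSEGV exits in the
# OPNsense general log and restart the service once when it is gone.
# The log extract below is constructed from the lines quoted in the thread.

# Count "exited on signal 11" kernel lines for unbound. The HBSD SEGVGUARD
# "Suspension expired" lines are HardenedBSD reporting that its temporary
# block on re-executing the crashed binary has ended; they are not crashes
# and are not counted.
count_unbound_segv() {   # $1 = log file
    awk '/\(unbound\), uid [0-9]+: exited on signal 11/ { n++ } END { print n + 0 }' "$1"
}

# Distinct crashed PIDs in ascending order on one line.
unbound_segv_pids() {   # $1 = log file
    pids=$(awk '/\(unbound\), uid [0-9]+: exited on signal 11/ {
                   for (i = 1; i < NF; i++) if ($i == "pid") print $(i + 1)
               }' "$1" | sort -n)
    echo $pids   # unquoted on purpose: joins the lines with single spaces
}

# Failed starts look different from crashes; a watchdog that restarts while
# the old instance still holds the control port produces exactly this line.
count_unbound_start_failures() {   # $1 = log file
    awk '/unbound.*fatal error: could not open ports/ { n++ } END { print n + 0 }' "$1"
}

# One watchdog pass. Both commands are parameters so the logic runs offline;
# on OPNsense the assumed real invocation would be something like
#   watchdog_once "pgrep -q -f /usr/local/sbin/unbound" "configctl unbound restart"
# (configctl is OPNsense's configd client; the action name is an assumption,
# check on the box). Run it from cron every minute. Prints "running" or
# "restarted"; the restart is also logged via logger(1) when available.
watchdog_once() {   # $1 = check command, $2 = restart command
    if sh -c "$1" >/dev/null 2>&1; then
        echo running
        return 0
    fi
    logger -t unbound-watchdog "unbound not running, restarting" 2>/dev/null || true
    sh -c "$2" >/dev/null 2>&1 || true
    echo restarted
}

write_sample_log() {   # $1 = target file; constructed from the thread's log extract
    cat >"$1" <<'EOF'
Mar 16 02:59:12 kernel: [HBSD SEGVGUARD] [unbound (17174)] Suspension expired.
Mar 16 02:59:12 kernel: pid 17174 (unbound), uid 59: exited on signal 11
Mar 15 22:00:33 kernel: [HBSD SEGVGUARD] [unbound (93551)] Suspension expired.
Mar 15 22:00:33 kernel: pid 93551 (unbound), uid 59: exited on signal 11
Mar 15 20:01:59 kernel: [HBSD SEGVGUARD] [unbound (77728)] Suspension expired.
Mar 15 20:01:59 kernel: pid 77728 (unbound), uid 59: exited on signal 11
Mar 15 19:31:27 kernel: pid 5130 (unbound), uid 59: exited on signal 11
Mar 15 18:27:32 opnsense: /usr/local/etc/rc.linkup: The command '/usr/local/sbin/unbound -c '/var/unbound/unbound.conf'' returned exit code '1', the output was 'error: can't bind socket: Address already in use for 127.0.0.1 port 953 fatal error: could not open ports'
EOF
}

log=$(mktemp)
write_sample_log "$log"
echo "crashes: $(count_unbound_segv "$log")  pids: $(unbound_segv_pids "$log")"
echo "failed starts: $(count_unbound_start_failures "$log")"
watchdog_once "false" "true"   # simulated: check fails, restart command is a no-op
rm -f "$log"
```

A watchdog only buys availability; every "restarted" line is still a SIGSEGV in a network-facing parser running as uid 59, which is why the crash count and the PIDs are worth keeping in the log next to it.
-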
But when starting to update the only client connected, I get within seconds:
Mar 16 14:46:00 kernel: -> pid: 53949 ppid: 1 p_pax: 0xa50<SEGVGUARD,ASLR,NOSHLIBRANDOM,NODISALLOWMAP32BIT>
Mar 16 14:46:00 kernel: [HBSD SEGVGUARD] [unbound (53949)] Suspension expired.
Mar 16 14:46:00 kernel: pid 53949 (unbound), uid 59: exited on signal 11
...after restarting unbound is stable enough to complete updates, waiting
-
Did a Wireshark on the WAN interface of the OPNsense, last package received before unbound passed away was:
11652 2019-03-16 16:04:00.652225560 WAN_OPNsense 46.182.19.48 TCP 60 23837 → 853 [RST] Seq=424 Win=0 Len=0
....
11672 2019-03-16 16:04:00.838704263 46.182.19.48 WAN_OPNsense TCP 66 853 → 41185 [RST, ACK] Seq=1 Ack=2 Win=29056 Len=0 TSval=1447257805 TSecr=80176261
If I look upstream, I see the OPNsense sending RST packages to the DNS server every 20-30 packages, after Client Hello, Server Hello, a little TLSv1.2 traffic and some TCP packages sent back and forth, then there is
"Encrypted Alert" from the OPNsense and FIN/ACK
then
"Encrypted Alert" from the DNS server and FIN/ACK
after that the OPNsense sends the RST package...
Of any help? More info needed?
-
..started a pcap on the sense (WAN), to see what the alert is (or will the sense itself not be able to decrypt the package?)
-
No, pcap on OPNsense doesn't give any clue on the "Encrypted Alert", this time the conversation on port 853 ended with
6835 2019-03-16 17:30:00.381892 89.233.43.71 WAN_OPNsense TLSv1.2 73 Alert (Level: Fatal, Description: Illegal Parameter)
..afterwards only FIN and FIN,ACK and unbound dies....
-
Tried to find unbound 1.8.1 somewhere in the repos of opnsense, to no avail. Can anybody guide me how to transplant unbound 1.8.1 from another opnsense? Which files to copy over how and how to install?
-
# opnsense-code ports tools
# cd /usr/ports/dns/unbound
# git checkout 18.7.6
# make package deinstall install
It is relatively easy to navigate the ports tree if you know the OPNsense version equivalent of what you're looking for. ;)
Cheers,
Franco
-
Hi Franco!
Many thanks for reply!
# opnsense-code ports tools
...downloaded a gazillion of bytes.
# cd /usr/ports/net/unbound
...finds no directory named unbound. I checked manually (ls -l) in /usr/ports/net, there are some hundred directories, none is named unbound or related. Strange!
-
Sorry I tested and corrected it but forgot to change the notes before pasting :/
net -> dns
-
That helped ;-)
... but only half way:
root@OPN0119:/usr/ports/dns/unbound # make package deinstall install
===> unbound-1.8.1 depends on package: autoconf>=2.69 - not found
===> autoconf-2.69_1 depends on executable: gm4 - not found
===> m4-1.4.18,1 depends on executable: makeinfo - not found
===> License GPLv3+ accepted by the user
===> texinfo-6.5,1 depends on file: /usr/local/sbin/pkg - found
=> htmlxref.cnf doesn't seem to exist in /usr/ports/distfiles/texinfo/6.5.
=> Attempting to fetch http://distcache.FreeBSD.org/local-distfiles/sunpoet/texinfo/6.5/htmlxref.cnf
fetch: http://distcache.FreeBSD.org/local-distfiles/sunpoet/texinfo/6.5/htmlxref.cnf: size mismatch: expected 20137,6
=> Attempting to fetch http://distcache.us-east.FreeBSD.org/local-distfiles/sunpoet/texinfo/6.5/htmlxref.cnf
fetch: http://distcache.us-east.FreeBSD.org/local-distfiles/sunpoet/texinfo/6.5/htmlxref.cnf: size mismatch: expecte6
=> Attempting to fetch http://distcache.eu.FreeBSD.org/local-distfiles/sunpoet/texinfo/6.5/htmlxref.cnf
fetch: http://distcache.eu.FreeBSD.org/local-distfiles/sunpoet/texinfo/6.5/htmlxref.cnf: size mismatch: expected 2016
=> Attempting to fetch http://distcache.us-west.FreeBSD.org/local-distfiles/sunpoet/texinfo/6.5/htmlxref.cnf
fetch: http://distcache.us-west.FreeBSD.org/local-distfiles/sunpoet/texinfo/6.5/htmlxref.cnf: size mismatch: expecte6
=> Attempting to fetch http://distcache.FreeBSD.org/ports-distfiles/texinfo/6.5/htmlxref.cnf
fetch: http://distcache.FreeBSD.org/ports-distfiles/texinfo/6.5/htmlxref.cnf: size mismatch: expected 20137, actual 6
=> Couldn't fetch it - please try to retrieve this
=> port manually into /usr/ports/distfiles/texinfo/6.5 and try again.
*** Error code 1
Stop.
make[3]: stopped in /usr/ports/print/texinfo
*** Error code 1
Stop.
make[2]: stopped in /usr/ports/devel/m4
*** Error code 1
Stop.
make[1]: stopped in /usr/ports/devel/autoconf
*** Error code 1
Stop.
make: stopped in /usr/ports/dns/unbound
-
# pkg install -A gmake automake pkgconf
And try again....
-
...now we have:
root@OPN0119:/usr/ports/dns/unbound # make package deinstall install
===> unbound-1.8.1 depends on package: autoconf>=2.69 - found
===> unbound-1.8.1 depends on package: automake>=1.16.1 - found
===> unbound-1.8.1 depends on executable: libtoolize - not found
===> License GPLv2 accepted by the user
===> libtool-2.4.6 depends on file: /usr/local/sbin/pkg - found
=> libtool-2.4.6.tar.xz doesn't seem to exist in /usr/ports/distfiles/.
=> Attempting to fetch https://ftpmirror.gnu.org/libtool/libtool-2.4.6.tar.xz
libtool-2.4.6.tar.xz 100% of 950 kB 3227 kBps 00m00s
===> Fetching all distfiles required by libtool-2.4.6 for building
===> Extracting for libtool-2.4.6
=> SHA256 Checksum OK for libtool-2.4.6.tar.xz.
===> Patching for libtool-2.4.6
===> libtool-2.4.6 depends on executable: gm4 - found
===> libtool-2.4.6 depends on executable: gmake - found
===> libtool-2.4.6 depends on executable: makeinfo - not found
===> License GPLv3+ accepted by the user
===> texinfo-6.5,1 depends on file: /usr/local/sbin/pkg - found
=> htmlxref.cnf doesn't seem to exist in /usr/ports/distfiles/texinfo/6.5.
=> Attempting to fetch http://distcache.FreeBSD.org/local-distfiles/sunpoet/texinfo/6.5/htmlxref.cnf
fetch: http://distcache.FreeBSD.org/local-distfiles/sunpoet/texinfo/6.5/htmlxref.cnf: size mismatch: expected 20137,6
=> Attempting to fetch http://distcache.us-east.FreeBSD.org/local-distfiles/sunpoet/texinfo/6.5/htmlxref.cnf
fetch: http://distcache.us-east.FreeBSD.org/local-distfiles/sunpoet/texinfo/6.5/htmlxref.cnf: size mismatch: expecte6
=> Attempting to fetch http://distcache.eu.FreeBSD.org/local-distfiles/sunpoet/texinfo/6.5/htmlxref.cnf
fetch: http://distcache.eu.FreeBSD.org/local-distfiles/sunpoet/texinfo/6.5/htmlxref.cnf: size mismatch: expected 2016
=> Attempting to fetch http://distcache.us-west.FreeBSD.org/local-distfiles/sunpoet/texinfo/6.5/htmlxref.cnf
fetch: http://distcache.us-west.FreeBSD.org/local-distfiles/sunpoet/texinfo/6.5/htmlxref.cnf: size mismatch: expecte6
=> Attempting to fetch http://distcache.FreeBSD.org/ports-distfiles/texinfo/6.5/htmlxref.cnf
fetch: http://distcache.FreeBSD.org/ports-distfiles/texinfo/6.5/htmlxref.cnf: size mismatch: expected 20137, actual 6
=> Couldn't fetch it - please try to retrieve this
=> port manually into /usr/ports/distfiles/texinfo/6.5 and try again.
*** Error code 1
Stop.
make[2]: stopped in /usr/ports/print/texinfo
*** Error code 1
Stop.
make[1]: stopped in /usr/ports/devel/libtool
*** Error code 1
Stop.
make: stopped in /usr/ports/dns/unbound
...still sumfink missing
-
# pkg install -A libtool
8)
-
That worked well, but now the console doesn't stop throwing text lines for minutes now. Is it making the WHOLE sense? I thought it was just unbound I ordered... :-D
PS: some minutes later...
root@OPN0119:/usr/ports/dns/unbound # make package deinstall install
***skipped some million lines of text output here...***
ln -sf "tls_init.3" "/usr/obj/usr/ports/security/libressl/work/stage/usr/local/man/man3/tls_config_new.3"
ln -sf "tls_load_file.3" "/usr/obj/usr/ports/security/libressl/work/stage/usr/local/man/man3/tls_config_add_keypair_"
ln -sf "tls_load_file.3" "/usr/obj/usr/ports/security/libressl/work/stage/usr/local/man/man3/tls_config_add_keypair_"
ln -sf "tls_load_file.3" "/usr/obj/usr/ports/security/libressl/work/stage/usr/local/man/man3/tls_config_add_keypair_"
ln -sf "tls_load_file.3" "/usr/obj/usr/ports/security/libressl/work/stage/usr/local/man/man3/tls_config_add_keypair_"
ln -sf "tls_load_file.3" "/usr/obj/usr/ports/security/libressl/work/stage/usr/local/man/man3/tls_config_clear_keys.3"
ln -sf "tls_load_file.3" "/usr/obj/usr/ports/security/libressl/work/stage/usr/local/man/man3/tls_config_set_ca_file."
ln -sf "tls_load_file.3" "/usr/obj/usr/ports/security/libressl/work/stage/usr/local/man/man3/tls_config_set_ca_mem.3"
ln -sf "tls_load_file.3" "/usr/obj/usr/ports/security/libressl/work/stage/usr/local/man/man3/tls_config_set_ca_path."
ln -sf "tls_load_file.3" "/usr/obj/usr/ports/security/libressl/work/stage/usr/local/man/man3/tls_config_set_cert_fil"
ln -sf "tls_load_file.3" "/usr/obj/usr/ports/security/libressl/work/stage/usr/local/man/man3/tls_config_set_cert_mem"
ln -sf "tls_load_file.3" "/usr/obj/usr/ports/security/libressl/work/stage/usr/local/man/man3/tls_config_set_crl_file"
ln -sf "tls_load_file.3" "/usr/obj/usr/ports/security/libressl/work/stage/usr/local/man/man3/tls_config_set_crl_mem."
ln -sf "tls_load_file.3" "/usr/obj/usr/ports/security/libressl/work/stage/usr/local/man/man3/tls_config_set_key_file"
ln -sf "tls_load_file.3" "/usr/obj/usr/ports/security/libressl/work/stage/usr/local/man/man3/tls_config_set_key_mem."
ln -sf "tls_load_file.3" "/usr/obj/usr/ports/security/libressl/work/stage/usr/local/man/man3/tls_config_set_keypair_"
ln -sf "tls_load_file.3" "/usr/obj/usr/ports/security/libressl/work/stage/usr/local/man/man3/tls_config_set_keypair_"
ln -sf "tls_load_file.3" "/usr/obj/usr/ports/security/libressl/work/stage/usr/local/man/man3/tls_config_set_keypair_"
ln -sf "tls_load_file.3" "/usr/obj/usr/ports/security/libressl/work/stage/usr/local/man/man3/tls_config_set_keypair_"
ln -sf "tls_load_file.3" "/usr/obj/usr/ports/security/libressl/work/stage/usr/local/man/man3/tls_config_set_ocsp_sta"
ln -sf "tls_load_file.3" "/usr/obj/usr/ports/security/libressl/work/stage/usr/local/man/man3/tls_config_set_ocsp_sta"
ln -sf "tls_load_file.3" "/usr/obj/usr/ports/security/libressl/work/stage/usr/local/man/man3/tls_config_set_verify_d"
ln -sf "tls_load_file.3" "/usr/obj/usr/ports/security/libressl/work/stage/usr/local/man/man3/tls_config_verify_clien"
ln -sf "tls_load_file.3" "/usr/obj/usr/ports/security/libressl/work/stage/usr/local/man/man3/tls_config_verify_clien"
ln -sf "tls_load_file.3" "/usr/obj/usr/ports/security/libressl/work/stage/usr/local/man/man3/tls_unload_file.3"
ln -sf "tls_ocsp_process_response.3" "/usr/obj/usr/ports/security/libressl/work/stage/usr/local/man/man3/tls_peer_oc"
ln -sf "tls_ocsp_process_response.3" "/usr/obj/usr/ports/security/libressl/work/stage/usr/local/man/man3/tls_peer_oc"
ln -sf "tls_ocsp_process_response.3" "/usr/obj/usr/ports/security/libressl/work/stage/usr/local/man/man3/tls_peer_oc"
ln -sf "tls_ocsp_process_response.3" "/usr/obj/usr/ports/security/libressl/work/stage/usr/local/man/man3/tls_peer_oc"
ln -sf "tls_ocsp_process_response.3" "/usr/obj/usr/ports/security/libressl/work/stage/usr/local/man/man3/tls_peer_oc"
ln -sf "tls_ocsp_process_response.3" "/usr/obj/usr/ports/security/libressl/work/stage/usr/local/man/man3/tls_peer_oc"
ln -sf "tls_ocsp_process_response.3" "/usr/obj/usr/ports/security/libressl/work/stage/usr/local/man/man3/tls_peer_oc"
ln -sf "tls_ocsp_process_response.3" "/usr/obj/usr/ports/security/libressl/work/stage/usr/local/man/man3/tls_peer_oc"
ln -sf "tls_read.3" "/usr/obj/usr/ports/security/libressl/work/stage/usr/local/man/man3/tls_close.3"
ln -sf "tls_read.3" "/usr/obj/usr/ports/security/libressl/work/stage/usr/local/man/man3/tls_error.3"
ln -sf "tls_read.3" "/usr/obj/usr/ports/security/libressl/work/stage/usr/local/man/man3/tls_handshake.3"
ln -sf "tls_read.3" "/usr/obj/usr/ports/security/libressl/work/stage/usr/local/man/man3/tls_reset.3"
ln -sf "tls_read.3" "/usr/obj/usr/ports/security/libressl/work/stage/usr/local/man/man3/tls_write.3"
/bin/mkdir -p '/usr/obj/usr/ports/security/libressl/work/stage/usr/local/libdata/pkgconfig'
install -m 0644 libcrypto.pc libssl.pc libtls.pc openssl.pc '/usr/obj/usr/ports/security/libressl/work/stage/usr/l'
/bin/rm -f -r /usr/obj/usr/ports/security/libressl/work/stage//usr/local/etc/ssl/cert.pem
====> Compressing man pages (compress-man)
===> Installing for libressl-2.7.4
===> Checking if libressl already installed
===> libressl-2.7.4 is already installed
You may wish to ``make deinstall'' and install this port again
by ``make reinstall'' to upgrade it properly.
If you really wish to overwrite the old port of libressl
without deleting it first, set the variable "FORCE_PKG_REGISTER"
in your environment or the "make install" command line.
*** Error code 1
Stop.
make[1]: stopped in /usr/ports/security/libressl
*** Error code 1
Stop.
make: stopped in /usr/ports/dns/unbound
-
Frustrating, kinda like every other day behind the scenes for us. 8)
I'll build an old version for you in a bit.
For now try the newly released 1.9.1:
# pkg add -f https://pkg.opnsense.org/FreeBSD:11:amd64/snapshots/libressl/All/unbound-1.9.1.txz
Cheers,
Franco
-
1.9.1 installed, on reboot:
Mar 19 09:34:27 opnsense: /usr/local/etc/rc.linkup: Hotplug event detected for LAN(lan) but ignoring since interface is configured with static IP (192.168.11.1 ::)
Mar 19 09:34:27 kernel: em4: permanently promiscuous mode enabled
Mar 19 09:34:27 kernel: em3: link state changed to DOWN
Mar 19 09:34:27 kernel: em3: permanently promiscuous mode enabled
Mar 19 09:34:08 kernel: pid 38636 (unbound), uid 59: exited on signal 11
Mar 19 09:34:07 kernel: OK
Mar 19 09:34:06 kernel: OK
Mar 19 09:33:13 opnsense: /usr/local/etc/rc.newwanip: ROUTING: skipping IPv6 default route
Mar 19 09:33:13 opnsense: /usr/local/etc/rc.newwanip: ROUTING: keeping current default gateway '192.168.199.1'
...and after manual restart:
Mar 19 09:36:52 kernel: -> pid: 5881 ppid: 1 p_pax: 0xa50<SEGVGUARD,ASLR,NOSHLIBRANDOM,NODISALLOWMAP32BIT>
Mar 19 09:36:52 kernel: [HBSD SEGVGUARD] [unbound (5881)] Suspension expired.
Mar 19 09:36:52 kernel: pid 5881 (unbound), uid 59: exited on signal 11
Mar 19 09:35:37 kernel: pid 6235 (unbound), uid 59: exited on signal 11
I disabled DNSSEC for the moment to see if it makes a difference...
-
...same difference: without DNSSEC the reboot came back fine, but trying to update the only client in the LAN kills off unbound after some seconds.
-
Sorry, busy week. Here's your 1.8.1 on LibreSSL 2.8.3:
# pkg add -f https://pkg.opnsense.org/FreeBSD:11:amd64/snapshots/unbound-1.8.1.txz
-
...installed and rebooted. Stable for the moment...
Many thanks! Any way to store this unbound 1.8.1 locally and install it via console, in case I decide to update my production systems? :-)
PS: Stored a copy on my computer (wget....) and on the opnsense (fetch). But how do I install it from my computer on another opnsense? Do I need to set up a webserver on my computer? No idea how to mount a USB stick on my sense by hand...
-
You can install the file via any HTTP server or locally on the box, "pkg add -f location/to/package.txz" will do the trick...
Cheers,
Franco
-
...yeah, would have to set up an HTTP server locally or learn how to mount a USB stick on my sense install ;-)
Many thanks again, 1.8.1 is stable on 19.1.4 up to now.
Will a package lock of unbound 1.8.1 on 19.1.1 install survive an update to 19.1.4?
Or is unbound 1.8.1 available on 19.1.1 not functional on 19.1.4?
-
Lock the unbound package, it'll likely keep working until it's time to upgrade to 19.7.
Cheers,
Franco
-
Nearly, as the locked unbound 1.8.1 from 19.1.1 will give you on reboot after update to 19.1.4
opnsense: /usr/local/etc/rc.newwanip: The command '/usr/local/sbin/unbound -c '/var/unbound/unbound.conf'' returned exit code '1', the output was 'Shared object "libssl.so.45" not found, required by "unbound"'
...
switch to DNSmasq (don't forget to enter DNS servers in Settings - General, might cost you some time to recognize why your DNS is dead), update unbound from 1.8.1 to 1.8.1 (version provided by Franco's link above) and back in business...
-
LibreSSL was updated in 19.1.2 and so the shared library version mismatches. I'm sorry, but that's exactly what I mean by "frustrating, kinda like every other day".
Cheers,
Franco
-
Not a big issue, that's why I did the update on Saturday to have some extra time for surprises... ;)
-
Update on 19.1.5 with unbound 1.9.1: Same problem, trying to revert to unbound 1.8.1
...the unbound 1.8.1 linked above is no longer available..
-
# opnsense-code -f ports tools
# cd /usr/ports/dns/unbound
# git checkout 18.7.6 .
# pkg install -yA gmake libtool automake pkgconf
# make package deinstall install
I can provide a binary if needed, but I'm pretty sure this will work now...
-
Thank you very much, franco, I'm at
# make package deinstall install
===> unbound-1.8.1 depends on package: autoconf>=2.69 - found
===> unbound-1.8.1 depends on package: automake>=1.16.1 - found
===> unbound-1.8.1 depends on executable: libtoolize - found
===> unbound-1.8.1 depends on package: pkgconf>=1.3.0_1 - found
===> unbound-1.8.1 depends on file: /usr/local/lib/libcrypto.so.43 - not found
===> Installing for libressl-2.7.4
===> Checking if libressl already installed
===> libressl-2.7.4 is already installed
You may wish to ``make deinstall'' and install this port again
by ``make reinstall'' to upgrade it properly.
If you really wish to overwrite the old port of libressl
without deleting it first, set the variable "FORCE_PKG_REGISTER"
in your environment or the "make install" command line.
*** Error code 1
Stop.
make[1]: stopped in /usr/ports/security/libressl
*** Error code 1
Stop.
make: stopped in /usr/ports/dns/unbound
Sorry for that... No hurry, it's only an experimental system at that time.
-
No, did you type "git checkout 18.7.6 ." with the DOT at the end? Important...
Cheers,
Franco
-
(You have an older tree checked out and that clashes with everything else installed.)
-
Yepp, I copy&pasted your commands ;-)
Tried again, gives "Updated 0 from path e704d..."
and in the end the same error. I'm not a coder, sorry.
-
# rm -r /usr/ports
This needs to work... Maybe the tree is stuck although opnsense-code -f should do that as well..
-
That one did the trick! Pörfect! :-D
-
Whew, ok... 8)
-
Someone finally notified Unbound after a bit of prodding ;)
https://www.nlnetlabs.nl/bugs-script/show_bug.cgi?id=4232
-
Hi franco, is Menco even active on this forum? I found that under "Advanced" in the GUI (last option on page) the logging level of Unbound can be increased. Did anybody try to get such a log and if not, would it be helpful to the Unbound people for debugging?
-
It certainly would. The way it is now we have a lot of people using advanced options reporting errors here but not to Unbound which doesn't bring us closer to a solution.
I'm happy to provide custom builds of Unbound for patches that they want to try or extra debugging info added...
Cheers,
Franco
-
... will break my test system by updating to 19.1.6 (unbound unlocked) and post the output here. Or any other method preferred? The log might be quite large in the most verbose mode, I guess....
Who would report the log to unbound (I have no git account or alike...)?
-
I can create an account and post it there if you wish, but I am not very quick these days due to my day job.
Cheers,
Franco
-
OK, I updated to 19.1.6 and killed unbound by opening Firefox (empty tab, the "Safebrowsing" stuff alone seems to be enough to kill unbound).
_________________
OPNsense 19.1.6
LibreSSL
Unbound 1.9.1
DNSSEC not enabled
Options:
ssl-upstream: yes
forward-zone:
name: "."
forward-addr: 46.182.19.48@853 #digitalcourage
forward-addr: 89.233.43.71@853 #FriDNS.dk
forward-addr: 149.112.112.112@853 #Quad9
________________
syslog
Apr 11 16:44:41 kernel: pid 29895 (unbound), uid 59: exited on signal 11
________________
unbound log set to level 5
Apr 11 16:44:41 unbound: [29895:2] debug: svcd callbacks end
Apr 11 16:44:41 unbound: [29895:2] debug: cache memory msg=141823 rrset=155964 infra=11115 val=0
Apr 11 16:44:41 unbound: [29895:2] info: 0.524288 1.000000 1
Apr 11 16:44:41 unbound: [29895:2] info: 0.262144 0.524288 2
Apr 11 16:44:41 unbound: [29895:2] info: 0.131072 0.262144 5
Apr 11 16:44:41 unbound: [29895:2] info: 0.065536 0.131072 1
Apr 11 16:44:41 unbound: [29895:2] info: lower(secs) upper(secs) recursions
Apr 11 16:44:41 unbound: [29895:2] info: [25%]=0.16384 median[50%]=0.222822 [75%]=0.360448
Apr 11 16:44:41 unbound: [29895:2] info: histogram of recursion processing times
Apr 11 16:44:41 unbound: [29895:2] info: average recursion processing time 0.232278 sec
Apr 11 16:44:41 unbound: [29895:2] info: mesh_run: end 0 recursion states (0 with reply, 0 detached), 0 waiting replies, 9 recursion replies sent, 0 replies dropped, 0 states jostled out
Apr 11 16:44:41 unbound: [29895:2] debug: query took 0.278204 sec
Apr 11 16:44:41 unbound: [29895:2] debug: mesh_run: iterator module exit state is module_finished
Apr 11 16:44:41 unbound: [29895:2] debug: return error response SERVFAIL
Apr 11 16:44:41 unbound: [29895:2] debug: store error response in message cache
Apr 11 16:44:41 unbound: [29895:2] debug: configured stub or forward servers failed -- returning SERVFAIL
Apr 11 16:44:41 unbound: [29895:2] debug: No more query targets, attempting last resort
Apr 11 16:44:41 unbound: [29895:2] debug: attempt to get extra 3 targets
Apr 11 16:44:41 unbound: [29895:2] debug: ip4 46.182.19.48 port 853 (len 16)
Apr 11 16:44:41 unbound: [29895:2] debug: ip4 89.233.43.71 port 853 (len 16)
Apr 11 16:44:41 unbound: [29895:2] debug: ip4 149.112.112.112 port 853 (len 16)
Apr 11 16:44:41 unbound: [29895:2] info: DelegationPoint<.>: 0 names (0 missing), 3 addrs (0 result, 0 avail) parentNS
Apr 11 16:44:41 unbound: [29895:2] debug: processQueryTargets: targetqueries 0, currentqueries 0 sentcount 2
Apr 11 16:44:41 unbound: [29895:2] info: processQueryTargets: safebrowsing.googleapis.com. AAAA IN
Apr 11 16:44:41 unbound: [29895:2] debug: iter_handle processing q with state QUERY TARGETS STATE
Apr 11 16:44:41 unbound: [29895:2] info: error sending query to auth server ip4 89.233.43.71 port 853 (len 16)
Apr 11 16:44:41 unbound: [29895:2] debug: close fd 34
Apr 11 16:44:41 unbound: [29895:2] error: could not SSL_new crypto error:14FFF0E4:SSL routines:(UNKNOWN)SSL_internal:ssl ctx has no default ssl version
Apr 11 16:44:41 unbound: [29895:2] debug: tcp bound to src ip4 192.168.199.4 port 0 (len 16)
Apr 11 16:44:41 unbound: [29895:2] debug: dnssec status: not expected
Apr 11 16:44:41 unbound: [29895:2] debug: sending to target: <.> 89.233.43.71#853
Apr 11 16:44:41 unbound: [29895:2] info: sending query: safebrowsing.googleapis.com. AAAA IN
Apr 11 16:44:41 unbound: [29895:2] debug: selrtt 788
Apr 11 16:44:41 unbound: [29895:2] debug: rtt=788
Apr 11 16:44:41 unbound: [29895:2] debug: servselect ip4 89.233.43.71 port 853 (len 16)
Apr 11 16:44:41 unbound: [29895:2] debug: attempt to get extra 3 targets
Apr 11 16:44:41 unbound: [29895:2] debug: ip4 46.182.19.48 port 853 (len 16)
Apr 11 16:44:41 unbound: [29895:2] debug: ip4 89.233.43.71 port 853 (len 16)
Apr 11 16:44:41 unbound: [29895:2] debug: ip4 149.112.112.112 port 853 (len 16)
Apr 11 16:44:41 unbound: [29895:2] info: DelegationPoint<.>: 0 names (0 missing), 3 addrs (1 result, 0 avail) parentNS
Apr 11 16:44:41 unbound: [29895:2] debug: processQueryTargets: targetqueries 0, currentqueries 0 sentcount 2
Apr 11 16:44:41 unbound: [29895:2] info: processQueryTargets: safebrowsing.googleapis.com. AAAA IN
Apr 11 16:44:41 unbound: [29895:2] debug: iter_handle processing q with state QUERY TARGETS STATE
Apr 11 16:44:41 unbound: [29895:2] info: error sending query to auth server ip4 89.233.43.71 port 853 (len 16)
Apr 11 16:44:41 unbound: [29895:2] debug: close fd 34
Apr 11 16:44:41 unbound: [29895:2] error: could not SSL_new crypto error:14FFF0E4:SSL routines:(UNKNOWN)SSL_internal:ssl ctx has no default ssl version
Apr 11 16:44:41 unbound: [29895:2] debug: tcp bound to src ip4 192.168.199.4 port 0 (len 16)
Apr 11 16:44:41 unbound: [29895:2] debug: dnssec status: not expected
Apr 11 16:44:41 unbound: [29895:2] debug: sending to target: <.> 89.233.43.71#853
Apr 11 16:44:41 unbound: [29895:2] info: sending query: safebrowsing.googleapis.com. AAAA IN
...
Have the whole resolver.log here, but much too big to paste it here. File size 95.4 MB....
-
next event:
syslog:
Apr 11 18:47:23 kernel: -> pid: 46228 ppid: 1 p_pax: 0xa50<SEGVGUARD,ASLR,NOSHLIBRANDOM,NODISALLOWMAP32BIT>
Apr 11 18:47:23 kernel: [HBSD SEGVGUARD] [unbound (46228)] Suspension expired.
Apr 11 18:47:23 kernel: pid 46228 (unbound), uid 59: exited on signal 11
unbound log:
Apr 11 18:47:23 unbound: [46228:1] debug: comm point listen_for_rw 27 0
Apr 11 18:47:23 unbound: [46228:3] debug: cache memory msg=134543 rrset=140365 infra=11115 val=0
Apr 11 18:47:23 unbound: [46228:3] info: 0RDd mod0 rep ftp.de.debian.org. A IN
Apr 11 18:47:23 unbound: [46228:3] info: 0.524288 1.000000 1
Apr 11 18:47:23 unbound: [46228:3] info: 0.262144 0.524288 1
Apr 11 18:47:23 unbound: [46228:3] info: 0.131072 0.262144 3
Apr 11 18:47:23 unbound: [46228:3] info: lower(secs) upper(secs) recursions
Apr 11 18:47:23 unbound: [46228:3] info: [25%]=0.185685 median[50%]=0.240299 [75%]=0.458752
Apr 11 18:47:23 unbound: [46228:3] info: histogram of recursion processing times
Apr 11 18:47:23 unbound: [46228:3] info: average recursion processing time 0.319276 sec
Apr 11 18:47:23 unbound: [46228:3] info: mesh_run: end 1 recursion states (1 with reply, 0 detached), 1 waiting replies, 5 recursion replies sent, 0 replies dropped, 0 states jostled out
Apr 11 18:47:23 unbound: [46228:3] debug: mesh_run: iterator module exit state is module_wait_reply
Apr 11 18:47:23 unbound: [46228:3] debug: comm point start listening 29
Apr 11 18:47:23 unbound: [46228:3] debug: tcp bound to src ip4 192.168.199.4 port 0 (len 16)
Apr 11 18:47:23 unbound: [46228:3] debug: dnssec status: not expected
Apr 11 18:47:23 unbound: [46228:3] debug: sending to target: <.> 149.112.112.112#853
Apr 11 18:47:23 unbound: [46228:3] info: sending query: ftp.de.debian.org. A IN
Apr 11 18:47:23 unbound: [46228:3] debug: selrtt 478
Apr 11 18:47:23 unbound: [46228:3] debug: rtt=581
Apr 11 18:47:23 unbound: [46228:3] debug: servselect ip4 149.112.112.112 port 853 (len 16)
Apr 11 18:47:23 unbound: [46228:3] debug: rtt=1155
Apr 11 18:47:23 unbound: [46228:3] debug: servselect ip4 89.233.43.71 port 853 (len 16)
Apr 11 18:47:23 unbound: [46228:3] debug: rtt=478
Apr 11 18:47:23 unbound: [46228:3] debug: servselect ip4 46.182.19.48 port 853 (len 16)
Apr 11 18:47:23 unbound: [46228:3] debug: attempt to get extra 3 targets
Apr 11 18:47:23 unbound: [46228:3] debug: ip4 46.182.19.48 port 853 (len 16)
Apr 11 18:47:23 unbound: [46228:3] debug: ip4 89.233.43.71 port 853 (len 16)
Apr 11 18:47:23 unbound: [46228:3] debug: ip4 149.112.112.112 port 853 (len 16)
Apr 11 18:47:23 unbound: [46228:3] info: DelegationPoint<.>: 0 names (0 missing), 3 addrs (0 result, 3 avail) parentNS
Apr 11 18:47:23 unbound: [46228:3] debug: processQueryTargets: targetqueries 0, currentqueries 0 sentcount 0
Apr 11 18:47:23 unbound: [46228:3] info: processQueryTargets: ftp.de.debian.org. A IN
Apr 11 18:47:23 unbound: [46228:3] debug: iter_handle processing q with state QUERY TARGETS STATE
Apr 11 18:47:23 unbound: [46228:3] debug: forwarding request
Apr 11 18:47:23 unbound: [46228:3] debug: request has dependency depth of 0
Apr 11 18:47:23 unbound: [46228:3] info: resolving ftp.de.debian.org. A IN
Apr 11 18:47:23 unbound: [46228:3] debug: iter_handle processing q with state INIT REQUEST STATE
Apr 11 18:47:23 unbound: [46228:3] debug: process_request: new external request event
Apr 11 18:47:23 unbound: [46228:3] debug: iterator[module 0] operate: extstate:module_state_initial event:module_event_new
Apr 11 18:47:23 unbound: [46228:3] debug: mesh_run: start
Apr 11 18:47:23 unbound: [46228:3] debug: udp request from ip4 192.168.11.10 port 55142 (len 16)
Apr 11 18:47:23 unbound: [46228:3] debug: answer from the cache failed
Apr 11 18:47:23 unbound: [46228:0] debug: cache memory msg=134543 rrset=140365 infra=11115 val=0
Apr 11 18:47:23 unbound: [46228:0] info: 0RDd mod0 rep security.debian.org. AAAA IN
Apr 11 18:47:23 unbound: [46228:0] info: 0.262144 0.524288 2
Apr 11 18:47:23 unbound: [46228:0] info: 0.131072 0.262144 2
Apr 11 18:47:23 unbound: [46228:0] info: lower(secs) upper(secs) recursions
Apr 11 18:47:23 unbound: [46228:0] info: [25%]=0.196608 median[50%]=0.262144 [75%]=0.393216
Apr 11 18:47:23 unbound: [46228:0] info: histogram of recursion processing times
Apr 11 18:47:23 unbound: [46228:0] info: average recursion processing time 0.263320 sec
Apr 11 18:47:23 unbound: [46228:0] info: mesh_run: end 1 recursion states (1 with reply, 0 detached), 1 waiting replies, 4 recursion replies sent, 0 replies dropped, 0 states jostled out
Apr 11 18:47:23 unbound: [46228:0] debug: mesh_run: iterator module exit state is module_wait_reply
Apr 11 18:47:23 unbound: [46228:0] debug: comm point start listening 28
Apr 11 18:47:23 unbound: [46228:0] debug: tcp bound to src ip4 192.168.199.4 port 0 (len 16)
Apr 11 18:47:23 unbound: [46228:0] debug: dnssec status: not expected
Apr 11 18:47:23 unbound: [46228:0] debug: sending to target: <.> 149.112.112.112#853
Apr 11 18:47:23 unbound: [46228:0] info: sending query: security.debian.org. AAAA IN
Apr 11 18:47:23 unbound: [46228:0] debug: selrtt 478
Apr 11 18:47:23 unbound: [46228:0] debug: rtt=581
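-
Three distinct failure signatures show up in this thread: the kernel's "exited on signal 11" lines for unbound, the verbose resolver log's "could not SSL_new ... ssl ctx has no default ssl version" error that precedes the SERVFAILs, and the "Shared object "libssl.so.45" not found" message from rc.newwanip after a locked unbound outlived the LibreSSL it was built against. The script below is an added example for triaging those signatures from saved logs; it is not code from OPNsense, Unbound or any poster here. All sample lines are constructed in the style of the lines posted above (PIDs, timestamps and the ldd output are made up), and the ldd(1) "=> not found" format is assumed from FreeBSD's output.

```shell
#!/bin/sh
# Added example, not from the thread: triage unbound failure signatures in
# saved syslog / resolver-log text. Sample data below is CONSTRUCTED.

SAMPLE_SYSLOG=$(cat <<'EOF'
Mar 19 09:34:08 kernel: pid 38636 (unbound), uid 59: exited on signal 11
Mar 19 09:36:52 kernel: [HBSD SEGVGUARD] [unbound (5881)] Suspension expired.
Mar 19 09:36:52 kernel: pid 5881 (unbound), uid 59: exited on signal 11
Mar 19 09:37:10 kernel: pid 6235 (unbound), uid 59: exited on signal 11
Mar 19 09:38:00 kernel: pid 7001 (otherdaemon), uid 0: exited on signal 11
Mar 20 08:00:01 opnsense: /usr/local/etc/rc.newwanip: The command '/usr/local/sbin/unbound -c '/var/unbound/unbound.conf'' returned exit code '1', the output was 'Shared object "libssl.so.45" not found, required by "unbound"'
EOF
)

SAMPLE_RESOLVER_LOG=$(cat <<'EOF'
Apr 11 16:44:41 unbound: [29895:2] debug: tcp bound to src ip4 192.168.199.4 port 0 (len 16)
Apr 11 16:44:41 unbound: [29895:2] error: could not SSL_new crypto error:14FFF0E4:SSL routines:(UNKNOWN)SSL_internal:ssl ctx has no default ssl version
Apr 11 16:44:41 unbound: [29895:2] debug: close fd 34
Apr 11 16:44:41 unbound: [29895:2] debug: configured stub or forward servers failed -- returning SERVFAIL
EOF
)

# Constructed ldd(1)-style output (FreeBSD format assumed) for a pinned binary
# whose libraries were removed by a base/LibreSSL upgrade.
SAMPLE_LDD=$(cat <<'EOF'
/usr/local/sbin/unbound:
    libssl.so.45 => not found (0)
    libcrypto.so.43 => not found (0)
    libthr.so.3 => /lib/libthr.so.3 (0x800a00000)
    libc.so.7 => /lib/libc.so.7 (0x800c00000)
EOF
)

# PIDs of unbound processes the kernel reported as dying with SIGSEGV (signal 11),
# one per line in log order. Crashes of other daemons are deliberately ignored.
unbound_segfault_pids() {
    printf '%s\n' "$1" | awk '
        /kernel: pid [0-9]+ \(unbound\), uid [0-9]+: exited on signal 11/ {
            sub(/.*kernel: pid /, "")
            sub(/ .*/, "")
            print
        }'
}

# Number of such crashes in the given log text (0 when there are none).
count_unbound_segfaults() {
    unbound_segfault_pids "$1" | wc -l | tr -d ' '
}

# Exit 0 when the LibreSSL symptom from the verbose resolver log is present:
# outgoing DoT connections fail in SSL_new, so the forwarders are marked failed
# and clients receive SERVFAIL even before the process crashes.
has_ssl_ctx_error() {
    printf '%s\n' "$1" | grep -q 'could not SSL_new .*ssl ctx has no default ssl version'
}

# Shared objects the dynamic linker could not find when rc.newwanip started a
# service, printed as "<binary> needs <library>": the signature of a locked
# package outliving the library version it was linked against.
missing_shared_objects() {
    printf '%s\n' "$1" | sed -n 's/.*Shared object "\([^"]*\)" not found, required by "\([^"]*\)".*/\2 needs \1/p'
}

# Libraries reported missing in ldd(1) output, one per line. Run this against a
# locked binary after every base or LibreSSL upgrade, before rebooting.
ldd_missing_libs() {
    printf '%s\n' "$1" | awk '/=> not found/ { print $1 }'
}

# Human-readable triage of a syslog excerpt plus the resolver log.
triage() {
    syslog=$1
    resolver=$2
    n=$(count_unbound_segfaults "$syslog")
    printf 'unbound SIGSEGV exits: %s' "$n"
    if [ "$n" -gt 0 ]; then
        printf ' (pids: %s)' "$(unbound_segfault_pids "$syslog" | tr '\n' ' ' | sed 's/ $//')"
    fi
    printf '\n'
    if has_ssl_ctx_error "$resolver"; then
        echo 'TLS upstream broken: SSL_new failed, "ssl ctx has no default ssl version" (forwarders will SERVFAIL)'
    fi
    missing_shared_objects "$syslog" | sed 's/^/library mismatch after upgrade: /'
}

triage "$SAMPLE_SYSLOG" "$SAMPLE_RESOLVER_LOG"
ldd_missing_libs "$SAMPLE_LDD" | sed 's/^/ldd: not found: /'
```

On a real box the functions take the output of `tail`/`grep` over the syslog and resolver log in place of the constructed samples; the ldd check is the pre-reboot test that would have caught the libssl.so.45 mismatch reported above before the resolver failed to start.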
-
I installed 19.1.10 (LibreSSL and unbound updates) and for the last 2-3 h DNS-over-TLS has been stable! :-)
-
I wouldn't bet on that, but then again 2-3 hours is already a long time for this to be up and running.
Might have been Unbound 1.9.2 or just LibreSSL 2.9, either way that would be great. :)
Cheers,
Franco
-
hmm, DNS was stable for about 22 hours, so I updated a "production system" and rebooted... looking fine so far! Hoping for the best... :-D
-
I'm afraid to ask.... :)