OPNsense Forum

Archive => 22.7 Legacy Series => Topic started by: drbob on December 02, 2022, 09:01:28 pm

Title: Errors with configctl unbound check
Post by: drbob on December 02, 2022, 09:01:28 pm
Hi,

I've recently activated an IPv6 tunnel from tunnelbroker.net on my home LAN, and was hoping to redirect Netflix DNS queries as described here (https://www.reddit.com/r/PFSENSE/comments/6weauh/ipv6_and_netflix_another_option/), since Netflix blocks IPv6 connections from the tunnel.

It is necessary to set a custom option in Unbound, so I read the manual page (https://docs.opnsense.org/manual/unbound.html#advanced-configurations) and was planning to follow the instructions by creating an advanced configuration file. However, even before I create any custom settings, configctl unbound check fails with a fatal error:

Code:
root@OPNsense:~ # configctl unbound check
[1670006832] unbound-checkconf[9894:0] error: pythonmod: can't open file dnsbl_module.py for reading
[1670006832] unbound-checkconf[9894:0] fatal error: bad config for python module

I'm not sure how to fix this, as dnsbl_module.py is present in /var/unbound/ with global read permissions. Is it a bug in 22.7.9? It seems like it prevents me from validating the config changes I'd like to make.

Any advice welcome.
Title: Re: Errors with configctl unbound check
Post by: Mars79 on December 03, 2022, 12:27:48 pm
Hi all,

I'm having the same issue as drbob, but I just might have found a workaround.
Looking at the file unbound.conf in /var/unbound there is an entry:

python:
python-script: dnsbl_module.py


This looks incorrect as the complete path is missing, so after adding the path:

python:
python-script: /var/unbound/dnsbl_module.py


the "configctl unbound check" does run without any problems.


Can someone from the OPNsense dev team confirm this is just a missing path in the unbound.conf file and if it's safe to edit it like this? I assume this also has to be fixed in a future patch?
Title: Re: Errors with configctl unbound check
Post by: drbob on December 03, 2022, 09:55:05 pm
That clears the error for me when running configctl unbound check in an ssh shell, but I'm not sure that it will work when unbound is actually running, since from what I think I understand from the config file, unbound runs chrooted into /var/unbound, so from the POV of the unbound process dnsbl_module.py would be in the root directory.
Title: Re: Errors with configctl unbound check
Post by: Mars79 on December 04, 2022, 02:44:03 am
That just might be easily tested by enabling a random DNS blocklist and checking if pages are being blocked with and without using the /var/unbound addition to dnsbl_module.py.
Title: Re: Errors with configctl unbound check
Post by: Fright on December 04, 2022, 09:13:18 am
Hi!
Pretty sure it's the upstream issue (unbound-checkconf doesn't respect chroot on pythonmod checking).
Solved with a little trick:
https://github.com/kulikov-a/core/commit/afd7fb705a9a1ddf499fa5ae8d8b2a04837dc9c1

but I don't know how @franco will like it..
Title: Re: Errors with configctl unbound check
Post by: Mars79 on December 05, 2022, 12:25:05 pm
Issue solved by running: opnsense-patch 13ea70a

https://github.com/opnsense/core/issues/6171

Big thanks to the OPNsense devs for this fix.
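
The path mismatch discussed in this thread, as an added diagnostic sketch that is not code from the thread, OPNsense or Unbound: it reports whether a python-script entry is readable from the directory the check is run in and from the config's directory:/chroot: base. It assumes a relative path is opened from the current directory, as the error in the first post suggests; the function names and the demo files are constructed.

```shell
#!/bin/sh
# Added diagnostic sketch, not OPNsense or Unbound code.

# conf_value FILE KEY: print the value of the first "KEY: value" line,
# with any trailing comment and surrounding double quotes removed.
conf_value() {
    sed -n "s/^[[:space:]]*$2:[[:space:]]*//p" "$1" |
        sed -e 's/[[:space:]]*#.*$//' -e 's/^"//' -e 's/"$//' | head -n 1
}

# script_views FILE CWD: say whether python-script is readable when resolved
# (a) from CWD, the directory a config check is started in (assumption), and
# (b) from directory: (or chroot: if unset), where the daemon runs.
# An absolute path is tested as written on the host; how the chrooted daemon
# treats it is the open question in the thread and is not modelled here.
script_views() {
    script=$(conf_value "$1" python-script)
    base=$(conf_value "$1" directory)
    [ -n "$base" ] || base=$(conf_value "$1" chroot)
    [ -n "$script" ] || { echo "no python-script set"; return 2; }
    case $script in
        /*) from_cwd=$script; from_base=$script ;;
        *)  from_cwd=${2%/}/$script; from_base=${base%/}/$script ;;
    esac
    a=missing; [ -r "$from_cwd" ] && a=readable
    b=missing; [ -r "$from_base" ] && b=readable
    echo "cwd=$a base=$b"
}

# Constructed demo: a config shaped like the one quoted above, in a temp dir.
demo() {
    d=$(mktemp -d) || return 1
    mkdir "$d/home"
    printf 'server:\n  chroot: "%s"\n  directory: "%s"\n' "$d" "$d" > "$d/unbound.conf"
    printf 'python:\n  python-script: dnsbl_module.py\n' >> "$d/unbound.conf"
    : > "$d/dnsbl_module.py"
    script_views "$d/unbound.conf" "$d/home"   # check started elsewhere
    script_views "$d/unbound.conf" "$d"        # check started in the base dir
    rm -rf "$d"
}
demo
```

On a real system the call would be script_views /var/unbound/unbound.conf "$PWD", run from the shell where configctl unbound check was failing.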