I hit this yesterday. I'm new to OPNsense, so it cost me about an hour of network downtime while debugging. I'm posting it here in case someone else gets stuck.
I filed a GitHub bug report with data and logs here https://github.com/opnsense/core/issues/10170
I'm guessing it's probably a small, contained change if someone is looking for a quick kill, but I do not know the codebase.
TL;DR: A host override with a trailing dot in the Host field (e.g. "myhost.") plus domain "lan" ends up as "myhost..lan" in unbound.conf. Unbound refuses to start — "Empty label" / "Could not set up local zones". It's easy to trigger via the "+" shortcut next to a DHCP lease and it appears some clients report hostnames with a trailing dot (valid FQDN notation). OPNsense saves it as-is.
The nasty part is that it doesn't fail at save time, but it does fail on the next reboot. So an unattended/unintended reboot will leave you (or everyone else on the network if you're not present) without DNS.
Workaround for anyone stuck right now:
- Option 8 from the console to get a shell (or ssh in if enabled)
- /usr/local/sbin/unbound-checkconf /var/unbound/unbound.conf — tells you which entry is bad
- Services → Unbound DNS → Overrides → Host Overrides → strip the trailing dot, Apply
- configctl unbound reconfigure && service unbound onestart
It looks like this may be related to #3944 (whitespace), #5550 (special chars), and #5804 (DHCP/override conflicts) — all seem to involve hostname sanitization.
"