Messages - mush2020

#31
General Discussion / Re: Unbound Service Not Starting
November 21, 2020, 07:39:56 PM
Thanks for your reply.
I could only see the lines below after running unbound -dd; nothing further was shown as a hint to the errors.
[1605983824] unbound[71039:0] notice: init module 0: validator
[1605983824] unbound[71039:0] notice: init module 1: iterator
[1605983824] unbound[71039:0] info: start of service (unbound 1.12.0).
#32
General Discussion / Re: Unbound Service Not Starting
November 21, 2020, 05:57:49 PM
Still waiting for some assistance to troubleshoot Unbound service not starting.
#33
Apologies for posting a reply in your thread in error.
#34
Can anyone assist in troubleshooting the Unbound service not starting?
Can Unbound be uninstalled and reinstalled?
#35
General Discussion / Unbound Service Not Starting
November 14, 2020, 07:04:02 PM
I'm facing an Unbound service issue. Unbound stops multiple times.
Tried to start it from the GUI, no success.
Tried to start it from the shell: /usr/local/sbin # pluginctl -s unbound start

The logs show:
2020-11-14T20:12:16   unbound[75749]   [75749:0] fatal error: Could not read config file: /unbound.conf. Maybe try unbound -dd, it stays on the commandline to see more errors, or unbound-checkconf
2020-11-14T20:12:12   unbound[75749]   [75749:0] notice: Restart of unbound 1.12.0.
2020-11-14T20:12:12   unbound[75749]   [75749:0] debug: cache memory msg=263192 rrset=263192 infra=10866 val=787453
#36
Hi,
The link you have used, is it for the GeoIP or the ntopng script?
I'm getting an error for the ntopng script, where tar.gz is used to download the DB,
while for GeoIP blocking zip is used in FW Aliases => GeoIP Setting => URL (this too has an issue, I think, as the last update shows as 2020-07-28T16:43:02).

I have even used a link similar to yours but get the same error: Authentication
#37
Thanks Husgcoden,
I could see this in the shell:
/usr/local/opnsense/scripts/filter/lib # python3
Python 3.7.8 (default, Jul 27 2020, 22:43:18)
[Clang 8.0.1 (tags/RELEASE_801/final 366581)] on freebsd12
Type "help", "copyright", "credits" or "license" for more information.
>>> from geoip import download_geolite
>>> download_geolite()
{'address_count': 0, 'file_count': 0, 'timestamp': None, 'locations_filename': None, 'address_sources': {'IPv4': None, 'IPv6': None}}

I had a chat with MaxMind; the first query was about the TLS version, and it should be TLS 1.3.
The other assumption I have is that, even though my license key is valid and I could download the GeoIP database locally through the same URL that is in ntopng-geoip2update.sh, due to some issue related to the certificate or TLS, MaxMind does not authenticate at the first step, and subsequently the DB download would never happen.

MaxMind asked me to reach out to either OPNsense or ntop to resolve this issue, and there is nothing more to be done from their side.
It all started after the upgrade to 20.7.
#38
New error seen; could anyone assist?

/usr/local/bin # ntopng-geoip2update.sh
Fetching GeoLite2-City
Certificate verification failed for /C=NL/ST=Zuid-Holland/L=Middelharnis/O=OPNsense
4667418046464:error:1416F086:SSL routines:tls_process_server_certificate:certificate verify failed:/usr/src/crypto/openssl/ssl/statem/statem_clnt.c:1915:
fetch: https://download.maxmind.com/app/geoip_download?edition_id=GeoLite2-Country&license_key=MyKEY&suffix=tar.gz: Authentication error
geoip_download?edition_id=GeoLite2-Country&license_key=MyKey&suffix=tar.gz download failed
#39
After upgrading OPNsense to 20.7, ntopng GeoIP shows an authentication error while trying to get GeoIP.
Tried with a new key; it still fails to download.

/usr/local/bin # ntopng-geoip2update.sh
Fetching GeoLite2-City
SSL certificate subject doesn't match host download.maxmind.com
fetch: https://download.maxmind.com/app/geoip_download?edition_id=GeoLite2-City&license_key=MYKEY&suffix=tar.gz: Authentication error
geoip_download?edition_id=GeoLite2-City&license_key=MYKEY&suffix=tar.gz download failed

Has anything changed, or does anyone have a direction to fix this?
#40
Thanks,
How about adding DoH? More specifically, I want to use DNS servers like CleanBrowsing; is it possible to add them?
As you mentioned earlier in the post, where can I now add a manual blacklist in unbound+?
#41
I have now installed unbound plus and could see Blacklist; a few queries:
1. Does unbound + replace DNSCrypt-Proxy 2? Both have identical DNSBL providers.
2. How do I add a custom blacklist for TLDs? E.g. I want to block *.xyz
3. Is it possible to add Shalla or UT1 links to the Blacklist for domain filtering based on web categorization?
4. What changes are required in firewall and NAT rules if only unbound+ is used? E.g. now with DNSCrypt Proxy, port forwarding DNS 5353 is used along with unbound + port 53.
5. Are the following unbound + Adv options required?
do-not-query-localhost: no
forward-zone:
name: "."
forward-addr: 127.0.0.1@5353
#42
Thanks for the prompt reply.
How can I add this blacklist https://github.com/notracking/hosts-blocklists/wiki/Install-dnscrypt-proxy
or any other public blacklist and create a cron job for daily updates?
#43
I have installed the Dnscrypt-proxy2 plugin with the following versions:
OPNsense 20.1.3-amd64
os-dnscrypt-proxy: 1.7_1 [OPNsense]
dnscrypt-proxy2: 2.0.39 [OPNsense]

Looking to add custom domains, e.g. the following, to the blacklist.txt file in the /usr/local/etc/dnscrypt-proxy directory:
*.tv
*.xyz
It looks like this blacklist.txt file does not accept any manual entries, as after some time it rolls back to the original.
So how can additional domains and IP addresses, or GitHub links to download, be added as a custom blacklist?

Also, I could not see any Blacklist tab as such in OPNsense - Dnscrypt-Proxy under Services.

Looking to hear some directions.

Thanks