SOLVED - GETDNS AND STUBBY W/ OPNSENSE 18.7.6 and UNBOUND 1.8.1

Started by directnupe, October 27, 2018, 11:57:29 AM

Dear Community -

ALWAYS READ ENTIRE GUIDE FIRST BEFORE BEGINNING FOR BEST RESULTS

Some folks are dreading that upgrading to Opnsense 18.7.6 which ships with UNBOUND 1.8.1 breaks GETDNS and STUBBY. It ain't necessarily so ! Here are the solutions :

SECTION A

For Opnsense Ports Installation of GETDNS and STUBBY
1- If you installed GETDNS and STUBBY using Opnsense Ports - see this post :

https://forum.opnsense.org/index.php?topic=8748.0


The KEY is to remove GETDNS and STUBBY and all of the configuration files BEFORE YOU UPGRADE !

2 - Then upgrade to Opnsense 18.7.6 which will install UNBOUND 1.8.1

3 - Now re-install the upgraded GETDNS STUBBY port - which is now getdns-1.4.2_1 - this will be compiled and built against UNBOUND 1.8.1 - this is why the port was upgraded - that being to work with UNBOUND 1.8.1 - getdns-1.4.2 was for UNBOUND 1.7.3 and - well - you get the picture; if not, check the screenshot below and / or go here: https://www.freshports.org/dns/getdns/ Note: Pay particular attention to this entry:

18 Sep 2018 18:24:05 - 1.4.2_1 - Revision: 480056
dns/unbound: update to 1.8.0
Bump PORTREVISION on to consumers due to library major version change


For instance, I have a PfSense 2.4.4 Edge Router set up and it uses UNBOUND 1.7.3; getdns 1.4.2_1 will break UNBOUND there, as getdns 1.4.2 is what it needs. getdns 1.4.2_1 has different library requirements which are not suitable for UNBOUND 1.7.3 - so DNS resolution fails. This is why you need to upgrade getdns on Opnsense 18.7.6, as it ships with UNBOUND 1.8.1.

4 - After you upgrade your port installation to getdns-1.4.2_1, all you need to do is refer to the original post here once again: https://forum.opnsense.org/index.php?topic=8611.0 - begin with Step 7 and follow each step from there and you will be up and running with getdns-1.4.2_1 and UNBOUND 1.8.1 on OpnSense 18.7.6

END SECTION A

SECTION B
For those who use STAND ALONE DNS OVER TLS STUBBY GETDNS PACKAGE
1 - It is necessary to reconfigure Unbound to stop using Stubby for DNS resolution. Go to System > Settings > General > and check
option A - Allow DNS server list to be overridden by DHCP/PPP on WAN (click Save). Then go to Services > Unbound DNS > General and then remove the contents of the Custom Options box:
server:
    do-not-query-localhost: no
forward-zone:
    name: "."    # Allow all DNS queries
    forward-addr: 127.0.0.1@8053
Save and apply

2 - After this you must delete the GETDNS package from Opnsense BEFORE YOU UPGRADE to 18.7.6
First - issue the command (from the command line): # pkg delete getdns
Then follow these commands to remove the configuration files:
# rm /usr/local/etc/rc.d/stubby.sh
# rm /usr/local/etc/stubby/stubby.yml
# rm /etc/rc.conf.d/stubby

3 - Now upgrade to OpnSense 18.7.6 along with UNBOUND 1.8.1
Now all you need to do is build and install your new package getdns-1.4.2_1.txz
You do that by following the guide here - https://forum.opnsense.org/index.php?topic=8759.0
As Opnsense Tools installs FREEBSD synced ports on your FREEBSD Build Server - you will also get
getdns-1.4.2_1 - which is designed to work with UNBOUND 1.8.1
After you have built and have your getdns-1.4.2_1.txz package on your FREEBSD BUILD SERVER - go to Step 8 on this page once again: https://forum.opnsense.org/index.php?topic=8759.0

END SECTION B

SPECIAL CIRCUMSTANCES:
If you already have an existing FREEBSD Build Server and an outdated getdns port on it, then you must remove that getdns port before building a new one. In order to accomplish that task see here: https://forum.opnsense.org/index.php?topic=8748.0 and follow and complete Step 2 Commands A & B. Now, since Opnsense Tools is already installed on your existing FREEBSD BUILD SERVER, you need to update your ports collection. You do that by following these two steps: A - cd /usr/tools and B - make update - It is that simple. After the ports collection and everything is updated, you proceed thusly:
1 - Go to this page: https://forum.opnsense.org/index.php?topic=8759.0 and complete procedures Step 6 and Step 7
2 - After creating your getdns-1.4.2_1.txz package on your FREEBSD BUILD SERVER simply go to Section B above in this tutorial and follow Steps 1, 2, and 3** in order to get your OpnSense Box up and running with getdns-1.4.2_1 and UNBOUND 1.8.1 on OpnSense 18.7.6

** (Obviously you can skip creating another getdns-1.4.2_1.txz package in Section B Step 3 as you have already done so by completing Item Number 1 above earlier on in this SPECIAL CIRCUMSTANCES section. This means that after you have upgraded your OpNsense Box to 18.7.6, you simply start and complete all tasks beginning with Step 8 here on this page: https://forum.opnsense.org/index.php?topic=8759.0 )

END SPECIAL CIRCUMSTANCES

The two major things to remember are to either de-install the GetDns port or delete the GETDNS package PRIOR to upgrading to Opnsense 18.7.6

Then upgrade port or build and re-install upgraded package depending on which method you first used to deploy GETDNS and STUBBY on your OpnSense box.

I hope this helps and I have done this myself and it is GUARANTEED to work!

Peace,

directnupe


Parting Thoughts:
For those who in the future may worry about GETDNS and STUBBY ever being broken due to an UNBOUND DNS version being updated or upgraded, let me say this. You were not paying attention when I told you all from the very beginning that:

For all the doubters and naysayers concerning GETDNS and STUBBY - they are developed by NLnet Labs - the same folks who bring us Unbound, NSD, OPENDNSSEC and now GETDNS ( and STUBBY ) see here: https://www.nlnetlabs.nl/   https://www.nlnetlabs.nl/projects/getdns/

So, as NLnet Labs develops both UNBOUND and GETDNS (along with STUBBY), I am sure that they will do their best to make sure that both of these work well together. If you notice, GETDNS 1.4.2_1 has been out since mid September 2018, as has UNBOUND 1.8.0. The main issue and concern is when the Distro that you are using is going to integrate and update these packages. For example, OpenWrt is on Unbound 1.8.2 and GETDNS 1.4.2_2 - while on Pfsense it's Unbound 1.7.3 and GETDNS 1.4.2
See here for further info: https://repology.org/metapackage/getdns/versions - even for FREEBSD - it lists the Maintainer as zi@freebsd.org which is correct but lists GETDNS version as 1.4.2 - which is incorrect. We know that the current version for FREEBSD ports is GETDNS 1.4.2_1 - The major point is that NLnet Labs is running "The Whole GETDNS STUBBY / UNBOUND Show" - so that is a good thing that one developer is handling all components needed for DNS OVER TLS (aka DNS Privacy Project).

Notice that this Commit was Submitted by jaap@NLnetLabs.nl (maintainer) in order to fix GETDNS so that it will work with the new dns/unbound: update to 1.8.0 - which proves that NLnetLabs.nl is actively involved with development and maintenance of UNBOUND, GETDNS and STUBBY

See here for FREEBSD GETDNS COMMIT FOR UNBOUND 1.8.1:

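As an added example (not from directnupe's post), here is a small POSIX shell script that automates the Section B pre-upgrade checks on the OPNsense box itself: it refuses to continue while the Unbound custom options still forward "." to Stubby on 127.0.0.1@8053, runs pkg delete getdns only when that package is actually installed, and removes the three Stubby files the post names. The ROOT prefix argument and the function names are assumptions of this example, added so the cleanup can be rehearsed against a scratch directory before it is run against / on a live firewall.

```shell
#!/bin/sh
# Added example, not part of the forum post: pre-upgrade cleanup for a
# stand-alone getdns/stubby package install on OPNsense (Section B, steps 1-2).
# The ROOT prefix is a hypothetical parameter so the file handling can be
# exercised against a scratch tree; on a real box call it with "/".

# The three leftover files the post tells you to rm (paths relative to ROOT).
STUBBY_FILES="usr/local/etc/rc.d/stubby.sh usr/local/etc/stubby/stubby.yml etc/rc.conf.d/stubby"

# Returns 0 when the Unbound custom-options text (passed as $1) still contains
# the forward-addr line that sends all queries to the local Stubby listener,
# i.e. step 1 (clearing the Custom Options box) has not been done yet.
unbound_forwards_to_stubby() {
    printf '%s\n' "$1" | grep -Eq '^[[:space:]]*forward-addr:[[:space:]]*127\.0\.0\.1@8053'
}

# Prints each Stubby leftover that still exists below ROOT (default /).
stubby_leftovers() {
    root="${1:-/}"
    for f in $STUBBY_FILES; do
        [ -e "$root/$f" ] && printf '%s\n' "$root/$f"
    done
    return 0
}

# Removes the leftovers below ROOT, reporting each path it deleted.
remove_stubby_leftovers() {
    root="${1:-/}"
    for f in $STUBBY_FILES; do
        if [ -e "$root/$f" ]; then
            rm -f "$root/$f" && printf 'removed %s\n' "$root/$f"
        fi
    done
}

# Whole procedure: $1 = ROOT prefix, $2 = current Unbound custom options text.
# Fails early while Unbound is still pointed at Stubby, because removing the
# package first would leave the resolver forwarding to a dead listener.
pre_upgrade_cleanup() {
    root="${1:-/}"
    custom_opts="$2"
    if unbound_forwards_to_stubby "$custom_opts"; then
        echo "Unbound still forwards to 127.0.0.1@8053; clear the Custom Options box first" >&2
        return 1
    fi
    # Only touch the package database when running against the real root.
    if [ "$root" = "/" ] && pkg info getdns >/dev/null 2>&1; then
        pkg delete -y getdns || return 1
    fi
    remove_stubby_leftovers "$root"
}

# Usage on a live box, after saving the Unbound page in the GUI:
#   . ./pre_upgrade_cleanup.sh
#   pre_upgrade_cleanup / "$(cat /path/to/exported-custom-options.txt)"
```

Rehearse it first with a scratch ROOT (for example a directory made with mktemp -d containing the three files) and the old custom options text: it should refuse, and with the cleared text it should report the three removals and leave stubby_leftovers empty.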

No longer works. I did a clean install and when I do make clean install on getdns I get:

*** Configure:  Fatal Error:  /usr/sbin/dtrace doesn't support -h flag
***
*** Your installed dtrace doesn't support the -h switch to compile a D
*** program into a C header. Can't continue.


On 18.7.9 opnsense it uses perl5.26; maybe that's the issue?

EDIT:
Now the getdns package comes with stubby so no need to compile from ports :)