Unbound service routinely stopping/crashing following 20.7.7 update

[mimugmail]

Just install the patch previously posted here

[alexroz]

For now, I *think* I've setup a monit test to restart unbound if it crashes. Never used monit before, so we'll see if I did it right...

Hi,

I'm also newbie, and also having the same issue with the unbound service stopping. Where you able to create a monit service to restart unbound when stop? can you share the configuration?

Thank you very much

I'm newbie myself but found this topic in documentatin: https://docs.opnsense.org/manual/monit.html#example-1

[potes]

For now, I *think* I've setup a monit test to restart unbound if it crashes. Never used monit before, so we'll see if I did it right...

Hi,

I'm also newbie, and also having the same issue with the unbound service stopping. Where you able to create a monit service to restart unbound when stop? can you share the configuration?

Thank you very much

I'm newbie myself but found this topic in documentatin: https://docs.opnsense.org/manual/monit.html#example-1

As I said before i'm newbie (learning with an opnsense at home), and I don't know which ''condition'' should I put to test that unbound is working and for the ''service settings'' which statements to put on ''PID File'', ''Start'' and ''Stop''.

Regarding the patch, i though it was good idea to learn how to use monit to restat a service that stop

[deeler]

thanks ; opnsense-revert -r 20.7.6 unbound did the trick for me as well

[MBfromOK]

Please upgrade rather than downgrade :-)

New Unbound version (1.13.0) was released to deal with CVE issues, patch (1.13.0_1) is minor and keeps those improvements:

Here's the latest Unbound revision 1 from FreeBSD ports to try:

# pkg add -f https://pkg.opnsense.org/FreeBSD:12:amd64/20.7/misc/unbound-1.13.0_1.txz

Edits: Include version and package information

[Mks]

for the record,

I upgraded to 20.7.7_1 last week and immediately applied the patch:

# pkg add -f https://pkg.opnsense.org/FreeBSD:12:amd64/20.7/misc/unbound-1.13.0_1.txz

No issues identified, everything works.

br

[toxic]

Same issue here, unbound keeps crashing. I tyed the opnsense-revert thing, we'll see if it holds

For now, I *think* I've setup a monit test to restart unbound if it crashes. Never used monit before, so we'll see if I did it right...

Meanwhile I tried monit for the first time as well.
I *think* also I got it, but it took me a lot of tries, so for those who might be even more lost than I am, here is what I did in the monit>settings>service settings : add a new service as you can see in the attached picture.

Attached as well, in the monit>status you'll see it has found the proper process id.

I even stopped unbound and it got restarted within the 120 seconds of polling interval.

If you want to make it check faster, it happens on the first settings page, I think that is what would be the polling interval.

Couldn't find a way to get an email notification when the service gets restarted though... At least it restarts ;)

[Tol Phobos]

Just to confirm I am observing this problem on 20.7.7 as well ("notice: sendto failed: Permission denied" 4 times in 4 days). I have reverted unbound to 1.12.0, waiting for a OPNsense fix (via 20.7.7_X or 20.7.8 ).

And YES, I am aware of the CVE-2020-28935, but this vulnerability is *only* CVSS-3 scoring 5.5 as this is *only* a local vulnerability that could create a DoS of the system Unbound/NSD is running on. A very limited security risk in my personal situation.

Thank you and stay safe.

[PeterZaitsev]

Unbound crashes for me too.  Have not tried downgrading at this point.

One surprising thing was to see it does not  restart itself - I would imagine for key system services there would be some auto restart process.  Is there not such a thing in opnsense or is it disabled for unbound ?

[Steven]

Unbound crashes for me too.  Have not tried downgrading at this point.

One surprising thing was to see it does not  restart itself - I would imagine for key system services there would be some auto restart process.  Is there not such a thing in opnsense or is it disabled for unbound ?

On my system it does restart but after 5 crashes it triggers the HBSD SEGVGUARD which suspends processes for 600s after 5 crashes.

[mimugmail]

Unbound crashes for me too.  Have not tried downgrading at this point.

One surprising thing was to see it does not  restart itself - I would imagine for key system services there would be some auto restart process.  Is there not such a thing in opnsense or is it disabled for unbound ?

No, but you can add this via monit

[Spacefish]

affected by this as well.

15min ago someone release a fixed version of the unbound package: https://github.com/mat813/freebsd-ports/commit/95a05e89eda2ed7629addb4a28117e463b69eeb0

could we just get that upgrade via official update repos for OpnSense as fast as possible?

[Greelan]

Looks like you missed the post above - see post #37

[alexroz]

Unbound crashes for me too.  Have not tried downgrading at this point.

One surprising thing was to see it does not  restart itself - I would imagine for key system services there would be some auto restart process.  Is there not such a thing in opnsense or is it disabled for unbound ?

No service can restart itself by itself when it dead. Only an OS or an another service can do it.

[citydweller]

Same issue here...