UnboundBL crashes the Unbound service

[ManuelOS]

I use these instructions - After installing and adding the DNSBL and the custom tptions, the service no longer starts - Clean install carried out and the Sense runs on 21.1

Please correct me if something is wrong here I would be happy to hear from mimugmail as well.

https://github.com/alectrocute/UnboundBL

opnsense code tools plugins

cd / usr / plugins / dns
git clone https://github.com/alectrocute/UnboundBL.git

cd UnboundBL
make package
pkg add work / pkg / *. txz


chmod + x /usr/local/opnsense/scripts/OPNsense/Unboundbl/*.sh

The latter line is required because during the installation the UnboundBL scripts cannot be executed due to an error. At the time of reading, the error may already have been resolved.

Services / Unbound DNS / General / Custom Options

include: /var/unbound/dnsbl.conf

[newsense]

It's a list (or more) that causes the crash. No need to use tutorials, everything is readily available on 21.1


Out of 4 FWs on 21.1 (standard install, nothing add-hoc added to any of it), 2 had unbound crash over the weekend, and the only difference in unbound config is the number of blocking lists selected.

Also, it's not a matter of not being able to start the service, the crash happens after a while which could be related to the refreshing of the lists, but i didn't see anything conclusive in the logs yet.

[mimugmail]

So the usual way to debug is sadly disabling one by one and see when it crashes, or checking the logs for wrong syntax in these list files.

[Fright]

i think it can be related to https://forum.opnsense.org/index.php?topic=20284.30
so you can try to use some regex to "whitelist" garbage records.
in my opinion, a more reliable way to solve the problem is to move from using a conf-file to use unbound-control for dnsbl load (in this case, the unbound just skips invalid entries, and does not block the launch of the daemon. and this reduces downtime).
https://github.com/opnsense/core/pull/4528
AdSchellevis hasn't had time to return to this request yet.
Just waiting

[koushun]

@ManuelOS

Do you have DHCP Registration / DHCP Static Mappings enabled? Under Services > Unbound.

I have another firewall which is on pfSense 2.5 where Unbound was upgraded, due to CVE. The temporarily solution was to disable those features mentioned above.

I am still on OPNsense 20.7.8_4-amd64 on my other site, and I have not experienced anything there yet.

https://forum.netgate.com/topic/160005/unbound-crashes-periodically-with-signal-11/73

A permanent fix was to upgrade Unbound and restart the service: https://forum.netgate.com/post/966932

Do not know if this is related or is of any help.

koushun

[dave]

(Unsurprisingly) it's generally the porn lists that do it, I find.
Also, Unbounds performance and memory usages takes a big hit when using it for widescale blocking.
I've switched to using AdGuard by adding the 3rd party repo and it's waaaaaaaay better, and built for purpose.  Highly recommended if it's an option.