Unbound DNS DoT config contact to root server

Started by tillsense, December 15, 2022, 06:20:59 PM

Hi all,

Unbound contacts the root server(s) at startup. With a DoT config and firewall rules that block port 53, this makes no sense. An option in the GUI to prevent this would be suitable at this point, or even the default in this case?

cheers
till


Hi,
oops... yes the version is 22.7.9_3

cheers
till

uh...looks like unbound-checkconf is screwing up in one more place
can you test with
opnsense-patch -a kulikov-a f0f1bed
please?

very nice, that's ok :) but the unbound service starts 3 times for one start, I just see?

sorry, I didn't quite understand )
no roots poking with the patch applied?
Quote from: tillsense
service starts 3 times for one start I just see?
the patch only changes the working dir before the unbound config test (unbound-checkconf chroot issue) so that a false error does not trigger the trust anchor update
https://github.com/kulikov-a/core/commit/f0f1bed75801b097a4d53a59484c0b386cf961e7
nothing else changes in behavior

yes, it must be older, this has already been going on for longer according to the logs

sorry for the noise, is the problem gone or does it still show up sometimes?

Hi Fright,

currently not, but I have an eye on it. Why unbound starts 3 times when the service runs through is not yet clear to me, but thanks for your quick support and the patch!

cheers
till

Thanks, @tillsense

the patch is merged (https://github.com/opnsense/core/pull/6197); it just remains not completely clear whether it is guaranteed to eliminate the issue

about the 3-time starts: maybe there are additional inputs? unbound now starts way faster (with the py module). is it possible that you just click the Apply button on the DoT page a few times?

Quote from: Fright on December 19, 2022, 07:49:19 PM
... is it possible that you just click the Apply button on the DoT page a few times?
..no, at boot it's the same. Logs only show start and stop 3x within 2-3 min... I have an internal CA so I notice that immediately.

cheers
till

yes, it is possible and depends on the actual system configuration and events (the patch didn't change anything about it). afaiu plugin management has "hooks" that manage plugin actions in response to system events (to let plugins "know" about system changes). for unbound it is: https://github.com/opnsense/core/blob/bdab4f6970ed0975f132bdf0879ad51b7bca3b57/src/etc/inc/plugins.inc.d/unbound.inc#L43-L48
you can see which hook triggers the unbound action in the general log (search by the "unbound_" keyword)
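The log search suggested above, as an added example that is not part of this thread or of the OPNsense project: a small POSIX shell script that takes a general-log excerpt, keeps the lines mentioning an "unbound_" hook task, and tallies which rc script (boot, new WAN IP, link up, ...) triggered each reconfiguration. The sample log lines are constructed approximations of OPNsense general-log entries, and the assumption that the triggering script is the third whitespace-separated field is mine; adjust the awk field if your log format differs.

```shell
#!/bin/sh
# Added example, not from the thread or the OPNsense code base.
# Summarise which system-event hooks caused Unbound to be (re)configured.

# Constructed sample lines, approximating OPNsense "General" log entries.
# Field layout assumed: <timestamp> <host> <script>: <message>
SAMPLE_LOG="$(mktemp)"
trap 'rm -f "$SAMPLE_LOG"' EXIT
cat > "$SAMPLE_LOG" <<'EOF'
2022-12-19T20:01:02 fw /usr/local/etc/rc.bootup: plugins_configure dns (execute task : unbound_configure_do(1))
2022-12-19T20:01:40 fw /usr/local/etc/rc.newwanip: plugins_configure dns (execute task : unbound_configure_do(1,wan))
2022-12-19T20:02:15 fw /usr/local/etc/rc.linkup: plugins_configure dns (execute task : unbound_configure_do(1,lan))
2022-12-19T20:02:16 fw /usr/local/etc/rc.linkup: plugins_configure dhcp (execute task : dhcpd_configure_do(1))
2022-12-19T20:03:30 fw /usr/local/etc/rc.newwanip: plugins_configure dns (execute task : unbound_configure_do(1,wan))
EOF

# Number of times an unbound hook task was executed (one line per execution).
unbound_hook_count() {
    grep -c 'unbound_' "$1"
}

# One "<count> <script>" line per triggering script, most frequent first.
# $3 is the script name with a trailing colon, which is stripped before counting.
unbound_hook_sources() {
    grep 'unbound_' "$1" \
        | awk '{ sub(/:$/, "", $3); print $3 }' \
        | sort | uniq -c | sort -rn \
        | awk '{ print $1, $2 }'
}

# The script that caused the most unbound restarts: the first place to look
# when the service appears to start several times for a single boot.
unbound_top_source() {
    unbound_hook_sources "$1" | head -n 1 | awk '{ print $2 }'
}

# Stand-alone run: show the per-script tally for the sample excerpt.
echo "unbound hook executions: $(unbound_hook_count "$SAMPLE_LOG")"
unbound_hook_sources "$SAMPLE_LOG"
```

On a live firewall, replace the constructed excerpt with the relevant lines from the general log and compare the count with the number of Unbound start/stop pairs you see; each triggering script in the tally corresponds to a system event that fires the unbound hook, which is what the reply above is pointing at.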