Unbound errors in log file

[lar.hed]

Unbound crashed this time - just stopped without any for me visible reason. From Unbound Log.

Code: [Select]

2024-01-03T20:17:27 Informational monit 'unbound' trying to restart
2024-01-03T20:17:23 Error monit 'unbound' process is not running

[lar.hed]

Question: Why should one use Unbound if I can not use Block Lists, Block Countries and DoT?

[cookiemonster]

We haven't proven that my thinking theory is right and the block list is the problem or a contributor. I could very well be wrong.
Albeit your question is generic, I imagine other users don't have a problem, and therefore the cause is specific. In light of this, I can't answer your question but can keep trying to help if you allow.
Again, with my thinking that needs proving, may I ask where are you getting the blocklist from and how are you adding it to the Unbound configuration? Same for whitelist you seem to have included.

[doktornotor]

Maybe someone could finally post the contents of /var/unbound/root.hints when hitting this issue.

[cookiemonster]

maybe useful but looking at the log screenshot, that seems -to me-, something that fails after.

[doktornotor]

Yeah, maybe, considering unbound is a recursive resolver, unless configured otherwise, it obviously cannot work without knowing what the root servers are.

[cookiemonster]

agreed but I'm looking at the actual error posted and the line appears clear and the function has:

Code: [Select]

   265     def _load_dnsbl(self):
   266         with open(self.dnsbl_path, 'r') as f:
   267             try:
   268                 self.dnsbl = json.load(f)
   269                 log_info('dnsbl_module: blocklist loaded. length is %d' % len(self.dnsbl['data']))
   270                 with open(self.size_file, 'w') as sfile:
   271                     sfile.write(str(len(self.dnsbl['data'])))
   272                 if mod_env and type(self.dnsbl.get('config')) is dict:
   273                     mod_env['context'].set_config(self.dnsbl['config'])
   274             except (json.decoder.JSONDecodeError, KeyError) as e:
   275                 if not self.dnsbl:
   276                     log_err("dnsbl_module: unable to bootstrap blocklist, this is likely due to a corrupted \
   277                             file. Please re-apply the blocklist settings.")
   278                     self.dnsbl_available = False
   279                     return
   280                 else:
   281                     log_err("dnsbl_module: error parsing blocklist: %s, reusing last known list" % e)
See the line 277 referenced in the inner exception and what the code is trying to do. Seems to me more relevant to blocklist, but maybe I am on the wrong track.

[doktornotor]

Well, the idea was: if the default config file was not pointing to the (malformed) one, it'd use the built-in ones just fine. Remove that line form the template and try to reproduce the error after that.

[cookiemonster]

Are you referring to the root.hints file? If yes, then I don't know what line from what template you're suggesting to modify. The particular template where this class and function is, has no reference to the hints file.

[doktornotor]

Code: [Select]

# grep root.hints /usr/local/etc/inc/plugins.inc.d/unbound.inc
root-hints: /var/unbound/root.hints


https://github.com/opnsense/core/blob/master/src/etc/inc/plugins.inc.d/unbound.inc#L286

[cookiemonster]

right. Then OP as per this, maybe you could do this when you hit the problem:

Code: [Select]

$diff -u /var/unbound/root.hints /usr/local/opnsense/service/templates/OPNsense/Unbound/core/root.min.hints That will compare them and report differences.

[lar.hed]

right. Then OP as per this, maybe you could do this when you hit the problem:

Code: [Select]

$diff -u /var/unbound/root.hints /usr/local/opnsense/service/templates/OPNsense/Unbound/core/root.min.hints That will compare them and report differences.

Absolutely! No problem what so ever - but I think I might need to re-enable the blocklist part for this? Or?

I leave the blocklist disabled for now, until I get "other orders" from you 

Edit - for the moment the two files are identical, just so we all know.

[lar.hed]

One thing is a bit important here: The previous version of Unbound (1.04?) that was in OPNsense pre-23.7, worked 100% with my config. All this started after I updated to 23.7, so what ever it is that I am having challenges with, it is part of something that changed (1.04 -> 1.08).

[CJ]

Question: Why should one use Unbound if I can not use Block Lists, Block Countries and DoT?

Not sure what Block Countries is, but I use several DNSBL and DoT with Unbound and have no problems.

Yeah, maybe, considering unbound is a recursive resolver, unless configured otherwise, it obviously cannot work without knowing what the root servers are.

Unbound shouldn't be running in recursive mode since the OP has DoT configured.

[Fright]

looks like a 'template generation' vs 'unbound start' racing for me
@lar.hed how many "generate template OPNsense/Unbound/*" messages in Backend log you see in time when this happens?