Unbound Failure after update to 23.7.11

[Taunt9930]

Hi All,

I seem to have an issue where I have lost all DNS capability following update to 23.7.11. I am using Unbound, DoT configured for Cloudflare (I have also since tried quad9 with no luck). Working config working for over a year now, no changes to config.

If I manually set a secondary DNS (8.8.8.8 ) in Windows, I get internet/DNS access. As soon as I delete the alternate and point it to OPNSense, no connectivity. The firewall has no connectivity/DNS either - update checks fail etc.

I have tried restarting unbound, and looked through logs but to be honest I am out of my depth. Rebooted the firewall, no change. Has anyone else had any issues, or any steps I might be able to take to better diagnose the problem?

I'm not certain, but I think it might be only ipv4 with ipv6 working (I don't use IPv6 much, so am not very familiar).

Unbound logs are showing:

2024-01-07T09:38:23   Critical   unbound   [2797:2] fatal error: Could not initialize thread   
2024-01-07T09:38:23   Error   unbound   [2797:2] error: Could not set root or stub hints   
2024-01-07T09:38:23   Error   unbound   [2797:2] error: reading root hints /root.hints 2:12: Syntax error, could not parse the RR's type   
2024-01-07T08:59:48   Critical   unbound   [78925:1] fatal error: Could not initialize thread   
2024-01-07T08:59:48   Error   unbound   [78925:1] error: Could not set root or stub hints   
2024-01-07T08:59:48   Error   unbound   [78925:1] error: reading root hints /root.hints 2:12: Syntax error, could not parse the RR's type

If I run a checkconf from the shell I get:

root@router:~ # unbound-checkconf /var/unbound/unbound.conf
[1704626241] unbound-checkconf[20216:0] error: pythonmod: can't open file dnsbl_module.py for reading
[1704626241] unbound-checkconf[20216:0] fatal error: bad config for python module

Is that a clue?

Thanks.

[Fright]

Hi

Is that a clue?

nope
because of python module, you need to 'cd /var/unbound' before 'unbound-checkconf'

[meyergru]

Yep. See this.

As for the failure: The error message says that /var/ubnound/root.hints cannot be parsed, so you should look at that file and see what is wrong in there. It it a static file which has the root name servers in it. I wonder why it is broken in your configuration.

[Taunt9930]

Hi

Is that a clue?

nope
because of python module, you need to 'cd /var/unbound' before 'unbound-checkconf'

Thanks @Fright. No errors.

It does seem to to be a general unbound crashing issue, rather than something more specific - my unbound overrides for local *.lan.domain are not working either.

I've since re-installed unbound from the packages section (had to put 1.1.1.1 in the System Nameserver setup & disable unbound), and re-created the root.hints file. Still no dice. In fact, now in the unbound logs I just get an unbound start (Informational   unbound   [2450:0] info: start of service (unbound 1.19.0).) - nothing else.

Statistics page under unbound has nothing (completely blank/broken page) and nothing resolves. When I try to restart the service from the gui (shows green) it just appears to hang once the progess bar comes up.

[Taunt9930]

OK, Several reboots and I seem to be up and running - I've read about a weird race condition (here: https://forum.opnsense.org/index.php?topic=35527.0) that seems to occur very infrequently, could it have been that?

[Taunt9930]

I spoke to soon. Lost DNS/Internet access and cannot get to webgui.

[lar.hed]

I spoke to soon. Lost DNS/Internet access and cannot get to webgui.

Access via IP adress or hostname (which require DNS to work, which is not the case here)?

[notmycomputer]

Similar issues.

Been running stable for a long time but somewhere around 23.7.10 Unbound would stop resolving host overrides for the local network. After a restart it would work again for a while and then back to not resolving.

Updated OPNsense to the latest 24.1_1 and still same problems with Unbound, so I gave up and switched to Dnsmasq and it has been working fine for the last couple of days.

[Fright]

still root-hint file read error?
best i can offer for now:
https://github.com/opnsense/core/commit/2e2294c0642cdc537cccd785464059edea4948a6

Code Select Expand

opnsense-patch -a kulikov-a 2e2294c
then enable "Use built-in root hints" in Services: Unbound DNS: General (with advanced mode "on") and Apply

[joshndroid]

If the patch allows you to not use an external root hints, would it be possible, with this patch applied to manually pull the external root hints and override the internal one?

[Fright]

@joshndroid
I'm not sure I completely understood you..
the built-in roots are exactly the same as in the file (https://github.com/NLnetLabs/unbound/blob/be27499d397e192bd43bff27bf0dcaa79020d024/iterator/iter_hints.c#L130), but no - afaik unbound-control will not allow to manage root hints. only forwarders

[Sensler3000]

iam running 24.1_1 und have the same error, unbound randomly stopps DNS resolution:

After this it stopps:

Code Select Expand

2024-02-15T01:58:19 Error unbound [47314:1] error: reading root hints /root.hints 7:8: Syntax error, could not parse the RR's type
2024-02-15T01:58:19 Error unbound [47314:3] error: reading root hints /root.hints 2:13: Syntax error, could not parse the RR's type

Any ideas how to fix it ?

[joshndroid]

@joshndroid
I'm not sure I completely understood you..
the built-in roots are exactly the same as in the file (https://github.com/NLnetLabs/unbound/blob/be27499d397e192bd43bff27bf0dcaa79020d024/iterator/iter_hints.c#L130), but no - afaik unbound-control will not allow to manage root hints. only forwarders

Excellent, thanks. I was unsure if the external one was going to update and the one used within this patch become old and cause different issues.