[pfSense] Unbound DNS Resolver doesn't listen on IP aliases even when selected in settings
Paul Mather
2015-11-12 19:38:20 UTC
I recently started using "DNS Resolver" on my pfSense 2.2 system, which had been previously using "DNS Forwarder." The pfSense install has a WAN network and two local networks, LAN and INTERNAL. The INTERNAL network has two IP aliases defined for it.

In DNS Resolver -> General Settings -> Network Interfaces I have LAN, INTERNAL, Localhost, and the two IP aliases selected; All and WAN are unselected. In "Outgoing Network Interfaces" I have All selected.

Unfortunately, with this configuration, unbound does not listen on the IP aliases: it only listens on the primary IP addresses of LAN, INTERNAL, and localhost.

Is anyone else having this problem? If so, is there a way to get unbound to listen on all the *selected* interfaces?

Cheers,

Paul.
Steve Yates
2015-11-17 17:45:57 UTC
Post by Paul Mather
Unfortunately, with this configuration, unbound does not listen on the
IP aliases: it only listens on the primary IP addresses of LAN,
INTERNAL, and localhost.
I don't have quite the same configuration, but with a CARP shared LAN IP, it listens on that alias. Did you check your firewall log/rules?

--

Steve Yates
ITS, Inc.
Paul Mather
2015-11-18 13:54:57 UTC
Post by Steve Yates
Post by Paul Mather
Unfortunately, with this configuration, unbound does not listen on the
IP aliases: it only listens on the primary IP addresses of LAN,
INTERNAL, and localhost.
I don't have quite the same configuration, but with a CARP shared LAN IP, it listens on that alias. Did you check your firewall log/rules?
I don't believe it is an issue of firewall/log rules. Unbound is simply not listening on those interfaces, as shown by a "sockstat -4l":

USER     COMMAND    PID   FD PROTO  LOCAL ADDRESS    FOREIGN ADDRESS
[[...]]
unbound  unbound    1123  10 udp4   10.5.5.1:53      *:*
unbound  unbound    1123  11 tcp4   10.5.5.1:53      *:*
unbound  unbound    1123  12 udp4   10.0.0.7:53      *:*
unbound  unbound    1123  13 tcp4   10.0.0.7:53      *:*
unbound  unbound    1123  14 udp4   127.0.0.1:53     *:*
unbound  unbound    1123  16 tcp4   127.0.0.1:53     *:*
unbound  unbound    1123  19 tcp4   127.0.0.1:953    *:*
[[...]]

Those IP addresses correspond to the primary addresses of LAN, INTERNAL, and localhost. Missing are entries listening on the IP aliases, 10.0.0.1 and 10.0.0.14.

Also, even though I also have 10.0.0.14 and 10.0.0.1 checked in the DNS Resolver settings, they are not included in the active /var/unbound/unbound.conf file:

[[...]]
# Interface IP(s) to bind to
interface: 10.5.5.1
interface: 10.0.0.7
interface: 127.0.0.1
interface: ::1
[[...]]

Only the primary addresses of the network NICs are included.

If I add "interface:" lines myself to this file and stop and start unbound from the command line then unbound listens correctly on the IP aliases, too. For some reason, they are not making it into the unbound.conf file from the GUI settings page for DNS Resolver.

Cheers,

Paul.
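The check Paul describes above (compare what unbound is actually bound to, per sockstat, and what the generated unbound.conf names, against the addresses selected in the GUI) can be scripted so it is repeatable after every resolver restart or config change. The following POSIX sh script is an added example; it is not part of the thread and not pfSense's own code. To run offline it embeds constructed excerpts of sockstat and unbound.conf output modelled on the ones posted above; the expected-address list is an assumption standing in for whatever was ticked under DNS Resolver -> Network Interfaces, and the `--live` mode assumes a FreeBSD/pfSense box where `sockstat -4l` and /var/unbound/unbound.conf are available.

```shell
#!/bin/sh
# Added example (not from the thread or pfSense). Verifies that unbound has a
# udp4 AND tcp4 listener on :53 for every address it should serve, and that
# the generated unbound.conf carries a matching "interface:" line.

# Constructed sockstat -4l excerpt, modelled on the thread (assumption).
SAMPLE_SOCKSTAT='USER     COMMAND    PID   FD PROTO  LOCAL ADDRESS    FOREIGN ADDRESS
unbound  unbound    1123  10 udp4   10.5.5.1:53      *:*
unbound  unbound    1123  11 tcp4   10.5.5.1:53      *:*
unbound  unbound    1123  12 udp4   10.0.0.7:53      *:*
unbound  unbound    1123  13 tcp4   10.0.0.7:53      *:*
unbound  unbound    1123  14 udp4   127.0.0.1:53     *:*
unbound  unbound    1123  16 tcp4   127.0.0.1:53     *:*
unbound  unbound    1123  19 tcp4   127.0.0.1:953    *:*'

# Constructed unbound.conf excerpt, modelled on the thread (assumption).
SAMPLE_UNBOUND_CONF='# Interface IP(s) to bind to
interface: 10.5.5.1
interface: 10.0.0.7
interface: 127.0.0.1
interface: ::1'

# Addresses that should be served; stands in for the GUI selection (assumption).
EXPECTED="10.5.5.1 10.0.0.7 127.0.0.1 10.0.0.1 10.0.0.14"

# unbound_dns_listeners SOCKSTAT_TEXT
# Prints (sorted) every IPv4 address on which unbound holds BOTH a udp4 and a
# tcp4 socket bound to port 53. The :953 remote-control socket is ignored
# because /:53$/ needs the colon directly before "53".
unbound_dns_listeners() {
    printf '%s\n' "$1" | awk '
        $1 == "unbound" && $6 ~ /:53$/ {
            addr = $6; sub(/:53$/, "", addr)
            seen[addr, $5] = 1      # proto-specific flag (udp4 / tcp4)
            addrs[addr] = 1
        }
        END {
            for (a in addrs)
                if (seen[a, "udp4"] && seen[a, "tcp4"]) print a
        }' | sort
}

# conf_interfaces UNBOUND_CONF_TEXT
# Prints (sorted) the addresses named by "interface:" lines.
conf_interfaces() {
    printf '%s\n' "$1" | awk '$1 == "interface:" { print $2 }' | sort
}

# missing_from HAVE_LIST EXPECTED_LIST
# HAVE_LIST: newline-separated; EXPECTED_LIST: whitespace-separated.
# Prints each expected address absent from HAVE_LIST; returns 1 if any.
missing_from() {
    rc=0
    for want in $2; do
        if ! printf '%s\n' "$1" | grep -qx "$want"; then
            echo "$want"
            rc=1
        fi
    done
    return $rc
}

# report SOCKSTAT_TEXT UNBOUND_CONF_TEXT EXPECTED_LIST
# Human-readable summary; never aborts the script on a finding.
report() {
    echo "== addresses selected but without udp4+tcp4 :53 listener =="
    missing_from "$(unbound_dns_listeners "$1")" "$3" || true
    echo "== addresses selected but absent from unbound.conf interface: lines =="
    missing_from "$(conf_interfaces "$2")" "$3" || true
}

if [ "${1:-}" = "--live" ]; then
    # Real system: needs root for sockstat and the unbound config (FreeBSD/pfSense).
    report "$(sockstat -4l)" "$(cat /var/unbound/unbound.conf)" "$EXPECTED"
else
    report "$SAMPLE_SOCKSTAT" "$SAMPLE_UNBOUND_CONF" "$EXPECTED"
fi
```

Run it with no arguments to see the sample reproduce the thread's finding (10.0.0.1 and 10.0.0.14 listed under both headings); run it with `--live` on the firewall after any resolver restart. Checking both sockstat and the conf file separately is deliberate: a listener missing from sockstat but present in unbound.conf points at a bind failure, while an address missing from the conf file (as here) points at the GUI-to-config generation step. Note that pfSense regenerates unbound.conf from its own configuration, so hand-added interface: lines like the ones Paul mentions are a diagnostic, not a durable fix.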
