Hi,

> Since upgrading my router to 7.1, unbound doesn't start up automatically
> anymore; instead it times out:
> 
> starting early daemons: syslogd pflogd unbound(timeout) ntpd.
> 
> It can be started successfully manually later. This setup worked with 7.0.

I have a very similar configuration (apu2 acting as a firewall/router
for home network), with a similar unbound.conf (given below) which is
working fine as of 7.1-stable.  I recently switched from one ISP to another
and there was no problem (literally: unplug ethernet cable from $OLD_ISP
router, plug into $NEW_ISP router, reboot firewall).  My outside interface
has

--- begin /etc/hostname.em0 ---
inet autoconf
--- end /etc/hostname.em0 ---

Does the -d unbound flag give any useful output for you?  More generally,
how are you starting unbound, i.e., what (if any) flags are you passing in
/etc/rc.conf.local?  I have

--- begin /etc/rc.conf.local ---
dhcpd_flags="em1 em2 em3"
unbound_flags=""
dhcpleased_flags=
--- end /etc/rc.conf.local ---

Here is my unbound.conf
--- begin /var/unbound/etc/unbound.conf ---
# $OpenBSD: unbound.conf,v 1.21 2020/10/28 11:35:58 sthen Exp $

server:
        interface: 127.0.0.1
        interface: em1                                  # wired
        interface: em2                                  # wifi
        interface: em3                                  # voip
        #interface: 127.0.0.1@5353      # listen on alternative port
        #interface: ::1
        do-ip6: no
        prefer-ip4: yes

        # override the default "any" address to send queries; if multiple
        # addresses are available, they are used randomly to counter spoofing
        #outgoing-interface: 192.0.2.1
        #outgoing-interface: 2001:db8::53

        access-control: 0.0.0.0/0 refuse
        access-control: 127.0.0.0/8 allow
        access-control: ::0/0 refuse
        access-control: ::1 allow
        access-control: 192.168.155.0/24 allow          # any internal address

        private-address: 192.168.0.0/16         # block DNS rebinding attacks
                                                # where local browser becomes
                                                # a trojan

        hide-identity: yes
        hide-version: yes

        # Perform DNSSEC validation.
        #
        root-hints:             "/var/unbound/etc/root.hints"
        auto-trust-anchor-file: "/var/unbound/db/root.key"
        qname-minimisation:     yes
        #val-log-level: 2

        # Synthesize NXDOMAINs from DNSSEC NSEC chains.
        # https://tools.ietf.org/html/rfc8198
        #
        #aggressive-nsec: yes

        # Serve zones authoritatively from Unbound to resolver clients.
        # Not for external service.
        #
        #local-zone: "local." static
        #local-data: "mycomputer.local. IN A 192.0.2.51"
        #local-zone: "2.0.192.in-addr.arpa." static
        #local-data-ptr: "192.0.2.51 mycomputer.local"

        # Use TCP for "forward-zone" requests. Useful if you are making
        # DNS requests over an SSH port forwarding.
        #
        #tcp-upstream: yes

        # CA Certificates used for forward-tls-upstream (RFC7858) hostname
        # verification.  Since it's outside the chroot it is only loaded at
        # startup and thus cannot be changed via a reload.
        tls-cert-bundle: "/etc/ssl/cert.pem"

remote-control:
        control-enable: yes
        control-interface: /var/run/unbound.sock

# Use an upstream forwarder (recursive resolver) for some or all zones.
#
forward-zone:
        name: "."                               # use for ALL queries
        ##forward-addr: 192.168.1.254           # Telus router
        # next non-comment line configures Cloudflare DNS-over-TLS
        # ... the hostname after the '#' is not a comment; it is the name
        # the upstream TLS certificate is checked against
        forward-addr: 1.1.1.1@853#cloudflare-dns.com
        forward-tls-upstream: yes
        forward-first: no                       # don't fallback to insecure DNS
--- end /var/unbound/etc/unbound.conf ---

ciao,
-- 
-- "Jonathan Thornburg [remove -color to reply]" <dr.j.thornb...@gmail-pink.com>
   on the west coast of Canada
   "Now back when I worked in banking, if someone went to Barclays,
    pretended to be me, borrowed UKP10,000 and legged it, that was
    `impersonation', and it was the bank's money that had been stolen,
    not my identity.  How did things change?" -- Ross Anderson

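The unbound.conf posted above gets several things right that are easy to get wrong: default-refuse access control, a private-address range covering the client network (rebinding protection), hide-identity/hide-version, a trust anchor for DNSSEC, and a DNS-over-TLS forwarder with an authentication name, a CA bundle and no insecure fallback. As an added example (my code, not from the poster or from the OpenBSD project), here is a small Python audit that parses an unbound.conf in this key/value layout and flags each of those mistakes. The two configs embedded in it are constructed: GOOD_CONF is a condensed copy of the posted file, WEAK_CONF is the same layout with the mistakes deliberately introduced. The parser only handles the flat "section:" / "key: value" subset used in the post.

```python
"""Audit an unbound.conf for common resolver hardening mistakes.

Added example for this thread, not part of OpenBSD's unbound.conf or the
poster's setup.  Both configs below are constructed samples.
"""
import ipaddress
import re
import sys

# Constructed: condensed copy of the posted config, expected to audit clean.
GOOD_CONF = """\
server:
        interface: 127.0.0.1
        interface: em1                                  # wired
        do-ip6: no
        access-control: 0.0.0.0/0 refuse
        access-control: 127.0.0.0/8 allow
        access-control: ::0/0 refuse
        access-control: ::1 allow
        access-control: 192.168.155.0/24 allow          # any internal address
        private-address: 192.168.0.0/16         # block DNS rebinding
        hide-identity: yes
        hide-version: yes
        auto-trust-anchor-file: "/var/unbound/db/root.key"
        tls-cert-bundle: "/etc/ssl/cert.pem"
forward-zone:
        name: "."
        forward-addr: 1.1.1.1@853#cloudflare-dns.com
        forward-tls-upstream: yes
        forward-first: no
"""

# Constructed: same layout with the mistakes the audit is meant to catch.
WEAK_CONF = """\
server:
        interface: 0.0.0.0
        access-control: 0.0.0.0/0 allow
        access-control: 192.168.155.0/24 allow
forward-zone:
        name: "."
        forward-addr: 1.1.1.1@853
        forward-tls-upstream: yes
        forward-first: yes
"""


def parse(text):
    """Return a list of (section, [(key, value), ...]) blocks.

    A '#' starts a comment only at line start or after whitespace, because
    unbound's forward-addr syntax is 'addr@port#authname' with no space.
    """
    blocks = []
    for raw in text.splitlines():
        line = re.sub(r"(^|\s)#.*$", "", raw).strip()
        if not line:
            continue
        if line.endswith(":") and " " not in line:      # e.g. "server:"
            blocks.append((line[:-1], []))
            continue
        if not blocks:
            raise ValueError("option before any section: %r" % raw)
        key, _, value = line.partition(":")
        blocks[-1][1].append((key.strip(), value.strip().strip('"')))
    return blocks


def audit(text):
    """Return a list of findings; an empty list means nothing was flagged."""
    findings = []
    blocks = parse(text)
    server = [o for sec, opts in blocks if sec == "server" for o in opts]
    zones = [opts for sec, opts in blocks if sec == "forward-zone"]

    def values(opts, key):
        return [v for k, v in opts if k == key]

    # 1. Access control: 'allow' on 0.0.0.0/0 or ::/0 is an open resolver.
    allowed = []
    for rule in values(server, "access-control"):
        net, action = rule.split()
        net = ipaddress.ip_network(net, strict=False)
        if action == "allow" and net.prefixlen == 0:
            findings.append("open resolver: access-control %s allow" % net)
        elif action == "allow" and not net.is_loopback:
            allowed.append(net)

    # 2. Rebinding: each allowed client network should lie inside a
    #    private-address range so upstream answers pointing at it are dropped.
    private = [ipaddress.ip_network(v, strict=False)
               for v in values(server, "private-address")]
    for net in allowed:
        if not any(net.version == p.version and net.subnet_of(p) for p in private):
            findings.append("no private-address covers client net %s "
                            "(DNS rebinding not blocked)" % net)

    # 3. Fingerprinting and DNSSEC.
    for key in ("hide-identity", "hide-version"):
        if values(server, key) != ["yes"]:
            findings.append("%s is not set to yes" % key)
    if not values(server, "auto-trust-anchor-file"):
        findings.append("no auto-trust-anchor-file: DNSSEC validation is off")

    # 4. DNS-over-TLS forwarders: port 853 needs TLS, an authentication
    #    name, a CA bundle, and no fallback to plain recursion.
    has_bundle = bool(values(server, "tls-cert-bundle"))
    for opts in zones:
        tls = values(opts, "forward-tls-upstream") == ["yes"]
        for addr in values(opts, "forward-addr"):
            _, port, authname = re.fullmatch(
                r"([^@#]+)(?:@(\d+))?(?:#(.+))?", addr).groups()
            if port == "853" and not tls:
                findings.append("forward-addr %s uses 853 without "
                                "forward-tls-upstream" % addr)
            if tls and not authname:
                findings.append("forward-addr %s has no #authname, so the "
                                "upstream certificate is not checked" % addr)
            if tls and not has_bundle:
                findings.append("forward-tls-upstream without tls-cert-bundle")
        if values(opts, "forward-first") == ["yes"]:
            findings.append("forward-first: yes falls back to plain "
                            "recursion when the forwarder fails")
    return findings


if __name__ == "__main__":
    # Usage: python audit_unbound.py /var/unbound/etc/unbound.conf
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else WEAK_CONF
    for f in audit(text) or ["no findings"]:
        print(f)
```

Run against the posted file it reports nothing; run against WEAK_CONF it lists the open resolver, the uncovered 192.168.155.0/24 client network, the missing hide-* and trust anchor options, the unauthenticated 853 forwarder, the missing CA bundle and the forward-first fallback. Note the comment-stripping rule: a naive "cut at '#'" would turn `1.1.1.1@853#cloudflare-dns.com` into an unauthenticated forwarder, which is exactly the silent downgrade the audit is looking for.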