I had a similar issue going from 7.1 -> 7.2 (though looking back, I think the issue is
I made my config change and never rebooted until I upgraded to 7.1).
However, my issue was not so much unbound waiting for an interface, but
rather I wanted to allow listening on IPv6 and thus added my router's IPv6
address to be an interface. Since the IP didn't exist (since I had to wait for
dhcpcd to get the delegation) I had to change my order of operations since
unbound would start before dhcpcd. unbound is an early boot script, so
setting the order with rcctl doesn't work. My solution was to disable unbound.

rcctl disable unbound

Then add it to /etc/rc.local:

rcctl -f start unbound

Now unbound starts last when everything else is done.

Courtney
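The same rc.local approach with a bounded wait for the address, written out as an added example (this is not Courtney's script): instead of trusting that everything else has finished by the time rc.local runs, it polls ifconfig until the address unbound must bind to is present, with a timeout so a slow delegation is logged rather than silently leaving unbound failing at bind(). Interface em0, address 2001:db8::1 and the 60-second budget are placeholders; the IFCONFIG_CMD override exists only so the wait logic can be exercised without a real interface.

```shell
#!/bin/sh
# Added example for /etc/rc.local (not the poster's script): wait, with a
# bounded budget, until the address unbound listens on is configured, then
# start unbound.  Placeholders (assumptions): em0, 2001:db8::1, 60 seconds.

# has_addr IFACE ADDR: succeeds when ADDR is shown in `ifconfig IFACE`.
# IFCONFIG_CMD may be pointed at another command, e.g. a stub in a test.
has_addr() {
    ${IFCONFIG_CMD:-ifconfig} "$1" 2>/dev/null | grep -q "inet6\{0,1\} $2 "
}

# wait_for_addr IFACE ADDR SECONDS: poll once a second; returns 0 when the
# address appeared within the budget, 1 when the budget ran out.
wait_for_addr() {
    _left=$3
    while [ "$_left" -gt 0 ]; do
        has_addr "$1" "$2" && return 0
        sleep 1
        _left=$((_left - 1))
    done
    return 1
}

# start_unbound_when_ready IFACE ADDR SECONDS: the rc.local body.  On timeout
# it logs to syslog and still starts unbound, so the bind failure is reported
# by unbound itself instead of being skipped silently.
start_unbound_when_ready() {
    if ! wait_for_addr "$1" "$2" "$3"; then
        logger -t rc.local "unbound: $2 not configured on $1 after $3 s, starting anyway"
    fi
    rcctl -f start unbound
}

# In /etc/rc.local this is the only line needed after the functions above.
# Guarded so the file can also be sourced on a host without rcctl.
if [ -x /usr/sbin/rcctl ] && [ "$(id -u)" = 0 ]; then
    start_unbound_when_ready em0 2001:db8::1 60
fi
```

rc.local is still the last thing rc(8) runs, so this keeps Courtney's ordering; the wait only covers the case where dhcpcd has not finished by then.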

On 11/9/22 12:24, Jonathan Thornburg wrote:
Hi,

since upgrading my router to 7.1 unbound doesn't start up automatically anymore,
instead it times out:

starting early daemons: syslogd pflogd unbound(timeout) ntpd.

It can be started successfully manually later. This setup worked with 7.0.
I have a very similar configuration (apu2 acting as a firewall/router
for home network), with a similar unbound.conf (given below) which is
working fine as of 7.1-stable.  I recently switched from one ISP to another
and there was no problem (literally: unplug ethernet cable from $OLD_ISP
router, plug into $NEW_ISP router, reboot firewall).  My outside interface
has

--- begin /etc/hostname.em0 ---
inet autoconf
--- end /etc/hostname.em0 ---

Does the -d unbound flag give any useful output for you?  More generally,
how are you starting unbound, i.e., what (if any) flags are you passing in
/etc/rc.conf.local?  I have

--- begin /etc/rc.conf.local ---
dhcpd_flags="em1 em2 em3"
unbound_flags=""
dhcpleased_flags=
--- end /etc/rc.conf.local ---

Here is my unbound.conf
--- begin /var/unbound/etc/unbound.conf ---
# $OpenBSD: unbound.conf,v 1.21 2020/10/28 11:35:58 sthen Exp $

server:
        interface: 127.0.0.1
        interface: em1                                  # wired
        interface: em2                                  # wifi
        interface: em3                                  # voip
        #interface: 127.0.0.1@5353      # listen on alternative port
        #interface: ::1
        do-ip6: no
        prefer-ip4: yes

        # override the default "any" address to send queries; if multiple
        # addresses are available, they are used randomly to counter spoofing
        #outgoing-interface: 192.0.2.1
        #outgoing-interface: 2001:db8::53

        access-control: 0.0.0.0/0 refuse
        access-control: 127.0.0.0/8 allow
        access-control: ::0/0 refuse
        access-control: ::1 allow
        access-control: 192.168.155.0/24 allow          # any internal address

        private-address: 192.168.0.0/16         # block DNS rebinding attacks
                                                # where local browser becomes
                                                # a trojan

        hide-identity: yes
        hide-version: yes

        # Perform DNSSEC validation.
        #
        root-hints:             "/var/unbound/etc/root.hints"
        auto-trust-anchor-file: "/var/unbound/db/root.key"
        qname-minimisation:     yes
        #val-log-level: 2

        # Synthesize NXDOMAINs from DNSSEC NSEC chains.
        # https://tools.ietf.org/html/rfc8198
        #
        #aggressive-nsec: yes

        # Serve zones authoritatively from Unbound to resolver clients.
        # Not for external service.
        #
        #local-zone: "local." static
        #local-data: "mycomputer.local. IN A 192.0.2.51"
        #local-zone: "2.0.192.in-addr.arpa." static
        #local-data-ptr: "192.0.2.51 mycomputer.local"

        # Use TCP for "forward-zone" requests. Useful if you are making
        # DNS requests over an SSH port forwarding.
        #
        #tcp-upstream: yes

        # CA Certificates used for forward-tls-upstream (RFC7858) hostname
        # verification.  Since it's outside the chroot it is only loaded at
        # startup and thus cannot be changed via a reload.
        tls-cert-bundle: "/etc/ssl/cert.pem"

remote-control:
        control-enable: yes
        control-interface: /var/run/unbound.sock

# Use an upstream forwarder (recursive resolver) for some or all zones.
#
forward-zone:
        name: "."                             # use for ALL queries
        ##forward-addr: 192.168.1.254           # Telus router
        # next non-comment line configures Cloudflare DNS-over-TLS
        # ... hostname after the '#' is not a comment, it is used for TLS checks
        forward-addr: 1.1.1.1@853#cloudflare-dns.com
        forward-tls-upstream: yes
        forward-first: no                       # don't fallback to insecure DNS
--- end /var/unbound/etc/unbound.conf ---

ciao,
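An added example (not Jonathan's file and not part of Unbound) that checks a configuration like the one above for the pitfalls this thread turns on: a literal listen address that has to exist before unbound starts, an access-control that answers everyone, and forward-zone TLS settings that quietly weaken trust. It uses two constructed sample files, good.conf mirroring the settings shown above and weak.conf with each pitfall once; unbound-checkconf(8) remains the syntax check, and matching options file-wide rather than per clause is a simplification.

```shell
#!/bin/sh
# Added example, not from the thread or from Unbound: semantic checks over an
# unbound.conf that unbound-checkconf(8), a syntax check, does not make.
# Simplification (assumption): options are matched file-wide, not per clause.

# strip_conf FILE: drop comments.  '#' opens a comment only at line start or
# after whitespace, so the '#authname' glued to a forward-addr survives.
strip_conf() {
    sed -e '/^[[:space:]]*#/d' -e 's/[[:space:]]#.*$//' "$1"
}

# conf_values FILE KEY: the value of every "KEY: value" line, quotes removed.
conf_values() {
    strip_conf "$1" | sed -n "s/^[[:space:]]*$2:[[:space:]]*//p" \
        | sed -e 's/"//g' -e 's/[[:space:]]*$//'
}

check_interfaces() {
    for _v in $(conf_values "$1" interface); do
        case ${_v%%@*} in                    # ignore an @port suffix
            127.*|::1) ;;                    # loopback is always there
            *:*) echo "interface $_v: IPv6 literal must be configured before unbound starts" ;;
            *[!0-9.]*) ;;                    # an interface name such as em1
            *) echo "interface $_v: IPv4 literal must be configured before unbound starts" ;;
        esac
    done
}

check_access_control() {
    conf_values "$1" access-control | while read -r _net _action; do
        case "$_action" in allow*) case "$_net" in 0.0.0.0/0|::/0|::0/0)
            echo "access-control $_net $_action: answers any client (open resolver)" ;;
        esac ;; esac
    done
}

check_forwarding() {
    _tls=no
    conf_values "$1" forward-tls-upstream | grep -qx yes && _tls=yes
    if [ "$_tls" = yes ] && [ -z "$(conf_values "$1" tls-cert-bundle)" ]; then
        echo "forward-tls-upstream without tls-cert-bundle: upstream certificate is not validated"
    fi
    if conf_values "$1" forward-first | grep -qx yes; then
        echo "forward-first yes: falls back to unforwarded plain recursion when the forwarder fails"
    fi
    [ "$_tls" = yes ] || return 0
    for _a in $(conf_values "$1" forward-addr); do
        case "$_a" in *#*) ;; *) echo "forward-addr $_a: no '#hostname', certificate name is not verified" ;; esac
    done
}

# lint_unbound_conf FILE: print findings; exit status 1 if there are any.
lint_unbound_conf() {
    _out=$(check_interfaces "$1"; check_access_control "$1"; check_forwarding "$1")
    [ -z "$_out" ] && return 0
    printf '%s\n' "$_out"
    return 1
}

# write_sample_confs DIR: constructed inputs; good.conf mirrors the thread's
# settings, weak.conf contains each pitfall once.
write_sample_confs() {
    cat > "$1/good.conf" <<'EOF'
server:
        interface: 127.0.0.1
        interface: em1                          # wired
        #interface: ::1
        access-control: 0.0.0.0/0 refuse
        access-control: 192.168.155.0/24 allow  # any internal address
        tls-cert-bundle: "/etc/ssl/cert.pem"
forward-zone:
        name: "."
        forward-addr: 1.1.1.1@853#cloudflare-dns.com
        forward-tls-upstream: yes
        forward-first: no
EOF
    cat > "$1/weak.conf" <<'EOF'
server:
        interface: 192.168.155.1
        access-control: 0.0.0.0/0 allow
forward-zone:
        name: "."
        forward-addr: 1.1.1.1@853
        forward-tls-upstream: yes
        forward-first: yes
EOF
}

_dir=$(mktemp -d)
write_sample_confs "$_dir"
for _c in good weak; do
    echo "== $_c.conf"
    lint_unbound_conf "$_dir/$_c.conf" && echo "(no findings)"
done
rm -r "$_dir"
```

Run it against a real file with `lint_unbound_conf /var/unbound/etc/unbound.conf` after sourcing the functions; the interface check is the one that explains the startup timeout discussed here, the other three cover the trust settings that the commented forward-zone above gets right.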
