Can't start unbound

arrowd (Dabbler, joined Jul 12, 2019, 16 messages)
On my TrueNAS 12.0-U4 system I've just started using rclone to back up my data files to my OneDrive space. It works well, but I notice ~13,000 DNS requests for graph.microsoft.com on my pi-hole at the time the backup occurs. I found the exact problem and a fix in the last entry at https://forum.rclone.org/t/workaround-for-rclone-and-pihone-dns-problems/23054/7.

Although entering the commands "sysrc local_unbound_enable=YES" and "service local_unbound start" at a shell prompt worked for him, I get these as the last two lines after trying to start: "su: unknown login: unbound" and "/etc/rc.d/local_unbound: WARNING: failed precmd routine for local_unbound" and then I have no DNS resolution anymore. I didn't find a web search result for the error. Suggestions for a relative newcomer?
--------------------------------------------------------
/var/unbound/unbound.conf:
# This file was generated by local-unbound-setup.
# Modifications will be overwritten.
server:
username: unbound
directory: /var/unbound
chroot: /var/unbound
pidfile: /var/run/local_unbound.pid <<< MISSING
auto-trust-anchor-file: /var/unbound/root.key <<< MISSING

include: /var/unbound/forward.conf
include: /var/unbound/lan-zones.conf
include: /var/unbound/control.conf
include: /var/unbound/conf.d/*.conf
--------------------------------------------------------
/var/unbound/forward.conf:
# This file was generated by local-unbound-setup.
# Modifications will be overwritten.
forward-zone:
name: .
forward-addr: 192.168.15.5
forward-addr: 192.168.15.1
forward-addr: 2601:<...>::1
--------------------------------------------------------
/var/unbound/lan-zones.conf:
# This file was generated by local-unbound-setup.
# Modifications will be overwritten.
server:
# Unblock reverse lookups for LAN addresses
unblock-lan-zones: yes
insecure-lan-zones: yes
--------------------------------------------------------
/var/unbound/control.conf:
# This file was generated by local-unbound-setup.
# Modifications will be overwritten.
remote-control:
control-enable: yes
control-interface: /var/run/local_unbound.ctl <<< MISSING
control-use-cert: no
--------------------------------------------------------
The conf.d directory is empty
--------------------------------------------------------
/etc/resolv.conf:
# Generated by resolvconf
search local
# nameserver 192.168.15.5
# nameserver 192.168.15.1
# nameserver 2601:<...>::1

nameserver 127.0.0.1
options edns0
--------------------------------------------------------
 

Patrick M. Hausen (Hall of Famer, joined Nov 25, 2013, 7,776 messages)
You should not try to run unbound on your TrueNAS proper but create a jail and run it inside the jail instead.
 

arrowd (Dabbler, joined Jul 12, 2019, 16 messages)
To help me avoid trying things like this in the future, could you give a short reason why running unbound on TrueNAS is not recommended? (Other than the fact that it doesn't work when run the way I tried it. :)

If I make a jail and run only unbound in it, I'll have to have the main TrueNAS specify that as the DNS server, correct? Then queries will have to go out from TrueNAS and into the jail's IP address. So, will that be any different from retaining the pi-hole as the DNS server for TrueNAS and having TrueNAS continue what it's now doing - which is asking the pi-hole and having the pi-hole return the answer - mostly from its cache?

Looking over my reference again, I now see that he says that he was running rclone in a jail and then enabled unbound in that jail. That would mean manually configuring rclone rather than using TrueNAS's web gui. I may just leave things as they are.
 

Patrick M. Hausen (Hall of Famer, joined Nov 25, 2013, 7,776 messages)
You simply cannot install or activate additional software that is not already in the UI in TrueNAS. This thing is an appliance with a fixed feature set. If you ignore that, you will likely break it.

That being said there are of course two ways to run arbitrary applications on TrueNAS: jails and VMs. So I recommended using a jail for unbound.

The solution to your original problem suggests using a local unbound as the DNS server for rclone, so the unbound will get hit with the 13,000 requests instead of the pi-hole. In that setup unbound should be configured to forward to your pi-hole, of course, but it will cache the replies and not hit the pi-hole thousands of times. Of course you will still have 13,000 requests, only they will be served by unbound instead of by pi-hole.

Why the requests going to pi-hole might be a problem, I honestly don't know. I don't run that software. I was only trying to advise you not to install or enable unsupported things on your TrueNAS host.
 

arrowd (Dabbler, joined Jul 12, 2019, 16 messages)
I hadn't looked at TrueNAS that way. Previously I was using Windows Home Server 2011 which was built on top of Windows Server 2008 R2. In addition to many plugins that were available, you could install and run normal Windows programs on the same machine with only a few caveats and concerns about interference. I have made one jail on TrueNAS with Logitech Media Server running in it. I will restrict any other effort to work in a jail. Thanks for your explanation.
 

Elbows (Cadet, joined Jun 1, 2021, 1 message)
Hi arrowd,
Did you solve this? I have the exact same problem with rclone failing because pihole gets flooded and blocks graph.microsoft.com.

I tried adding a jail with unbound using 8.8.8.8 but couldn't get my TrueNAS to use the jailed unbound DNS even after setting all three nameservers as the (static) IP address of the unbound jail in the Network Global Config.
When I did a 'dig github.com' it always returned the pihole ip as the server, no matter what settings I changed.

Incidentally, I would have been happy with the workaround (disabling the pihole rate limit) but the pihole got flooded and broke so I need to get Patrick's suggestion working.

Thanks in advance.
 

Patrick M. Hausen (Hall of Famer, joined Nov 25, 2013, 7,776 messages)
When I did a 'dig github.com' it always returned the pihole ip as the server, no matter what settings I changed.
Do you have any network interface set to DHCP? That would overwrite your static configuration. You need to set a static IP address if you want static DNS entries. Don't forget the default gateway.
 

arrowd (Dabbler, joined Jul 12, 2019, 16 messages)
I think the perfect solution to this is to have rclone not ask to resolve the same domain so many times by using its own cache. Or I would expect rclone to call a FreeBSD routine for DNS resolution and that FreeBSD would keep a cache to handle this case. E.g. for last night's run here, there were 15,458 queries between 1:15 and 1:22 AM.

In my situation I wanted to see the pi-hole usage chart on its dashboard without having rclone take over the graph with so many thousands of hits. Pi-hole scales the graph using the highest value - that pushes the rest of the day's use down into the grass of the graph. Moving the domain resolution to unbound would do what I wanted but I decided that the extra effort and complexity wasn't worth it to me. IOW the DNS requests would still be happening but they would be answered by a different device. I don't think it would have reduced the total time for the rclone procedure.

What kind of Pi are you running your pi-hole on? Maybe a better performing unit would not get overwhelmed. E.g. if you were using a Pi zero, replace it with a Pi 3 or 4. My system uses a Pi 3B and doesn't get overwhelmed. My LAN connections between the Pi and the TrueNAS device are 1GB wired.

Also, do you have IPv6 enabled on your LAN? Perhaps the domain is being resolved via an IPv6 query to the DNS server. I can't tell you how to set this up but maybe it's not using the IPv4 DNS server so the IPv4 addresses you configured don't matter.
 

Patrick M. Hausen (Hall of Famer, joined Nov 25, 2013, 7,776 messages)
I think the perfect solution to this is to have rclone not ask to resolve the same domain so many times by using its own cache.
If you are running rclone in a jail you can just enable the local_unbound that comes with the base system in FreeBSD (inside the jail) and set 127.0.0.1 as the nameserver. Set your PiHole as the forwarder if you prefer or just let unbound reach out to the public Internet for all queries ...
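The two things the thread leaves as prose are Patrick's recipe (enable the base-system local_unbound inside the jail, forward to the Pi-hole, point resolv.conf at 127.0.0.1) and Elbows' check with dig, where the ";; SERVER:" line kept showing the Pi-hole. The script below is an added example, not code from the thread or from FreeBSD; it puts both into one place. Assumptions: 192.168.15.5 is the Pi-hole address taken from the forward.conf in the first post; the function names (apply_in_jail, dig_server, cache_working, and so on) are this example's own; the dig transcripts and resolv.conf body are constructed samples so the parsing functions can be exercised offline. It also guards against the failure in the first post: "su: unknown login: unbound" is su reporting that no such account exists in the passwd database, and the local_unbound rc script's precmd switches to that account with su to maintain the DNSSEC trust anchor, which matches the root.key file being missing there.

```shell
#!/bin/sh
# Added example, not code from the thread. Meant to run inside a FreeBSD jail
# that ships the base-system local_unbound. 192.168.15.5 (the Pi-hole) comes
# from the forward.conf shown in the first post; the dig transcripts and the
# resolv.conf body below are constructed samples. Function names are the
# example's own.

PIHOLE=192.168.15.5

# Enable local_unbound as a caching forwarder in front of the Pi-hole. The rc
# script's precmd does "su -m unbound ..." to maintain the DNSSEC trust anchor,
# which is where "su: unknown login: unbound" came from on the TrueNAS host,
# so refuse to continue unless that account exists in this jail.
apply_in_jail() {
    if ! pw usershow unbound >/dev/null 2>&1; then
        echo "no 'unbound' account in this passwd database; local_unbound cannot start" >&2
        return 1
    fi
    sysrc local_unbound_enable=YES
    # local-unbound-setup(8) writes /var/unbound/forward.conf with the given
    # forwarder and rewrites /etc/resolv.conf to use 127.0.0.1.
    local-unbound-setup "$PIHOLE"
    service local_unbound start
}

# Which resolver answered: parsed from dig's ";; SERVER: a.b.c.d#53(a.b.c.d)" line.
dig_server() {
    printf '%s\n' "$1" | sed -n 's/^;; SERVER: \([^#]*\)#.*/\1/p'
}

# Round-trip time dig reported, in milliseconds.
dig_query_ms() {
    printf '%s\n' "$1" | sed -n 's/^;; Query time: \([0-9][0-9]*\) msec.*/\1/p'
}

# Active nameserver entries of a resolv.conf body; commented-out lines ignored.
resolv_nameservers() {
    printf '%s\n' "$1" | awk '$1 == "nameserver" { print $2 }'
}

# Succeeds when two consecutive lookups of one name show the local cache
# working: both answered by 127.0.0.1 and the repeat served in 0 msec.
# Any other SERVER value is the symptom Elbows saw with "dig github.com".
cache_working() {
    [ "$(dig_server "$1")" = "127.0.0.1" ] || return 1
    [ "$(dig_server "$2")" = "127.0.0.1" ] || return 1
    ms=$(dig_query_ms "$2")
    [ "${ms:-1}" -eq 0 ]
}

# Live check: two real lookups through whatever resolver the jail uses.
live_check() {
    name=${1:-github.com}
    first=$(dig "$name")
    second=$(dig "$name")
    if cache_working "$first" "$second"; then
        echo "$name: answered from the local unbound cache"
    else
        echo "$name: NOT served by 127.0.0.1 (resolver: $(dig_server "$second"))" >&2
        return 1
    fi
}

# Constructed dig output, trimmed to the lines the checks use.
SAMPLE_VIA_PIHOLE='; <<>> DiG <<>> github.com
;; ANSWER SECTION:
github.com.		60	IN	A	203.0.113.10
;; Query time: 23 msec
;; SERVER: 192.168.15.5#53(192.168.15.5)'

SAMPLE_LOCAL_FIRST='; <<>> DiG <<>> github.com
;; ANSWER SECTION:
github.com.		60	IN	A	203.0.113.10
;; Query time: 31 msec
;; SERVER: 127.0.0.1#53(127.0.0.1)'

SAMPLE_LOCAL_SECOND='; <<>> DiG <<>> github.com
;; ANSWER SECTION:
github.com.		58	IN	A	203.0.113.10
;; Query time: 0 msec
;; SERVER: 127.0.0.1#53(127.0.0.1)'

# Constructed resolv.conf body in the shape local-unbound-setup leaves behind.
SAMPLE_RESOLV='# Generated by resolvconf
search local
# nameserver 192.168.15.5
nameserver 127.0.0.1
options edns0'

case "${1:-}" in
    apply) apply_in_jail ;;
    check) live_check "${2:-github.com}" ;;
esac
```

Usage inside the jail: `sh unbound-jail.sh apply` as root, then `sh unbound-jail.sh check github.com`; the second dig of the pair should report 0 msec from 127.0.0.1. If the SERVER line still names the Pi-hole, the jail's resolv.conf is not pointing at 127.0.0.1 (resolv_nameservers shows what is active), which on the TrueNAS host side is the DHCP-overwrites-static issue Patrick raised.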
 