Juched
"from my debugging of unbound logs at a high verbosity a couple of nights ago, I see that this causes an HTTP 301 (permanently moved) code, which unbound fails on. It redirects to the HTTPS version, which currently doesn't work with unbound on that site due to the issue (https://github.com/NLnetLabs/unbound/issues/193). So, for now, even putting https in front doesn't help and just causes extra network traffic. I have tested, and for now, I would just leave URL: commented out, or remove it altogether. The file is downloaded via the RPZ script every 15 minutes and reloaded."
If you comment out url: "http://urlhaus.abuse.ch/downloads/rpz/" the following errors are obtained:
Code:
[1586862044] unbound-checkconf[30159:0] error: cannot open zonefile rpz.urlhaus.abuse.ch.zone for rpz.urlhaus.abuse.ch.: No such file or directory
[1586862044] unbound-checkconf[30159:0] fatal error: Could not setup authority zones
***ERROR INVALID unbound configuration - use option 'vx' to correct 'unbound.conf' or 'rl' to load a valid configuration file
Try changing 'unbound.conf':
zonefile: /opt/var/lib/unbound/rpz.urlhaus.abuse.ch.zone # v1.09 Match @juched's 'rpzsites'
Still having issues with setting up the DNS firewall.
First, I uninstalled my previous Unbound/Unbound_Manager installation
I then used amtm to install Unbound_manager. After the initial installation I did not yet install unbound. I quit amtm and then ran unbound_manager advanced. I did a uf dev to install 3.03 Beta.
Ran unbound_manager (now 3.03 Beta) and did the Unbound install.
After unbound installed and ran fine, I then selected 7 - Enable DNS Firewall.
Here is the output:
unbound_rpz.sh downloaded successfully
Created startup hook in services-start.
Created cron job.
/jffs/addons/unbound/unbound_rpz.sh: line 150: can't open /opt/share/unbound/configs/rpzsites: no such file
Installed.
unbound DNS Firewall ENABLED
[1586871887] unbound-checkconf[12216:0] error: cannot open zonefile rpz.urlhaus.abuse.ch.zone for rpz.urlhaus.abuse.ch.: No such file or directory
[1586871887] unbound-checkconf[12216:0] fatal error: Could not setup authority zones
***ERROR requested re(Start) of unbound ABORTed! - use option 'vx' to correct 'unbound.conf' or 'rl' to load a valid configuration file
Here is the relevant section of unbound.conf:
#@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
# v1.08 Example rpz ( see https://medium.com/nlnetlabs/response-policy-zones-in-unbound-5d453de75f26)
# Uses @juched's script so until NLLabs fix the 'url:' download issue - assume the zonefile will be downloaded externally
# and an external cron job will update the DNS Firewall every 00:15 minutes
#
rpz:#RPZ # v1.08 DNS Firewall
name: rpz.urlhaus.abuse.ch
#url: "http://urlhaus.abuse.ch/downloads/rpz/"
zonefile: "rpz.urlhaus.abuse.ch.zone" # v1.09 Match @juched's 'rpzsites'
rpz-log: yes
rpz-log-name: "rpz.urlhaus.abuse.ch"
rpz-action-override: nxdomain
#@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
Any advice?
See this error report by @joe scian.
Your unbound.conf should have this:
rpz:#RPZ # v1.08 DNS Firewall
name: rpz.urlhaus.abuse.ch
url: "http://urlhaus.abuse.ch/downloads/rpz/"
zonefile: "rpz.urlhaus.abuse.ch.zone" # v1.09 Match @juched's 'rpzsites'
rpz-log: yes
rpz-log-name: "rpz.urlhaus.abuse.ch"
rpz-action-override: nxdomain
Also, confirm that rpz.urlhaus.abuse.ch.zone file exists in the same location as unbound.conf. Further make sure you have rpzsites file in /opt/share/unbound/configs location.
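As an added check (example code, not part of unbound_manager or @juched's unbound_rpz.sh), the function below reproduces what unbound-checkconf complained about before a restart is attempted: it lists every zonefile: in unbound.conf, resolves a relative name against the directory holding unbound.conf (where the advice above says the zone file must live), and fails when one is missing. The conf path /opt/var/lib/unbound/unbound.conf in the comment and the conf built by demo_missing_zonefile are assumptions constructed for this example.

```shell
#!/bin/sh
# Added example, not from unbound_manager or unbound_rpz.sh: check from the
# shell that every zonefile: unbound.conf references actually exists, which is
# the test unbound-checkconf failed on in this thread. A relative zonefile: is
# taken to live next to unbound.conf (assumed /opt/var/lib/unbound on the router).

# Print each zonefile: value in the conf, one per line, with surrounding
# quotes and any trailing "# comment" removed.
list_zonefiles() {
    sed -n 's/^[[:space:]]*zonefile:[[:space:]]*//p' "$1" |
        sed 's/[[:space:]]*#.*$//; s/^"//; s/"[[:space:]]*$//'
}

# Report OK/MISSING for every zonefile the conf references. Returns 0 only
# when all of them are readable, so a script can gate a restart on it.
check_rpz_zonefiles() {
    conf=$1
    confdir=$(dirname "$conf")
    missing=0
    # The here-document keeps the loop in the current shell, so the
    # missing= counter survives (a pipe into while would run in a subshell).
    while read -r zf; do
        [ -n "$zf" ] || continue
        case "$zf" in
            /*) path=$zf ;;            # absolute path, used as-is
            *)  path=$confdir/$zf ;;   # relative: must sit next to unbound.conf
        esac
        if [ -r "$path" ]; then
            echo "OK      $path"
        else
            echo "MISSING $path"
            missing=$((missing + 1))
        fi
    done <<EOF
$(list_zonefiles "$conf")
EOF
    [ "$missing" -eq 0 ]
}

# Constructed demonstration: the rpz block from this thread with no zone file
# downloaded yet reproduces the condition that aborted the restart.
demo_missing_zonefile() {
    d=$(mktemp -d)
    printf 'rpz:\n  name: rpz.urlhaus.abuse.ch\n  zonefile: "rpz.urlhaus.abuse.ch.zone" # v1.09\n' \
        > "$d/unbound.conf"
    check_rpz_zonefiles "$d/unbound.conf"   # prints MISSING .../rpz.urlhaus.abuse.ch.zone
    rc=$?
    rm -rf "$d"
    return $rc
}
```

On the router, run check_rpz_zonefiles /opt/var/lib/unbound/unbound.conf after the RPZ script has fetched the zone and before option 'rl' reloads it.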
Is it possible to show DNS firewall stats in GUI?
I am curious if in my network I will see some activity. No hurry, keep your time ...
Please have a little patience, I'm sure they will appear when the scripting is ready.
grep RPZ /opt/var/log/unbound.log
Apr 14 18:08:19 RT-AC68U unbound: [13142:0] info: RPZ applied [rpz.urlhaus.abuse.ch] testentry.rpz.urlhaus.abuse.ch. nxdomain 127.0.0.1@33916 testentry.rpz.urlhaus.abuse.ch. A IN
awk '/RPZ/ {print $1" "$2" "$3}' /opt/var/log/unbound.log | awk -F: '{h[$1]++;m[$1":"$2]++;}END{for(x in h)print x,h[x]; print "---"; for(x in m)print x,m[x]}'
Apr 14 18 1
---
Apr 14 18:08 1
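Building on the awk one-liner above (this is an added example, not code from the thread or from unbound_manager), the two functions below summarise the same "RPZ applied" log lines per client address and per blocked name, which is the view you want when one LAN host keeps resolving a listed domain. The lines in SAMPLE_LOG are constructed for the example (only the first mirrors the real entry above); the field positions come from that entry.

```shell
#!/bin/sh
# Added example (not from unbound_manager): summarise "RPZ applied" lines from
# unbound.log per client and per blocked name. Field layout, by awk's default
# whitespace split, is taken from the log line shown in this thread:
#   $1-$3 date/time, $4 host, $5 unbound:, $6 [pid:tid], $7 info:, $8 RPZ,
#   $9 applied, $10 [zone], $11 qname, $12 action, $13 client@port, ...

# Print "client hits" for every source address in RPZ applied lines,
# busiest first. Reads the log on stdin.
rpz_hits_by_client() {
    awk '/info: RPZ applied/ { split($13, c, "@"); n[c[1]]++ }
         END { for (k in n) print k, n[k] }' | sort -k2,2nr -k1,1
}

# Print "blocked-name action hits", busiest first; the trailing dot of the
# owner name is dropped for readability.
rpz_hits_by_name() {
    awk '/info: RPZ applied/ { sub(/\.$/, "", $11); n[$11 " " $12]++ }
         END { for (k in n) print k, n[k] }' | sort -k3,3nr -k1,1
}

# Constructed sample log: three hits from one LAN host, one from localhost,
# plus an unrelated info line that must be ignored.
SAMPLE_LOG='Apr 14 18:08:19 RT-AC68U unbound: [13142:0] info: RPZ applied [rpz.urlhaus.abuse.ch] testentry.rpz.urlhaus.abuse.ch. nxdomain 127.0.0.1@33916 testentry.rpz.urlhaus.abuse.ch. A IN
Apr 14 18:10:02 RT-AC68U unbound: [13142:0] info: RPZ applied [rpz.urlhaus.abuse.ch] bad.example. nxdomain 192.168.1.50@51234 bad.example. A IN
Apr 14 18:10:07 RT-AC68U unbound: [13142:0] info: RPZ applied [rpz.urlhaus.abuse.ch] bad.example. nxdomain 192.168.1.50@51240 bad.example. AAAA IN
Apr 14 18:12:44 RT-AC68U unbound: [13142:0] info: reply from <.> 1.1.1.1#853
Apr 14 18:15:31 RT-AC68U unbound: [13142:0] info: RPZ applied [rpz.urlhaus.abuse.ch] bad.example. nxdomain 192.168.1.50@51300 bad.example. A IN'

# On the router: rpz_hits_by_client < /opt/var/log/unbound.log
# With the sample: printf '%s\n' "$SAMPLE_LOG" | rpz_hits_by_name
```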
Hi @Martineau. I ended up bailing on using the supplied script to create/update the zone file.
I did use the script to make a simplified cron script:
Code:
#!/bin/sh
curl -o /opt/var/lib/unbound/rpz.urlhaus.abuse.ch.zone "https://urlhaus.abuse.ch/downloads/rpz/"
dos2unix /opt/var/lib/unbound/rpz.urlhaus.abuse.ch.zone
unbound-control auth_zone_reload rpz.urlhaus.abuse.ch
Seems to be working fine. I attempted to access a few places in the zone file. This showed in the unbound.log:
I'm sure @juched will comment, but there should be a scheduled every-15 min cron job, but you can execute the script manually:
./unbound_rpz.sh download
Attempting to Download 1 of 1 from https://urlhaus.abuse.ch/downloads/rpz/.
######################################################################## 100.0%
Reload unbound for zone named rpz.urlhaus.abuse.ch
ok
Thanks, I did put the short script into cron - every 15 mins.
As far as @juched's script goes, it would never install correctly - first it complained it could not find the file rpzsites.
I then created an rpzsites file and put the https line pointing to rpz.urlhaus.abuse.ch into it (so curl would work).
It then complained it could not create a directory.
I looked over the script and simply dumbed it down with constants. Just to see if I could get the RPZ zone working with unbound.
BTW, maybe a question for @juched , in looking at the function download_reload, it seems to be called with 2 arguments.
How does it derive $3 on this line?
$UNBOUNCTRLCMD auth_zone_reload "$3"
If it helps, this is on an AX88u running 384.16.
It's reading it from the file at the end of the loop.
I can confirm, even though the check conf call shows that error, the file is loaded and run by unbound. If you open the rpz zone file and pick a newly entered entry (i.e. search for today's date), you can try it in a browser and it will generate an RPZ event.
Good to know that a full path will stop the error, that is a good fix.
Indeed.
Might I suggest that to provide feedback that the script is working that you replace the 'echo' statements with 'logger' statements where appropriate?
e.g.
Code:
# UNBOUNCTRLCMD (the unbound-control command) is set elsewhere in the script;
# default it here so the function also works stand-alone.
: "${UNBOUNCTRLCMD:=unbound-control}"

download_reload() {
    sitesfile=$1
    reload=$2
    count=1
    # Number of non-blank, non-comment lines; each holds: URL zonefile zonename
    total=$(awk 'NF && !/^[[:space:]]*#/' "$sitesfile" | wc -l)
    while read -r line
    do
        # 'set --' splits the line into $1 (URL), $2 (zonefile) and $3 (zone name);
        # this is where the $3 passed to auth_zone_reload below comes from.
        set -- $line
        [ $# -ge 3 ] || continue              # blank or incomplete line
        case "$1" in \#*) continue ;; esac    # comment line
        logger -st unbound $$ "Attempting to Download $count of $total from $1."
        curl --progress-bar "$1" > "$2"
        dos2unix "$2"
        if [ "$reload" = "reload" ] && [ -n "$(pidof unbound)" ]; then
            logger -st unbound $$ "Reload unbound for zone named $3"
            $UNBOUNCTRLCMD auth_zone_reload "$3"
        fi
        count=$((count + 1))
    done < "$sitesfile"
}
resulting in confirmation download messages in the log:
Code:
Apr 14 23:33:24 RT-AC68U unbound: 15925 Attempting to Download 1 of 1 from https://urlhaus.abuse.ch/downloads/rpz/.
Apr 14 23:33:24 RT-AC68U unbound: 15925 Reload unbound for zone named rpz.urlhaus.abuse.ch
It's late here so I will delay releasing v3.03 until tomorrow to see if there is anything you wish to investigate further with @JGrana etc.
I concur with @Martineau's statement, as the echo is only useful if outputting to a file or viewing it in the ssh terminal from a dry-run/manual-run.
Welcome To SNBForums
SNBForums is a community for anyone who wants to learn about or discuss the latest in wireless routers, network storage and the ins and outs of building and maintaining a small network.