Like this ? ?

You have to indicate the unbound.conf being used :

unbound-control -c /var/unbound/unbound.conf dump_cache

This is something that should be used in the pfSense core glue unbound code.
Maybe it is / isn't, I didn't look.

@Gertjan said in Intermittent connection issue:

@kevindd992002 said in Intermittent connection issue:

Are you saying ISP themselves just forward to Google for example?

Well. Yes.
I don't know what they do, as they don't tell me, and I did not asked them.
But what would you do, being an ISP - and you have to pay the POP's ?
Resolve ? Or use Google DNS and billing them with thousands every month ? or not paying that POP thousands a month ?

Again, you should be able to 'contact' the main 13 first core DNS servers. If not, something is very wrong.

I am able to contact the root hints servers but they're randonly dropping traffic, as if they're traffic shaping or something. Oh well, I'm still making them have a hard time about this.

@jimp , it's not work if you have more than one networks (vlan)
i have Guest and i have Main (and more others) Wi-Fi SSID (VLAN)
if i make static IP with blank IP and description and connect after that to other network, i got IP from other range DHCP, so description with static IP stay on other DHPC leease (vlan) and in new i don get description....

i have number of phones and more devices for teting purpose moved from one vlan to other....

So you're say it's just dying ?

Go to console ssh option 8 and type :

ps ax | grep unbound .... 68283 - Ss 0:23.59 /usr/local/sbin/unbound -c /var/unbound/unbound.conf ...

I understand the hosts file is on the client machine, which is exactly what I want.

@jeecee said in Clients unable to resolve specific site - query response was THROWAWAY:

The way I understand it: DNSSEC provides a secured path between client (unbound) and its upstream (root / forwarder).

No that is not what dnssec does... Not even close, maybe your thinking of dnscrypt?

https://www.icann.org/resources/pages/dnssec-what-is-it-why-important-2019-03-05-en

Here is the main take away "DNS data itself is signed by the owner of the data."

Here is a post where I have shown why you don't need to set dnssec if your forwarding.. I have gone over it many times actually..
https://forum.netgate.com/post/867353

That whole thread is a discussion on the subject ;)

What is handling DHCP, or are the clients static? If DHCP, it should be running on the DC, not PFSense, and option 006, DNS Servers, should have your DC as the DNS server. Also configure the router role for the default gateway setting as the PFSense box- (003 Router), and also should configure 015 DNS domain name, for your domain name. This info will then be handed out as part of the DHCP to clients. The clients should NOT be pointing to internet or PFSense for DNS. Point the clients DNS to your DC directly and have the DC resolve the internal IPs that way. If your clients are static and there is no DHCP, set them with your DC as the DNS, and PFSense as the gateway. As far as the PFSense DNS goes, set your Internet DNS servers there, not your internal DNS. Set your DC's DNS to forward to PFSense. End result- clients go to your DC to resolve DNS. Your DC resolves internal IPs. Anything it can't handle, it forwards to PFSense. PFSense uses the internet DNS servers you configured in General Setup, to resolve those external IPs, and hand them back to your DC which then sends them to its clients.

@kiokoman said in DNS not resolving:

ahh regitrar are like mafia, most of them ask money to add ...

Not mafia. They are members of the free world. Any one can ask money for their services.
Maybe you a have registrar with real people that actuality answer the phone and think with you ^^ That's worth some €.

Most registrars have a web interface to 'admin' your domain yourself. Or an API, or a web interface that uses their own API to update the registrar manipulations. No need to call them for that (and if you tried, you would be waiting for them, they have to answer the guy that bought a domain name before yesterday, uploaded a site yesterday and wanted to know why his site isn't listed rank 1 Google today).

I do rotate my KSK's manually every xx months using my registrars web interface because it's somewhat time critical over a several weeks period. ZSK can be done on the DNS server itself - I'm not using my domain registrar facilities. "bind" has been made to that just fine.
Here you have an out-phasing ZSK on one of my domains : "39459"' : ZSK's are easy to handle.
KSK's, on the other hand, ask for some concentration. An error WILL blow you site of the Internet and a "restart service" will not bring it back.

Btw : sorry - went out of subject .... which was
"/var/unbound/root.key" using PPPoE (using SG1100 ?) (using non-public pfSEnse firmware ?) refuses to refresh.

First, thank you @kiokoman for the link.

When I tried to edit a file, I discovered that pfBlocker caused my /var to fill up.

Since unbound creates a /var/unbound/test and writes tmp files to it, it could not.

Interesting side effect, before it does, it appears that it zero's out the /var/unbound/root.key BEFORE recreating all the necessary files in /var/unbound/test first.

So if /var is full, it appears to break unbound.

I see several issues like:
https://redmine.pfsense.org/issues/8287
https://redmine.pfsense.org/issues/6442

One is not reproducible and the other is labeled not a bug.

Fill up /var as a test to reproduce.

I would think on memory constrained devices (like Arm based pfSense hardware) you would want to check free space before writing temp/test files but maybe that's not considered a bug.... but removing the root.key (the file ends up zero length) and not being able to restart unbound after freeing up space in /var seems like a bug to me... ?

Use dot.. Good luck using doh with something like unbound since doh needs to use the fqdn to access, etc.

@andrewK said in Appliance not ping-able via routing when DHCP made static.:

3's look like 1's, right?

hehehee - if you said 3 could look 8's I might agree ;) Or 1 like 7's

Glad you got it sorted..

I found another thread with a solution. Aparently its a bug when you have CODEL limiters on to fix bufferbloat.

I created a floating firewall rule for IPV4 and IPV6 ICMP all, any direction, and apply immediately.

Credit, this thread : https://forum.netgate.com/topic/142274/traceroute-not-working-from-lan-to-any-internet-destination

@Thisisme I don't have vlans but I also never used the hostname of pfSense...

@Stewart said in Tough time with Unbound:

/usr/local/sbin/unbound -c /var/unbound/unbound.conf

Removed pfBlockerNG-devel and rebooted but that didn't help. Still the same errors. Went into services and restarted unbound and it started working. Rebooted and it's working. This is the first time I haven't seen error messages. Maybe some setting in pfBlockerNG-devel?