• Domain overrides frequently returning NXDomain

    0 Votes
    3 Posts
    394 Views

    Yes, it is unbound. The pfsense acts as a resolver for the LAN, and should forward requests from the domain override to the remote server.

    I don't think unbound was restarting. The option that makes DHCP lease store client names in the resolver has been disabled a long time ago.

  • Devices missing from list of DHCP leases

    0 Votes
    3 Posts
    430 Views

    @johnpoz Thanks for the quick response, which solved my issue. ☺

  • Using pfSense in a Domain environment - wrt DNS

    0 Votes
    2 Posts
    123 Views
    kiokoman

    They can be the result of an expired session, expired key, connectivity hiccup, lost packets, etc.
    Maybe changing Firewall Optimization Options to conservative could help.
    But I also found this thread that may be of help:
    https://forum.netgate.com/topic/130757/intermittent-err_ssl_protocol_error/
    where Steve suggested:
    "When you see those errors it's almost always because the clients are using a different DNS server than Squid is.

    https://www.netgate.com/docs/pfsense/cache-proxy/squid-troubleshooting.html#sites-not-loading-with-splice-error-409-in-access-log"

  • is it possible to get local dns to work even with a VPN?

    0 Votes
    3 Posts
    170 Views

    Ah ok, I'll try that. Thank you.

  • setting up static ip for ports in bridge

    0 Votes
    6 Posts
    497 Views
    JKnott

    @oriagranat9

    Well, I doubt you'll ever find a switch that has an address for each port. I don't see why pfSense should be any different. Here's what the docs say:

    Only one interface on a bridge should have an IP address! Do not add multiple IP addresses in the same subnet on different bridge member interfaces. Other interfaces on the bridge should remain with an IP type of None.

  • DNS Resolver not resolving one specific host

    0 Votes
    5 Posts
    288 Views
    maverickws

    Well, I will open a ticket. I have a paid service with that provider and I do use the SOCKS5 proxy. Recently I came across this: there are a couple of applications that are supposed to use it, and I noticed that the machine where the apps were sitting had Cloudflare's DNS on the fixed DHCP lease (because of a previous issue a few months back that got sorted, but that config was forgotten). Since we removed CF's DNS from the lease.... the logs started firing that it couldn't be resolved.

    I completely agree with you regarding RFC 1918's use in public space. Let's see what they say about it. Cheers

  • Unbound regularly crashing, need help creating a service watchdog.

    0 Votes
    6 Posts
    808 Views
    Gertjan

    @gawainxx said in Unbound regularly crashing, need help creating a service watchdog.:

    there is a very distinct error message whenever it does fail

    This one

    fatal error: Could not read config file: /unbound.conf. Maybe try unbound -dd, it stays on the commandline to see more errors, or unbound-checkconf

    That's a message when it fails to start.
    At that moment it had already stopped. Most probably some event provoked an unbound restart to take a hardware event into account (a NIC came up or down, some route changed == VPN activated, or whatever).
    What you need to look for is just before that moment: when it is instructed to stop, or for that matter: how/why it stops.
    Other logs will mention info about other processes.

    This is what is shown when unbound stops:

    Dec 9 12:09:10 unbound 38919:0 info: service stopped (unbound 1.9.1).

    Right after that, a boatload of statistics is dumped to the log (reverse order here):

    Dec 9 12:09:10 unbound 38919:0 info: 32.000000 64.000000 5
    Dec 9 12:09:10 unbound 38919:0 info: 1.000000 2.000000 8
    Dec 9 12:09:10 unbound 38919:0 info: 0.524288 1.000000 3
    Dec 9 12:09:10 unbound 38919:0 info: 0.262144 0.524288 8
    Dec 9 12:09:10 unbound 38919:0 info: 0.131072 0.262144 4
    .......
    Dec 9 12:09:10 unbound 38919:0 info: histogram of recursion processing times
    Dec 9 12:09:10 unbound 38919:0 info: average recursion processing time 18.671069 sec
    Dec 9 12:09:10 unbound 38919:0 info: server stats for thread 0: requestlist max 26 avg 12.4819 exceeded 0 jostled 0
    Dec 9 12:09:10 unbound 38919:0 info: server stats for thread 0: 103 queries, 20 answers from cache, 83 recursions, 0 prefetch, 0 rejected by ip ratelimiting

    Then the restart is shown:

    Dec 9 12:09:14 unbound 41526:0 info: start of service (unbound 1.9.1). .....

    Right after that moment, your error log line should pop up.

    Btw:
    Consider

    fatal error: Could not read config file: /unbound.conf. Maybe try unbound -dd, it stays on the commandline to see more errors, or unbound-checkconf

    Why not do what unbound proposes?

    First, I shut down unbound with the GUI.
    Click on the Stop button.

    Then in the console/ssh (option 8) access:

    I 'cd' to the unbound working directory:

    [2.4.4-RELEASE][admin@pfsense.brit-hotel-fumel.net]cd /var/unbound

    I use 'unbound-checkconf' to check my config:

    [2.4.4-RELEASE][admin@pfsense.brit-hotel-fumel.net]/var/unbound: unbound-checkconf
    unbound-checkconf: no errors in /usr/local/etc/unbound/unbound.conf

    Then I start unbound in debugging mode:

    [2.4.4-RELEASE][admin@pfsense.brit-hotel-fumel.net]/var/unbound: unbound -dd
    [1576165229] unbound[94442:0] notice: init module 0: validator
    [1576165229] unbound[94442:0] notice: init module 1: iterator
    [1576165229] unbound[94442:0] info: start of service (unbound 1.9.1).
    ....

    Type Ctrl-C to stop unbound gracefully.

    I guess you will see the same lines, because the problem isn't unbound, nor the stopping.
    It's when unbound gets restarted by pfSense: the unbound process isn't started like that. First, the working environment is set up:
    The chroot dir (/var/unbound) is created.
    Needed files like the unbound.conf file are copied in place.
    Other sub folders and files are created / put in place.
    And some more things are done.

    Somewhere in the creation of that 'environment' a failure happens. The result will be: unbound gets started and can't find its config file (see error). As I said before: a file system error?
    At that moment, don't do anything but log in via ssh and check if the folder /var/unbound exists.
    Check if the file in that folder called unbound.conf exists.
    Run the command 'top' at that moment: is memory full?
    Run the 'df' command: the first line will show the primary partition: not full?
    This could even be related to the reason why unbound was stopped: was there an OOM failure?

    Another radical solution could be:
    Take a copy of the config.
    Then: remove all packages.
    Then: console / ssh access: reset to default (option 4).
    Then: set up WAN access, if needed. If you really have to, change the LAN network.
    Then: ... no, no more then; stop here: pfSense works.

    Now, test ... and wait .... the longer the better.
    Does it happen again: you're good for a hardware issue.
    No more issues after a week or so: redo, do not import your config backup .... redo all your settings, step by step (wait a day or so between each step), re-install all packages ... slowly. As soon as the error comes back, you will know where to look now.

    edit:

    The error has already been discussed in this forum:
    https://forum.netgate.com/topic/111784/solved-unbound-fails-on-restart-after-pfblockerng-updates

    Two issues were found: unbound needs a lot of time to stop when pfBlockerNG is also present, and it was restarted too quickly. The poster also included files outside of the chroot .... that will fail also.
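
    The pre-flight checks listed in the post above (does the chroot directory exist, is unbound.conf in it, does unbound-checkconf accept it, is the partition full, do all include: lines point inside the chroot) collected into one POSIX shell function, as an added example that is neither code from this thread nor part of pfSense. It assumes the pfSense 2.4.x layout in which the Resolver chroot is /var/unbound and the generated config is /var/unbound/unbound.conf; the function name, the 95% disk threshold and the sample configs used in the usage are arbitrary choices for the example.

```shell
#!/bin/sh
# Added example, not from the forum thread or from pfSense: pre-flight check of the
# unbound chroot that pfSense builds before (re)starting the Resolver.
# Assumptions: pfSense 2.4.x layout (chroot /var/unbound, config /var/unbound/unbound.conf);
# the 95% disk threshold and the function name are arbitrary choices for this example.

# check_unbound_env CHROOT_DIR
# Prints one FAIL line per problem found; returns the number of problems (0 = looks sane).
check_unbound_env() {
    chroot_dir="$1"
    failures=0

    # 1. The chroot directory itself (pfSense recreates it at restart).
    if [ ! -d "$chroot_dir" ]; then
        echo "FAIL: chroot directory $chroot_dir does not exist"
        return 1
    fi

    # 2. The generated config must be present and non-empty: an absent file is exactly
    #    what produces "Could not read config file: /unbound.conf" after the chroot.
    conf="$chroot_dir/unbound.conf"
    if [ ! -s "$conf" ]; then
        echo "FAIL: $conf missing or empty"
        return 1
    fi

    # 3. Every include: must resolve inside the chroot. Once unbound has chrooted it
    #    cannot read /usr/local/... or any other path outside $chroot_dir.
    for inc in $(sed -n 's/^[[:space:]]*include:[[:space:]]*"\{0,1\}\([^"[:space:]]*\)"\{0,1\}.*/\1/p' "$conf"); do
        case "$inc" in
            "$chroot_dir"/*) target="$inc" ;;            # absolute path inside the chroot
            /*)  echo "FAIL: include $inc lies outside the chroot $chroot_dir"
                 failures=$((failures + 1)); continue ;;
            *)   target="$chroot_dir/$inc" ;;            # relative path, resolved in the chroot
        esac
        if [ ! -r "$target" ]; then
            echo "FAIL: included file $target is not readable"
            failures=$((failures + 1))
        fi
    done

    # 4. The syntax check unbound itself suggests in the fatal error, when the tool is installed.
    if command -v unbound-checkconf >/dev/null 2>&1; then
        if ! unbound-checkconf "$conf" >/dev/null 2>&1; then
            echo "FAIL: unbound-checkconf rejected $conf"
            failures=$((failures + 1))
        fi
    fi

    # 5. Free space on the filesystem holding the chroot; a full partition breaks the
    #    file copies pfSense does at restart.
    used_pct=$(df -P "$chroot_dir" 2>/dev/null | awk 'NR == 2 { sub("%", "", $5); print $5 }')
    case "$used_pct" in
        ''|*[!0-9]*) ;;                                   # df gave nothing usable, skip
        *) if [ "$used_pct" -ge 95 ]; then
               echo "FAIL: filesystem holding $chroot_dir is ${used_pct}% full"
               failures=$((failures + 1))
           fi ;;
    esac

    return "$failures"
}
```

    On a pfSense box, run `check_unbound_env /var/unbound` from the SSH shell right after the "service stopped" line appears in the log, or from a cron job that only restarts the Resolver when the function returns 0; on any other machine it can be pointed at a copy of the chroot.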

  • rule based on domain

    0 Votes
    1 Posts
    125 Views
    No one has replied
  • Unbound failure after power failure - how to prevent? [solved enough]

    0 Votes
    7 Posts
    844 Views
    JKnott

    @Gertjan said in Unbound failure after power failure - how to prevent? [solved enough]:

    try it out for yourself: take an ordinary Windows PC and rip out the wall power plug, and restart your PC.
    I'll bet you have major boot problems within 10 tries.
    So, please, just believe me, and do not try this at home.

    Several years ago, I worked at IBM. One day I got a call from someone whose computer wouldn't boot. Her disk was full of garbage. It turned out at the end of the day she'd just turn off the power bar, instead of doing a proper shut down.

  • CVE-2019-18934

    0 Votes
    2 Posts
    244 Views
    NogBadTheBad

    Did you use the search function?

    https://forum.netgate.com/topic/148237/unbound-dns-resolver-vulnerability-in-ipsec-module

  • 0 Votes
    5 Posts
    509 Views

    @johnpoz

    By the way, your spam protection sucks. It didn't allow me to paste the contents of the custom options in code for some reason; here is that screen shot.

    You guys might get that fixed.

  • Option 150

    0 Votes
    5 Posts
    1k Views

    @johnpoz

    Crud -- I wasn't thinking. I didn't double click the reply packet in Wireshark. The DHCP server is sending both option 66 and option 150 with the correct TFTP server information, so pfsense is doing what it needs to do. I'll reach out on the Cisco forums and see if I can get some assistance on why the phone may not be trying to contact the tftp server.

    Thank you for your assistance!

  • VLAN Networks unable to resolve DNS queries. LAN Network works fine? This has me stumped

    0 Votes
    4 Posts
    680 Views
    Gertjan

    @CAExempt said in VLAN Networks unable to resolve DNS queries. LAN Network works fine? This has me stumped:

    Absolutely zero DNS resolution on any VLAN network

    Probably because absolutely one (1) firewall rule is present on these VLAN interfaces: the default hidden "Block all" rule, which does its job.
    Note: DHCP passes, it's also a hidden "pass" rule.

  • Domain Override - Driving me crazy

    0 Votes
    8 Posts
    904 Views

    @johnpoz said in Domain Override - Driving me crazy:

    If you're going to do a domain override and it's going to return an RFC 1918 address, you need to disable rebind for that domain, i.e. you have to set it as a private domain in the unbound options box. Or you have to completely disable rebind protection.

    https://docs.netgate.com/pfsense/en/latest/dns/dns-rebinding-protections.html

    Exactly how you do it for Plex.

    edit: Ah, looks like he has that set, but he's using .local as the TLD; that is going to be problematic for sure. Horrible choice for the TLD of your own domain.

    He could have a problem with his NS answering the remote IP, etc. He needs to validate by doing a direct query to the name server from his client, to confirm it actually will return an answer.

    I was experimenting with this to see why a domain override was always working for me to resolve private addresses when I had the global option disabled in Advanced and did not have a custom option set for the domain.

    I found out, by looking at /var/unbound/unbound.conf, that unbound automatically adds each domain forward you enter in the # DNS Rebinding section with a private-domain. I guess it presumes those DNS servers you forward to are authentic. If I edit the file and restart unbound, it seems to keep re-adding it.

    Therefore there is no need to have a custom option set if you have the domain forward listed.
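
    The check the two posts above describe, done against the generated config rather than by eye, as an added example that is not code from this thread or from pfSense: it lists every forward-zone (domain override) in an unbound.conf and reports which ones have no matching private-domain entry, which is the case where RFC 1918 answers from that override are refused by rebinding protection. It assumes the pfSense-style layout (name: as the first line of each forward-zone: block, one name per private-domain: line) and treats a config with no private-address: lines as having rebinding protection disabled globally; the function name and the sample config in the usage are arbitrary choices.

```shell
#!/bin/sh
# Added example, not from the forum thread or from pfSense: cross-check the domain
# overrides (forward-zone: blocks) in an unbound.conf against the private-domain:
# entries that exempt a name from DNS rebinding protection.
# Assumption: pfSense-style layout, i.e. "name:" is the first line of each
# forward-zone: block and each private-domain: line carries one quoted or bare name.

# check_override_rebind CONF
# Prints "OK <zone>" or "MISSING <zone>" per forward-zone; returns the number of MISSING zones.
check_override_rebind() {
    conf="$1"
    missing=0

    # No private-address: lines means rebinding protection is off (the global
    # "Disable DNS Rebinding Checks" case); there is nothing to strip, so nothing to check.
    if ! grep -q '^[[:space:]]*private-address:' "$conf"; then
        echo "rebinding protection not configured in $conf (no private-address lines)"
        return 0
    fi

    # Zone name of every forward-zone: block, lowercased, trailing dot removed.
    zones=$(awk '
        /^[[:space:]]*forward-zone:/ { inzone = 1; next }
        inzone && /^[[:space:]]*name:/ { v = $2; gsub(/"/, "", v); sub(/\.$/, "", v); print tolower(v); inzone = 0 }
    ' "$conf")

    # Names exempted from rebinding protection.
    privs=$(awk '
        /^[[:space:]]*private-domain:/ { v = $2; gsub(/"/, "", v); sub(/\.$/, "", v); print tolower(v) }
    ' "$conf")

    for z in $zones; do
        covered=0
        for p in $privs; do
            # A private-domain entry covers the name itself and every name below it.
            case "$z" in
                "$p"|*."$p") covered=1 ;;
            esac
        done
        if [ "$covered" -eq 1 ]; then
            echo "OK      $z"
        else
            echo "MISSING $z  (RFC 1918 answers from this override are refused by rebinding protection)"
            missing=$((missing + 1))
        fi
    done
    return "$missing"
}
```

    Run it as `check_override_rebind /var/unbound/unbound.conf` on the firewall after changing overrides or the Custom Options box; a MISSING line is the override to test with a direct query (`dig @<override-server> <name>` from the client, then the same name against pfSense) to see whether the answer is the upstream's or a rebinding refusal.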

  • Unbound occasionally crashing?

    0 Votes
    1 Posts
    119 Views
    No one has replied
  • 0 Votes
    3 Posts
    518 Views
    Derelict

    https://forum.netgate.com/post/878680

  • How to set DNS forward by condition in DNS resolver

    0 Votes
    3 Posts
    145 Views

    I need to use forwarding because the IP of the requested domain can change. Yes, I am using the DNS of pfSense.

  • Resolver Domain Override and Policy Routing DNS Requests

    0 Votes
    4 Posts
    159 Views
    johnpoz

    If pfSense is set to use default routing, i.e. you didn't set a gateway via policy routing on the rule, and there is a route for a specific destination network to use a specific gateway, then yes, it would use that. More specific routes are always used over a default route.

  • Randomized MAC Address?

    0 Votes
    2 Posts
    585 Views
    JKnott

    @TAC57

    Use Packet Capture to see what's actually in the frame. You'll then have to download the capture to view in Wireshark, to see the MAC addresses.

  • Caching with DNS Resolver, forwarding mode enabled

    0 Votes
    1 Posts
    162 Views
    No one has replied
Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.