21.02.02 on SG-5100 - Every Reboot Requires Restart of DNS Resolver
-
One of the fixes in 21.05 was to revert Unbound to an older version due to "instability." (Presumably there will be another 2.x release shortly...)
-
There is no change or improvement for me with 21.05. I must still restart unbound after reboot.
Peter
-
@steveits said in 21.02.02 on SG-5100 - Every Reboot Requires Restart of DNS Resolver:
One of the fixes in 21.05 was to revert Unbound to an older version due to "instability." (Presumably there will be another 2.x release shortly...)
I have noticed a huge improvement with unbound after upgrading to 21.05. I was getting recurring errors in my unbound logs that no longer appear. I also have noticed my overall disk usage is way down with the same packages and configuration with 21.05. I had the feeling there was something up with the previous version (was it 21.02?) that was filling logs much faster and it seemed to all be related to DNS Resolver and DHCP Static maps. My steady state disk usage went from 94% to 64% and there is no apparent disk usage growth with 21.05. Although I did have a serious problem initially with 21.05. It somehow got to the point it was reporting 105% disk usage. I did a factor reset, installed the same packages and loaded my config and it has been solid since. Again, it all felt like it was DNS Resolver and DHCP Static map related, but I don't have proof of that.
-
@plfinch said in 21.02.02 on SG-5100 - Every Reboot Requires Restart of DNS Resolver:
There is no change or improvement for me with 21.05. I must still restart unbound after reboot.
Peter
Same with 21.05.1. I must still restart unbound after reboot.
Peter
-
@plfinch The closest I've come to that is that unbound usually stops during pfBlocker package installation, which is a known issue. What kind of WAN connection do you have? Seems like there has to be something specific to your setup that's different.
I think the only change in 21.05.1 for non-3100 hardware is the captive portal fix, at least per the readme.
-
I'm pretty sure this started with the move to 21.02 and has continued with all updates since. It is quite annoying, obviously, since manual action is required after every reboot.
WAN is 500Mb Xfinity cable via an Arris SB8200.
Packages are:
apcupsd
arpwatch
bandwidthd
darkstat
I did verify the problem still exists with arpwatch removed, but not the others.
This firewall (SG-5100) is overkill for the traffic and config I have and typically loafs at 1-2% CPU.
Peter
-
I finally updated my spare firewall, an SG-2440, directly from 2.4.5_1 to 21.05.1. No issues with upgrade and the DNS Resolver works fine immediately following a reboot. This firewall has the exact same packages and configuration settings as my SG-5100. I still think this is a race condition in startup between when the LAN comes up and when the DNS Resolver comes up that leaves the DNS Resolver not answering queries from the LAN. Not sure where to go from here. Maybe a complete re-install and see what happens...
-
I've got an SG3100 with 21.05.1-RELEASE and also have to manually restart unbound whenever I reboot the router, power goes out, etc. I have everything set to factory defaults.
None of my other non-pfSense routers require any touch labor when power cycled. Why would this behavior make it to a released version of pfSense running on Netgate-developed and -tested hardware for one release, let alone several?
This needs to get fixed. Installing a cron plugin to restart the unbound server after boot up is a hack.
-
I'm just a user, offering opinions and observations, not connected to Netgate/pfSense, so take it for what it's worth.
So what is the biggest difference when you restart by hand? All the interfaces are up.
As @Gertjan points out setting the interfaces to ALL puts a listening socket everywhere.
Why does that matter? Well, if an interface isn't up when unbound starts, eventually when it does, unbound will be listening there. If everyone having trouble has not selected all, but specifically LAN (as in only service requests coming in on LAN), maybe the unbound rc script needs to somehow wait for LAN to be up. As a simple test, try selecting ALL and doing the reboot and see if it works. It would be a workaround, cleaner than a cron job and something you could easily mark as "fix the config when the issue gets fixed".
As for unbound listening on all interfaces, don't forget that WAN has a default deny in rule: even with the listen socket on WAN:53, an inbound request should be dropped because of default deny. That inbound request is not tied to anything outbound so there is no state and it should be dropped.
Yes, I know, good security says "don't have any open ports where you don't need them" but in this case at least the door may be shut, just not locked.
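The "listen on ALL" point and the cron-restart workaround discussed in this thread, as an added example that is not part of the thread or of pfSense: a post-boot check that only restarts unbound when it holds no listening socket reachable from LAN (bound to the LAN address or to the wildcard), instead of restarting blindly. The LAN address, the sockstat sample lines and the pfSsh.php restart command are assumptions.

```shell
#!/bin/sh
# Added example, not code from the thread or from pfSense itself.
# Decides from `sockstat -4 -l`-style output whether unbound holds a
# listening socket that LAN clients can reach: either bound to the LAN
# address itself or to the wildcard (*:53, the "ALL interfaces" setting).
# LAN_ADDR and the sample sockstat lines below are constructed.

LAN_ADDR="192.168.1.1"

# Constructed sample 1: resolver bound only to the LAN address.
SAMPLE_LAN_ONLY='USER     COMMAND    PID   FD PROTO  LOCAL ADDRESS         FOREIGN ADDRESS
unbound  unbound    1234  5  udp4   192.168.1.1:53        *:*
unbound  unbound    1234  6  tcp4   192.168.1.1:53        *:*
root     sshd       800   4  tcp4   *:22                  *:*'

# Constructed sample 2: resolver started with "ALL" interfaces selected,
# so it listens on the wildcard and picks up interfaces that come up later.
SAMPLE_ALL='USER     COMMAND    PID   FD PROTO  LOCAL ADDRESS         FOREIGN ADDRESS
unbound  unbound    1234  5  udp4   *:53                  *:*
unbound  unbound    1234  6  tcp4   *:53                  *:*'

# Reads sockstat lines on stdin; prints "yes" if unbound listens on $1:53
# or on *:53, otherwise "no".
unbound_listens_on() {
    awk -v want="$1" '
        BEGIN { target = want ":53" }
        $2 == "unbound" && ($6 == target || $6 == "*:53") { found = 1 }
        END { print (found ? "yes" : "no") }'
}

# Live post-boot check for a pfSense box (assumed paths; run it from the
# Cron package a minute or two after boot). The restart command is the
# pfSsh.php "svc" playback; treat it as an assumption and confirm it
# exists on your version before relying on it.
repair_resolver_if_deaf() {
    if [ "$(sockstat -4 -l | unbound_listens_on "$LAN_ADDR")" = "no" ]; then
        echo "unbound has no LAN listener; restarting" | logger -t unbound-check
        /usr/local/sbin/pfSsh.php playback svc restart unbound
    fi
}

# Offline demonstration on the constructed samples.
printf '%s\n' "$SAMPLE_LAN_ONLY" | unbound_listens_on "$LAN_ADDR"   # yes
printf '%s\n' "$SAMPLE_LAN_ONLY" | unbound_listens_on 10.0.0.1       # no
printf '%s\n' "$SAMPLE_ALL"      | unbound_listens_on 10.0.0.1       # yes
```

Because the check logs why it restarted, the logger entries also tell you after the fact whether the race actually occurred on a given boot.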
-
I have the SG-2220 and do not have this issue. I know this doesn't help a whole lot but someone suggested it could be hardware specific. I hadn't used my SG-2220 for about two years due to divorce and just recently got it going again which is what led me here. I did have this problem and when I did an update when it came out I still had some troubles but not this trouble. I did a factory reset twice and for whatever reason the second reset is what made everything happy. I started with all new settings and didn't restore a thing. I know this doesn't necessarily help a whole lot, but I wanted to offer additional relevant info. It isn't failing on my Netgate SG-2220. What can you do with that? I don't know exactly, but I don't think it is just the software. It might be hardware specific race conditions as another user noted.