DNS unbound issues DNS_PROBE_
-
Any combination of errors below is what I get in Chrome when browsing the internet:
ERR_CONNECTION_TIMED_OUT
DNS_PROBE_FINISHED_NXDOMAIN
DNS_PROBE_FINISHED_NO_INTERNET
DNS_PROBE_FINISHED_BAD_CONFIG
During these errors I can ping my DNS servers from the ISP and unbound (127.) just fine through the client's console (terminal for instance) but web pages still won't load. I can also ping those google servers like 10.10 and 8.8 just fine.
I also did a ping from the Diagnostics/DNS Lookup tool and for one of the tries 127.0.0.1 gave a 'NO RESPONSE' and the ISP DNS worked fine at 20ms response.
After running the DNS Lookup immediately after, the 127.0.0.1 gave a 0ms response properly.
-
What pfSense version?
Is this a clean install?
Was it working previously?
Do all clients show this behaviour?
Steve
-
@stephenw10 said in DNS unbound issues DNS_PROBE_:
What pfSense version?
Is this a clean install?
Was it working previously?
Do all clients show this behaviour?
Steve
v2.4.4-p1
Not a clean install it's been running for years now.
This issue has been ongoing in and out for a long time (1 yr +) but there was a time when it did not happen, yes. Clients - I have wired and wireless, and the wireless clients, i.e. laptops with browsers, are the main recipients of the issues. I can't really tell if a FireTV, Smart TV, appliance, etc on wifi or wired is having these issues in the background.
Although as an interesting point of information, I've been seeing degraded service on wired devices like the FireTVs ever since implementing the pfSense tutorial for DNS redirecting to unbound as seen here: https://docs.netgate.com/pfsense/en/latest/recipes/dns-redirect.html
So I can only assume this backs up the fact that it's an issue with unbound somewhere.
Also before submitting this post I tried using the DNS Lookup tool again with these addresses and got responses on 127.0.0.1 of:
CNN.com on 127.0.0.1
NO RESPONSE
1089ms
0ms
0ms
Then I did msn.com on 127.0.0.1 and got:
7389ms
27ms
NO RESPONSE
0ms
0ms
-
Hmm, well you should upgrade! 2.4.4p1 is fairly old at this point.
Are you running Unbound in resolving mode? With DNSSec enabled?
Steve
-
Yes I’m running as a resolver, not forwarder, nothing is checked for forwarding in the resolver and nothing is filled out in the general settings for that, and yes DNSSEC support is active.
I’m on the “if it ain’t broke” upgrade train but if this maybe clears something out and fixes it I may upgrade to 2.5.X?
-
@automatted said in DNS unbound issues DNS_PROBE_:
I’m on the “if it ain’t broke” upgrade train
Didn't you notice you're all alone in your train?
Ok to ask for help .... but no one here will remember what possible issues existed way back in 2018. Also, when something breaks, you are forced to install (upgrade) to a version you don't know yet, making the process more difficult for you.
And: you can't take advantage of pfSense packages, as they are only maintained for 'the latest' version.
I don't say you have to upgrade on every release, but keep following the main queue closely. If the wolves are coming, they always start chasing at the back ^^
-
@gertjan said in DNS unbound issues DNS_PROBE_:
@automatted said in DNS unbound issues DNS_PROBE_:
I’m on the “if it ain’t broke” upgrade train
Didn't you notice you're all alone in your train?
Ok to ask for help .... but no one here will remember what possible issues existed way back in 2018. Also, when something breaks, you are forced to install (upgrade) to a version you don't know yet, making the process more difficult for you.
And: you can't take advantage of pfSense packages, as they are only maintained for 'the latest' version.
I don't say you have to upgrade on every release, but keep following the main queue closely. If the wolves are coming, they always start chasing at the back ^^
Is there a downside to using the native 'upgrade' from 2.4.4 to latest 2.5.X if all goes properly and given my issues? I will do a clean install if something fails/breaks - but is a clean install of 2.5.x with a backup config reload better regardless?
-
Both should result in the same thing. A clean install removes any possibility of carrying some issue through the upgrade though.
Steve
-
So I decided to update first.
2.4.4 would not update straight to 2.5.1 or .2 so I had to update to 2.4.5 first and then switch to 2.5.2 stable, and now pfSense is running on the latest version without issue during the update process, and all packages are back in without issue too.
The problem still persisted.
After looking at my new 2.5.2 DNS Resolver logs, which are much more verbose, I saw:
Jan 1 22:08:45 unbound 40175 [40175:0] debug: cache memory msg=66072 rrset=66072 infra=551192 val=119453
Jan 1 22:08:45 unbound 40175 [40175:0] debug: close of port 46221
Jan 1 22:08:45 unbound 40175 [40175:0] debug: close fd 22
Jan 1 22:08:45 unbound 40175 [40175:0] notice: Restart of unbound 1.12.0.
Jan 1 22:08:47 unbound 40175 [40175:0] debug: duplicate acl address ignored.
Jan 1 22:08:52 unbound 40175 [40175:0] info: implicit transparent local-zone . TYPE0 IN
What I did was change my search terms on Google slightly to 'unbound restarting' and another previous post showed up here:
https://forum.netgate.com/topic/153913/solved-unbound-stops-resolving-intermittently
The solution in this article was that pfSense was restarting unbound for each new DHCP request or something like that, and when you are running pfBlockerNG like I am with LOTS of blocked URLs/IPs the unbound restart can take more time than anticipated, leading to DNS issues and timeouts.
Unchecking 'DHCP Registration' in the DNS Resolver settings just above the OVPN checkbox as mentioned in the above posting seems to have solved it for now.
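As an added example (not from this thread, and not code from pfSense or unbound), here is a small Python check for the pattern described in the last post: it reads unbound log lines in the format quoted above, pairs each "Restart of unbound" line with the next "start of service" line (the message unbound logs once it is ready again; assumed here), measures how long the resolver was down, and flags bursts of restarts in a short window. The log lines and the thresholds are constructed for the demonstration; on a real box you would feed it the DNS Resolver log from before and after unchecking DHCP Registration to confirm the restart churn is gone.

```python
import re
from datetime import datetime, timedelta

# Constructed sample log in the pfSense DNS Resolver log format quoted in the thread.
# The "start of service" line is assumed to be the message unbound logs when it is
# ready to answer again; the timings are made up to show the pattern.
SAMPLE_LOG = """\
Jan 1 22:08:45 unbound 40175 [40175:0] debug: close fd 22
Jan 1 22:08:45 unbound 40175 [40175:0] notice: Restart of unbound 1.12.0.
Jan 1 22:08:47 unbound 40175 [40175:0] debug: duplicate acl address ignored.
Jan 1 22:08:52 unbound 40175 [40175:0] info: implicit transparent local-zone . TYPE0 IN
Jan 1 22:09:03 unbound 40175 [40175:0] info: start of service (unbound 1.12.0).
Jan 1 22:11:30 unbound 40175 [40175:0] notice: Restart of unbound 1.12.0.
Jan 1 22:11:52 unbound 40175 [40175:0] info: start of service (unbound 1.12.0).
Jan 1 22:13:10 unbound 40175 [40175:0] notice: Restart of unbound 1.12.0.
Jan 1 22:13:34 unbound 40175 [40175:0] info: start of service (unbound 1.12.0).
Jan 1 23:40:00 unbound 40175 [40175:0] notice: Restart of unbound 1.12.0.
Jan 1 23:40:03 unbound 40175 [40175:0] info: start of service (unbound 1.12.0).
"""

LINE_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d{2}:\d{2}:\d{2}) unbound \d+ \[[^\]]+\] "
    r"(?P<level>\w+): (?P<msg>.*)$"
)
RESTART_MSG = "Restart of unbound"
READY_MSG = "start of service"


def parse_timestamp(ts):
    # Syslog timestamps carry no year; strptime defaults to 1900, which is fine
    # for deltas inside one log file (a year rollover would need the real year).
    return datetime.strptime(" ".join(ts.split()), "%b %d %H:%M:%S")


def parse_restarts(log_text):
    """Pair each 'Restart of unbound' with the next 'start of service' line.

    Returns a list of (restart_time, ready_time) tuples; ready_time is None
    when the resolver never reported being back in service.
    """
    events = []
    pending = None
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ts = parse_timestamp(m.group("ts"))
        msg = m.group("msg")
        if msg.startswith(RESTART_MSG):
            if pending is not None:
                events.append((pending, None))
            pending = ts
        elif msg.startswith(READY_MSG) and pending is not None:
            events.append((pending, ts))
            pending = None
    if pending is not None:
        events.append((pending, None))
    return events


def analyze(log_text, window=timedelta(minutes=10), max_restarts=2,
            max_downtime=timedelta(seconds=10)):
    """Flag slow restarts and restart churn; the thresholds are illustrative."""
    events = parse_restarts(log_text)

    def fmt(t):
        return t.strftime("%b %d %H:%M:%S")

    downtime = []
    findings = []
    for started, ready in events:
        if ready is None:
            downtime.append(None)
            findings.append(f"{fmt(started)}: restart with no 'start of service' afterwards")
            continue
        secs = int((ready - started).total_seconds())
        downtime.append(secs)
        if ready - started > max_downtime:
            findings.append(f"{fmt(started)}: resolver down for {secs}s during restart")
    # Restart churn: more than max_restarts restarts inside one sliding window.
    times = [s for s, _ in events]
    for i, t0 in enumerate(times):
        n = sum(1 for t in times[i:] if t - t0 <= window)
        if n > max_restarts:
            findings.append(
                f"{fmt(t0)}: {n} restarts within {int(window.total_seconds() // 60)} min "
                "(check DHCP Registration in the DNS Resolver settings)")
            break
    return {"restarts": len(events), "downtime_seconds": downtime, "findings": findings}


if __name__ == "__main__":
    for finding in analyze(SAMPLE_LOG)["findings"]:
        print(finding)
```

With the sample log the script reports three restarts that each left the resolver down for 18 to 24 seconds and three restarts inside a ten-minute window, which is the combination the thread attributes to DHCP registration plus a large pfBlockerNG configuration; the lone 3-second restart at 23:40 passes the downtime threshold and is left alone.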