Netgate Discussion Forum

DNS unbound issues DNS_PROBE_

General pfSense Questions
  • A
    automatted
    last edited by automatted Dec 27, 2021, 4:19 PM Dec 27, 2021, 4:17 PM

    Any combination of errors below is what I get in Chrome when browsing the internet:

    ERR_CONNECTION_TIMED_OUT

    DNS_PROBE_FINISHED_NXDOMAIN

    DNS_PROBE_FINISHED_NO_INTERNET

    DNS_PROBE_FINISHED_BAD_CONFIG

    During these errors I can ping my DNS servers from the ISP and unbound (127.) just fine through the client's console (terminal for instance) but web pages still won't load. I can also ping those Google servers like 10.10 and 8.8 just fine.

    I also did a ping from the Diagnostics/DNS Lookup tool and for one of the tries 127.0.0.1 gave a 'NO RESPONSE' and the ISP DNS worked fine at 20ms response.

    After running the DNS Lookup immediately after, the 127.0.0.1 gave a 0ms response properly.

    1 Reply Last reply Reply Quote 0
    • S
      stephenw10 Netgate Administrator
      last edited by Dec 27, 2021, 6:37 PM

      What pfSense version?

      Is this a clean install?

      Was it working previously?

      Do all clients show this behaviour?

      Steve

      A 1 Reply Last reply Dec 27, 2021, 8:49 PM Reply Quote 0
      • A
        automatted @stephenw10
        last edited by automatted Dec 27, 2021, 8:51 PM Dec 27, 2021, 8:49 PM

        @stephenw10 said in DNS unbound issues DNS_PROBE_:

        What pfSense version?

        Is this a clean install?

        Was it working previously?

        Do all clients show this behaviour?

        Steve

        v2.4.4-p1
        Not a clean install it's been running for years now.
        This issue has been ongoing in and out for a long time (1 yr +) but there was a time when it did not happen, yes.

        Clients - I have wired and wireless, and the wireless clients, i.e. laptops with browsers, are the main recipients of the issues. I can't really tell if a FireTV, Smart TV, appliance, etc. on wifi or wired is having these issues in the background.

        Although as an interesting point of information, I've been seeing degraded service on wired devices like the FireTVs ever since implementing the pfSense tutorial for DNS redirecting to unbound as seen here: https://docs.netgate.com/pfsense/en/latest/recipes/dns-redirect.html

        So I can only assume this backs up the fact that it's an issue with unbound somewhere.

        Also before submitting this post I tried using the DNS Lookup tool against these addresses and got responses on 127.0.0.1 of:

        CNN.com on 127.0.0.1
        NO RESPONSE
        1089ms
        0ms
        0ms

        Then I did msn.com on 127.0.0.1 and got:
        7389ms
        27ms
        NO RESPONSE
        0ms
        0ms

        1 Reply Last reply Reply Quote 0
        • S
          stephenw10 Netgate Administrator
          last edited by Dec 28, 2021, 1:42 AM

          Hmm, well you should upgrade! 2.4.4p1 is fairly old at this point.

          Are you running Unbound in resolving mode? With DNSSec enabled?

          Steve

          A 1 Reply Last reply Dec 28, 2021, 2:01 AM Reply Quote 0
          • A
            automatted @stephenw10
            last edited by Dec 28, 2021, 2:01 AM

            @stephenw10

            Yes I’m running as a resolver not forwarder, nothing is checked for forwarding in the resolver and nothing is filled out in the general settings for that and yes DNSsec support is active.

            I’m on the “if it ain’t broke” upgrade train but if this maybe clears something out and fixes it I may upgrade to 2.5.X?

            G 1 Reply Last reply Dec 28, 2021, 9:20 AM Reply Quote 0
            • G
              Gertjan @automatted
              last edited by Gertjan Dec 28, 2021, 9:20 AM Dec 28, 2021, 9:20 AM

              @automatted said in DNS unbound issues DNS_PROBE_:

              I’m on the “if it ain’t broke” upgrade train

              Didn't you notice you're all alone in your train ?
              Ok to ask for help .... but no one here will remember what possible issues existed way back in 2018.

              Also, when something breaks, you are forced to install (upgrade) to a version you don't know yet, making the process more difficult for you.

              And : you can't take advantage of pfSense packages, as they are only maintained for 'the latest' version.

              I don't say you have to upgrade on every release, but keep following the main queue closely. If the wolves are coming, they always start chasing at the back ^^

              No "help me" PM's please. Use the forum, the community will thank you.
              Edit : and where are the logs ??

              A 1 Reply Last reply Dec 28, 2021, 1:44 PM Reply Quote 0
              • A
                automatted @Gertjan
                last edited by Dec 28, 2021, 1:44 PM

                @gertjan said in DNS unbound issues DNS_PROBE_:

                @automatted said in DNS unbound issues DNS_PROBE_:

                I’m on the “if it ain’t broke” upgrade train

                Didn't you notice you're all alone in your train ?
                Ok to ask for help .... but no one here will remember what possible issues existed way back in 2018.

                Also, when something breaks, you are forced to install (upgrade) to a version you don't know yet, making the process more difficult for you.

                And : you can't take advantage of pfSense packages, as they are only maintained for 'the latest' version.

                I don't say you have to upgrade on every release, but keep following the main queue closely. If the wolves are coming, they always start chasing at the back ^^

                Is there a downside to using the native 'upgrade' from 2.4.4 to latest 2.5.X if all goes properly and given my issues? I will do a clean install if something fails/breaks - but is a clean install of 2.5.x with a backup config reload better regardless?

                1 Reply Last reply Reply Quote 0
                • S
                  stephenw10 Netgate Administrator
                  last edited by Dec 28, 2021, 1:47 PM

                  Both should result in the same thing. A clean install removes any possibility of carrying some issue through the upgrade though.

                  Steve

                  1 Reply Last reply Reply Quote 1
                  • A
                    automatted
                    last edited by Jan 2, 2022, 3:56 PM

                    So I decided to update first.

                    2.4.4 would not update straight to 2.5.1 or .2 so I had to update to 2.4.5 first and then switch to 2.5.2 stable, and now pfSense is running on the latest version without issue during the update process - and all packages are back in without issue, either.

                    The problem still persisted.

                    After looking at my new 2.5.2 DNS Resolver logs, which are much more verbose, I saw:

                    Jan 1 22:08:45	unbound	40175	[40175:0] debug: cache memory msg=66072 rrset=66072 infra=551192 val=119453
                    Jan 1 22:08:45	unbound	40175	[40175:0] debug: close of port 46221
                    Jan 1 22:08:45	unbound	40175	[40175:0] debug: close fd 22
                    Jan 1 22:08:45	unbound	40175	[40175:0] notice: Restart of unbound 1.12.0.
                    Jan 1 22:08:47	unbound	40175	[40175:0] debug: duplicate acl address ignored.
                    Jan 1 22:08:52	unbound	40175	[40175:0] info: implicit transparent local-zone . TYPE0 IN
                    

                    What I did was change my search terms on Google slightly to 'unbound restarting' and another previous post showed up here:

                    https://forum.netgate.com/topic/153913/solved-unbound-stops-resolving-intermittently

                    The solution in this article was that pfSense was restarting unbound for each new DHCP request or something like that, and when you are running pfBlockerNG like I am with LOTS of blocked URLs/IPs the unbound restart can take more time than anticipated, leading to DNS issues and timeouts.

                    Unchecking 'DHCP Registration' in the DNS Resolver settings just above the OVPN checkbox as mentioned in the above posting seems to have solved it for now.

                    1 Reply Last reply Reply Quote 1
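One way to confirm from the resolver log that restarts line up with the lookup failures, as an added example that is not part of the original thread: it finds each "Restart of unbound" notice, estimates how long start-up logging continued afterwards, and flags repeated restarts. The burst gap, window and threshold values are assumptions, and the sample log is constructed in the layout quoted in the post above.

```python
import re
from datetime import datetime, timedelta

# Matches the pfSense 2.5.2 resolver log layout quoted in the thread.
LINE = re.compile(r"^(\w{3}\s+\d{1,2}\s+\d{2}:\d{2}:\d{2})\s+unbound\s+\d+\s+"
                  r"\[\d+:\d+\]\s+(\w+):\s+(.*)$")

def parse(log_text, year=2022):
    """Return (timestamp, level, message) tuples; the log has no year, so one is assumed."""
    events = []
    for line in log_text.splitlines():
        m = LINE.match(line.strip())
        if m:
            ts = datetime.strptime(f"{year} {m.group(1)}", "%Y %b %d %H:%M:%S")
            events.append((ts, m.group(2), m.group(3)))
    return events

def restart_report(events, burst_gap=10):
    """Per restart notice: (time, seconds until the last line of the start-up burst).
    A burst ends at the next restart or after a pause longer than burst_gap seconds,
    so the figure is a lower bound on how long the resolver was busy reloading."""
    report = []
    for i, (ts, _, msg) in enumerate(events):
        if not msg.startswith("Restart of unbound"):
            continue
        last = ts
        for nxt, _, nmsg in events[i + 1:]:
            if nmsg.startswith("Restart of unbound") or (nxt - last).total_seconds() > burst_gap:
                break
            last = nxt
        report.append((ts, int((last - ts).total_seconds())))
    return report

def restart_storm(report, window_minutes=60, threshold=3):
    """True when at least `threshold` restarts fall inside one window of that length."""
    times = [ts for ts, _ in report]
    window = timedelta(minutes=window_minutes)
    return any(sum(1 for t in times[i:] if t - start <= window) >= threshold
               for i, start in enumerate(times))

# Constructed sample: the first four lines follow the excerpt in the post,
# the later restarts are invented for illustration.
SAMPLE = """
Jan 1 22:08:45 unbound 40175 [40175:0] debug: close fd 22
Jan 1 22:08:45 unbound 40175 [40175:0] notice: Restart of unbound 1.12.0.
Jan 1 22:08:47 unbound 40175 [40175:0] debug: duplicate acl address ignored.
Jan 1 22:08:52 unbound 40175 [40175:0] info: implicit transparent local-zone . TYPE0 IN
Jan 1 22:31:10 unbound 40175 [40175:0] notice: Restart of unbound 1.12.0.
Jan 1 22:31:19 unbound 40175 [40175:0] info: implicit transparent local-zone . TYPE0 IN
Jan 1 22:47:02 unbound 40175 [40175:0] notice: Restart of unbound 1.12.0.
"""
```

Comparing the restart times against the DHCP server log for the same period shows whether lease activity is what triggers them.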