pfBlockerNG - unbound-control process spikes CPU to 100% every few seconds [SOLVED]

nimrod

@stephenw10 said in Strange issue with CPU usage.:

Are you running DNS-BL in Python mode?

Does it go away if you use Unbound mode instead?

Steve

Hi Steve.

No. Its running in default Unbound mode. So far i tried this:

• Disabling TLD and reloading all.
• Upgrading to pfSense v2.7.x DEVEL.
• Clean install of pfSense 2.6.0, and then full config restore.
• Disabling DNS forwarder mode.
• Applying patch that @johnpoz suggested.

Nothing helped. Only disabling pfBlocker completely eliminates the issue.

I found two posts on pfSense Reddit page here and here, and both of them are describing exactly the same issue as i am having. First one was resolved by upgrading to pfSense v2.5.1, and the other one was miss configured resolver.

johnpoz

@nimrod said in Strange issue with CPU usage.:

Applying patch that @johnpoz suggested.

That patch cleared it up for me - but when first did it I messed up and forgot the space between the 's and didn't work - so make sure if you hand edited that line that there is a space where the ( was, so it was like '(' and should be ' ' with space between.

I didn't catch my mistake for quite some time, week or so at least. I had done it and didn't really bother to watch cpu usage.. because mine was never spiking even that high, it was just higher than before. But after I put in the space it made a drastic difference as you can see from the graph I posted.

nimrod

@johnpoz said in Strange issue with CPU usage.:

@nimrod said in Strange issue with CPU usage.:

Applying patch that @johnpoz suggested.

That patch cleared it up for me - but when first did it I messed up and forgot the space between the 's and didn't work - so make sure if you hand edited that line that there is a space where the ( was, so it was like '(' and should be ' ' with space between.

I didn't catch my mistake for quite some time, week or so at least. I had done it and didn't really bother to watch cpu usage.. because mine was never spiking even that high, it was just higher than before. But after I put in the space it made a drastic difference as you can see from the graph I posted.

I used System Patches package to apply the patch. The code i pasted looks like this:

diff --git a/net/usr/local/pkg/pfblockerng/pfblockerng.inc b/net/usr/local/pkg/pfblockerng/pfblockerng.inc
index 7fa8c1d2f8bf..2abbef30578b 100644
--- a/net/usr/local/pkg/pfblockerng/pfblockerng.inc
+++ b/net/usr/local/pkg/pfblockerng/pfblockerng.inc
@@ -4136,7 +4136,7 @@ function pfb_filterrules() {
         foreach ($results as $result) {
             if (substr($result, 0, 1) == '@') {

-                $r = explode(')', $result, 2);
+                $r = explode(' ', $result, 2);

                 // pfSense > v2.6 uses an 'ridentifier' string
                 if (strpos($result, 'ridentifier') != FALSE) {

johnpoz

@nimrod I would directly look at the file and make sure it actually applied, if your not seeing any difference in your cpu usage after applying..

you can find the inc file in this dir

/usr/local/pkg/pfblockerng

nimrod

@johnpoz said in Strange issue with CPU usage.:

@nimrod I would directly look at the file and make sure it actually applied, if your not seeing any difference in your cpu usage after applying..

you can find the inc file in this dir

/usr/local/pkg/pfblockerng

It seems ok. I also see pfblockerng.inc.orig file, which i think is the backup created by system patches package.

This file is 300 megs, and it has 10000 lines of code in it. I guess, the file size depends on how many feeds/lists i have loaded.

johnpoz

@nimrod said in Strange issue with CPU usage.:

300 megs

no - 300k, not 300M hehehe

nimrod

@johnpoz said in Strange issue with CPU usage.:

@nimrod said in Strange issue with CPU usage.:

300 megs

no - 300k, not 300M hehehe

Yeah. 300k, sry. My mind is going out...

Anyway, @stephenw10 gave me idea with his question. So i actually switched pfBlocker from Unbound mode to Python mode. And guess what. Issue is gone.

Now im puzzled.

Is Python mode less effective, or inferior in any way to unbound mode ?

johnpoz

@nimrod I don't use DNSBL, so not sure - but if you click the little i next to it says it uses less memory. And can do more advanced DNSBL

But again I don't use that..

nimrod

Had to switch back to unbound mode, because python mode is just not working correctly when TLD is enabled.

Of course, CPU is spiking to 100% again, and i dont know what else to try and resolve this.

stephenw10

I'd probably open a thread in the pfBlocker forum section with all the details you have found.

nimrod

Update.

1. Setting pfBlocker into Unbound python mode.
2. Performing DNSBL reload.
3. Setting pfBlocker into Unbound mode.
4. Performing DNSBL reload.

These 4 steps are resolving the issue. However, when i reboot, issue comes back again. Then i repeat those 4 steps from above, and issue is gone again.

Is there any way to locate what changes are made when switching modes ? What logs should i analyze ?

Edit: @johnpoz, @stephenw10, or @jimp can you please move this thread to pfBlocker forum section ?

Thank you.

nimrod

Here is another update.

When i perform 4 steps that i described in previous post, pfBlocker is blocking hosts, but its not showing what feed was used, and there are no whitelisting buttons available.

It looks like this:

When i reboot, blocking is still working as it should, but feed is also displayed properly along with whitelisting buttons. It looks like this:

I hope ill narrow this down some more.

stephenw10

Moved. You may want to re-title it so others can find it more easily.

nimrod

@stephenw10 & @johnpoz i have finally resolved the issue after weeks of digging.

It turned out that i caused the issue by adding this DNSBL list in my DNSBL feeds. First i thought that the amount of entries in this list was the cause, but then i replaced it with with this one, which has over million entries in it and everything is still working fine.

On top of all that, the problematic list of domains is no longer supported and it was last updated 2 years ago. "Project" is abandoned and moved to another github page.

Lesson learned here. Make sure you know what are you adding in your feeds. Make sure to use only verified lists that get consistently updated.

Thank you guys for your help.

stephenw10

So just the list containing a bunch of obsolete domains?

nimrod

@stephenw10 said in pfBlockerNG - unbound-control process spikes CPU to 100% every few seconds [SOLVED]:

So just the list containing a bunch of obsolete domains?

Not sure how many domains in that list are obsolete, and if that was the issue, however, what led me to actually remove the list is the fact that there are tons of legit domains in that list that pfBlocker was blocking. If you check the list, you will see asus.com and sony.com in there. And there is absolutely no reason to blacklist those sites. They are legit.

Then I thought this was actually a whitelist that i was using as blacklist, but then you find all those porn sites in there and tons of other entries that are present in legit block lists. Its a mess.

I just removed it and it all works.