Netgate Discussion Forum
Unbound dns resolver stops resolving every few days after 22.05 upgrade

DHCP and DNS, 14 Posts 3 Posters 2.1k Views
vaidas @Gertjan

@gertjan then why even offer this option if it breaks everything. I spin up and down hosts/servers every day that I need resolved by name; adding static records and then removing them just for that would be a chore. But let's end this.
Question is then why it has been working in 22.01 for months with no problems, upgraded to 22.05 and it breaks every few days. (haven't changed any config or network size)
If the only option that you suggest is to disable that setting then I thank you, I got you. Will wait, maybe there are other people that have other valid solutions.
Gertjan @vaidas

@vaidas said in Unbound dns resolver stops resolving every few days after 22.05 upgrade:

> Will wait maybe

Check the forum, you will find hundreds if not thousands of posts about this subject.
Check pfSense redmine, proposals and bug reports have been made. Some are years old.
Check this one : https://redmine.pfsense.org/issues/5413
Yours : https://redmine.pfsense.org/issues/13337 fits right into the first one, already 6 years old.
edit : and I saw you found that one ^^

For the last several ( ! ) years many people (like a lot) have asked about this issue.
I'm not saying my proposal is 'the' solution. It's 'a' workaround.

Btw : start thinking about what needs to be done when IPv6 isn't optional any more.

@vaidas said in Unbound dns resolver stops resolving every few days after 22.05 upgrade:

> Question is then why it has been working in 22.01 for months no problems, upgraded to 22.05 and it breaks every few days.

Probably pure luck ? Dunno.
Nothing changed in 22.05 - was different in 22.01.
For me 22.01 and 22.05 are not showing any differences about DHCP/DNS. And I have the graphs to confirm this, you saw them.

No "help me" PM's please. Use the forum, the community will thank you.
Edit : and where are the logs ??
vaidas @Gertjan

@gertjan well thanks for trying to help, will need to change my workflows then and try the workaround, or maybe migrate to the Windows Server DNS/DHCP stack as it would be nice to also have it with AD :) don't want to say this, but Windows DNS seems to be more stable nowadays :)
Maybe there is hope, they seem to have finally fixed the multiple-console problem on the same network after many years; even though I don't own any consoles, I saw many people wanted it fixed.
hey at least I got great bug number 13337

I was hit by this
https://redmine.pfsense.org/issues/11316
hard, that's why I used watchdog; at least in that case unbound would die so watchdog would be useful.
vaidas

Disabled the "register DHCP leases in DNS" setting and outages are still happening.
Logs don't even show an unbound restart.
The only 2 records in the unbound log today when the outage happened:

Jul 8 20:56:06	unbound	28376	[28376:0] info: generate keytag query _ta-4f66. NULL IN
Jul 8 09:11:23	unbound	28376	[28376:0] info: generate keytag query _ta-4f66. NULL IN

What is happening ?
Is there a way to download the 22.05 image for a reinstall? Maybe that would solve the problem. I am seriously considering rolling back to 22.01.
vaidas

possibly related to
https://forum.netgate.com/topic/173148/slow-dns-after-22-05/11

now at least DNS resolution recovers after ~15 min (with DNS registration of DHCP leases disabled) but 15 min outages are still annoying.
Just getting a DNS time out or "IP address not found" in the browser.
Gertjan @vaidas

@vaidas said in Unbound dns resolver stops resolving every few days after 22.05 upgrade:

> query _ta-4f66.

Or 20326 decimal.
Nothing special, '20326' is the mother of all DNSSEC keys at this moment. It's re-fetched regularly. A correct fetch is the start of good DNSSEC functionality.
So these messages :

[screenshot of the unbound "generate keytag query" log lines]

are sometimes the only sign of life that unbound is giving while it's humming.
vaidas

Strange, but it seems that the problem mostly went away after unchecking (disabling) the DNSSEC setting. Still testing, but for more than a day I haven't seen any problems.

Even re-enabling "register DHCP leases" did not cause any noticeable problems.
Gertjan @vaidas

@vaidas said in Unbound dns resolver stops resolving every few days after 22.05 upgrade:

> unchecking(disabling) DNSSEC setting.

DNSSEC is an extension of DNS. It's a complicated thing, but 'on the wire' you'll find some more requests. There are the usual A, AAAA, PTR, MX, CNAME. Added to that, there will be some DS, NSEC and DNSKEY.
These are just other UDP/TCP packets addressed to the same DNS name servers unbound was already talking to.
If these are unknown on the domain name server, no issue, unbound proceeds without DNSSEC checking without any time lost.
Most, if not all TLDs (com org net etc etc etc) are DNSSEC signed.
The top level dot "." is signed, that's the 4f66 key you see in the unbound logs.
If a web site owner took the time to sign its domain name, like this one, a domain name I own/rent, then the entire chain will be ok, and DNSSEC will work.
DNS will work with DNSSEC nearly as fast as without DNSSEC.

It should not make DNS work slower or worse or something like that. If that's the case, there is an underlying access or DNS problem.
pajinha

I own a Netgate 6100 and have been having the same issue. DNS resolving went to shit after the 22.05 update. Until then it was working fine. Most of the time it wouldn't resolve until after a restart. Have had to resort to 4G a few times :-(

I have been fiddling with a few settings but I think these last 2 have made it better for me:

Untick Enable DNSSEC Support

[screenshot of the "Enable DNSSEC Support" checkbox]

And on the outgoing interfaces I reduced it to only use WAN ( removed my VPN outgoing interfaces ).

I will be changing everything back to what I was using before the update but want to confirm slowly each option to try to single out the one that has broken it for me.

Will keep an eye here and in this other thread https://forum.netgate.com/topic/173148/slow-dns-after-22-05
to see if anyone has managed to single out the main issue...

Kind of a big one for Netgate... not sure how they managed to screw this one up.
Gertjan @pajinha

@pajinha said in Unbound dns resolver stops resolving every few days after 22.05 upgrade:

> not sure how they managed to screw this one.

The forum mentions a couple of 'DNS' issues since 22.05.
But, what is a couple ?
22.05 has been downloaded and installed many thousands of times (I can't tell, but I'm pretty sure).

@pajinha said in Unbound dns resolver stops resolving every few days after 22.05 upgrade:

> ( removed my VPN outgoing interfaces )

If your DNS also goes over this VPN and the VPN is bad - as this can happen, they are not all equal and perfect - then, yeah, DNS looks bad.
Because your uplink is bad.
DNS is mostly UDP, these can get lost. unbound won't hammer away, and returns a SERVFAIL.
TCP gets renegotiated and is far more resilient.

For now, my DNS using 22.05 with default settings and no VPN is working as before. And don't take my word for it, see for yourself.
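Added example (not from the thread, pfSense or unbound): it decodes the `_ta-4f66` key-tag lines Gertjan explains (RFC 8145 trust-anchor signalling, 0x4f66 = 20326) and sends a DO-bit query so a DNSSEC SERVFAIL from the validator can be told apart from a lost UDP packet, which is the distinction drawn in the last two posts. It uses only the Python standard library; the resolver address 127.0.0.1 and the name example.com in the final lines are placeholders.

```python
import re
import socket
import struct

# unbound logs "generate keytag query _ta-4f66. NULL IN"; several tags can be
# joined with '-' (e.g. _ta-4a5c-4f66) while a root KSK rollover is under way.
KEYTAG_RE = re.compile(r"generate keytag query _ta-([0-9a-f]{4}(?:-[0-9a-f]{4})*)\.")

def keytags_from_log(lines):
    """Return the decimal key tags signalled in the given unbound log lines."""
    tags = []
    for line in lines:
        m = KEYTAG_RE.search(line)
        if m:
            tags.extend(int(h, 16) for h in m.group(1).split("-"))
    return tags  # '_ta-4f66' -> 20326, the current root KSK

def build_query(name, qtype=1, txid=0x1234):
    """Recursive query with an EDNS0 OPT record carrying the DO bit."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 1)  # RD=1, QD=1, AR=1
    labels = [lbl.encode() for lbl in name.strip(".").split(".")]
    qname = b"".join(bytes([len(lbl)]) + lbl for lbl in labels) + b"\x00"
    opt = b"\x00" + struct.pack("!HHIH", 41, 4096, 0x00008000, 0)  # DO=1, no options
    return header + qname + struct.pack("!HH", qtype, 1) + opt

def classify(resp):
    """Map the flags of a raw DNS response to what the validator is saying."""
    flags = struct.unpack("!H", resp[2:4])[0]
    rcode, ad = flags & 0x000F, bool(flags & 0x0020)
    if rcode == 2:
        return "SERVFAIL"  # validation failed or upstream unreachable
    if rcode == 0:
        return "validated" if ad else "unsigned-or-unvalidated"
    return "rcode-%d" % rcode

def probe(name, resolver, timeout=3.0):
    """Query over UDP; a timeout is a transport problem, not a DNSSEC one."""
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    sock.settimeout(timeout)
    try:
        sock.sendto(build_query(name), (resolver, 53))
        return classify(sock.recv(4096))
    except socket.timeout:
        return "timeout"
    finally:
        sock.close()

if __name__ == "__main__":
    # Assumed placeholders: the pfSense resolver at 127.0.0.1 and a signed name.
    print(probe("example.com", "127.0.0.1"))
```

Run it from a LAN host during an outage: "timeout" points at the uplink or the VPN path, "SERVFAIL" with DNSSEC enabled points at validation, and "validated" means the chain to key 20326 is intact.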