Netgate Discussion Forum
    Pfblockerng-devel 3.1 stops unbound

    • GertjanG
      Gertjan @jperezme
      last edited by

      @jperezme said in Pfblockerng-devel 3.1 stops unbound:

      Any idea?

      Try this :
      In the GUI, go to Firewall > pfBlockerNG and disable pfBlockerNG
      Open a console, go to option 8
      Now stop unbound, use the stop button :
      [screenshot]

      In the console, type

      ps ax | grep 'unbound'
      

      Kill every unbound instance still running :
      For example, if you see this

      28952  -  Ss    0:08.15 /usr/local/sbin/unbound -c /var/unbound/unbound.conf
      

      type

      kill 28952
      

      to kill it.
      Do this for every instance still running.

      Now, activate unbound using the GUI.
      Activate Pfblockerng.

      No "help me" PM's please. Use the forum, the community will thank you.
      Edit : and where are the logs ??

      • J
        jperezme @Gertjan
        last edited by jperezme

        @gertjan Hello again.
        I have been able to verify that the problem has not been solved. I have stopped DNS Resolver, there was no unbound process to kill, and then I have stopped pfBlockerNG. I've restarted DNS Resolver and then pfBlockerNG, but it fails again. I have forced a reload by hand and the DNS has started without problem. I'll wait to see whether it fails again when it runs automatically.
        ===[ DNSBL Process ]================================================

        Loading DNSBL Statistics... completed
        Loading DNSBL SafeSearch... disabled
        Loading DNSBL Whitelist... completed

        [ UT1_adult ] exists.
        [ UT1_mixed_adult ] exists. [ 09/18/22 00:00:56 ]
        [ UT1_sexual_education ] exists.
        [ StevenBlack_ADs ] Downloading update . ( md5 feed ) .

        Orig.   Unique  # Dups  # White  # TOP1M  Final
        140907  140907  42      76       0        140789


        Assembling DNSBL database...... completed [ 09/18/22 00:01:23 ]
        TLD:
        TLD analysis....................xxxxxxxxxxxxxxxxxxxxxxxxxxx completed [ 09/18/22 00:05:11 ]

        ** TLD Domain count exceeded. [ 2000000 ] All subsequent Domains listed as-is **

        TLD finalize.....

        Original  Matches  Removed  Final
        4635210   1850200  239      4634971

        TLD finalize... completed [ 09/18/22 00:08:49 ]

        Saving DNSBL statistics... completed [ 09/18/22 00:08:59 ]
        Stopping Unbound Resolver..............................
        Starting Unbound Resolver.
        DNSBL enabled FAIL - restoring Unbound conf *** Fix error(s) and a Force Reload required! ***

        ====================

        [1663452576] unbound[38316:0] error: bind: address already in use
        [1663452576] unbound[38316:0] fatal error: could not open ports

        ====================

        Stopping Unbound Resolver..............................
        Starting Unbound Resolver.. Not completed. [ 09/18/22 00:11:03 ]
        [1663452613] unbound[85507:0] error: bind: address already in use
        [1663452613] unbound[85507:0] fatal error: could not open ports
        error: SSL handshake failed

        *** DNSBL update [ 4633655 ] [ 4634971 ] ... OUT OF SYNC ! *** [ 09/18/22 00:11:07 ]

        • GertjanG
          Gertjan @jperezme
          last edited by

          The solution will be :
          Make this go away :

          @jperezme said in Pfblockerng-devel 3.1 stops unbound:

          TLD analysis....................xxxxxxxxxxxxxxxxxxxxxxxxxxx completed [ 09/18/22 00:05:11 ]
          ** TLD Domain count exceeded. [ 2000000 ] All subsequent Domains listed as-is **

          this

          @jperezme said in Pfblockerng-devel 3.1 stops unbound:

          Stopping Unbound Resolver..............................

          and be aware that every dot printed is a one (1) second delay :
          So, just to stop your unbound, it needs more than 10 minutes .....

          Two solutions :
          Ditch your system, take something with a big fat Xeon processor. Multithreading is meaningless here, as PHP executes on one core.
          Or lower the number of feeds / DNSBL entries.
          Lower it until this line :

          TLD analysis....................xxxxxxxxxxxxxxxxxxxxxxxxxxx completed [ 09/18/22 00:05:11 ]

          doesn't show 'x' anymore.

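The two posts above describe a manual procedure (stop unbound, find and kill leftover unbound processes) and a rule of thumb for reading the DNSBL log (one dot per second of waiting; 'x' marks on the TLD analysis line mean the feed list is too big). The following is an added shell example, not code from the thread or from pfBlockerNG, that applies both checks to a constructed log excerpt and a constructed ps listing (PIDs and timestamps are made up).

```shell
#!/bin/sh
# Added example, not code from the thread or from pfBlockerNG: triage the DNSBL update
# log for the "bind: address already in use" pattern above and list the unbound PIDs
# that "ps ax" still shows. All input below is constructed (PIDs, timestamps made up).
PFB_LOG='Loading DNSBL Statistics... completed
TLD analysis....................xxxxxxxxxxxxxxxxxxxx completed [ 09/18/22 00:05:11 ]
** TLD Domain count exceeded. [ 2000000 ] All subsequent Domains listed as-is **
Stopping Unbound Resolver..............................
Starting Unbound Resolver.
DNSBL enabled FAIL - restoring Unbound conf *** Fix error(s) and a Force Reload required! ***
[1663452576] unbound[38316:0] error: bind: address already in use
[1663452576] unbound[38316:0] fatal error: could not open ports'
# Constructed "ps ax | grep unbound" output: two daemons plus the grep itself.
PS_SAMPLE='28952  -  Ss    0:08.15 /usr/local/sbin/unbound -c /var/unbound/unbound.conf
31007  -  Is    0:00.02 /usr/local/sbin/unbound -c /var/unbound/unbound.conf
31240  0  S+    0:00.00 grep unbound'

count_matches() { printf '%s\n' "$1" | grep -c -- "$2" || true; }

# Per Gertjan, pfBlockerNG prints one dot per second while waiting for unbound to stop.
stop_wait_seconds() {
  printf '%s\n' "$1" | grep '^Stopping Unbound Resolver' | tail -n 1 \
    | sed 's/^Stopping Unbound Resolver//' | tr -cd '.' | wc -c | tr -d ' '
}
# Count the 'x' marks on the TLD analysis line; Gertjan's rule: shrink feeds until zero.
tld_overflow_marks() {
  printf '%s\n' "$1" | grep '^TLD analysis' | tr -cd 'x' | wc -c | tr -d ' '
}
# PIDs of real unbound daemons, space-separated; the grep process itself is skipped.
unbound_pids() {
  printf '%s\n' "$1" | grep '/usr/local/sbin/unbound' | awk '{printf "%s%s", s, $1; s=" "}'
  echo
}
# Verdict string: OK, or why unbound did not come back after the DNSBL reload.
diagnose() {
  log=$1
  if [ "$(count_matches "$log" 'bind: address already in use')" -gt 0 ]; then
    echo "PORT_HELD: old unbound still bound after $(stop_wait_seconds "$log")s wait"
  elif [ "$(tld_overflow_marks "$log")" -gt 0 ]; then
    echo "TLD_LIMIT: DNSBL list larger than the TLD analysis limit"
  else
    echo OK
  fi
}

diagnose "$PFB_LOG"
echo "unbound PIDs still running: $(unbound_pids "$PS_SAMPLE")"
```

On a real pfSense box the same functions can be fed with `cat /var/log/pfblockerng/pfblockerng.log` and `ps ax | grep unbound` in place of the constructed strings.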

          • J
            jperezme @Gertjan
            last edited by jperezme

            @gertjan
            This is my system cpu:
            Intel(R) Xeon(R) CPU E5-2620 v4 @ 2.10GHz
            Current: 2100 MHz, Max: 2101 MHz
            16 CPUs: 1 package(s) x 8 core(s) x 2 hardware threads

            It's strange because I have three other systems exactly like this one and it doesn't happen.
            Could you tell me exactly where I can download the number of feeds?

            [screenshot]
            [screenshot]
            Thanks in advance.

            • GertjanG
              Gertjan @jperezme
              last edited by

              @jperezme said in Pfblockerng-devel 3.1 stops unbound:

              Could you tell me exactly where I can download the number of feeds?

              What do you mean ?
              You don't know what (how much) you download ?

              The info is here :

              [screenshot]

              Or here : /var/db/pfblockerng/dnsbl

              Or here - example of one feed :

              [screenshot]

              'DNSBL feeds' or just 'Internet' text pages - big files with host names.

              The thing is : you have too many of them : it seems that unbound can't handle it.
              If unbound needs more than 10 minutes to react on a stop signal, something is definitely wrong. While it's stopping, your pfSense has no DNS ....
              pfBlocker fails to stop it, fails to start it.


              • J
                jperezme @Gertjan
                last edited by

                @gertjan
                I understand you. Could it be my UT1 list?
                [screenshot]
                These are my DNSBL groups:
                [screenshot]

                • GertjanG
                  Gertjan @jperezme
                  last edited by Gertjan

                  @jperezme

                  This :

                  [screenshot]

                  would be a lot to keep in memory if the file was read by a binary executable.
                  PHP is an interpreted language, so 1000 times slower.
                  Added to that, for every DNS request, the entire list has to be parsed through to see if there is a DNSBL hit.

                  Solution : don't use such a big list.
                  edit : with just 5 hits ...


                  • J
                    jperezme @Gertjan
                    last edited by

                    @gertjan As I was saying, it is very strange because on other machines that are exactly the same, with the same software installation, even with some more lists, it never happens. You can see it in this image.

                    [screenshot]

                    • GertjanG
                      Gertjan @jperezme
                      last edited by

                      @jperezme
                      I know.
                      Start hating me for this one : between pfSense 1&2 and this third one, there is a difference ^^

                      Also : 23 hits for a 4 million+ list ..... , I wouldn't bother.


                      • J
                        jperezme @Gertjan
                        last edited by

                        @gertjan
                        Calm. I don't hate you, on the contrary. 😊
                        I really appreciate your comments. Blame it on my ignorance. Really the most important thing for me is to be able to block porn, because we are in a school.

                        • GertjanG
                          Gertjan @jperezme
                          last edited by

                          @jperezme

                          A small one : Pfblockerng never download my custom list new entries?

                          https://github.com/klabacita


                          • J
                            jperezme @Gertjan
                            last edited by

                            @gertjan
                            Where is a good list to block porn pages?

                            Thanks.

                            • NogBadTheBadN
                              NogBadTheBad @jperezme
                              last edited by

                              @jperezme

                              You could try replacing Unified hosts = (adware + malware) with Unified hosts + porn

                              https://github.com/StevenBlack/hosts

                              Andy

                              1 x Netgate SG-4860 - 3 x Linksys LGS308P - 1 x Aruba InstantOn AP22

                              Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.