Pfblockerng-devel 3.1 stops unbound
-
@jperezme said in Pfblockerng-devel 3.1 stops unbound:
Any idea?
Try this :
In the GUI, go to Firewall > pfBlockerNG and disable pfBlockerNG
Open a console, goto option 8
Now stop unbound, use the stop button :
In the console, type
ps ax | grep 'unbound'
Kill every unbound instance still running :
For example, if you see this28952 - Ss 0:08.15 /usr/local/sbin/unbound -c /var/unbound/unbound.conf
type
kill 28952
to kill it.
Do this for every instance still running.Now, activate unbound using the GUI.
Activate Pfblockerng. -
@gertjan Hello again.
I have been able to verify that the problem has not been solved. I have stopped dns resolve, there was no unbound process to kill and then I have stopped pfnblockerng. I've restarted dns resolver and then pfblockerng, but it fails again.I have forced a reload by hand and the dns has started without problem. I'll wait to see if when I do it automatically it doesn't fail again.
===[ DNSBL Process ]================================================Loading DNSBL Statistics... completed
Loading DNSBL SafeSearch... disabled
Loading DNSBL Whitelist... completed[ UT1_adult ] exists.
[ UT1_mixed_adult ] exists. [ 09/18/22 00:00:56 ]
[ UT1_sexual_education ] exists.
[ StevenBlack_ADs ] Downloading update . ( md5 feed ) .
Whitelist: 5726.bapi.adsafeprotected.com|6063.bapi.adsafeprotected.com|aax-cpm.amazon-adsystem.com|aax-eu-retail-direct.amazon-adsystem.com|aax-eu.amazon-adsystem.com|aax-fe-sin.amazon-adsystem.com|aax-fe.amazon-adsystem.com|aax-us-east-retail-direct.amazon-adsystem.com|aax-us-east-rtb.amazon-adsystem.com|aax-us-east.amazon-adsystem.com|aax-us-pdx.amazon-adsystem.com|aax-us.amazon-adsystem.com|aax.amazon-adsystem.com|adsafeprotected.com|amazon-adsystem.com|anycast.dt.adsafeprotected.com|appvast.adsafeprotected.com|bs.eyeblaster.akadns.net|bs.serving-sys.com|c.amazon-adsystem.com|cdn-a.amazon-adsystem.com|cdn.adsafeprotected.com|control.kochava.com|device-metrics-us-2.amazon.com|dra.amazon-adsystem.com|dt.adsafeprotected.com|dtvc.adsafeprotected.com|fls-eu.amazon-adsystem.com|fls-fe.amazon-adsystem.com|fls-na.amazon-adsystem.com|fls-na.amazon.com|fw.adsafeprotected.com|fwvc.adsafeprotected.com|images-aud.sourceforge.net|imp.control.kochava.com|ir-de.amazon-adsystem.com|ir-jp.amazon-adsystem.com|ir-na.amazon-adsystem.com|ir-uk.amazon-adsystem.com|localhost.localdomain|mads.amazon-adsystem.com|mobile-static.adsafeprotected.com|mobile.adsafeprotected.com|nyidt.adsafeprotected.com|orfw.adsafeprotected.com|orpixel.adsafeprotected.com|pixel.adsafeprotected.com|pm.adsafeprotected.com|ps-eu.amazon-adsystem.com|ps-jp.amazon-adsystem.com|ps-us.amazon-adsystem.com|px.moatads.com|rcm-eu.amazon-adsystem.com|rcm-fe.amazon-adsystem.com|rcm-na.amazon-adsystem.com|s.amazon-adsystem.com|secure-gl.imrworldwide.com|sgfw.adsafeprotected.com|sgpixel.adsafeprotected.com|spixel.adsafeprotected.com|static.adsafeprotected.com|unified.adsafeprotected.com|vafw.adsafeprotected.com|vapixel.adsafeprotected.com|vast.adsafeprotected.com|video.adsafeprotected.com|web-sdk.control.kochava.com|wildcard.moatads.com.edgekey.net|wms-eu.amazon-adsystem.com|wms-na.amazon-adsystem.com|wrapper-vast.adsafeprotected.com|ws-eu.amazon-adsystem.com|ws-fe.amazon-adsystem.com|ws-na.amazon-adsystem.com|z-eu.amazon-adsystem.com|z-na.amazon-adsystem.com|Orig. Unique # Dups # White # TOP1M Final
140907 140907 42 76 0 140789
Assembling DNSBL database...... completed [ 09/18/22 00:01:23 ]
TLD:
TLD analysis....................xxxxxxxxxxxxxxxxxxxxxxxxxxx completed [ 09/18/22 00:05:11 ]** TLD Domain count exceeded. [ 2000000 ] All subsequent Domains listed as-is **
TLD finalize.....
Original Matches Removed Final
4635210 1850200 239 4634971
TLD finalize... completed [ 09/18/22 00:08:49 ]
Saving DNSBL statistics... completed [ 09/18/22 00:08:59 ]
Stopping Unbound Resolver..............................
Starting Unbound Resolver.
DNSBL enabled FAIL - restoring Unbound conf *** Fix error(s) and a Force Reload required! ***====================
[1663452576] unbound[38316:0] error: bind: address already in use
[1663452576] unbound[38316:0] fatal error: could not open ports====================
Stopping Unbound Resolver..............................
Starting Unbound Resolver.. Not completed. [ 09/18/22 00:11:03 ]
[1663452613] unbound[85507:0] error: bind: address already in use
[1663452613] unbound[85507:0] fatal error: could not open ports
error: SSL handshake failed*** DNSBL update [ 4633655 ] [ 4634971 ] ... OUT OF SYNC ! *** [ 09/18/22 00:11:07 ]
-
The solution will be :
Make this go away :@jperezme said in Pfblockerng-devel 3.1 stops unbound:
TLD analysis....................xxxxxxxxxxxxxxxxxxxxxxxxxxx completed [ 09/18/22 00:05:11 ]
** TLD Domain count exceeded. [ 2000000 ] All subsequent Domains listed as-is **this
@jperezme said in Pfblockerng-devel 3.1 stops unbound:
Stopping Unbound Resolver..............................
and be aware that every dot printed is a one (1) second delay :
So, just to stop your unbound, it needs more then 10 minutes .....Two solutions :
Ditch your system, take something with a big fat Xeon processor. Multi threading is meaningless here, as PHP is execute on one core.
Or lower the number of feeds / DNSBL entries.
Lower it until this line :TLD analysis....................xxxxxxxxxxxxxxxxxxxxxxxxxxx completed [ 09/18/22 00:05:11 ]
doesn't show 'x' anymore.
-
@gertjan
This is my system cpu:
Intel(R) Xeon(R) CPU E5-2620 v4 @ 2.10GHz
Current: 2100 MHz, Max: 2101 MHz
16 CPUs: 1 package(s) x 8 core(s) x 2 hardware threadsIt's strange because I have three other systems exactly like this one and it doesn't happen.
Could you tell me exactly where I can download the number of feeds?
Thanks in advance. -
@jperezme said in Pfblockerng-devel 3.1 stops unbound:
Could you tell me exactly where I can download the number of feeds?
What do you mean ?
You don't know what (how much) you download ?The info is here :
Or here : /var/db/pfblockerng/dnsbl
Or here - example of one feed :
'DNSBL feeds' or just 'Internet' text pages - big files with host names.
The thing is : you have to many of them : it seems that unbound can't handle it.
If unbound needs more then, 10 minutes to react on a stop signal, something is definitely wrong. While its stopping, your pfSense has no DNS ....
pfBlocker fails to stop it, fails to start it. -
@gertjan
I understand you. Could be my ut1 list?
This is my dnsbl groups:
-
This :
would be a lot to keep in memory if the file was read by a binary executable.
PHP is interpreted language, so a 1000 times slower.
Added to that, for every DNS request, the entire list hast to be parsed through to see if there is a DNSBL hit.Solution : don't use such a big list.
edit : with just 5 hits ... -
@gertjan As I was saying, it is very strange because on other exactly the same machines with the same software installation, even with some more lists, it never happens. In this image can you see.
-
@jperezme
I know.
Start hating me for this one : between pfSense 1&2 and this third one, there is a difference ^^Also : 23 hits for a 4 million+ list ..... , I wouldn't bother.
-
@gertjan
Calm. I don't hate you, on the contrary.
I really appreciate your comments. Blame it on my ignorance. Really the most important thing for me is to be able to block porn, because we are in a school. -
-
@gertjan
Where a good list to block porn pages?Thanks.
-
You could try replacing Unified hosts = (adware + malware) with Unified hosts + porn
https://github.com/StevenBlack/hosts