Frequent DNS timeouts
-
@steveits Thanks for pointing me to the other threads.
I'm thinking of just giving up on using forwarding. I need to figure out if my ISP limits access to DNS servers when not forwarding.
-
After turning off DNS forwarding, resolution was nearly instantaneous for a couple of days. But the random timeouts have returned.
I don't see anything in the logs to indicate something is failing.
Can someone point me to a DNS debugging guide or something that will help me figure out what the root cause is here.
Thank you.
-
@oopohj5oo8shieze1ree There are a few here:
https://docs.netgate.com/pfsense/en/latest/troubleshooting/index.html#dnsAlso take a look through https://forum.netgate.com/category/19/dhcp-and-dns as there are other posts for 23.01.
-
Hi. Do have nearly the same issues.
But for me I don't use and DNS forwarding or anything else. Just pfSense Unbound in combination with pfBlockerNG.
Don't have any DNS fails at all. But looks like name resolution does hang after some amount of time. After that it looks like it is cached again and resolution works fine.
But I do have this issues nearly every day.Something like a cleared unbound cache - what's not the case.
-
@thundergate said in Frequent DNS timeouts:
cleared unbound cache
This can only happens when the resolver -unbound is told to stop, or restart, which is a controlled stop, to be started right afterwards.
It can take several seconds to do so.
The cache will be lost, but subsequent DNS resolving won't take long, typical is a fraction of a second.If unbound restarts happen very often, you can start to 'feel' the absence of the DNS sub system.
So, ask your pfSense how often it restarts :
grep "Restart" /var/log/resolver.logIf it's just couple of times a day (lesser == better) : this is not your issue.
-
@steveits After switching from forwarding to normal resolving I let things sit for a bit to see what would happen. It looks like unbound is restarting a lot:
Mar 15 08:01:04 netgate unbound[20724]: [20724:0] notice: Restart of unbound 1.17.1. Mar 15 08:08:33 netgate unbound[20724]: [20724:0] notice: Restart of unbound 1.17.1. Mar 15 08:12:20 netgate unbound[20724]: [20724:0] notice: Restart of unbound 1.17.1. Mar 15 08:12:45 netgate unbound[20724]: [20724:0] notice: Restart of unbound 1.17.1. Mar 15 08:13:39 netgate unbound[20724]: [20724:0] notice: Restart of unbound 1.17.1. Mar 15 08:29:45 netgate unbound[20724]: [20724:0] notice: Restart of unbound 1.17.1. Mar 15 08:34:44 netgate unbound[20724]: [20724:0] notice: Restart of unbound 1.17.1. Mar 15 08:35:41 netgate unbound[20724]: [20724:0] notice: Restart of unbound 1.17.1. Mar 15 08:42:09 netgate unbound[20724]: [20724:0] notice: Restart of unbound 1.17.1. Mar 15 08:42:34 netgate unbound[20724]: [20724:0] notice: Restart of unbound 1.17.1. Mar 15 08:49:47 netgate unbound[20724]: [20724:0] notice: Restart of unbound 1.17.1. Mar 15 08:52:13 netgate unbound[20724]: [20724:0] notice: Restart of unbound 1.17.1.Is there a known workaround for this?
-
@oopohj5oo8shieze1ree The most common cause for restarts is having DHCP set to register DHCP leases in DNS, which triggers a restart after each and every DHCP lease. Options are to not do that, or to make the lease long enough that it renews in "days" not "hours." (renewal is 1/2 of the lease duration)
-
@steveits I believe I have that turned off (in Services -> DHCP Server -> Dynamic DNS ->
Enable registration of DHCP client names in DNS). However, it does appear to be registering DHCP host names with the DNS server regardless of this setting.I've increased the lease time and will report back.
Thank you.
-
@oopohj5oo8shieze1ree unbound starting that often is going to be problematic that is for sure..
-
Same for me - a lot of unbound restarts and I actually don't know why?!
-
@thundergate well no restarts here
[23.01-RELEASE][admin@sg4860.local.lan]/root: unbound-control -c /var/unbound/unbound.conf status version: 1.17.1 verbosity: 1 threads: 4 modules: 2 [ validator iterator ] uptime: 196553 seconds options: control(ssl) unbound (pid 56217) is running... [23.01-RELEASE][admin@sg4860.local.lan]/root:196K seconds - 54 hours... Which was when I restarted pfsense to fix my swap not showing on widget..
If unbound is restarting - especially that often, your not going to have a good time.. You need to figure out why its restarting, registration of dhcp is typical reason you would see restarts like that..
-
-
@thundergate no - it has been a known issue for years that registering dhcp restarts unbound. I only register static mappings
-
@johnpoz said in Frequent DNS timeouts:
known issue for years that registering dhcp restarts unbound
-
@johnpoz
Oh no - That's stupid?!But I do need those DHCP leases to be seen to know what device does make all those requests.... Cannot stand with IP addresses only.
Used OPNsense before - but didn't had those issues, if I remember correctly?
-
@thundergate Then until resolved, as I noted above make your lease time longer. It will restart on average every ( (lease duration/2) / # leases ).
-
@steveits Will have to look into it.
I'm quite disappointed. Never thought that such an error does exist within pfSense (and it does exist since a few years now).
Are you all not interested in name resolution and do only handle IPs?
For me unbound restarts every 2-5 minutes (doesn't look like it is the DHCP lease issue at all?!).
-
@thundergate said in Frequent DNS timeouts:
re you all not interested in name resolution and do only handle IPs?
All of the devices I have that I need to resolve or want to resolve via name I have reserved IP for ;)
-
@thundergate said in Frequent DNS timeouts:
DHCP lease issue at all?!).
well look in your dhcp log - does it match up or not.. My leases are 4 days long.. But 2 hour lease, with lots of devices yeah you could have a few an hour for sure..
-
@thundergate said in Frequent DNS timeouts:
not interested in name resolution and do only handle IPs?
Depends on the setup. Clients with Windows domains use Windows DNS so it's handled. Windows in general/SMB will discover an address by NetBIOS name anyway. Printers get static or reservations. So in most cases it isn't really needed.
