Frequent DNS timeouts

johnpoz · Mar 24, 2023, 9:21 PM

@nedyah700 said in Frequent DNS timeouts:

disable DNS registration??

Is that really such a bad thing? What dhcp clients are you resolving via name - how many clients?

Here is the thing, if unbound is restarting - even if you don't notice and issue with resolving.. it clears its cache ever time it restarts.

I simple work around to the problem is just to setup reservations - so you devices always get the same IP.. Unless you have hundreds of clients.. Or you have lots of clients that come and go onto your network without any clue to what they are - then why would you want/need to resolve them?

Sure in a perfect world, unbound wouldn't restart and it could register your dhcp clients - maybe someday that will be an option. But its a been a known issue and long time standing thing that dhcp registrations restarts unbound. Many users may never notice - they have a handful of clients, they have a long time lease - unbound only restarts a now and then during a day..

But if your dns is restarting every 5 minutes - that is going to be problematic for sure. Be it you wanting to query something during the restart, or just that its loosing all of its cache every 5 minutes is not very efficient..

While it might seem daunting to setup reservations - its a one time thing, do a few at a time when you have a chance, etc. All of the like 40+ some devices on my network have reservations.. the only thing I don't have reservations for is like guest devices - which I could care less about resolving their names..

nedyah700 · Mar 24, 2023, 9:38 PM

@johnpoz
I just don't understand why with 0 configuration changes this upgrade made the impact so much more sever. Multiple times a day I am getting DNS resolution timeouts lasting one to two minutes. Prior to upgrading the restarts had no notable impact.

johnpoz · Mar 24, 2023, 10:05 PM

@nedyah700 unbound has restarted with dhcp reservations since for ever.. Can tell you that for sure..

Timeout lasting a few minutes shouldn't happen unless your getting a flood of renews like all in a row or something.. Maybe before your registrations were more spread out and didn't come in groups.

nedyah700 · Mar 24, 2023, 10:07 PM

@johnpoz Agree, and I've seen it in my logs like this since day 1 with pfSense. But all of a sudden now it's actually causing experienced issues with users. Clearly I am not alone judging by all the various posts here on the forums.

JonH · Mar 24, 2023, 10:10 PM

@nedyah700 I've had the same problems except my unbound service was not restarting, it was hanging and if I did nothing it would eventually get going again. I was manually restarting it rather than waiting it out. Now I rarely have that 2 min delay and have not observed it hanging. I set the logging up to level 3 and noticed a lot of "debug: outnettcp got tcp error -1" errors when it was hung.

I am using pfBlockerNG and under DNSBL I have DNS set to "unbound python mode". I have my dhcp set to a limited pool range and have some clients with static IP's outside the pool range.

The changes I made, and I don't know which one or combo that helped me but here are some things I changed:

1). In System->General setup I changed the default "use local, fall back to remote DNS" to "Use local, ignore remote"

2). In DNS Resolver I previously had all interfaces selected under "outgoing network interfaces". I changed that to select WAN only.

3). Under Resolver -> Advanced I changed the 'outgoing' and the 'incoming' TCP Buffers from the default 10 to 20. When I changed this I was still experiencing the problem but now I have not observed the problem. I have not idea if changing this setting is applicable to the problem, I only know that after changing this and rebooting pfSense, my switch, and my AP everything is better.

nedyah700 · Mar 24, 2023, 10:23 PM

@jonh said in Frequent DNS timeouts:

pfBlockerNG

Thanks! I'll give some of these a try. I am using pfBlockerNG but not DNSBL.

johnpoz · Mar 24, 2023, 10:54 PM

@nedyah700 are you forwarding or doing a normal resolve, which is default. If your forwarding are you forwarding over tcp? ie dot?

"use local, fall back to remote DNS" to "Use local, ignore remote"

This setting has zero to do with anything - this is what pfsense would do when it needed to resolve something. Ie look to see if there was an update, checking for packages, etc. Or you click to resolve an IP in your firewall log, etc.

That settings has nothing to do with clients asking unbound, or unbound resolving or forwarding.

login-to-view

I have it set to ignore - because I don't have any remote dns, I only resolve.. I could of just left it at default, but was like why - there is no remote dns set, and even if there was I sure wouldn't want pfsense using them ;)

If I recall correctly that setting came to be when they added dot and such, and you were adding the forwarders into the general settings.. You were not sure before if pfsense would ask unbound, which would use dot to talk to forwarders you had set. Or if pfsense used them it would just ask them via normal dns.. This setting allows you to ignore the forwarders you might have setup for dot use, because while unbound will use dot to talk to them. Pfsense would only just query them over normal 53..

This has nothing to do with unbound restarting, or clients on your network asking unbound for dns.. This is what pfsense will do for its own dns needs.

thundergate · Mar 26, 2023, 3:48 PM

For me those Unbound restarts do still exist.

I do not have any forwarded DNS. Only using direct Unbound with the system.

DHCP registration is turned off.

Only pfblockerNG in python mode.

And my DNS Resolver log is full of entries.... Don't really know what is causing this issues?!

login-to-view

johnpoz · Mar 26, 2023, 4:42 PM

@thundergate yeah unbound would be pretty much useless if its restarting that often.. Something is wrong - can you up the verbose level so you might be able to see more info.. Or it looks like you filtered that output, what else is the log?

You sure you have dhcp registrations off? That sure looks like what I had posted in this or some other dns related thread where my wifes phone was constantly asking for dhcp, mine doesn't restart unbound because dhcp registrations are off..

Do you have dhcp stuff in its log that might match up - maybe the setting didn't take and for some reason its still restarting on dhcp

thundergate · Mar 26, 2023, 5:23 PM

@johnpoz said in Frequent DNS timeouts:

You sure you have dhcp registrations off? That sure looks like what I had posted in this or some other dns related thread where my wifes phone was constantly asking for dhcp, mine doesn't restart unbound because dhcp registrations are off..

Thx. Yes. See screenshot. Even disabling static DHCP doesn't help.

Also disabled python mode - and still all the unbound restarts.

Activated Level 2 Logging and will have a look into it.

login-to-view

thundergate · Mar 26, 2023, 5:28 PM

@johnpoz said in Frequent DNS timeouts:

Do you have dhcp stuff in its log that might match up

Within DHCP I do have a lot of those messages (see screenshot):

login-to-view

johnpoz · Mar 26, 2023, 5:50 PM

@thundergate do those times match up? I see you have register dhcp off in your settings.. But maybe it didn't take?

Something is clearly restarting unbound, and a lot.. And the only thing comes to mind that would restart it that often would be dhcp registrations.

I would guess for whatever reason your setting of not to register dhcp is not actually working.. For whatever reason.

Quick test of that might be to just turn off all your dhcp services on pfsense.. Do your restarts stop? You don't need dhcp running 24/7 it can be off for a while. if you you have all your dhcp services off on pfsense, and your still seeing unbound restart like crazy like that - then you know its not dhcp registrations doing it. With the amount of restarts your seeing - I would think you should be able to tell in 10 minutes or so if that is the problem..

JonH · Mar 26, 2023, 7:24 PM

@thundergate said in Frequent DNS timeouts:

And my DNS Resolver log is full of entries.... Don't really know what is causing this issues?!

Do you use Service Watchdog? Is it possible that these restarts could be from the Watchdog restarting it? I removed unbound from my Watchdog monitoring because it was restarting it too often. It was a month ago and I've forgotten if my problems created a log like you posted.

Also note that my Resolver was not stopping, it was hanging and would simply 'fix itself' after 3-6 minutes or so. In my case not using Watchdog has been useful for me.

JonH · Mar 26, 2023, 7:43 PM

@thundergate said in Frequent DNS timeouts:

Within DHCP I do have a lot of those messages (see screenshot):

The other day i had similar entries in DHCP log for one IP. These started after I had removed power from one of my IoT devices that I was also blocking with a firewall rule.

This particular device is a bed that also monitors sleep patterns. I have rules that block it's access to 'the motherland'. It also uses an iPhone app so there is also this extra chatter. The app is unused so I deleted it. I also found entries in the States table for that IP and deleted the State for the specific IP. I also deleted the arp entry and rebooted pfSense and my wifi AP at the same time prior to repowering the device that was causing this issue.

That problem has now stopped.

thundergate · Mar 29, 2023, 9:52 AM

Sorry for my late feedback.

But after disabling and re-enabling some settings the issues are gone.

Don't know why - but at the moment no unbound restarts.

level4 · Mar 29, 2023, 10:22 AM

Be aware that pfBlocker-NG cron/update also restarts Unbound, when (for instance) DNSBL lists are updated.

thundergate · Mar 29, 2023, 1:15 PM

Oh no... The stop/start of unbound started again.

What I could figure out is, that is has somehow be related to my Mac going into standby/hybernate mode. Than those unbound stop/start begins.

As it's a testing setup and my Mac is the only network device within the pfSense setup I can say, that it has to be something related to the Mac and pfSense / pfBlockerNG?!

johnpoz · Mar 29, 2023, 1:28 PM

@thundergate said in Frequent DNS timeouts:

Mac going into standby/hybernate mode.

Or is asking for dhcp all the time like my wife's iphone.. Would seem more like it - what would your mac going into standby have to do with pfblocker ???

See above where I posted my wife phone doing this

Mar 16 01:38:52 	dhcpd 	93450 	DHCPACK on 192.168.2.203 to 88:b2:91:98:d6:f0 via igb2
Mar 16 01:38:52 	dhcpd 	93450 	DHCPREQUEST for 192.168.2.203 from 88:b2:91:98:d6:f0 via igb2
Mar 16 01:37:41 	dhcpd 	93450 	DHCPACK on 192.168.2.203 to 88:b2:91:98:d6:f0 via igb2
Mar 16 01:37:41 	dhcpd 	93450 	DHCPREQUEST for 192.168.2.203 from 88:b2:91:98:d6:f0 via igb2
Mar 16 01:31:44 	dhcpd 	93450 	DHCPACK on 192.168.2.203 to 88:b2:91:98:d6:f0 via igb2
Mar 16 01:31:44 	dhcpd 	93450 	DHCPREQUEST for 192.168.2.203 from 88:b2:91:98:d6:f0 via igb2
Mar 16 01:30:01 	dhcpd 	93450 	DHCPACK on 192.168.2.203 to 88:b2:91:98:d6:f0 via igb2
Mar 16 01:30:01 	dhcpd 	93450 	DHCPREQUEST for 192.168.2.203 from 88:b2:91:98:d6:f0 via igb2
Mar 16 01:29:20 	dhcpd 	93450 	DHCPACK on 192.168.2.203 to 88:b2:91:98:d6:f0 via igb2
Mar 16 01:29:20 	dhcpd 	93450 	DHCPREQUEST for 192.168.2.203 from 88:b2:91:98:d6:f0 via igb2

If your unbound is restarting on dhcp then yeah that is going to be horrible.. That was when my wifes phone is on the charger, it shouldn't of been doing shit, let also be asking for dhcp..

Gertjan · Mar 29, 2023, 2:00 PM

@thundergate said in Frequent DNS timeouts:

related to my Mac going into standby/hybernate mode. Than those unbound stop/start begins

MAC directly connected by wire on the LAN port ?
In that case, when mac goes down, LAN port goes down == NIC event == unbound restarts.
Solution : use a switch.
Or is this not your case ?

johnpoz · Mar 29, 2023, 2:09 PM

@gertjan said in Frequent DNS timeouts:

MAC directly connected by wire on the LAN port ?

That would be odd, but yeah that could do it ass well ;)