    No DNS after upgrading from 23.01 to 23.05 - unbound issue?

    General pfSense Questions
    20 Posts 4 Posters 2.7k Views
    haraldinho @SteveITS

      @SteveITS I'm not sure why it happened, but the high load seems to have resolved itself after one of the many reboots I have done. The original problem remains, however: DNS keeps behaving erratically.

      I changed the DNS from Google to Cloudflare and re-enabled DNS over TLS to see if that would help, but it doesn't.

      Things I notice:

      • Package manager is not able to retrieve list of available packages. Dashboard is not able to load 'Latest version' to determine if there is an update.
      • The time it takes for 127.0.0.1 to resolve is long (more than 10 seconds is not unusual; sometimes it does not respond at all, see the screenshot below).
      • The forwarding part seems to work properly and fast, see the log below.

      [screenshot: Schermafbeelding 2023-06-11 om 14.24.15.png]

      2023-06-11 14:21:49.471930+02:00	unbound	36056	[36056:0] debug: cache memory msg=80110 rrset=78875 infra=8306 val=0
      2023-06-11 14:21:49.471762+02:00	unbound	36056	[36056:0] info: finishing processing for gsp-ssl.ls-apple.com.akadns.net. A IN
      2023-06-11 14:21:49.471659+02:00	unbound	36056	[36056:0] info: query response was ANSWER
      2023-06-11 14:21:49.471618+02:00	unbound	36056	[36056:0] info: reply from <.> 1.1.1.2#853
      2023-06-11 14:21:49.471566+02:00	unbound	36056	[36056:0] info: response for gsp-ssl.ls-apple.com.akadns.net. A IN
      2023-06-11 14:21:49.471512+02:00	unbound	36056	[36056:0] info: iterator operate: chased to get-bx.g.aaplimg.com. A IN
      2023-06-11 14:21:49.471481+02:00	unbound	36056	[36056:0] info: iterator operate: query gsp-ssl.ls-apple.com.akadns.net. A IN
      2023-06-11 14:21:49.471439+02:00	unbound	36056	[36056:0] debug: iterator[module 0] operate: extstate:module_wait_reply event:module_event_reply
      2023-06-11 14:21:49.470854+02:00	unbound	36056	[36056:3] debug: cache memory msg=80110 rrset=78875 infra=8306 val=0
      2023-06-11 14:21:49.470708+02:00	unbound	36056	[36056:3] info: finishing processing for gsp-ssl.ls-apple.com.akadns.net. HTTPS IN
      2023-06-11 14:21:49.470666+02:00	unbound	36056	[36056:3] info: resolving gsp-ssl.ls-apple.com.akadns.net. HTTPS IN
      2023-06-11 14:21:49.470621+02:00	unbound	36056	[36056:3] info: resolving gsp-ssl.ls-apple.com.akadns.net. HTTPS IN
      2023-06-11 14:21:49.470572+02:00	unbound	36056	[36056:3] info: resolving gsp-ssl.ls-apple.com.akadns.net. HTTPS IN
      2023-06-11 14:21:49.470519+02:00	unbound	36056	[36056:3] info: query response was CNAME
      2023-06-11 14:21:49.470489+02:00	unbound	36056	[36056:3] info: reply from <.> 1.1.1.2#853
      2023-06-11 14:21:49.470456+02:00	unbound	36056	[36056:3] info: response for gsp-ssl.ls-apple.com.akadns.net. HTTPS IN
      2023-06-11 14:21:49.470419+02:00	unbound	36056	[36056:3] info: sanitize: removing extraneous answer RRset: gspx-ssl.ls.apple.com. CNAME IN
      2023-06-11 14:21:49.470386+02:00	unbound	36056	[36056:3] info: sanitize: removing extraneous answer RRset: gsp-ssl-geomap.ls-apple.com.akadns.net. CNAME IN
      2023-06-11 14:21:49.470337+02:00	unbound	36056	[36056:3] info: iterator operate: query gsp-ssl.ls-apple.com.akadns.net. HTTPS IN
      2023-06-11 14:21:49.470291+02:00	unbound	36056	[36056:3] debug: iterator[module 0] operate: extstate:module_wait_reply event:module_event_reply
      2023-06-11 14:21:49.465750+02:00	unbound	36056	[36056:0] debug: cache memory msg=80110 rrset=78875 infra=8306 val=0
      2023-06-11 14:21:49.465700+02:00	unbound	36056	[36056:0] debug: sending to target: <.> 1.1.1.2#853
      2023-06-11 14:21:49.465667+02:00	unbound	36056	[36056:0] info: sending query: get-bx.g.aaplimg.com. A IN
      2023-06-11 14:21:49.465624+02:00	unbound	36056	[36056:0] info: processQueryTargets: gsp-ssl.ls-apple.com.akadns.net. A IN
      2023-06-11 14:21:49.465575+02:00	unbound	36056	[36056:0] info: resolving gsp-ssl.ls-apple.com.akadns.net. A IN
      2023-06-11 14:21:49.465529+02:00	unbound	36056	[36056:0] info: resolving gsp-ssl.ls-apple.com.akadns.net. A IN
      2023-06-11 14:21:49.465479+02:00	unbound	36056	[36056:0] info: resolving gsp-ssl.ls-apple.com.akadns.net. A IN
      2023-06-11 14:21:49.465427+02:00	unbound	36056	[36056:0] info: query response was CNAME
      2023-06-11 14:21:49.465395+02:00	unbound	36056	[36056:0] info: reply from <.> 1.1.1.2#853
      2023-06-11 14:21:49.465363+02:00	unbound	36056	[36056:0] info: response for gsp-ssl.ls-apple.com.akadns.net. A IN
      2023-06-11 14:21:49.465327+02:00	unbound	36056	[36056:0] info: sanitize: removing extraneous answer RRset: get-bx.g.aaplimg.com. A IN
      2023-06-11 14:21:49.465296+02:00	unbound	36056	[36056:0] info: sanitize: removing extraneous answer RRset: gspx-ssl.ls.apple.com. CNAME IN
      2023-06-11 14:21:49.465262+02:00	unbound	36056	[36056:0] info: sanitize: removing extraneous answer RRset: gsp-ssl-geomap.ls-apple.com.akadns.net. CNAME IN
      2023-06-11 14:21:49.465206+02:00	unbound	36056	[36056:0] info: iterator operate: query gsp-ssl.ls-apple.com.akadns.net. A IN
      2023-06-11 14:21:49.465160+02:00	unbound	36056	[36056:0] debug: iterator[module 0] operate: extstate:module_wait_reply event:module_event_reply
      2023-06-11 14:21:49.457484+02:00	unbound	36056	[36056:0] debug: cache memory msg=80110 rrset=78875 infra=8306 val=0
      2023-06-11 14:21:49.457433+02:00	unbound	36056	[36056:3] debug: cache memory msg=80110 rrset=78875 infra=8306 val=0
      2023-06-11 14:21:49.457381+02:00	unbound	36056	[36056:0] debug: sending to target: <.> 1.1.1.2#853
      2023-06-11 14:21:49.457331+02:00	unbound	36056	[36056:3] debug: sending to target: <.> 1.1.1.2#853
      2023-06-11 14:21:49.457286+02:00	unbound	36056	[36056:0] info: sending query: gsp-ssl.ls-apple.com.akadns.net. A IN
      2023-06-11 14:21:49.457241+02:00	unbound	36056	[36056:3] info: sending query: gsp-ssl.ls-apple.com.akadns.net. HTTPS IN
      2023-06-11 14:21:49.457196+02:00	unbound	36056	[36056:0] info: processQueryTargets: gsp-ssl.ls-apple.com.akadns.net. A IN
      2023-06-11 14:21:49.457160+02:00	unbound	36056	[36056:3] info: processQueryTargets: gsp-ssl.ls-apple.com.akadns.net. HTTPS IN
      2023-06-11 14:21:49.457042+02:00	unbound	36056	[36056:0] info: resolving gsp-ssl.ls-apple.com.akadns.net. A IN
      2023-06-11 14:21:49.456976+02:00	unbound	36056	[36056:3] info: resolving gsp-ssl.ls-apple.com.akadns.net. HTTPS IN
      2023-06-11 14:21:49.456906+02:00	unbound	36056	[36056:0] debug: iterator[module 0] operate: extstate:module_state_initial event:module_event_new
      2023-06-11 14:21:49.456824+02:00	unbound	36056	[36056:3] debug: iterator[module 0] operate: extstate:module_state_initial event:module_event_new
      

      I still feel that unbound itself is the culprit, but it does not spit out any useful log entries.

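The observation in the post above (forwarding answers arrive within milliseconds while a lookup against 127.0.0.1 can take more than ten seconds or never return) can be checked mechanically from the same unbound log instead of by eye. The Python below is an added example written for this page; it is not code from the thread, from unbound or from pfSense. It replays the log lines in time order (the pfSense GUI shows newest first), pairs every "sending query" with the "finishing processing for" line for the same name and type on the same thread, and reports the latency of each query, queries that never completed, and chased sub-queries (unbound logs the answer to a chased query under the original query name, which is why get-bx.g.aaplimg.com. has no "finishing processing" line of its own). The sample log embeds six lines from the log above plus three constructed lines on threads 1 and 2 (slow.example and stuck.example) to exercise the slow and unanswered cases.

```python
import re
from datetime import datetime, timedelta

# Log line shape as pfSense presents unbound output:
#   <timestamp>  unbound  <pid>  [<pid>:<thread>] <level>: <message>
LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d\d-\d\d \d\d:\d\d:\d\d\.\d+[+-]\d\d:\d\d)\s+unbound\s+\d+\s+"
    r"\[(?P<pid>\d+):(?P<thread>\d+)\]\s+(?P<level>\w+):\s+(?P<msg>.*)$"
)
SENT_RE = re.compile(r"^sending query: (?P<q>\S+ \S+ IN)$")
DONE_RE = re.compile(r"^finishing processing for (?P<q>\S+ \S+ IN)$")
CHASE_RE = re.compile(r"^iterator operate: chased to (?P<q>\S+ \S+ IN)$")


def parse_events(text):
    """Turn raw log text into (time, thread, level, message) tuples, oldest first."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            events.append((datetime.fromisoformat(m["ts"]), int(m["thread"]),
                           m["level"], m["msg"]))
    events.sort(key=lambda ev: ev[0])  # the GUI shows newest first; replay in time order
    return events


def query_latencies(text, slow_ms=2000.0):
    """Pair each 'sending query' with its 'finishing processing' on the same thread."""
    sent, chased, results = {}, set(), []
    for ts, thread, _level, msg in parse_events(text):
        m = SENT_RE.match(msg)
        if m:
            sent.setdefault((thread, m["q"]), ts)  # first send starts the clock; retries do not reset it
            continue
        m = CHASE_RE.match(msg)
        if m:
            chased.add((thread, m["q"]))
            continue
        m = DONE_RE.match(msg)
        if m and (thread, m["q"]) in sent:
            start = sent.pop((thread, m["q"]))
            ms = round((ts - start) / timedelta(milliseconds=1), 3)
            results.append({"thread": thread, "query": m["q"], "ms": ms,
                            "status": "slow" if ms >= slow_ms else "ok"})
    for (thread, q) in sent:  # still outstanding when the capture ends
        results.append({"thread": thread, "query": q, "ms": None,
                        "status": "chased" if (thread, q) in chased else "unanswered"})
    return results


def summarize(results):
    """Count queries per status; a healthy resolver shows only 'ok' and 'chased'."""
    counts = {"ok": 0, "slow": 0, "chased": 0, "unanswered": 0}
    for r in results:
        counts[r["status"]] += 1
    return counts


# First six lines are taken from the log in the post above; the last three are
# constructed for this example (slow.example and stuck.example do not exist).
SAMPLE_LOG = """\
2023-06-11 14:21:49.471762+02:00 unbound 36056 [36056:0] info: finishing processing for gsp-ssl.ls-apple.com.akadns.net. A IN
2023-06-11 14:21:49.471512+02:00 unbound 36056 [36056:0] info: iterator operate: chased to get-bx.g.aaplimg.com. A IN
2023-06-11 14:21:49.470708+02:00 unbound 36056 [36056:3] info: finishing processing for gsp-ssl.ls-apple.com.akadns.net. HTTPS IN
2023-06-11 14:21:49.465667+02:00 unbound 36056 [36056:0] info: sending query: get-bx.g.aaplimg.com. A IN
2023-06-11 14:21:49.457286+02:00 unbound 36056 [36056:0] info: sending query: gsp-ssl.ls-apple.com.akadns.net. A IN
2023-06-11 14:21:49.457241+02:00 unbound 36056 [36056:3] info: sending query: gsp-ssl.ls-apple.com.akadns.net. HTTPS IN
2023-06-11 14:21:49.000000+02:00 unbound 36056 [36056:2] info: finishing processing for slow.example. A IN
2023-06-11 14:21:48.500000+02:00 unbound 36056 [36056:1] info: sending query: stuck.example. A IN
2023-06-11 14:21:34.000000+02:00 unbound 36056 [36056:2] info: sending query: slow.example. A IN
"""

if __name__ == "__main__":
    rows = query_latencies(SAMPLE_LOG)
    for r in rows:
        print(f"thread {r['thread']}  {r['status']:<10} {r['ms']!s:>9} ms  {r['query']}")
    print(summarize(rows))
```

To run it against a live box, paste the relevant lines from Status > System Logs > DNS Resolver (log level 3 or higher, as in the post) into SAMPLE_LOG or read them from a file. Queries that come back "unanswered" within a capture window of several seconds are the ones to chase; "chased" entries are normal CNAME follow-ups and can be ignored.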
      SteveITS @haraldinho

        @haraldinho is IPv6 working on the router itself? If it isn’t connections will fail if it tries IPv6 first. There is a checkbox in the pfSense settings to prefer IPv4 for (only) the router.

        Does it work if you disable forwarding temporarily?

        Pre-2.7.2/23.09: Only install packages for your version, or risk breaking it. Select your branch in System/Update/Update Settings.
        When upgrading, allow 10-15 minutes to restart, or more depending on packages and device speed.
        Upvote 👍 helpful posts!

        haraldinho @SteveITS

          @SteveITS Hey Steve, I appreciate your help. I just tried both settings that you indicated, but they do not resolve the issue. DNS is still erratic and I cannot see available packages in Package Manager and also it does not show the update status on the dashboard.

          I had disabled all IPv6 on all interfaces previously.

          I was going through the output of ps -auxwwd and my eye caught this section, I am not sure if it is related:

          root       46599   0.0  0.0  13336  2820 u0- I    15:02    0:00.00 |-- /bin/sh /etc/rc.update_pkg_metadata now
          root       47042   0.0  0.0  13336  2812 u0- I    15:02    0:00.00 | `-- /bin/sh /usr/local/sbin/pfSense-upgrade -uf
          root       49188   0.0  0.0  12672  2160 u0- I    15:02    0:00.00 |   `-- /usr/bin/lockf -s -t 5 /tmp/pfSense-upgrade.lock /usr/local/libexec/pfSense-upgrade -uf
          root       49640   0.0  0.0  13336  3180 u0- I    15:02    0:00.01 |     `-- /bin/sh /usr/local/libexec/pfSense-upgrade -uf
          root       56944   0.0  0.0  13336  2780 u0- I    15:02    0:00.00 |       `-- /bin/sh /usr/local/sbin/pfSense-repo-setup
          root       59363   0.0  0.1  17064  5068 u0- I    15:02    0:00.04 |         `-- /usr/local/sbin/pfSense-repoc-static (pfSense-repoc-stati)
          
          

          It is still there after a reboot. Not sure what it exactly indicates, but it suggests the upgrade did not completely finish? Any thoughts?

          Is there any other logging that I could inspect that would be able to shed more light on the DNS matter?

          haraldinho @haraldinho

            @SteveITS @stephenw10 The issue in this post looks very similar to my problem.

            TAC57 @haraldinho

              @haraldinho Our problems look very similar!

              • My Package manager is not able to retrieve a list of packages. I've tried to delete packages I don't need and I can't.
              • I can't load Latest version.
              • System is very sluggish going from tab to tab.

              Are you also getting this Notice: 'An error occurred while uploading the encrypted Netgate pfSense Plus configuration to https://acb.netgate.com/save ( Unable to resolve acb.netgate.com ) @ 2023-06-09 18:26:04'

              If you come up with something I'd really appreciate hearing from you.

              Can you recommend absolute basic DNS Resolver settings just to see if I can get this working.

              Gertjan @TAC57

                @TAC57 said in No DNS after upgrading from 23.01 to 23.05 - unbound issue?:

                Can you recommend absolute basic DNS Resolver settings

                The default resolver settings.
                The one Netgate has put in place when you've installed pfSense.

                [image: f204e1fc-551c-4922-b776-740b2351c077-image.png]

                Note : The certificate selected isn't important, just pick 'one'.
                You can leave the Custom option box empty.

                [image: 3ca2916c-352f-44fa-a453-d7793ff247ef-image.png]

                and :

                [image: 3a639eca-a00e-4520-9e39-de1f1ec24ae1-image.png]

                If your uplink isn't discriminating your "Internet" access (read: your ISP isn't messing around with what you are allowed to visit and what not), these settings work perfectly well.

                No "help me" PM's please. Use the forum, the community will thank you.
                Edit : and where are the logs ??

                haraldinho @Gertjan

                  @Gertjan Are the settings in the images the default 23.05 resolver settings or are they representing your working 23.05 configuration?
                  Are you not forwarding?

                  Gertjan @haraldinho

                    @haraldinho said in No DNS after upgrading from 23.01 to 23.05 - unbound issue?:

                    or are they representing your working 23.05 configuration?

                    Good question.
                    The first image : 99 % default, as I'm pretty sure about all these settings.

                    The second image : I enforce DNSSEC, and keep the local cache updated when resolved host names TTL reaches zero.

                    Of course I'm not forwarding, as I don't feel the need to hand over all DNS requests to some other company. I never understood why I would have to do this. I chose pfSense because it can resolve for itself.

                    Edit : the settings I'm using are pretty much the same for the last .... decade.
                    I've tested forwarding to 1.1.1.1, 8.8.8.8 etc. on port 53 and 853 (TLS), mixing IPv4 and IPv6.
                    Worked perfectly fine for me.
                    I'm using a Netgate 4100 - and my ISP doesn't play tricks on me ( I guess ).


                    TAC57 @Gertjan

                      @Gertjan I made all the changes above, rebooted, and thought I was in business. I could get my package list and could (did) delete a number of packages I don't need that I couldn't delete previously. DNS Lookup responses looked good. I didn't have a notice that an error occurred while uploading the pfSense config.

                      After logging off and back on I'm back to the way it was. One difference though: DNS Lookup now reports back immediately instead of taking a while. I'm sure this is because the name server is 127.0.0.1.

                      Gertjan @TAC57

                        @TAC57

                        [image: 8a9ed2b8-d2eb-4377-a611-0a711b5d7ec3-image.png]

                        "1 ms" because google.com was already in the local DNS (resolver) cache.

                        More typical :

                        [image: 811687c8-bbc8-422a-940e-60176fc0a8c7-image.png]

                        You should see hundreds if not thousands of entries here:

                        [image: b0dd2a3d-9fe4-4dc8-86ad-2c4509bc203e-image.png]

                        This line (arrow) :

                        [image: b2148e4b-3050-4da4-a56f-99b8f8bc051d-image.png]

                        should occur as infrequently as possible.


                        haraldinho @Gertjan

                          @Gertjan @TAC57 Have a look at this topic. This is exactly what we are experiencing in my opinion. There seems also to be a solution by turning off ASLR, but I need to dig into it more. It's a long thread, I need to read it carefully.

                          TAC57 @haraldinho

                            @haraldinho Jeez, that is a long thread, thanks for pointing it out! Per my other topic I jumped back to 2.6.0 on my backup box and everything is working just fine now.

                            How do I turn off 'ASLR'? I'd be glad to jump over to my 23.05 install and give it a try.

                            Thanks again.

                            haraldinho @TAC57

                              @TAC57 Search the thread, it is in there somewhere

                              Gertjan @haraldinho

                                @haraldinho said in No DNS after upgrading from 23.01 to 23.05 - unbound issue?:

                                @Gertjan @TAC57 Have a look at this topic. This is exactly what we are experiencing in my opinion. There seems also to be a solution by turning off ASLR, but I need to dig into it more. It's a long thread, I need to read it carefully

                                I don't need to re read that thread - I was posting there.

                                Btw: before, using 23.01, the ASLR bit of my /usr/local/sbin/unbound was unset.
                                Now, using 23.05, it is set.

                                [23.05-RELEASE][root@pfSense.going.down]/root: elfctl /usr/local/sbin/unbound
                                File '/usr/local/sbin/unbound' features:
                                noaslr          'Disable ASLR' is set.
                                noprotmax       'Disable implicit PROT_MAX' is unset.
                                nostackgap      'Disable stack gap' is unset.
                                wxneeded        'Requires W+X mappings' is unset.
                                la48            'amd64: Limit user VA to 48bit' is unset.
                                

                                But, as shown in the other thread, I could not find any issues while using unbound in forwarding mode to 8.8.8.8 or 1.1.1.1. I've been forwarding for two weeks, never had any issues.

                                I'm back to resolving mode as it is 'less hassle' and 'works out of the box'. That is, if your uplink (ISP) isn't playing tricks on you.


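The elfctl output above is a readout of the NT_FREEBSD_FEATURE_CTL note that FreeBSD embeds in a binary; the kernel reads that note at exec time to decide, among other things, whether to randomise the address space of that process. Note that on 23.05 the output already shows noaslr set, i.e. ASLR is already disabled for unbound there. The Python below is an added example for this page, not code from the thread, from FreeBSD or from pfSense. It parses the note straight out of an ELF64 image, lists the same five feature names elfctl prints, and flips a bit in place the way `elfctl -e +noaslr file` / `elfctl -e -noaslr file` does. The note type and the bit values are the author's recollection of sys/elf_common.h (an assumption to verify against the headers on the box); the ELF image used as input is hand-built in memory (a header, one PT_NOTE segment, one note) so that the example runs anywhere, and is not a real unbound binary.

```python
import struct

PT_NOTE = 4                  # program-header type carrying ELF notes
NT_FREEBSD_FEATURE_CTL = 4   # note type of the FreeBSD feature-control word (assumed value)
# Bit values as the author recalls them from sys/elf_common.h; names as elfctl(1) prints them.
FCTL_BITS = {
    "noaslr":     0x01,  # NT_FREEBSD_FCTL_ASLR_DISABLE
    "noprotmax":  0x02,  # NT_FREEBSD_FCTL_PROTMAX_DISABLE
    "nostackgap": 0x04,  # NT_FREEBSD_FCTL_STKGAP_DISABLE
    "wxneeded":   0x08,  # NT_FREEBSD_FCTL_WXNEEDED
    "la48":       0x10,  # NT_FREEBSD_FCTL_LA48
}


def _endian(data: bytes) -> str:
    return "<" if data[5] == 1 else ">"   # e_ident[EI_DATA]: 1 = little-endian


def find_feature_ctl(data: bytes):
    """Return (file offset of the flags word, flags) for the FreeBSD feature note, or None."""
    if data[:4] != b"\x7fELF" or data[4] != 2:
        raise ValueError("only ELF64 images are handled here")
    e = _endian(data)
    (e_phoff,) = struct.unpack_from(e + "Q", data, 0x20)
    e_phentsize, e_phnum = struct.unpack_from(e + "HH", data, 0x36)
    for i in range(e_phnum):
        p_type, _pflags, p_offset, _va, _pa, p_filesz = struct.unpack_from(
            e + "IIQQQQ", data, e_phoff + i * e_phentsize)
        if p_type != PT_NOTE:
            continue
        pos, end = p_offset, p_offset + p_filesz
        while pos + 12 <= end:                       # walk the note entries in this segment
            namesz, descsz, ntype = struct.unpack_from(e + "III", data, pos)
            pos += 12
            name = data[pos:pos + namesz].rstrip(b"\0")
            pos += (namesz + 3) & ~3                 # name and desc are 4-byte aligned
            if name == b"FreeBSD" and ntype == NT_FREEBSD_FEATURE_CTL and descsz >= 4:
                return pos, struct.unpack_from(e + "I", data, pos)[0]
            pos += (descsz + 3) & ~3
    return None


def describe(flags: int) -> dict:
    """Same information elfctl prints: which of the five features are set."""
    return {name: bool(flags & bit) for name, bit in FCTL_BITS.items()}


def set_feature(data: bytes, name: str, enable: bool) -> bytes:
    """In-memory equivalent of `elfctl -e +name file` (enable) / `elfctl -e -name file`."""
    found = find_feature_ctl(data)
    if found is None:
        raise ValueError("binary carries no FreeBSD feature-control note")
    off, flags = found
    bit = FCTL_BITS[name]
    flags = (flags | bit) if enable else (flags & ~bit)
    return data[:off] + struct.pack(_endian(data) + "I", flags) + data[off + 4:]


def build_sample_elf(flags: int) -> bytes:
    """Constructed minimal ELF64 (x86-64, FreeBSD ABI): header + one PT_NOTE segment."""
    name, desc = b"FreeBSD\0", struct.pack("<I", flags)
    note = struct.pack("<III", len(name), len(desc), NT_FREEBSD_FEATURE_CTL) + name + desc
    ehdr_size, phdr_size = 64, 56
    ident = b"\x7fELF" + bytes([2, 1, 1, 9]) + b"\0" * 8   # ELFCLASS64, LSB, v1, ELFOSABI_FREEBSD
    ehdr = ident + struct.pack("<HHIQQQIHHHHHH", 2, 0x3E, 1, 0, ehdr_size, 0, 0,
                               ehdr_size, phdr_size, 1, 0, 0, 0)
    phdr = struct.pack("<IIQQQQQQ", PT_NOTE, 4, ehdr_size + phdr_size, 0, 0,
                       len(note), len(note), 4)
    return ehdr + phdr + note


if __name__ == "__main__":
    image = build_sample_elf(FCTL_BITS["noaslr"])      # mirrors the 23.05 readout above
    print("as built:", describe(find_feature_ctl(image)[1]))
    image = set_feature(image, "noaslr", False)         # what `elfctl -e -noaslr` would do
    print("noaslr cleared:", describe(find_feature_ctl(image)[1]))
```

On a real system, `elfctl /usr/local/sbin/unbound` (as in the post) is the authoritative check and `elfctl -e +noaslr /usr/local/sbin/unbound` the way to set the bit; the edit lives in the file, so a package upgrade that replaces the binary resets it. Turning off ASLR removes an exploit mitigation from a network-facing daemon and should be treated as a temporary workaround until the fixed unbound release is installed.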
                                  haraldinho @Gertjan

                                  @Gertjan @TAC57 @SteveITS There seems to be some good news: https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=270912

                                  "Jaap Akkerhuis 2023-06-01 12:41:18 UTC
                                  A fix has been developed upstream. There will be a new release within weeks with this fix. For the impatient among us, a prerelease is made available at https://github.com/NLnetLabs/unbound/issues/887#issuecomment-1570136710."

                                  Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.