No DNS after upgrading from 23.01 to 23.05 - unbound issue?

Gertjan

@TAC57 said in No DNS after upgrading from 23.01 to 23.05 - unbound issue?:

Can you recommend absolute basic DNS Resolver settings

The default resolver settings.
The one Netgate has put in place when you've installed pfSense.

Note : The certificate selected isn't important, just pick 'one'.
You can leave the Custom option box empty.

and :

If your uplink isn't discriminating your "Internet" access (read : your ISP isn't messing around with 'what you are allowed to visit - and what not) these settings work perfectly well.

haraldinho

@Gertjan Are the settings in the images the default 23.05 resolver settings or are they representing your working 23.05 configuration?
Are you not forwarding?

Gertjan

@haraldinho said in No DNS after upgrading from 23.01 to 23.05 - unbound issue?:

or are they representing your working 23.05 configuration?

Good question.
The first image : 99 % default, as I'm pretty sure about all these settings.

The second image : I enforce DNSSEC, and keep the local cache updated when resolved host names TTL reaches zero.

Of course I'm not forwarding, as I don't feel the need to hand over all DNS request to some other company. I never understood why I have to do this. I chose pfSense because it can resolve for itself.

Edit : the settings I'm using are pretty much the same for the last .... decade.
I've tested forwarding to 1.1.1.1, 8.8.8.8 etc to port 53 and 853 (TLS) - mixing IPv4 and Ipv6.
Worked perfectly fine for me.
I'm using a Netgate 4100 - and my ISP doesn't play tricks on me ( I guess ).

TAC57

@Gertjan I made all the changes above, rebooted, and thought I was in business. I could get my package list and could (did) delete a number of packages I don't need that I couldn't delete previously. DNS Lookup responses looked good. I didn't have a notice that an error occurred while upload pfSense config.

After logging off and back on I'm back to the way it was. One difference though, DNS Lookup no reports back immediately instead of taking awhile. I'm sure this is because Name server is 127.0.0.1.

Gertjan

@TAC57

"1 ms" because "google.com was already in the local DNS (resolver) cache.

More typical :

You should see hundreds if not thousands if entries here :

This line (arrow) :

should occur as less frequent as possible.

haraldinho

@Gertjan @TAC57 Have a look at this topic. This is exactly what we are experiencing in my opinion. There seems also to be a solution by turning off ASLR, but I need to dig into it more. It's a long thread, I need to read it carefully.

TAC57

@haraldinho Jeez, that is a long thread, thanks for pointing it out! Per my other topic I jumped back to 2.6.0 on my backup box and everything is working just fine now.

How do I turn off 'ASLR'? I'm be glad to jump over to my 23.05 install and give it a try.

Thanks again.

haraldinho

@TAC57 Search the thread, it is in there somewhere

Gertjan

@haraldinho said in No DNS after upgrading from 23.01 to 23.05 - unbound issue?:

@Gertjan @TAC57 Have a look at this topic. This is exactly what we are experiencing in my opinion. There seems also to be a solution by turning off ASLR, but I need to dig into it more. It's a long thread, I need to read it carefully

I don't need to re read that thread - I was posting there.

Btw : Before, using 23.01 the ALSR bit of my /usr/local/sbin/unbound as unset.
Now, using 23.05, it is set.

[23.05-RELEASE][root@pfSense.going.down]/root: elfctl /usr/local/sbin/unbound
File '/usr/local/sbin/unbound' features:
noaslr          'Disable ASLR' is set.
noprotmax       'Disable implicit PROT_MAX' is unset.
nostackgap      'Disable stack gap' is unset.
wxneeded        'Requires W+X mappings' is unset.
la48            'amd64: Limit user VA to 48bit' is unset.

But, as shown in the other tread, I could not find any issues while using unbound in forwarding mode to 8.8.8.8 or 1.1.1.1. I've been forwarding for two weeks, never had any issues.

I'm back to resolving mode as it is 'less hassle' and 'works out of the box'. That is, if your uplink (ISP) isn't playing tricks on you.

haraldinho

@Gertjan @TAC57 @SteveITS There seems to be some good news: https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=270912

"Jaap Akkerhuis 2023-06-01 12:41:18 UTC
A fix is developed by upstairs. There will be a new release within weeks with this fix. For the inpatients among us, a prerelease is made available https://github.com/NLnetLabs/unbound/issues/887#issuecomment-1570136710."