Unbound restarting multiple times an hour
-
I am running on a Netgate 3100 system with 23.05.1-RELEASE (arm). I am struggling to consistently access, in the browser, the URLs that I click on because of errors stating that the DNS is not responding. I also often lose connection in my work applications like Teams or Office, generating the same errors. Is there an Unbound issue out there that needs fixing, or should I be looking at pfBlocker, because I have been trying to optimize those settings as well?
-
@dwighthenry If you have "Register DHCP leases in the DNS Resolver" checked in the "DHCP Registration" section of Services->DNS Resolver->General Settings, the Unbound service will restart each time a client renews or gets a new IP from the DHCP server. Each restart will flush its cache too.
-
@dwighthenry said in Unbound restarting multiple times an hour:
Is there an Unbound issue that is out there that needs fixing
You've checked this option :
Register DHCP leases in the DNS Resolver. .... Note that this will cause the Resolver to reload and flush its resolution cache whenever a DHCP lease is issued .... and now you see the Unbound == DNS is often 'unavailable'.
Check Status > System Logs > System > DNS Resolver and you'll see that it is restarting 'a lot'. From here, it becomes easily understandable that the number of restarts is related to the number of LAN-connected devices. Every DHCP lease request and renewal will trigger an unbound restart, which will create a DNS outage.
Now comes pfBlockerng in play.
Normally, when you install pfSense, there is no "pfBlockerng".
And when you install "pfBlockerng" there are no IP feeds, no DNSBL feeds. Probably not a surprise: when unbound restarts, pfBlockerng also restarts.
Adding a lot of "DNSBL feeds" won't make things faster. It's the contrary.
edit: although, using the python mode helps a lot. By default, Register DHCP leases in the DNS Resolver is unchecked.
But you can still have the advantage of having devices' DNS names registered without the consequent unbound restart: add DHCP MAC leases for every device that you need to know by host name. This one:
doesn't restart unbound.
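A quick way to quantify what the DNS Resolver log check above shows, added here as an example (not from this thread or from pfSense itself): count Unbound's "start of service" lines per hour. The log lines below are constructed to look like pfSense's syslog output, and the hostname, PIDs and Unbound version in them are placeholders.

```shell
#!/bin/sh
# Added example, not from the thread or from pfSense. Unbound logs
# "info: start of service (unbound X.Y.Z)." on every (re)start, so counting
# those lines per hour shows how often the resolver is bouncing.
# Constructed sample lines (hostname, PIDs and version are placeholders):
SAMPLE_LOG=$(cat <<'EOF'
Sep 10 09:02:11 pfSense unbound[45123]: [45123:0] info: service stopped (unbound 1.17.1).
Sep 10 09:02:12 pfSense unbound[45190]: [45190:0] info: start of service (unbound 1.17.1).
Sep 10 09:17:40 pfSense unbound[45190]: [45190:0] info: service stopped (unbound 1.17.1).
Sep 10 09:17:41 pfSense unbound[45377]: [45377:0] info: start of service (unbound 1.17.1).
Sep 10 09:44:03 pfSense unbound[45377]: [45377:0] info: service stopped (unbound 1.17.1).
Sep 10 09:44:04 pfSense unbound[45502]: [45502:0] info: start of service (unbound 1.17.1).
Sep 10 10:05:55 pfSense unbound[45502]: [45502:0] info: service stopped (unbound 1.17.1).
Sep 10 10:05:56 pfSense unbound[45611]: [45611:0] info: start of service (unbound 1.17.1).
EOF
)

# restarts_per_hour: reads log lines on stdin and prints "<Mon> <DD> <HH> <count>"
# for every hour that contains at least one "start of service" line.
restarts_per_hour() {
    awk '/info: start of service/ { split($3, t, ":"); key = $1 " " $2 " " t[1]; n[key]++ }
         END { for (k in n) print k, n[k] }' | sort
}

# max_restarts_per_hour: the busiest hour's count; several restarts per hour
# on an idle network is the DHCP-registration symptom described in the thread.
max_restarts_per_hour() {
    restarts_per_hour | awk 'BEGIN { m = 0 } { if ($4 > m) m = $4 } END { print m }'
}

# Usage with the constructed sample; on a real box feed it the exported
# DNS Resolver log (Status > System Logs > System > DNS Resolver) instead.
printf '%s\n' "$SAMPLE_LOG" | restarts_per_hour
```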
-
Unfortunately current integration between pfsense and Unbound DNS is just full of issues. Fix is on the way scheduled for CE-Next release. When that would happen we don't know.
If you absolutely need Unbound DNS as recursive and caching resolver, I would strongly recommend you run your own Unbound in a docker container on external hardware like a NAS drive or PC. That will give you 100% performance and reliability. If you also need to manage tracking and bad domains you don't need pfblockerng to do that. Use out-of-the-box Unbound RPZ (Response Policy Zone) files. Works great and super fast. Highly recommend.
-
Docker ?
My pfSense (unbound) is resolving all the host names of all LAN based devices just fine.
That is, the ones I want to know by (host) name.
All my LAN devices work with DHCP. I've created (once, when I add a new device) a DHCP static MAC lease outside of the DHCPv4 pool and outside of the DHCPv6 pool.
Seems less work to me than firing up and maintaining a docker ^^
And everything is nicely centralized in pfSense, with the names of the devices I chose and not the host name proposed by the device over DHCP, like DELL-AGFDTTRZER.
One issue down. I don't have other issues with unbound.
-
@Gertjan I don't know your setup but given the bug - https://redmine.pfsense.org/issues/5413 - and many, many posts around Unbound DNS on pfsense, it is fair to say that it is not stable. Issues with restarting cache, unnecessary server restarts every time there is a client renewing IP with DHCP server and more. It has been years since the issue first was diagnosed and only recently has the pfsense team had resources to fix it. We all hope that this will happen soon.
For me it is not an issue since I have decided from day one that from the architecture point it makes more sense for me to run Unbound on a separate box - on an enterprise LAN that is what you would want to do. If needed I compile Unbound from source myself when new fixes or a new version is posted. Many people don't want to do that and that's fine. I like that separation on my network.