Netgate Discussion Forum

DNS Resolver (unbound) fails after reboot unless manually restarted

Category: DHCP and DNS
Tags: pfsense 2.5, unbound, openvpn client
23 Posts, 7 Posters, 8.0k Views
    bingo600 @josh.hall
    last edited by Aug 30, 2021, 6:37 PM

    @josh-hall
    Well, you could "just" kill unbound, and let SW start it again.

    If you find my answer useful - Please give the post a 👍 - "thumbs up"

    pfSense+ 23.05.1 (ZFS)

    QOTOM-Q355G4 Quad Lan.
    CPU  : Core i5 5250U, Ram : 8GB Kingston DDR3LV 1600
    LAN  : 4 x Intel 211, Disk  : 240G SAMSUNG MZ7L3240HCHQ SSD

      josh.hall @bingo600
      last edited by Aug 30, 2021, 7:07 PM

      @bingo600 That's a very good (and obvious) point I completely overlooked. I'll try that next time. Thanks!

        Gertjan @josh.hall
        last edited by Aug 31, 2021, 9:43 AM

        @josh-hall said in DNS Resolver (unbound) fails after reboot unless manually restarted:

        Doesn't this approach lead to DNS leaks as unbound is no longer constrained to specific network interfaces for outbound communication? Kinda defeats the point if I don't want my ISP selling my behavioral data.

        Binding unbound to "All" interfaces doesn't mean it starts to look for the "main root server" on one of your LANs. pfSense knows that "198.41.0.4" or "a.root-servers.net" isn't reachable on LAN, as LAN exposes a route to "192.168.1.0/24".

        True, if you have a working WAN at first - and afterwards a VPN connection comes up - as pfSense is using its VPN client to replace the WAN for all (or a part of) the traffic, then you should take care of that situation.

        In one of the Netgate "OpenVPN" videos you'll find a firewall rule that starts routing traffic over a "VPN" out as soon as that interface exists.
        As an interface (VPN) is created, unbound gets restarted. The (floating ?) firewall rule gets active, and now all DNS goes over VPN instead of the default WAN.

        pfSense is not using your ISP DNS servers.
        Way back, in the past, our ISP routers were forwarding DNS requests to the ISP DNS. Just to gain some time, and later on they invented "commercial reasons" to do so.
        That's all finished now.
        pfSense (unbound) uses these https://en.wikipedia.org/wiki/Root_name_server to resolve domain names.

        No "help me" PM's please. Use the forum, the community will thank you.
        Edit : and where are the logs ??

          MoonKnight @Gertjan
          last edited by Aug 31, 2021, 1:08 PM

          @gertjan
          Hi, it seems to work when I changed the "Network Interface" to ALL.
          Not like you suggested :)

          [image: d329be04-df93-4d8e-9ca2-886db5006791-image.png]

          I have now rebooted my pfs 5 times and every time the DNS Resolver worked like it should for me.

          --- 24.11 ---
          Intel(R) Xeon(R) CPU D-1518 @ 2.20GHz
          Kingston DDR4 2666MHz 16GB ECC
          2 x HyperX Fury SSD 120GB (ZFS-mirror)
          2 x Intel i210 (ports)
          4 x Intel i350 (ports)

            Gertjan @MoonKnight
            last edited by Aug 31, 2021, 1:18 PM

            @ciscox

            [image: 57a5b202-0266-409a-b1a0-ba6251121f67-image.png]

            I wasn't suggesting anything about "Network interfaces", as you didn't show that setting (see your image above).

            "WAN" as a selected outgoing interface should work.
            "All" is best, and for that reason the default setting.


              MoonKnight @Gertjan
              last edited by MoonKnight Aug 31, 2021, 1:52 PM Aug 31, 2021, 1:45 PM

              @gertjan
              Yeah, I know, my bad :( But I had "WAN" selected in the Network Interface; after changing that one, I didn't have any problems with DNS Resolver. I have no idea why. But it worked.
              I tried "All" in the "outgoing network interface" but it didn't seem to work, so that's why I tried "All" in Network Interface instead :)
              I'd like to thank you for pointing me in the right direction :)

                josh.hall @josh.hall
                last edited by Sep 20, 2021, 3:52 PM

                Finally found the time to dig into this again, and have a workaround to the original problem.

                The cron package doesn't actually use crontab (I assume it's a PHP-based cron-like implementation). This means the @reboot syntax wasn't working as I expected. I thought I'd tested that successfully, but either something changed between 2.4 -> 2.5, or I'm an idiot and it never worked. I'm betting on the latter in this case.

                To get around this, I had to log in via console to manually install a cron job. This just calls a simple script that waits 30 seconds for everything to finalize after reboot, then restarts unbound (ensuring the devices are initialized when unbound restarts).

                I created the script at /usr/home/unbound_restart.sh. You also need to make sure the script has executable permissions (via console, chmod +x /usr/home/unbound_restart.sh)

                Here's the script. You can remove the poor-man's logging if you want. I was using it to diagnose some of the above issues, and figured it's worth keeping around to double check after an upgrade (just to make sure the crontab isn't cleared or something).

                #!/bin/sh

                # IMPORTANT: This must be manually installed into the root crontab via terminal.
                # The GUI interface appears to use a PHP-based version of cron, which can't
                # support @reboot. Add this line to the root crontab using `crontab -e`:
                #
                # @reboot /usr/home/unbound_restart.sh

                echo "$(date +%T) Sleeping for 30 seconds" >> /usr/home/restart.log
                sleep 30

                echo "$(date +%T) Restarting unbound" >> /usr/home/restart.log
                /usr/local/sbin/pfSsh.php playback svc restart unbound

                # This also works if you're using the service monitor. It'll just be slower,
                # as the monitor may not notice the service is down for a minute.
                #/usr/bin/killall -9 unbound

                Bit of a hack, but gets the job done. Given how long this issue has persisted in pfSense, I don't expect a proper solution anytime soon.

                  Gertjan @josh.hall
                  last edited by Sep 21, 2021, 8:11 AM

                  @josh-hall said in DNS Resolver (unbound) fails after reboot unless manually restarted:

                  The cron package doesn't actually use crontab

                  Look again ;)

                  The cron package maintains (== creates) the system file /etc/crontab.

                  PHP is used to create the "config file" (pfSense, the GUI, is mostly a huge FreeBSD + FreeBSD processes config file editor ;) )

                  Btw: what about this option:
                  Do not use cron, but install the package

                  [image: f31ee9d5-12b6-42f4-ade4-387d50fba0dc-image.png]
                  Btw: why create something in /home/?
                  You log in using SSH (or console if you have to) using admin, which has root rights. So, put everything you make yourself over there.
                  Like

                  /root/unbound_restart.sh

                  and

                  chmod +x /root/unbound_restart.sh

                  What about this solution:
                  Install this package.

                  [image: 8906ed95-2236-41e6-a738-e846638a3f10-image.png]

                  Now you have a new option in the Services menu.
                  Choose type "Shellcmd" and point it to your /root/unbound_restart.sh script file.

                  @boot, this will get executed.

                  I'm using the Shellcmd package myself:

                  [image: 36dddc7d-cbe9-4c3a-9338-a236221b5105-image.png]

                  As you can see, the Patches package is already adding a line for itself.
                  This way, patches get checked when the system boots.

                  I create a "socket" for FreeRadius so I can read FreeRadius statistics. The socket is placed in the package folder, so it will get wiped on any FreeRadius package update.

                  I map the connected keyboard to the correct language - for some reason there are only French keyboards here around me.


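The thread's workaround, taken one step further as an added example (not code from any poster in this thread, nor from pfSense itself): instead of the fixed 30-second sleep in the script posted above, poll the VPN client interface until ifconfig(8) reports an IPv4 address on it, and only then restart unbound, with a timeout so a VPN that never comes up does not leave the resolver down for good. It follows the suggestions in this reply of keeping the script under /root and launching it at boot with Shellcmd (or an @reboot crontab line). The interface name ovpnc1, the /root/unbound_restart.log path and the 120-second timeout are assumptions to adjust for your own box; the ifconfig output embedded at the end is constructed so the address check can be exercised offline.

```sh
#!/bin/sh
# Added example (not from the thread): restart unbound once its outgoing VPN
# interface actually has an address, instead of sleeping a fixed 30 seconds.
# Assumptions (adjust for your box): the VPN client interface is "ovpnc1", the
# script lives at /root/unbound_restart.sh and is started at boot via Shellcmd
# or an @reboot crontab line, as discussed in the thread.

IFACE="${IFACE:-ovpnc1}"
TIMEOUT="${TIMEOUT:-120}"     # give up after this many seconds
INTERVAL="${INTERVAL:-5}"     # poll interval in seconds
LOG="${LOG:-/root/unbound_restart.log}"

log() { printf '%s %s\n' "$(date +%T)" "$*" >> "$LOG"; }

# has_inet_addr: success if the given ifconfig(8) output contains an IPv4
# address line ("inet a.b.c.d"). Pure text check, so it can be run offline
# against captured output; "inet6" lines deliberately do not match.
has_inet_addr() {
    printf '%s\n' "$1" | grep -q '^[[:space:]]*inet '
}

# iface_ready: success if the live interface exists and has an IPv4 address.
iface_ready() {
    out=$(ifconfig "$1" 2>/dev/null) || return 1
    has_inet_addr "$out"
}

# wait_for_up: poll a command until it succeeds; fail after <timeout> seconds.
# Usage: wait_for_up <timeout> <interval> <command> [args...]
wait_for_up() {
    _to=$1; _iv=$2; shift 2
    _el=0
    while [ "$_el" -lt "$_to" ]; do
        if "$@"; then return 0; fi
        sleep "$_iv"
        _el=$((_el + _iv))
    done
    return 1
}

main() {
    if wait_for_up "$TIMEOUT" "$INTERVAL" iface_ready "$IFACE"; then
        log "$IFACE is up, restarting unbound"
    else
        # Fall back to the thread's original behaviour: restart regardless.
        log "$IFACE not up after ${TIMEOUT}s, restarting unbound anyway"
    fi
    /usr/local/sbin/pfSsh.php playback svc restart unbound >> "$LOG" 2>&1
}

# Constructed sample ifconfig output (not captured from a real box) for an
# offline check of has_inet_addr: one addressed tunnel, one without an address.
SAMPLE_UP='ovpnc1: flags=8051<UP,POINTOPOINT,RUNNING,MULTICAST> metric 0 mtu 1500
        inet6 fe80::1%ovpnc1 prefixlen 64 scopeid 0xa
        inet 10.8.0.6 --> 10.8.0.5 netmask 0xffffffff
        groups: tun openvpn'
SAMPLE_DOWN='ovpnc1: flags=8010<POINTOPOINT,MULTICAST> metric 0 mtu 1500
        groups: tun openvpn'

# Only run the boot logic when invoked under the expected file name, so the
# functions above can be sourced or tested without restarting anything.
case "$0" in
    */unbound_restart.sh|unbound_restart.sh) main "$@" ;;
esac
```

Save it as /root/unbound_restart.sh, make it executable with chmod +x, and add a Shellcmd entry pointing at it. To watch a different interface or change the timeout, set the variables in the Shellcmd command line, for example IFACE=ovpnc2 TIMEOUT=60 /root/unbound_restart.sh. Keeping the unconditional restart after the timeout preserves the original script's behaviour as the fallback.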
                    robotox
                    last edited by Jan 17, 2023, 10:41 PM

                    Added my plea in https://redmine.pfsense.org/issues/13707.

                      robotox
                      last edited by Sep 5, 2023, 7:48 AM

                      Hi,
                      I now have an SG-2100 with 23.05.1 for the same setup and still the same problem.
                      Unbound fails to start as I have OpenVPNs as Outgoing Network Interfaces.
                      Still trying to get attention at https://redmine.pfsense.org/issues/13707.

                        robotox
                        last edited by Sep 10, 2023, 5:32 PM

                        Now testing the SG-2100 with 23.05.1 for the similar setup but with multiple Wireguards instead of multiple OpenVPNs.
                        Unbound starts correctly.
                        I am guessing that Wireguard is faster than OpenVPN starting at boot.
                        Thanks again.

                        Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.