DNS Resolver not resolving part 1234
-
What repos are you using on your pfSense device?
-
What? - the official Netgate ones -- you should never go to any other repo for updates or packages.
Maybe I'm not understanding your question?
-
@jrey
I asked that because of the Unbound 1.8.0.1 version you wrote about in the other article.
I only got the 1.18.0 version, so I was wondering if that had something to do with the repos. -
@henkbart said in DNS Resolver not resolving part 1234:
I only got the 1.18.0 version, so I was wondering if that had something to do with the repos.
Ah
The unbound 1.18.0_1 was slipstreamed into the release package after it was first released (so was curl), as discussed in the thread referenced.
However, as noted, even on the system that was updated after that original release (and therefore would have received the updated versions), unbound still reports itself as 1.18.0 both in the logs and when you do "unbound -V". The system's update log in that case says 1.18.0_1 was installed.
On that system the file's time stamp does reflect that it was from the 9th build, suggesting it should be 1.18.0_1; it just doesn't report that.
-
@henkbart there was a new version of unbound that you could get via pkg update and then upgrade. That was pushed in the latest 23.09.1, but it doesn't really show that if you just do a version check on unbound.
[23.09.1-RELEASE][admin@sg4860.local.lan]/root: pkg info | grep unbound
unbound-1.18.0_1 Validating, recursive, and caching DNS resolver
[23.09.1-RELEASE][admin@sg4860.local.lan]/root:

[23.09.1-RELEASE][admin@sg4860.local.lan]/root: unbound -V
Version 1.18.0
Configure line: --with-libexpat=/usr/local --with-ssl=/usr --enable-dnscrypt --disable-dnstap --with-libnghttp2 --with-dynlibmodule --enable-ecdsa --disable-event-api --enable-gost --with-libevent --with-pythonmodule=yes --with-pyunbound=yes ac_cv_path_SWIG=/usr/local/bin/swig LDFLAGS=-L/usr/local/lib --disable-subnet --disable-tfo-client --disable-tfo-server --with-pthreads --prefix=/usr/local --localstatedir=/var --mandir=/usr/local/man --infodir=/usr/local/share/info/ --build=amd64-portbld-freebsd14.0
Linked libs: libevent 2.1.12-stable (it uses kqueue), OpenSSL 3.0.12 24 Oct 2023
Linked modules: dns64 python dynlib respip validator iterator
DNSCrypt feature available
BSD licensed, see LICENSE in source package for details.
Report bugs to unbound-bugs@nlnetlabs.nl or https://github.com/NLnetLabs/unbound/issues
[23.09.1-RELEASE][admin@sg4860.local.lan]/root:
I don't recall ever having any issue where unbound just wouldn't resolve but was still running, and sure haven't seen one as of late. A good test might be to try and resolve something just local, say your pfSense FQDN, via your fav local tool: nslookup, dig, host, doggo, etc. Does that work, just not external? It's best to use a command line tool because then you can see the actual response from unbound, be it NX or SERVFAIL, REFUSED, etc.
-
-
-
@jrey said in DNS Resolver not resolving part 1234:
I've never had an issue with DNS resolver stopping or "Freezing"
and
@johnpoz said in DNS Resolver not resolving part 1234:
I don't recall ever having any issue where unbound just wouldn't resolve, but was still running
yup this ^
-
@henkbart said in DNS Resolver not resolving part 1234:
45451 - Is 0:00.00 /usr/local/sbin/dhcpleases -l /var/dhcpd/var/db/dhcpd.leases -d private.lan -p /var/run/unbound.pid -u /var/unbound/dhcpleases_entries.conf -h /etc/hosts
This is the one I was talking about when I mentioned the Resolver "DHCP Client Registration" check box, the option you don't have (under Services > DNS Resolver > General Settings) as you are running Kea ..... as in that case the option doesn't show up.
Is this correct, are you using Kea ?
Or dhcpd? If you are using Kea, you should see this:
If you are using Kea, this process "/usr/local/sbin/dhcpleases" can not - should not - exist.
As this is the one that shoots unbound in the face every time ..... see above.
edit:
You have this:
== Kea DHCP checked?
-
Lucky you.
But there are a lot of people having trouble with it, including me.
That makes it difficult to pinpoint the location of the problem.... -
@Gertjan
Yes, I have Kea DHCP enabled. -
Can you reconfirm that this one:
= dhcpleases process - maybe it has another PID now - is still running?
-
-
@henkbart said in DNS Resolver not resolving part 1234:
Lucky you,
But I think the point being made by both myself and @johnpoz is that it is not likely an unbound issue as such.
Many people do indeed report problems, and when doing so they assume it to be unbound because that is what they see. But that is generally not the root cause.
They see the effect, not the cause. unbound generally just works. Right out of the box.
That's all we are saying.
@Gertjan is giving you some good advice on things to look for. including the current path you are on: re: DHCP.
edit: however, if DHCP is causing the issue, you'd likely see a stream of unbound restarts, and you say they are not there in the log. -
The problem is that every now and then (and that could be weeks) I lose the ability to connect to the internet.
I have my own PBX here that uses VoIP and SIP trunks.
Sometimes they cannot register with the host.
And from that time, no one else can connect to any internet address either.
Modem is UP,
WAN is UP,
LAN is UP.
Then all DHCP must fail, because they are on different IP addresses.
But also no entries in the log files to give any clue. So where else to look....
-
@henkbart said in DNS Resolver not resolving part 1234:
The problem is that every now and then (and that could be weeks) I lose the ability to connect to the internet.
Sounds interesting. So when you "lose the ability to connect to the internet", unbound would not be able to resolve upstream, but would still be running. If it can't talk upstream, how would it resolve?
So the question you might start looking into is: why have you lost the ability to connect to the internet?
Do you have a timestamp from the last time this happened?
Check the logs (not unbound logs specifically) for events that might tell you why you lost the internet.
If you can't find anything in current logs regarding the last time it happened,
then the next time it does.... do this...
@johnpoz said in DNS Resolver not resolving part 1234:
A good test might be to try and resolve something just local, say your pfSense FQDN, via your fav local tool: nslookup, dig, host, doggo, etc. Does that work, just not external? It's best to use a command line tool because then you can see the actual response from unbound, be it NX or SERVFAIL, REFUSED, etc.
-
@henkbart said in DNS Resolver not resolving part 1234:
45451 root 1 52 0 12M 2252K kqread 1 0:00 0.00% dhcpleases
Ok.
Doesn't make any sense. I propose:
Switch back to 'dhcp' mode.
Save.
Goto the Resolver settings.
Now, the DHCP Client registration (and "Static DHCP Client Registration") should be visible.
Note that your "DHCP Client registration" is checked - is this the case ?
Uncheck it.
Save, and then Apply. Go back to System > Advanced > Networking and select Kea again.
The "dhcpleases" process is gone now. Correct ?
Btw :
As far as I can see on my pfSense, while using Kea, the /var/dhcpd/var/db/dhcpd.leases file isn't used. That file is "watched" by the dhcpleases process, and if it changes, unbound is sent a signal to restart.
So, harmless, I guess.
But still, strange, as it shouldn't even be started in the first place. -
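The two checks from this thread, johnpoz's "resolve something local, then something external, and read the actual response" and Gertjan's "is dhcpleases still in the process list", put together as one POSIX shell script. This is an added example, not code from the thread, from pfSense or from Netgate. It assumes dig is installed on the machine you run it from (a LAN client or the pfSense shell), that unbound is listening on 127.0.0.1 on that machine, and the two host names are placeholders to replace with your own.

```shell
#!/bin/sh
# Added example: quick triage for "resolver not resolving" (not from the thread).
# Assumptions: dig is installed; unbound answers on RESOLVER; the names are placeholders.

PFSENSE_FQDN="${PFSENSE_FQDN:-pfsense.private.lan}"   # placeholder: your pfSense FQDN
EXTERNAL_NAME="${EXTERNAL_NAME:-www.netgate.com}"     # any public name will do
RESOLVER="${RESOLVER:-127.0.0.1}"                     # ask unbound directly, not a forwarder

# Pull the RCODE (NOERROR, NXDOMAIN, SERVFAIL, REFUSED, ...) out of dig output.
# Reads the dig text on stdin so it can also be run over a captured sample.
dig_status() {
    sed -n 's/.*status: \([A-Z]*\),.*/\1/p' | head -n 1
}

# Translate the RCODE into what it says about unbound, not just "DNS is broken".
explain_status() {
    case "$1" in
        NOERROR)  echo "resolved: unbound answered" ;;
        NXDOMAIN) echo "unbound is working, the name does not exist" ;;
        SERVFAIL) echo "unbound is running but could not get an answer (upstream/validation problem)" ;;
        REFUSED)  echo "unbound refused the query (ACL / interface binding)" ;;
        "")       echo "no answer at all: unbound not listening or unreachable" ;;
        *)        echo "unexpected status $1" ;;
    esac
}

# Given 'ps' output on stdin, say whether the dhcpleases watcher is there.
# With Kea enabled the thread says it should not be present at all.
# The [d] trick keeps the grep's own command line from matching.
dhcpleases_in_ps() {
    if grep -q '[d]hcpleases'; then
        echo "present"
    else
        echo "absent"
    fi
}

# Live run: one local name, one external name, then the process check.
run_triage() {
    if ! command -v dig >/dev/null 2>&1; then
        echo "dig not installed; skipping live queries" >&2
        return 0
    fi
    for name in "$PFSENSE_FQDN" "$EXTERNAL_NAME"; do
        status=$(dig +time=2 +tries=1 "@$RESOLVER" "$name" A 2>/dev/null | dig_status)
        printf '%-30s %-9s %s\n' "$name" "${status:-NONE}" "$(explain_status "$status")"
    done
    printf 'dhcpleases process: %s\n' "$(ps ax | dhcpleases_in_ps)"
}

run_triage
```

Run it as `PFSENSE_FQDN=yourbox.yourdomain sh dns-triage.sh`. NOERROR for the local name with SERVFAIL for the external one says unbound is alive and the trouble is upstream, which fits the "internet is gone but everything shows UP" symptom in this thread; no status at all for either name means unbound itself is not answering. "present" on the dhcpleases line while Kea is selected is exactly the condition Gertjan describes.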
@henkbart said in DNS Resolver not resolving part 1234:
The problem is, that every now and then (and that could be weeks) i loses the ability to connect to the internet.
You can check your uplink quality.
It should be constant, flat and as small as possible.
If it starts to go up and down, or worse: you are saturating your connection, and if the 'pipe', up or down, is too full, dpinger starts to miss ping packets, it can go into panic mode, and 'restart' your WAN interface.
No need to explain that if the pipe (uplink) is bad or full, or not working well, the resolver can't do its work either. Right?
..... - call your ISP and say : good bye, I'll leave you for a better one.
-
@Gertjan
Hello,
I did what you wrote.
Enabled DHCP.
Got:
So disabled the DHCP Client Registration.
Saved it.
And then switched to Kea. And the dhcpleases is gone now.
-
@Gertjan said in DNS Resolver not resolving part 1234:
dpinger starts to miss ping packets,
If that's the problem, OP might be able to mitigate some of that by changing the ping times / loss interval etc., or by selecting a different monitor IP (if that is even set up).
Most users wouldn't notice the difference between the default 500ms setting and even 2-3-4 or 5 seconds.
If applicable, OP could look at https://docs.netgate.com/pfsense/en/latest/routing/gateway-configure.html
for the Probe Interval, Loss Interval, Time Period, and Alert Interval, to see how the adjustments could be made and the rules to follow.