after updating host override - resolver takes over 2 minutes to come back online.

mooncaptain

running resolver. not using forwarding.
custom option: server:include: /var/unbound/pfb_dnsbl.*conf
dnssec is checked all other options unchecked
never visited the other tabs.

1. added a new host override
2. clicked save
3. apply changes
4. start stopwatch
5. changes applied after 39 seconds
6. pinged amazon.com
7. started stopwatch and kept pinging after each error message
   Windows error message:
   "Ping request could not find host amazon.com. Please check the name and try again."
8. after 110 seconds the ping started to work
9. also my new entry started to work.

I started looking into this when it was taking a new entry a long time to start working but it turns out that the resolver isn't working for any requests local or internet.

I am on a fiber optic line 90mbits up and down more or less.

pfsense is running on :

Intel(R) Celeron(R) CPU J3060 @ 1.60GHz
2 CPUs: 1 package(s) x 2 core(s) 

Is this normal amount of time to come back online?

Gertjan

@mooncaptain said in after updating host override - resolver takes over 2 minutes to come back online.:

Is this normal amount of time to come back online?

The same test, with more details :
Open the console, or even better SSH, use option 8, and enter :

tail -f / var/log/resolver.log

When you do this :

@mooncaptain said in after updating host override - resolver takes over 2 minutes to come back online.:

added a new host override
clicked save
apply changes

what actually happens is : a new unbound config file is created.
Then unbound is told to stop ..... and then start.

@mooncaptain said in after updating host override - resolver takes over 2 minutes to come back online.:

Intel(R) Celeron(R) CPU J3060 @ 1.60GHz
2 CPUs: 1 package(s) x 2 core(s)

I've the same (I guess) :

Intel(R) Atom(TM) CPU C3338R @ 1.80GHz

I restart my unbound :

<29>1 2024-02-23T18:13:49.591137+01:00 pfSense.bhf.tld unbound 23860 - - [23860:0] notice: init module 0: python
......
<30>1 2024-02-23T18:13:50.589616+01:00 pfSense.bhf.tld unbound 23860 - - [23860:0] info: generate keytag query _ta-4f66. NULL IN

That took 1 second.

No need for the stopwatch anymore.
Wait until you see the line that contains "generate keytag query _ta-4f66. NULL IN" and you'll know unbound finished restarting.

I have to add a very important detail : I use also pfBlockerng, with some small (!) 'DNBDBL' feeds.
You have this custom line : /var/unbound/pfb_dnsbl.*conf in the unbound config.
Why ?
Do you have a file in the /var/unbound/ that starts with pfb_dnsbl and ends with *conf ?
Do you have pfBlockerng ?

mooncaptain

@Gertjan Do you have a file in the /var/unbound/ that starts with pfb_dnsbl and ends with *conf ?
Do you have pfBlockerng ?

yes and yes

There are 7 pfb_* files.

I really loaded up pfb when I installed it.

So this is where all the time is spent reloading these guys.

OK - thanks for the insight.

line where I clicked apply:

Feb 23 14:16:18 unbound[25103]: [25103:0] info: service stopped (unbound 1.18.0).

line where ping started to work

Feb 23 14:19:11 unbound[38256]: [38256:0] info: generate keytag query _ta-4f66. NULL IN

Almost 3 minutes.

pfblockerng with lots of stuff to process makes this happen.

I'll see if I can trim this down.

Thanks again.

SteveITS

@mooncaptain said in after updating host override - resolver takes over 2 minutes to come back online.:

I really loaded up pfb when I installed it.

How big are the files?

I’d guess you’re more CPU limited than disk limited. Run top while restarting unbound.