PFblockerng-devel 3.2.0_8 on Pfsense 2.7.2-RELEASE fails to resolve dns after restarts
-
Recently updated to 2.7.2-RELEASE, which also had me update my DHCP server module. I enabled DNS resolver per usual and pfblockerng-devel and set both to unbound python mode.
It works most of the time, but I've just recently had an extended power outage.
I can see resolver running and pfblockerng-devel enabled. Some DNS names will resolve and others won't. If I disable pfblocker-ng, DNS seems to work for all hosts. I don't see anything that stands out in the error logs, but I thought I'd check to see if people had thoughts.
When DNS isn't resolving all names, I've noticed I can go to the Diagnostics table and ask the server to do a DNS lookup, and it will get the IP from the external interface on the ISP side, but it will say 127.0.0.1 failed to respond on the same page, until I restart the resolver, and then it works for a minute or two and then stops working with no indication in the log.
-
You mean :
you didn't get an answer within a certain amount of time (me : 22 and 3 msec) ?
My example, of course, doesn't have an answer. But unbound figured out that locally, and on the Internet, there is no host with the name 'hello'.
We could consider this request even illegal or a "syntax error". But it's not the answer that counts, but the handling (time).
As we can't see what you didn't show, and we don't know what you didn't tell us, no one can draw any conclusion here, except the 'something is wrong'.
Take a look at the many (no, way more) forum threads in the DHCP and DNS section, so you can check if unbound is actually running, as it is maybe time to "not take for granted what the GUI shows you".
You have console and or better : SSH access ?
-
So it's hard to troubleshoot without causing downtime that wouldn't impact critical stuff. But here's a visual aid/example of what I was saying:
For some reason, DNS resolver and PFBlockerNG stop responding at some point and don't have any info in the logs. Sometimes a manual DNS resolver restart fixes it. Sometimes I can just disable PFBlockerNG, sometimes I have to restart. It's usually chaos when I do.
-
That's bad.
On a 'default' pfSense, unbound is started and listens on 'all' ( !! ) interfaces and 'never' stops doing so.
With default I mean : no pfSense packages installed, no admin ripping out ethernet cables, no ISP tripping the WAN. If unbound still stops, then consider ditching your hardware.
I've never seen unbound dying on me, and believe me, I tried for the last 10++ years or so.
It's easy to test this default mode : go console, and reset pfSense. Set up minimal working LAN+WAN and then you're done. Don't add or modify ANY DNS settings. ( no data collectors like 1.1.1.1 - nothing - unbound is a resolver and works just fine with zero setup )
-
I agree it is bad as well. I had to reinstall again and restore my config. I'm going to run it on UFS this time instead of ZFS and see if that has any impact on it.