Unbound with DHCP Registration Very Slow
-
So I moved my internal DNS and DHCP services to my pfSense box and I'm noticing that with the "Register DHCP" options selected, Unbound pretty much becomes useless. I'm not seeing evidence of restarts in the logs, but I will confess I am not an expert in the Unbound logs. What I do see is lots of NS query timeouts and having to retry the lookups several times. I use dig to see the timeouts and the multiple retries it takes to make this work.
Is this a known bug with unbound on pfSense? Do I need to move back off of pfSense for my internal DNS and DHCP, or is there a good workaround? I would like to have DHCP leases registered in DNS, and I can manually create static entries if need be in the DNS host overrides section.
DNS servers in General Settings, independently tested, with good response times from clients querying directly:
9.9.9.9
208.67.220.220
208.64.222.222
1.0.0.1
1.1.1.1
Additionally, I am using pfBlockerNG-devel and so have the Python modules in Unbound enabled. I've determined pfBlockerNG is not the issue because when I simply uncheck the "Register DNS" settings, Unbound responds very fast and as expected, even with pfBlockerNG enabled.
Specs:
pfSense: CE 2.7.2
Hardware Platform: Dell PowerEdge R330
CPU: Intel Xeon CPU E3-1280 v5 @ 3.70GHz (4-Core + HT) - Avg Utilization 20%
RAM: 64GB DDR4 PC2133 - Avg Utilization 21%
HD: Dual Intel SSDSC2BB16 150GB SSD with PLP in Z-Mirror
Storage Adapter: Dell PERC H330 Adapter in HBA Mode
-
@jlw52761 said in Unbound with DHCP Registration Very Slow:
I'm noticing that with the "Register DHCP" options selected, Unbound pretty much becomes useless
Exact.
Every incoming lease will 'register' the new DNS, which is done by ... restarting unbound.
This is one of the most discussed topics here on this forum.
The fast solution: uncheck that option, and take an extra couple of minutes to add MAC static leases, as these don't need the unbound restart, as the DNS info will be static.
The good news: 24.08, with the help of Kea and some support logic, will end this ongoing story.
@jlw52761 said in Unbound with DHCP Registration Very Slow:
9.9.9.9
208.67.220.220
208.64.222.222
1.0.0.1
1.1.1.1
Who are these?
Never needed them.
@jlw52761 said in Unbound with DHCP Registration Very Slow:
I am using pfBlockerNG-devel
Making unbound restarts even slower - although Python mode corrected that a lot.
@jlw52761 said in Unbound with DHCP Registration Very Slow:
I simply uncheck the "Register DNS" settings Unbound responds very fast and as expected
You get it by now: with the box checked, unbound spends the better part of its life restarting, not serving DNS ^^
-
Public DNS services that are much more trustworthy than an ISP, have better response times and good DDoS protections:
9.9.9.9 <- Quad9 DNS
208.67.220.220 <- OpenDNS (Cisco Umbrella)
208.64.222.222 <- OpenDNS (Cisco Umbrella)
1.0.0.1 <- Cloudflare
1.1.1.1 <- Cloudflare
Why does unbound restart when a DNS registration is made? Sounds like a huge bug to me that's only occurring on pfSense/OPNsense. Sorry, but this is supposed to be an Enterprise grade product; this type of bug is not acceptable in a feature that's been core to the product for a number of years.
So if I have to do static leases, what the hell's the point of DHCP in the first place? And the only way I see Kea fixing this is if it's not registering DHCP leases in DNS. Overall, pretty sad that a Windows server can perform DNS and DHCP with lease registration better than a solution from pfSense...
Since I have a lot of DHCP clients and would like to use name resolution that is not mDNS, I guess I will have to go back to what's worked for a number of years, Bind9 and ISC-DHCP or Windows. Very sad indeed. I can't imagine using this in my work setting where I have thousands of workstations, and there is no way on God's green earth I am going to statically assign an IP to each of those; it's just not going to happen. Sounds like folks need to get off their butt and fix whatever is wrong with Unbound or get rid of it in favor of something more stable like Bind.
I am very disappointed in this product at this point.
-
@jlw52761 it’s been a long-standing issue. However see the note about that here:
https://www.netgate.com/blog/improvements-to-kea-dhcp
Edit: normally unbound restarting is fast. Usually people run into trouble with frequent restarts (short lease times), large pfBlocker DNSBL lists, etc.
-
@SteveITS said in Unbound with DHCP Registration Very Slow:
https://www.netgate.com/blog/improvements-to-kea-dhcp
Good information I suppose, but it still doesn't answer the core question, and really reinforces it: how can a company that wants to be considered "Enterprise Grade" allow such a buggy piece of software to go unchecked for so long? I'm referring to Unbound in this case, as that seems to be the issue.
You alluded to lease time, and I thought that too once I heard that this is from Unbound restarting whenever a DNS update was sent, but then I remembered the DHCP protocol does more activity than the lease time, and also Windows will send DNS registration requests to the DNS server, which I'm not sure if Unbound responds to or not. I have the default of 7200 for the lease time, but from the moment I enable the lease registration things go south. Also, I still can't find in the logs that Unbound is restarting, so I'm curious about that and how long it's taking to restart on the beast of a machine I have.
Overall, just really disappointed in pfSense on this long-term failure. I assume that I can't put the Bind package on and expect it to work with pfBlocker, because that would be a nice easy button in this case.
-
@jlw52761 DNS Resolver log:
Sep 10 23:33:01 unbound 27313 [27313:0] info: start of service (unbound 1.19.3).
Registration is at lease renewal, so ((lease time / 2) / # devices) on average.
Again it doesn’t affect most people, partly because that option is off by default, and what I said above.
I think they just put time into Kea since that’s the path forward.
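One way to settle the "I can't find it in the logs" question is to count the `start of service` lines quoted above, since every one of them is a fresh Unbound process announcing itself, and to put the renewal estimate into numbers. The script below is an added example for this thread, not code from pfSense or Netgate. The sample log lines are constructed to match the format of the quoted line; the lease time (7200 s) and the restart duration (2.5 s) are the values mentioned in the thread, and the device counts are assumed for illustration.

```python
"""Check a pfSense DNS Resolver (Unbound) log for restarts and relate them to
DHCP lease registration. Added example for this thread, not code from pfSense
or Netgate. The only real log format assumed is the 'start of service' line
quoted in the thread; the sample lines below are constructed to match it."""
import re
from datetime import datetime

# Constructed sample: three Unbound restarts within about a minute, plus one
# unrelated line that must be ignored. Format copies the quoted log line.
SAMPLE_LOG = """\
Sep 10 23:33:01 unbound 27313 [27313:0] info: start of service (unbound 1.19.3).
Sep 10 23:33:03 unbound 27313 [27313:0] info: (constructed) unrelated line
Sep 10 23:33:06 unbound 27402 [27402:0] info: start of service (unbound 1.19.3).
Sep 10 23:34:11 unbound 27511 [27511:0] info: start of service (unbound 1.19.3).
"""

# Syslog-style timestamp (no year) followed by Unbound's 'start of service' marker.
START_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d{2}:\d{2}:\d{2}) unbound \d+ "
    r"\[\d+:\d+\] info: start of service"
)


def parse_restarts(log_text, year=2024):
    """Return the timestamps of every Unbound 'start of service' line.

    Each such line is one restart (a new process announcing itself). The
    syslog timestamp carries no year, so one is supplied for arithmetic.
    """
    restarts = []
    for line in log_text.splitlines():
        m = START_RE.match(line)
        if m:
            ts = datetime.strptime(m.group("ts"), "%b %d %H:%M:%S")
            restarts.append(ts.replace(year=year))
    return restarts


def restart_gaps_seconds(restarts):
    """Seconds between consecutive restarts; short gaps mean Unbound spends
    much of its time reloading instead of answering queries."""
    return [(b - a).total_seconds() for a, b in zip(restarts, restarts[1:])]


def expected_registration_interval(lease_time_s, devices):
    """Average seconds between DHCP registrations, i.e. between Unbound
    restarts while 'Register DHCP leases' is on.

    Uses the thread's estimate: a client renews at half its lease time, so
    across N devices a registration lands every (lease_time / 2) / N seconds.
    """
    if devices <= 0:
        raise ValueError("devices must be positive")
    return (lease_time_s / 2) / devices


def unavailable_fraction(registration_interval_s, restart_seconds):
    """Fraction of time Unbound is restarting rather than resolving, given the
    interval between registrations and how long one restart takes. Capped at
    1.0: once restarts take longer than the gap between them, the resolver
    never catches up."""
    return min(1.0, restart_seconds / registration_interval_s)


if __name__ == "__main__":
    seen = parse_restarts(SAMPLE_LOG)
    print(f"restarts found in log: {len(seen)}")
    print(f"gaps between restarts (s): {restart_gaps_seconds(seen)}")
    # Lease time (7200 s) and restart time (2.5 s with a large DNSBL) are the
    # values from the thread; the device counts are constructed for comparison.
    for devices in (20, 200, 2000):
        gap = expected_registration_interval(7200, devices)
        down = unavailable_fraction(gap, 2.5)
        print(f"{devices:5d} devices: a registration every {gap:7.1f}s, "
              f"resolver unavailable {down:.1%} of the time")
```

To run it against a real box, replace `SAMPLE_LOG` with the contents of the Resolver log (Status > System Logs > DNS Resolver) and look at the gaps: a handful of restarts a day is the normal pattern the thread describes, while gaps measured in seconds mean registrations are arriving faster than Unbound can come back up. The second half shows why the device count matters more than the lease time: at 7200 s and 2000 devices a registration lands every 1.8 s, so a 2.5 s restart never finishes before the next one starts.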
-
@jlw52761 said in Unbound with DHCP Registration Very Slow:
Sorry, but this is supposed to be an Enterprise grade product, this type of bug is not acceptable in a feature that's been core to the product for a number of years.
Interesting.
pfSense is a (nearly native) FreeBSD kernel and uses pf, which is part of the kernel.
Both are open source.
The whole is enveloped with a nice GUI, and on top of that, a lot of network related features are added.
Pretty complicated things became easy to handle at first sight. But it's still an 'Enterprise grade product' needing 'Enterprise grade product' knowledge.
@jlw52761 said in Unbound with DHCP Registration Very Slow:
So if I have to do static leases, what the hell's the point of DHCP in the first place?
You misunderstood static leases : all network clients still use the default dhcp client. The DHCP server is still needed.
Only the admin decides now what IP every device gets.
@home this isn't really needed, but for a company or enterprise this is a must have, as I'm not going to run around on every floor to set a static IP for every new device that comes in.
For info : I'm using pfSense since day one, and actually rarely handle DHCP stuff.
I do have a 'map' in pfSense - nicely centralized in one place - where every device has its IP and host name that I choose, like Android-William, instead of seeing this:
edit: wait ... 'a couple of thousands of workstations' .. you already know all this.
@jlw52761 said in Unbound with DHCP Registration Very Slow:
I am very disappointed in this product at this point.
Just wait a couple of .. what .. weeks, and this situation will be something of the past.
You'll get over it, as the other million or so users did ^^
@jlw52761 said in Unbound with DHCP Registration Very Slow:
Since I have a lot of DHCP clients and would like to use .... ..... more stable like Bind.
bind9 is the full solution and can do more than unbound. It is available as a pfSense package.
pfSense needed a resolver, was using a forwarder (it's still there, just in case), and unbound was chosen.
unbound is stable, though. It's just the "DHCP lease to DNS" integration that was somewhat quirky.
As said, that will be addressed very soon.
Btw: I'm using bind myself for the classic "domain name" services on a Debian server. Using the good old config files method, as interfacing bind with a GUI is just, IMHO, plain impossible.
@jlw52761 said in Unbound with DHCP Registration Very Slow:
I have the default of 7200 for the lease time
Another factor: Wifi devices that go out of range, come back into range, etc.; every time they come back, a DHCP request is fired ...
If you have 'thousands' of devices, then your DHCP server, on all of its interfaces, will see many requests per minute.
The "DHCP Registration" isn't an option for you, that's for sure.
With that number of devices, I would probably use the firewall as the firewall, and use a dedicated DHCP server for my internal needs. And even outsource local DNS as well.
@jlw52761 said in Unbound with DHCP Registration Very Slow:
Also, still can't find in the logs that Unbound is restarting, so curious on that and how long it's taking to restart
Look in the unbound (Resolver) logs ?
2.5 seconds.
I'm using pfBlockerNG with a couple of hundred thousand DNSBL ...
edit :
Posted a couple of hours ago :
https://forum.netgate.com/topic/189752/is-24-08-on-track/28?_=1726035419944
Read the bug report ... it's .. yeah, you have (and get the) point.