pfSense CE 2.8.0: kea2unbound causes high CPU load even when DNS registration is disabled

hostage131077

After updating from pfSense 2.7.2 to 2.8.0 CE, I started noticing high and constant CPU usage. Even when the system was basically idle, the unbound, php, and unbound-control processes were constantly active.

Turns out this is caused by kea2unbound, which is triggered by the new Kea DHCP server on every lease update. The script pushes lease info into Unbound using unbound-control, even if you don’t really need it.

In my case, global DNS registration was disabled under:

Services > DHCP Server > Settings

Both checkboxes for DNS registration and early registration were off, and interfaces were set to "Track Server". Still, the script was being run regularly.

This is on an i5-7200U box, not underpowered, and ran completely idle under 2.7.2. The issue only appeared after upgrading to 2.8.0.

Workaround

To stop it, I just removed the executable bit from the script:

chmod -x /usr/local/bin/kea2unbound
chmod -x /conf/kea4_scripts.d/kea2unbound.sh

To make it survive a reboot, I added this:

/usr/local/etc/rc.d/disable_kea2unbound.sh

With:

#!/bin/sh
chmod -x /usr/local/bin/kea2unbound 2>/dev/null
chmod -x /conf/kea4_scripts.d/kea2unbound.sh 2>/dev/null

And made it executable:

chmod +x /usr/local/etc/rc.d/disable_kea2unbound.sh

Result

CPU dropped back to normal (idle above 90%), and Unbound is quiet again unless it’s actually being queried. DHCP and DNS still work fine — I just don’t get DNS entries for leases anymore, which is fine in my setup.

Suggestion

The DNS registration disable setting in the GUI should really prevent the script from running at all. Or at least there should be a proper toggle somewhere. Right now, it’s not obvious why CPU usage is high, and it’s not easy to find out that this script is the cause.

Happy to help test or contribute if needed.

rpsmith

I have tried it several time in the past and it screwed me every time! I have no plans to try it again unless I have no other choice!

RPSmith...

stephenw10

@rpsmith said in pfSense CE 2.8.0: kea2unbound causes high CPU load even when DNS registration is disabled:

I have tried it several time in the past and it screwed me every time!

You mean Kea in general or Kea with DHCP registration?

rpsmith

@stephenw10 ~ Kea in general. Last time I tried it a month or so ago everything looked normal but when the DHCP lease ran out the all my devices went offline! I've never had a single problem with the original one!

dennypage

@rpsmith said in pfSense CE 2.8.0: kea2unbound causes high CPU load even when DNS registration is disabled:

Last time I tried it a month or so ago everything looked normal but when the DHCP lease ran out the all my devices went offline!

This?

https://redmine.pfsense.org/issues/16022

eldest

@hostage131077 was this ever getting to the point of locking up your system? I'm also running an i5-7200u box and noticed something similar. Unbound (under kea) sometimes taking 90% cpu utilization that eventually ends up with DNS timeouts and the system locks up.

Gertjan

@eldest @rpsmith @hostage131077

None of you use 'light' equipment.
How many dynamic (classic) leases ? Special DHCP lease time like '60 seconds' or more like 7200 sec ? How many lease request and/or renewals are coming in per second ? minute ?
Static MAC leases ?
And, average, how many DHCP devices over all DHCP servers over all the LANs ? dozens ? hundreds ? more ?

I'm using myself a 4100 ( Intel(R) Atom(TM) CPU C3338R @ 1.80GHz ) and bit over 50 LAN devices, most is office equipment and use DHCP with a 'fixed' (static mac lease IP).
Ones in a while "kea2unbound" starts, does it thing (take 1 second of script time) and done.

Btw : be aware of wifi connected devices, these can be connected on the border of what is reachable, so the connect, banish ... re connect etc. This will produce a lot of DHCP requests.
Wifi device most often don't offer server apps, they are there to make use of the connection, a phone normally doesn't offer a web server (service). So : the dns name of this device is less important.
For example : I don't register the host names of the devices, owned by my clients, connected on the hotel's captive portal, as I don't need them (to be known).

eldest

@Gertjan I have a measly 11 leases with a default lease time of 7200 seconds. I think the symptoms I have and described by OP point to a bug or a problem with configuration after the 2.7.2 -> 2.8.0 upgrade.

hostage131077

Hi @Gertjan, thanks for your input.

To answer your questions:
• Approx. 150 leases, of which 78 are static mappings (classic MAC → IP).
• DHCP lease time is default at 7200, not shortened.
• Based on log parsing, I see about 3–5 DHCPACKs per hour, so roughly 80–100 per day.
• One active DHCP server on the LAN.
• About 20 WiFi clients, managed via a UniFi Controller, connected to pfSense.
• Typical clients: mostly Linux systems (servers, VMs, containers), some macOS devices, smartphones etc. No captive portal or guest networks.

Let me know if I can provide any more detail.