Netgate Discussion Forum

DNS Issues After Upgrading to 25.07
Category: DHCP and DNS
24 Posts 7 Posters 5.0k Views
      smsigroupit

      Good day!

      I recently upgraded to version 25.07 and started running into DNS issues. When I set my pfSense IP as the DNS server, I can't seem to access most websites. But if I switch to 8.8.8.8, everything works perfectly.

      Anyone else run into this? Any idea what might be going on?

      Thank you!

        Gertjan @smsigroupit

        @smsigroupit

        When you installed pfSense, the default DNS settings should work fine. No need to add/change anything.
        Just one condition: your connection has to have access to the Internet 'main' root DNS servers (just one of the available 13 would do) and it should be able to contact the TLD servers (they tell you what domain server to contact for a given TLD (== dot com, dot org etc).

        Normally, you don't need a resolver like 8.8.8.8 as pfSense has its own resolver : unbound.

        No "help me" PM's please. Use the forum, the community will thank you.
        Edit : and where are the logs ??

          smsigroupit @Gertjan

          @Gertjan

          Thanks for the explanation!

          Yeah, I was under the impression the default setup should work too. But after upgrading to 25.07, things started acting up when I use pfSense as the DNS: most websites don't load. Swapping to 8.8.8.8 fixes it instantly.

          I haven’t changed any DNS settings manually, so I’m wondering if the upgrade might’ve affected Unbound somehow or if there’s a new config quirk I missed.

          Appreciate the input! Let me know if there's anything specific I should look into with Unbound.

            Gertjan @smsigroupit

            @smsigroupit

            Get back to 'DNS default', and do some testing:

            The easy to read test (console or SSH, menu option 8):

            dig cnn.com +trace +nodnssec

            The normal test (will include DNSSEC requests):

            dig cnn.com +trace

            The GUI test:

            [attached image: f53e1a01-3598-4e7a-ae0c-f1b4b075f2a0-image.png]


              SteveITS @smsigroupit

              @smsigroupit If you have pfSense DNS set to forward, ensure DNSSEC is unchecked.

              Otherwise, is Unbound running? What do the logs show?

              Only install packages for your version, or risk breaking it. Select your branch in System/Update/Update Settings.
              When upgrading, allow 10-15 minutes to reboot, or more depending on packages, CPU, and/or disk speed.
              Upvote 👍 helpful posts!

                smsigroupit @Gertjan

                @Gertjan

                ; <<>> DiG 9.20.6 <<>> cnn.com +trace +nodnssec
                ;; global options: +cmd
                . 85484 IN NS l.root-servers.net.
                . 85484 IN NS m.root-servers.net.
                . 85484 IN NS a.root-servers.net.
                . 85484 IN NS b.root-servers.net.
                . 85484 IN NS c.root-servers.net.
                . 85484 IN NS d.root-servers.net.
                . 85484 IN NS e.root-servers.net.
                . 85484 IN NS f.root-servers.net.
                . 85484 IN NS g.root-servers.net.
                . 85484 IN NS h.root-servers.net.
                . 85484 IN NS i.root-servers.net.
                . 85484 IN NS j.root-servers.net.
                . 85484 IN NS k.root-servers.net.
                ;; Received 239 bytes from 127.0.0.1#53(127.0.0.1) in 1 ms

                ;; UDP setup with 2001:500:2d::d#53(2001:500:2d::d) for cnn.com failed: host unreachable.
                ;; no servers could be reached
                ;; UDP setup with 2001:500:2d::d#53(2001:500:2d::d) for cnn.com failed: host unreachable.
                ;; no servers could be reached
                ;; UDP setup with 2001:500:2d::d#53(2001:500:2d::d) for cnn.com failed: host unreachable.
                com. 172800 IN NS a.gtld-servers.net.
                com. 172800 IN NS b.gtld-servers.net.
                com. 172800 IN NS c.gtld-servers.net.
                com. 172800 IN NS d.gtld-servers.net.
                com. 172800 IN NS e.gtld-servers.net.
                com. 172800 IN NS f.gtld-servers.net.
                com. 172800 IN NS g.gtld-servers.net.
                com. 172800 IN NS h.gtld-servers.net.
                com. 172800 IN NS i.gtld-servers.net.
                com. 172800 IN NS j.gtld-servers.net.
                com. 172800 IN NS k.gtld-servers.net.
                com. 172800 IN NS l.gtld-servers.net.
                com. 172800 IN NS m.gtld-servers.net.
                ;; Received 832 bytes from 192.5.5.241#53(f.root-servers.net) in 7 ms

                cnn.com. 172800 IN NS ns-587.awsdns-09.net.
                cnn.com. 172800 IN NS ns-378.awsdns-47.com.
                cnn.com. 172800 IN NS ns-1652.awsdns-14.co.uk.
                cnn.com. 172800 IN NS ns-1242.awsdns-27.org.
                ;; Received 189 bytes from 192.33.14.30#53(b.gtld-servers.net) in 201 ms

                cnn.com. 60 IN A 151.101.195.5
                cnn.com. 60 IN A 151.101.3.5
                cnn.com. 60 IN A 151.101.67.5
                cnn.com. 60 IN A 151.101.131.5
                cnn.com. 172800 IN NS ns-1242.awsdns-27.org.
                cnn.com. 172800 IN NS ns-1652.awsdns-14.co.uk.
                cnn.com. 172800 IN NS ns-378.awsdns-47.com.
                cnn.com. 172800 IN NS ns-587.awsdns-09.net.
                ;; Received 237 bytes from 205.251.198.116#53(ns-1652.awsdns-14.co.uk) in 64 ms

                ; <<>> DiG 9.20.6 <<>> cnn.com +trace
                ;; global options: +cmd
                . 85421 IN NS f.root-servers.net.
                . 85421 IN NS g.root-servers.net.
                . 85421 IN NS h.root-servers.net.
                . 85421 IN NS i.root-servers.net.
                . 85421 IN NS j.root-servers.net.
                . 85421 IN NS k.root-servers.net.
                . 85421 IN NS l.root-servers.net.
                . 85421 IN NS m.root-servers.net.
                . 85421 IN NS a.root-servers.net.
                . 85421 IN NS b.root-servers.net.
                . 85421 IN NS c.root-servers.net.
                . 85421 IN NS d.root-servers.net.
                . 85421 IN NS e.root-servers.net.
                . 85421 IN RRSIG NS 8 0 518400 20250823170000 20250810160000 46441 . EG7MMAxQxsKwvVN7K1EjgrnErzUrneBhrtyPG68RViCvIEDfZ9sSbStx 6hrXftXXN4v9ZP2MfMyL2ETXnt67MqGr8hoEBS5Goy9I4pKzap6shB2r tesUJh/Ji8eMszZfEI7MWMGaokzlsrafcCI5jCmcpE0dVEcge2tDskgv ChUFzs7e0TQR9YnyYtotoa3CY7iO7RTsPO8fhSRf4qByejUrSsWG7mPa 53QfDBlq2My53tZfk77jXJYAsvwZyuBHAvAoi+IjcBO9LHQNp642r1eJ CPuur9rgnY+T3BZoKWH4pbOTJjktc/Ed61QWn9JNnw7mTZuh9c2zoVZj 2sJuRA==
                ;; Received 525 bytes from 127.0.0.1#53(127.0.0.1) in 1 ms

                ;; UDP setup with 2001:500:2::c#53(2001:500:2::c) for cnn.com failed: host unreachable.
                ;; no servers could be reached
                ;; UDP setup with 2001:500:2::c#53(2001:500:2::c) for cnn.com failed: host unreachable.
                ;; no servers could be reached
                ;; UDP setup with 2001:500:2::c#53(2001:500:2::c) for cnn.com failed: host unreachable.
                ;; UDP setup with 2001:503:ba3e::2:30#53(2001:503:ba3e::2:30) for cnn.com failed: host unreachable.
                com. 172800 IN NS a.gtld-servers.net.
                com. 172800 IN NS b.gtld-servers.net.
                com. 172800 IN NS c.gtld-servers.net.
                com. 172800 IN NS d.gtld-servers.net.
                com. 172800 IN NS e.gtld-servers.net.
                com. 172800 IN NS f.gtld-servers.net.
                com. 172800 IN NS g.gtld-servers.net.
                com. 172800 IN NS h.gtld-servers.net.
                com. 172800 IN NS i.gtld-servers.net.
                com. 172800 IN NS j.gtld-servers.net.
                com. 172800 IN NS k.gtld-servers.net.
                com. 172800 IN NS l.gtld-servers.net.
                com. 172800 IN NS m.gtld-servers.net.
                com. 86400 IN DS 19718 13 2 8ACBB0CD28F41250A80A491389424D341522D946B0DA0C0291F2D3D7 71D7805A
                com. 86400 IN RRSIG DS 8 1 86400 20250823170000 20250810160000 46441 . XgpyS1RVIAmg/rWR0PDlBDHQKbbXaDYaSNQd9vuQB5g9medQb5/NOymr D/EpA7c0KGkP5y6RNcfEiE2RC9y0u4KKkfCrRSra3LZIS68DXS22dgLc CRr0X7O1H9O4g+k5ER9v0WkJ6y30fek7jAKBzZksz68WGqirSRoGKVMS UY/PiCMM9sJwat2+mZrOI46YfYGjHz/t97St1Ej4gQZTrvkJqQ0AWp8X 4q0pFgGpdeRRiNO6v7phKwU07VTz/MNzLbMG6mVOsSdeUmwZpPEFHgLx LCaKMtTzCuj3LiNZfwhJDVD2156HlO8wUHZ/+Vs2afB07D00smJPCuJ2 fVkCdw==
                ;; Received 1167 bytes from 192.203.230.10#53(e.root-servers.net) in 7 ms

                ;; UDP setup with 2001:503:83eb::30#53(2001:503:83eb::30) for cnn.com failed: host unreachable.
                cnn.com. 172800 IN NS ns-587.awsdns-09.net.
                cnn.com. 172800 IN NS ns-378.awsdns-47.com.
                cnn.com. 172800 IN NS ns-1652.awsdns-14.co.uk.
                cnn.com. 172800 IN NS ns-1242.awsdns-27.org.
                CK0POJMG874LJREF7EFN8430QVIT8BSM.com. 900 IN NSEC3 1 1 0 - CK0Q3UDG8CEKKAE7RUKPGCT1DVSSH8LL NS SOA RRSIG DNSKEY NSEC3PARAM
                CK0POJMG874LJREF7EFN8430QVIT8BSM.com. 900 IN RRSIG NSEC3 13 2 900 20250815002515 20250807231515 20545 com. 6n1Mw975eAQUE3zMR5u6LB4NhjV6kmtV7cKxWS6hCh86zHo3e7MdaC2y k1G786DdwL4TXk0PHnLpwiuG63x89Q==
                FVT7IKJ9C0BTF07HNDO4FLBRB7D7NCL2.com. 900 IN NSEC3 1 1 0 - FVT7K43DJ0K7KJ384M71US54D3690VUI NS DS RRSIG
                FVT7IKJ9C0BTF07HNDO4FLBRB7D7NCL2.com. 900 IN RRSIG NSEC3 13 2 900 20250816012853 20250809001853 20545 com. 0afRonASH5vKKxyBxzPqwOS3DMKhEpoCuBnWuKh4qCeSlaa5xA2YZpHz y/wj2VEI7qXN2PQQCLJD64EH1P74eg==
                ;; Received 546 bytes from 192.48.79.30#53(j.gtld-servers.net) in 177 ms

                ;; UDP setup with 2600:9000:5306:7400::1#53(2600:9000:5306:7400::1) for cnn.com failed: host unreachable.
                ;; UDP setup with 2600:9000:5302:4b00::1#53(2600:9000:5302:4b00::1) for cnn.com failed: host unreachable.
                cnn.com. 60 IN A 151.101.195.5
                cnn.com. 60 IN A 151.101.67.5
                cnn.com. 60 IN A 151.101.131.5
                cnn.com. 60 IN A 151.101.3.5
                cnn.com. 172800 IN NS ns-1242.awsdns-27.org.
                cnn.com. 172800 IN NS ns-1652.awsdns-14.co.uk.
                cnn.com. 172800 IN NS ns-378.awsdns-47.com.
                cnn.com. 172800 IN NS ns-587.awsdns-09.net.
                ;; Received 237 bytes from 205.251.198.116#53(ns-1652.awsdns-14.co.uk) in 88 ms

                [attached image: dns lookup.JPG]

                  smsigroupit @SteveITS

                  @SteveITS

                  DNS Resolver

                  [attached image: dns resolver.JPG]

                    xana

                    I just upgraded to 25.07 a couple of hours ago.
                    Unbound (non-forwarding) has been causing me a headache since. Intermittent DNS loss with no errors or cause in the logs. Only a restart of the service, numerous times, is resolving it.

                    I run pfBlockerNG-dev also.

                    Hopefully this isn't an ongoing bug because it's pretty crippling.

                      Gertjan @smsigroupit

                      @smsigroupit

                      So dig, which resolves by itself without using unbound (the resolver), works fine.
                      So: resolving from pfSense would work for you.
                      Just one thing:

                      ;; UDP setup with 2001:503:83eb::30#53(2001:503:83eb::30) for cnn.com failed: host unreachable.

                      dig also tries to use IPv6, and that failed.
                      Is your pfSense IPv6 setup working correctly?

                      Your GUI lookup test: was this using forwarding or resolving?
                      Normally, you don't need all these:
                      [attached image: 368b1865-476b-4576-813e-c0158deeeaa8-image.png]

                      There are 13 main root servers built into unbound, and hundreds of TLDs available.
                      127.0.0.1 (and ::1) will do just fine.

                      If you are forwarding, disable DNSSEC.

                      @xana:
                      Same remarks:
                      Are you (pfSense, unbound) using IPv6?
                      Is unbound running all the time? (I presume I listed above how to test that)
                      Are all your NICs always (like always!) up, or going up and down like a dance party? (thus restarting unbound all the time == DNS loss)
                      Is your Internet connection ok? Unbound just needs to reach one of the 3 root servers, these are never down. If you can reach none of the 13.... consider that a massive problem.
                      Show the dig test
                      Show the nslookup test (while resolving, not forwarding)
                      Etc.

                      Normally ^^ it should be hard to get a stable DNS, and for a simple reason: hundreds of thousands have installed and use pfSense with the default settings, and they didn't change (or add) any DNS addresses and/or settings. Nothing. And it works fine. Why would Netgate want you to 'do something' with DNS? They would mention that in the installation guide. They didn't because it isn't needed.
                      The thing is: people do change DNS settings for 'some reason' and suddenly they have issues 😊

                      Btw: I presume you have an open, non-restricted access to the Internet.


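As an added example (not from the thread, and not Netgate or pfSense code), the checks Gertjan is doing by eye on the dig +trace output above can be scripted: count the transport failures by address family, count how many hops answered, and pull the A records from the final hop, so that an IPv6-only failure with a completed IPv4 chain is reported as exactly that rather than as a broken resolver. The transcript embedded below is a constructed, abbreviated version of the one posted above, and the function names are my own.

```shell
#!/bin/sh
# Added example: scripted reading of a "dig <name> +trace" transcript.
# SAMPLE_TRACE is a constructed, abbreviated transcript in the same shape as the
# ones posted in the thread (IPv6 transports unreachable, IPv4 chain completes).
SAMPLE_TRACE='; <<>> DiG 9.20.6 <<>> cnn.com +trace
. 85421 IN NS f.root-servers.net.
;; Received 525 bytes from 127.0.0.1#53(127.0.0.1) in 1 ms

;; UDP setup with 2001:500:2::c#53(2001:500:2::c) for cnn.com failed: host unreachable.
;; no servers could be reached
;; UDP setup with 2001:503:ba3e::2:30#53(2001:503:ba3e::2:30) for cnn.com failed: host unreachable.
com. 172800 IN NS a.gtld-servers.net.
;; Received 1167 bytes from 192.203.230.10#53(e.root-servers.net) in 7 ms

cnn.com. 172800 IN NS ns-587.awsdns-09.net.
;; Received 546 bytes from 192.48.79.30#53(j.gtld-servers.net) in 177 ms

;; UDP setup with 2600:9000:5306:7400::1#53(2600:9000:5306:7400::1) for cnn.com failed: host unreachable.
cnn.com. 60 IN A 151.101.195.5
cnn.com. 60 IN A 151.101.67.5
;; Received 237 bytes from 205.251.198.116#53(ns-1652.awsdns-14.co.uk) in 88 ms'

# Transport failures split by the address family dig tried: prints "<ipv6> <ipv4>".
trace_transport_failures() {
    printf '%s\n' "$1" | awk '
        /^;; (UDP|TCP) setup with .* failed:/ {
            # $5 is "address#port(address)"; an IPv6 literal has a colon before the "#"
            split($5, a, "#")
            if (index(a[1], ":")) v6++; else v4++
        }
        END { printf "%d %d\n", v6 + 0, v4 + 0 }'
}

# How many hops actually answered (one ";; Received ... from" line per hop).
trace_hops_answered() {
    printf '%s\n' "$1" | grep -c '^;; Received .* bytes from ' || true
}

# A records in the trace (only the final, authoritative hop returns them), space separated.
trace_final_addresses() {
    printf '%s\n' "$1" | awk '
        $3 == "IN" && $4 == "A" { out = out (n++ ? " " : "") $5 }
        END { print out }'
}

# The verdict Gertjan draws by eye: IPv6 failures are harmless if IPv4 got the answer.
trace_verdict() {
    set -- $(trace_transport_failures "$1") "$(trace_final_addresses "$1")"
    if [ -z "$3" ] || [ "$2" -gt 0 ]; then
        echo "resolution incomplete"
    elif [ "$1" -gt 0 ]; then
        echo "resolved over IPv4; IPv6 unreachable ($1 failures)"
    else
        echo "resolved"
    fi
}

# Stand-alone run; on a pfSense shell feed the real output: trace_verdict "$(dig cnn.com +trace)"
trace_verdict "$SAMPLE_TRACE"
```

The IPv4 failure count is the one that matters for the thread's question: a trace that reports "resolution incomplete" with IPv4 failures points at outbound UDP/53 being blocked or filtered somewhere, while IPv6-only failures on a box without IPv6 are just dig trying every address it was given.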
                        smsigroupit @Gertjan

                        Hi @Gertjan

                        Thank you for the response.

                        Are you (pfSense, unbound) using IPv6?

                        • I'm not using IPv6.

                        If you are forwarding, disable DNSSEC.

                        • Is this under the DNS resolver? What do you mean by forwarding (DNS forwarder)?

                        Show the dig test, Show the nslookup test (while resolving, not forwarding)

                        • How do I do the dig test and nslookup test while resolving?

                        I presume you have an open non-restricted access to the Internet.

                        • I'm running pfBlockerNG and Suricata.

                        Before upgrading to pfSense Plus 25.07, everything was working fine on pfSense Plus 24.11.

                        After the upgrade to pfSense Plus 25.07, I began experiencing repeated crash reports. Details are as follows:

                        The only change made was switching DNS-BL mode to Python mode, which resolved the issue.

                        System Information:

                        Architecture: amd64
                        Version: 15.0-CURRENT
                        Build: FreeBSD 15.0-CURRENT #0 plus-RELENG_25_07-n256508-719054fb1f90 (Mon Jul 28 16:47:59 UTC 2025)

                        Crash Report (PHP Errors):
                        [06-Aug-2025 09:33:47 Asia/Manila] PHP Fatal error: Allowed memory size of 536870912 bytes exhausted (tried to allocate 20480 bytes) in /usr/local/bin/kea2unbound on line 528
                        [06-Aug-2025 09:34:23 Asia/Manila] PHP Fatal error: Allowed memory size of 536870912 bytes exhausted (tried to allocate 20480 bytes) in /usr/local/bin/kea2unbound on line 528
                        [06-Aug-2025 09:35:13 Asia/Manila] PHP Fatal error: Allowed memory size of 536870912 bytes exhausted (tried to allocate 20480 bytes) in /usr/local/bin/kea2unbound on line 528
                        [06-Aug-2025 09:35:45 Asia/Manila] PHP Fatal error: Allowed memory size of 536870912 bytes exhausted (tried to allocate 20480 bytes) in /usr/local/bin/kea2unbound on line 528
                        [06-Aug-2025 09:36:18 Asia/Manila] PHP Fatal error: Allowed memory size of 536870912 bytes exhausted (tried to allocate 20480 bytes) in /usr/local/bin/kea2unbound on line 528
                        [06-Aug-2025 09:37:43 Asia/Manila] PHP Fatal error: Allowed memory size of 536870912 bytes exhausted (tried to allocate 20480 bytes) in /usr/local/bin/kea2unbound on line 528

                        Thank you.

                          SteveITS @smsigroupit

                          @smsigroupit said in DNS Issues After Upgrading to 25.07:

                          If you are forwarding, disable DNSSEC.

                          • Is this under the DNS resolver? What do you mean by forwarding (DNS forwarder)?

                          DNS Resolver by default looks up answers by itself. It can be configured to forward requests to other name servers such as Quad9 or Cloudflare. Leaving DNSSEC enabled can cause errors when also forwarding.


                            smsigroupit @SteveITS

                            @SteveITS

                            Forwarding mode is disabled in the current configuration.

                            [attached image: dns resolver 2.JPG]

                              Gertjan @smsigroupit

                              @smsigroupit said in DNS Issues After Upgrading to 25.07:

                              how to do dig test and nslookup test while resolving?

                              As shown above. See my second post.

                              Also run this command on the command line (console or SSH, menu option 8):

                              grep 'info: start' /var/log/resolver.log

                              This shows you how often the resolver (re)starts.

                              A restarting resolver can't resolve ;)
                              That said, a restart typically takes a couple of seconds.

                              @smsigroupit said in DNS Issues After Upgrading to 25.07:

                              The only change made was switching DNS-BL mode to Python mode, which resolved the issue.

                              Yeah, that one pops up all the time now.
                              The new way KEA transmits leases into the DNS (unbound) is by parsing the actual unbound local cache, inserting only new DNS info, and removing old lease info.
                              If the old classic pfBlockerNG DNSBL method is used (= one big file with all the DNSBL info in one go) this cache can become very big. Unbound will also take a lot of time to read and parse this file on every startup. During this startup, DNS doesn't work.
                              That's one of the reasons the python mode was invented: it's better, faster and needs fewer resources.
                              I really thought everybody wanted that, and that everybody who was using pfBlockerNG with DNSBL was using python mode by now. Apparently ... not everybody. Anyway, you solved that now.


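An added example (not from the thread, and not pfSense code) that turns the `grep 'info: start'` check above into numbers: starts per day, the shortest interval between two consecutive starts, and how many starts came within a given number of seconds of the previous one, which is the pattern Gertjan describes as a resolver that is restarting instead of resolving. The log lines are constructed in the format /var/log/resolver.log uses (host name and PIDs invented, the restart timing modelled on the output posted in the thread); the function names are my own. Syslog stamps carry no year, so they are converted with a fixed non-leap day table, which is enough for intervals within one year.

```shell
#!/bin/sh
# Added example: restart statistics from unbound "start of service" log lines.
# SAMPLE_LOG is constructed (host name and PIDs made up) in the syslog format
# pfSense writes to /var/log/resolver.log; the "service stopped" line shows the
# filter ignoring anything that is not a start.
SAMPLE_LOG='Aug 11 00:55:11 fw unbound[29460]: [29460:0] info: start of service (unbound 1.23.0).
Aug 11 06:39:58 fw unbound[10691]: [10691:0] info: start of service (unbound 1.23.0).
Aug 11 06:40:03 fw unbound[10691]: [10691:0] info: start of service (unbound 1.23.0).
Aug 11 06:40:08 fw unbound[10691]: [10691:0] info: start of service (unbound 1.23.0).
Aug 11 06:40:22 fw unbound[42672]: [42672:0] info: start of service (unbound 1.23.0).
Aug 11 06:40:28 fw unbound[55348]: [55348:0] info: start of service (unbound 1.23.0).
Aug 11 13:19:57 fw unbound[61466]: [61466:0] info: service stopped (unbound 1.23.0).
Aug 11 13:19:58 fw unbound[61466]: [61466:0] info: start of service (unbound 1.23.0).
Aug 12 00:03:21 fw unbound[4089]: [4089:0] info: start of service (unbound 1.23.0).'

# Same filter as the grep in the thread, as a count.
count_starts() {
    printf '%s\n' "$1" | grep -c 'info: start of service' || true
}

# Starts per calendar day, in log order, e.g. "Aug 11 7".
starts_per_day() {
    printf '%s\n' "$1" | awk '
        /info: start of service/ {
            d = $1 " " $2
            if (!(d in c)) order[++k] = d
            c[d]++
        }
        END { for (i = 1; i <= k; i++) print order[i], c[order[i]] }'
}

# One line per start: seconds since Jan 1 00:00:00 (year-less syslog stamp, non-leap
# day table; only differences between stamps are used). Whitespace-split fields mean
# a padded day such as "Aug  1" still lands in $2.
_start_epochs() {
    printf '%s\n' "$1" | awk '
        BEGIN {
            split("Jan Feb Mar Apr May Jun Jul Aug Sep Oct Nov Dec", m, " ")
            split("0 31 59 90 120 151 181 212 243 273 304 334", off, " ")
            for (i = 1; i <= 12; i++) days[m[i]] = off[i]
        }
        /info: start of service/ {
            split($3, t, ":")
            e = (days[$1] + $2 - 1) * 86400 + t[1] * 3600 + t[2] * 60 + t[3]
            print e
        }'
}

# Starts that followed the previous start within $2 seconds. Each one is a restart
# whose startup window (a couple of seconds, per the thread) costs resolution.
rapid_restarts() {
    _start_epochs "$1" | awk -v max="$2" '
        NR > 1 && $1 - prev <= max { n++ }
        { prev = $1 }
        END { print n + 0 }'
}

# Shortest interval in seconds between two consecutive starts ("-" with fewer than two).
min_start_interval() {
    _start_epochs "$1" | awk '
        NR > 1 { g = $1 - prev; if (min == "" || g < min) min = g }
        { prev = $1 }
        END { if (min == "") min = "-"; print min }'
}

# Stand-alone run; on pfSense use the real file: rapid_restarts "$(cat /var/log/resolver.log)" 30
echo "starts: $(count_starts "$SAMPLE_LOG")"
starts_per_day "$SAMPLE_LOG"
echo "rapid restarts (<=30s apart): $(rapid_restarts "$SAMPLE_LOG" 30)"
echo "shortest interval: $(min_start_interval "$SAMPLE_LOG")s"
```

A healthy box shows one start per boot or deliberate config change; a cluster of starts seconds apart, as in the sample and in the output posted further down, means something (interface flaps, a package reloading unbound, the lease sync the thread goes on to discuss) is restarting the resolver faster than clients can get answers.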
                                smsigroupit @Gertjan

                                @Gertjan

                                grep 'info: start' /var/log/resolver.log

                                Aug 11 00:55:11 shoemakersfw unbound[29460]: [29460:0] info: start of service (unbound 1.23.0).
                                Aug 11 06:39:58 shoemakersfw unbound[10691]: [10691:0] info: start of service (unbound 1.23.0).
                                Aug 11 06:40:03 shoemakersfw unbound[10691]: [10691:0] info: start of service (unbound 1.23.0).
                                Aug 11 06:40:08 shoemakersfw unbound[10691]: [10691:0] info: start of service (unbound 1.23.0).
                                Aug 11 06:40:14 shoemakersfw unbound[10691]: [10691:0] info: start of service (unbound 1.23.0).
                                Aug 11 06:40:22 shoemakersfw unbound[42672]: [42672:0] info: start of service (unbound 1.23.0).
                                Aug 11 06:40:28 shoemakersfw unbound[55348]: [55348:0] info: start of service (unbound 1.23.0).
                                Aug 11 06:40:33 shoemakersfw unbound[55348]: [55348:0] info: start of service (unbound 1.23.0).
                                Aug 11 06:40:46 shoemakersfw unbound[55348]: [55348:0] info: start of service (unbound 1.23.0).
                                Aug 11 06:40:55 shoemakersfw unbound[55348]: [55348:0] info: start of service (unbound 1.23.0).
                                Aug 11 06:41:00 shoemakersfw unbound[55348]: [55348:0] info: start of service (unbound 1.23.0).
                                Aug 11 06:43:07 shoemakersfw unbound[61105]: [61105:0] info: start of service (unbound 1.23.0).
                                Aug 11 06:44:40 shoemakersfw unbound[29989]: [29989:0] info: start of service (unbound 1.23.0).
                                Aug 11 06:44:58 shoemakersfw unbound[29989]: [29989:0] info: start of service (unbound 1.23.0).
                                Aug 11 06:45:21 shoemakersfw unbound[16934]: [16934:0] info: start of service (unbound 1.23.0).
                                Aug 11 06:45:26 shoemakersfw unbound[16934]: [16934:0] info: start of service (unbound 1.23.0).
                                Aug 11 06:47:00 shoemakersfw unbound[38812]: [38812:0] info: start of service (unbound 1.23.0).
                                Aug 11 06:47:06 shoemakersfw unbound[38812]: [38812:0] info: start of service (unbound 1.23.0).
                                Aug 11 06:47:13 shoemakersfw unbound[2075]: [2075:0] info: start of service (unbound 1.23.0).
                                Aug 11 06:47:18 shoemakersfw unbound[2075]: [2075:0] info: start of service (unbound 1.23.0).
                                Aug 11 13:19:57 shoemakersfw unbound[61466]: [61466:0] info: start of service (unbound 1.23.0).
                                Aug 11 13:20:03 shoemakersfw unbound[61466]: [61466:0] info: start of service (unbound 1.23.0).
                                Aug 11 13:26:19 shoemakersfw unbound[37451]: [37451:0] info: start of service (unbound 1.23.0).
                                Aug 11 13:26:25 shoemakersfw unbound[37451]: [37451:0] info: start of service (unbound 1.23.0).
                                Aug 11 13:26:49 shoemakersfw unbound[64440]: [64440:0] info: start of service (unbound 1.23.0).
                                Aug 11 13:26:56 shoemakersfw unbound[64440]: [64440:0] info: start of service (unbound 1.23.0).
                                Aug 11 13:45:50 shoemakersfw unbound[41576]: [41576:0] info: start of service (unbound 1.23.0).
                                Aug 11 13:46:33 shoemakersfw unbound[90435]: [90435:0] info: start of service (unbound 1.23.0).
                                Aug 11 13:48:57 shoemakersfw unbound[90435]: [90435:0] info: start of service (unbound 1.23.0).
                                Aug 11 13:57:33 shoemakersfw unbound[40816]: [40816:0] info: start of service (unbound 1.23.0).
                                Aug 11 13:57:33 shoemakersfw unbound[40816]: [40816:0] info: start of service (unbound 1.23.0).
                                Aug 12 00:03:21 shoemakersfw unbound[4089]: [4089:0] info: start of service (unbound 1.23.0).
                                Aug 12 00:04:11 shoemakersfw unbound[4089]: [4089:0] info: start of service (unbound 1.23.0).
                                Aug 12 06:27:26 shoemakersfw unbound[4089]: [4089:0] info: start of service (unbound 1.23.0).
                                Aug 12 06:27:33 shoemakersfw unbound[52402]: [52402:0] info: start of service (unbound 1.23.0).
                                Aug 12 06:27:39 shoemakersfw unbound[52402]: [52402:0] info: start of service (unbound 1.23.0).

                                dig cnn.com +trace

                                ; <<>> DiG 9.20.6 <<>> cnn.com +trace
                                ;; global options: +cmd
                                . 57054 IN NS g.root-servers.net.
                                . 57054 IN NS h.root-servers.net.
                                . 57054 IN NS i.root-servers.net.
                                . 57054 IN NS j.root-servers.net.
                                . 57054 IN NS k.root-servers.net.
                                . 57054 IN NS l.root-servers.net.
                                . 57054 IN NS m.root-servers.net.
                                . 57054 IN NS a.root-servers.net.
                                . 57054 IN NS b.root-servers.net.
                                . 57054 IN NS c.root-servers.net.
                                . 57054 IN NS d.root-servers.net.
                                . 57054 IN NS e.root-servers.net.
                                . 57054 IN NS f.root-servers.net.
                                . 57054 IN RRSIG NS 8 0 518400 20250824200000 20250811190000 46441 . Ch2FL9ZmmZExl/aFERtrjuInzUz1gfMiVPS3jsoz3PBaNmKS50N/dfFq 5R2Irct7wBLVAHdgKKFjPvTSFSrznKZSKPg4muqMsS4+CJ55di/GUNhh lSCOp6ZBElRqfPTM464L2wDSaTn6JQ6ZICxrIAPaBPjdKLIE8kVY6XJP wq5RsTCUXUnEkZEmanLLOiAMaNHTIAZ83nSiyraQ0rTG8rbvcooHA54C FU7B9MLpCnDVII/qUYb/M/lqFYSoi3uobopqwTnhYnlwfF62Ao/K6LC/ +eMguMIfLJ5rs+8C/8EYZtzmJPPAGNaK/FFq19mRbKMQ0ZleX/7clH5+ b4PgTg==
                                ;; Received 525 bytes from 127.0.0.1#53(127.0.0.1) in 1 ms

                                ;; UDP setup with 2001:500:12::d0d#53(2001:500:12::d0d) for cnn.com failed: host unreachable.
                                ;; no servers could be reached
                                ;; UDP setup with 2001:500:12::d0d#53(2001:500:12::d0d) for cnn.com failed: host unreachable.
                                ;; no servers could be reached
                                ;; UDP setup with 2001:500:12::d0d#53(2001:500:12::d0d) for cnn.com failed: host unreachable.
                                com. 172800 IN NS a.gtld-servers.net.
                                com. 172800 IN NS b.gtld-servers.net.
                                com. 172800 IN NS c.gtld-servers.net.
                                com. 172800 IN NS d.gtld-servers.net.
                                com. 172800 IN NS e.gtld-servers.net.
                                com. 172800 IN NS f.gtld-servers.net.
                                com. 172800 IN NS g.gtld-servers.net.
                                com. 172800 IN NS h.gtld-servers.net.
                                com. 172800 IN NS i.gtld-servers.net.
                                com. 172800 IN NS j.gtld-servers.net.
                                com. 172800 IN NS k.gtld-servers.net.
                                com. 172800 IN NS l.gtld-servers.net.
                                com. 172800 IN NS m.gtld-servers.net.
                                com. 86400 IN DS 19718 13 2 8ACBB0CD28F41250A80A491389424D341522D946B0DA0C0291F2D3D7 71D7805A
                                com. 86400 IN RRSIG DS 8 1 86400 20250825050000 20250812040000 46441 . DVTu+B/+DFQ/7N53YKXuJdaUtPomtpmH9++OS2K5Z4xf2SGpVuwZi4H8 47FmcUFd68+sXU61DCEj+jYMPKUsQYbr8ymtXZMSpC/9NRV2BQn+1D7E KhAMMPU/ltt14DU0j0+hYt2p6ABoSy9FpNaCLvfjwnKPMApf5jYpzFfD FmM6Q5PpQNthq2mKmBcJWZjuTvA32Iys15nJot+Zg1tcVD88T03Wm+F8 ojU0ecjCU+1U28GgibVuhCMZwDKzhNI83a2Cetdxi7hKyYQllnpq/SOt PLTmgqPkZk6w5NS9csKycoXyolW0UFNGVV6osjGUE1FIiA0LRUDoYEC2 7X4R6Q==
                                ;; Received 1167 bytes from 170.247.170.2#53(b.root-servers.net) in 47 ms

                                cnn.com. 172800 IN NS ns-587.awsdns-09.net.
                                cnn.com. 172800 IN NS ns-378.awsdns-47.com.
                                cnn.com. 172800 IN NS ns-1652.awsdns-14.co.uk.
                                cnn.com. 172800 IN NS ns-1242.awsdns-27.org.
                                CK0POJMG874LJREF7EFN8430QVIT8BSM.com. 900 IN NSEC3 1 1 0 - CK0Q3UDG8CEKKAE7RUKPGCT1DVSSH8LL NS SOA RRSIG DNSKEY NSEC3PARAM
                                CK0POJMG874LJREF7EFN8430QVIT8BSM.com. 900 IN RRSIG NSEC3 13 2 900 20250819002508 20250811231508 20545 com. IgcCaCYvFc9ADNjiGojHLa7mrwCn9mzzwOxHxHdhhypOuigpHPHtbgA2 CoMOVJ38n57s7Kkh7iP2/fdKRX9Shg==
                                FVT7IKJ9C0BTF07HNDO4FLBRB7D7NCL2.com. 900 IN NSEC3 1 1 0 - FVT7K43DJ0K7KJ384M71US54D3690VUI NS DS RRSIG
                                FVT7IKJ9C0BTF07HNDO4FLBRB7D7NCL2.com. 900 IN RRSIG NSEC3 13 2 900 20250816012853 20250809001853 20545 com. 0afRonASH5vKKxyBxzPqwOS3DMKhEpoCuBnWuKh4qCeSlaa5xA2YZpHz y/wj2VEI7qXN2PQQCLJD64EH1P74eg==
                                ;; Received 546 bytes from 192.31.80.30#53(d.gtld-servers.net) in 205 ms

                                ;; UDP setup with 2600:9000:5304:da00::1#53(2600:9000:5304:da00::1) for cnn.com failed: host unreachable.
                                ;; UDP setup with 2600:9000:5306:7400::1#53(2600:9000:5306:7400::1) for cnn.com failed: host unreachable.
                                cnn.com. 60 IN A 151.101.131.5
                                cnn.com. 60 IN A 151.101.3.5
                                cnn.com. 60 IN A 151.101.195.5
                                cnn.com. 60 IN A 151.101.67.5
                                cnn.com. 172800 IN NS ns-1242.awsdns-27.org.
                                cnn.com. 172800 IN NS ns-1652.awsdns-14.co.uk.
                                cnn.com. 172800 IN NS ns-378.awsdns-47.com.
                                cnn.com. 172800 IN NS ns-587.awsdns-09.net.
                                ;; Received 237 bytes from 205.251.194.75#53(ns-587.awsdns-09.net) in 27 ms

                                ; <<>> DiG 9.20.6 <<>> cnn.com +trace +nodnssec
                                ;; global options: +cmd
                                . 56974 IN NS f.root-servers.net.
                                . 56974 IN NS g.root-servers.net.
                                . 56974 IN NS h.root-servers.net.
                                . 56974 IN NS i.root-servers.net.
                                . 56974 IN NS j.root-servers.net.
                                . 56974 IN NS k.root-servers.net.
                                . 56974 IN NS l.root-servers.net.
                                . 56974 IN NS m.root-servers.net.
                                . 56974 IN NS a.root-servers.net.
                                . 56974 IN NS b.root-servers.net.
                                . 56974 IN NS c.root-servers.net.
                                . 56974 IN NS d.root-servers.net.
                                . 56974 IN NS e.root-servers.net.
                                ;; Received 239 bytes from 127.0.0.1#53(127.0.0.1) in 1 ms

                                ;; UDP setup with 2001:7fe::53#53(2001:7fe::53) for cnn.com failed: host unreachable.
                                ;; no servers could be reached
                                ;; UDP setup with 2001:7fe::53#53(2001:7fe::53) for cnn.com failed: host unreachable.
                                ;; no servers could be reached
                                ;; UDP setup with 2001:7fe::53#53(2001:7fe::53) for cnn.com failed: host unreachable.
                                ;; UDP setup with 2001:500:a8::e#53(2001:500:a8::e) for cnn.com failed: host unreachable.
                                com. 172800 IN NS g.gtld-servers.net.
                                com. 172800 IN NS f.gtld-servers.net.
                                com. 172800 IN NS h.gtld-servers.net.
                                com. 172800 IN NS d.gtld-servers.net.
                                com. 172800 IN NS i.gtld-servers.net.
                                com. 172800 IN NS j.gtld-servers.net.
                                com. 172800 IN NS m.gtld-servers.net.
                                com. 172800 IN NS l.gtld-servers.net.
                                com. 172800 IN NS e.gtld-servers.net.
                                com. 172800 IN NS b.gtld-servers.net.
                                com. 172800 IN NS c.gtld-servers.net.
                                com. 172800 IN NS k.gtld-servers.net.
                                com. 172800 IN NS a.gtld-servers.net.
                                ;; Received 860 bytes from 192.36.148.17#53(i.root-servers.net) in 34 ms

                                ;; UDP setup with 2001:502:8cc::30#53(2001:502:8cc::30) for cnn.com failed: host unreachable.
                                cnn.com. 172800 IN NS ns-587.awsdns-09.net.
                                cnn.com. 172800 IN NS ns-378.awsdns-47.com.
                                cnn.com. 172800 IN NS ns-1652.awsdns-14.co.uk.
                                cnn.com. 172800 IN NS ns-1242.awsdns-27.org.
                                ;; Received 189 bytes from 192.5.6.30#53(a.gtld-servers.net) in 207 ms

                                ;; UDP setup with 2600:9000:5306:7400::1#53(2600:9000:5306:7400::1) for cnn.com failed: host unreachable.
                                cnn.com. 60 IN A 151.101.131.5
                                cnn.com. 60 IN A 151.101.67.5
                                cnn.com. 60 IN A 151.101.3.5
                                cnn.com. 60 IN A 151.101.195.5
                                cnn.com. 172800 IN NS ns-1242.awsdns-27.org.
                                cnn.com. 172800 IN NS ns-1652.awsdns-14.co.uk.
                                cnn.com. 172800 IN NS ns-378.awsdns-47.com.
                                cnn.com. 172800 IN NS ns-587.awsdns-09.net.
                                ;; Received 237 bytes from 205.251.196.218#53(ns-1242.awsdns-27.org) in 26 ms

                                • GertjanG Offline
                                  Gertjan @smsigroupit
                                  last edited by

                                  @smsigroupit

                                  About the (restarts) :
                                  Check with the system log what happened, why unbound was told to restart.
                                  A very common reason is : an interface used by unbound was taken down for a moment.
                                  If possible, stop this from happening.

About the dig : dig bypasses the resolver (unbound), it does all the work 'itself'.
As it gets back DNS records with IPv6 addresses, it will use these to 'check' them. Because you don't have IPv6 support, these will fail.

                                  A cleaner result can be obtained by specifying dig to use IPv4 only :

                                  dig -4 cnn.com +trace
                                  

                                  But dig isn't the resolver.
                                  There are special options for unbound that you can specify here :
                                  2ac224f4-05e6-45e9-b42a-d29db06e1a6b-image.png

so you can inform unbound not to use IPv6 (just to be sure).

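The point above, that the 'host unreachable' lines in a `dig +trace` run on a host without IPv6 are dig's own transport failures and not a resolver fault, is easy to check mechanically. The script below is an added example, not code from this thread or from pfSense/unbound: it parses a trace transcript, splits the `UDP setup ... failed` lines by address family, records which servers actually answered, and gives a verdict. The sample transcript is constructed, abridged from the shape of the output posted above.

```python
"""Classify the per-hop failures in a `dig +trace` transcript.

dig +trace contacts the root, TLD and authoritative servers itself, so on a
host with no IPv6 connectivity every server that was tried on an AAAA address
prints ';; UDP setup with <v6addr>#53(...) failed: host unreachable.' even
though the trace completes over IPv4.  This tool separates that expected noise
from IPv4 failures, which would indicate a real connectivity problem.
"""
import ipaddress
import re

# Constructed sample, abridged from the shape of a real dig +trace run.
SAMPLE_TRACE = """\
; <<>> DiG 9.20.6 <<>> cnn.com +trace +nodnssec
;; global options: +cmd
. 56974 IN NS a.root-servers.net.
;; Received 239 bytes from 127.0.0.1#53(127.0.0.1) in 1 ms

;; UDP setup with 2001:7fe::53#53(2001:7fe::53) for cnn.com failed: host unreachable.
;; no servers could be reached
com. 172800 IN NS a.gtld-servers.net.
;; Received 860 bytes from 192.36.148.17#53(i.root-servers.net) in 34 ms

;; UDP setup with 2001:502:8cc::30#53(2001:502:8cc::30) for cnn.com failed: host unreachable.
cnn.com. 172800 IN NS ns-587.awsdns-09.net.
;; Received 189 bytes from 192.5.6.30#53(a.gtld-servers.net) in 207 ms

;; UDP setup with 2600:9000:5306:7400::1#53(2600:9000:5306:7400::1) for cnn.com failed: host unreachable.
cnn.com. 60 IN A 151.101.131.5
cnn.com. 60 IN A 151.101.67.5
;; Received 237 bytes from 205.251.196.218#53(ns-1242.awsdns-27.org) in 26 ms
"""

# Transport failure reported by dig for one server address.
FAIL_RE = re.compile(r"^;; UDP setup with (\S+)#\d+\(.*?\) for (\S+) failed: (.+?)\.?$")
# A hop that actually answered (name in parentheses is the server we asked).
RECV_RE = re.compile(r"^;; Received \d+ bytes from (\S+)#\d+\((\S+)\) in \d+ ms$")
# Resource record line: owner TTL IN TYPE RDATA
RR_RE = re.compile(r"^(\S+)\s+\d+\s+IN\s+(\S+)\s+(.+)$")


def analyse_trace(text):
    """Summarise a dig +trace transcript.

    Returns a dict with failures split into IPv4 and IPv6 lists of
    (address, reason), the list of servers that answered, the number of
    'no servers could be reached' lines, and the A records in the answer.
    """
    v4_failures, v6_failures, hops, a_records = [], [], [], []
    no_servers = 0
    for line in text.splitlines():
        m = FAIL_RE.match(line)
        if m:
            addr, reason = m.group(1), m.group(3)
            try:
                family = ipaddress.ip_address(addr).version
            except ValueError:
                family = 4  # not a literal address; treat as IPv4 to be conservative
            (v6_failures if family == 6 else v4_failures).append((addr, reason))
            continue
        if line.startswith(";; no servers could be reached"):
            no_servers += 1
            continue
        m = RECV_RE.match(line)
        if m:
            hops.append(m.group(2))
            continue
        m = RR_RE.match(line)
        if m and m.group(2) == "A":
            a_records.append(m.group(3))
    return {
        "v4_failures": v4_failures,
        "v6_failures": v6_failures,
        "hops": hops,
        "no_servers": no_servers,
        "a_records": a_records,
    }


def verdict(summary):
    """Turn the summary into a one-line diagnosis."""
    if summary["v4_failures"]:
        return "ipv4-failure: an IPv4 server was unreachable; this is a real connectivity problem"
    if not summary["a_records"]:
        return "unresolved: the trace never reached an answer"
    if summary["v6_failures"]:
        return ("resolved: answer reached over IPv4; the IPv6 failures are expected "
                "on a host without IPv6 and can be silenced with dig -4")
    return "resolved: answer reached with no transport failures"


if __name__ == "__main__":
    s = analyse_trace(SAMPLE_TRACE)
    print("answered by:", ", ".join(s["hops"]))
    print("IPv6 failures:", len(s["v6_failures"]), "IPv4 failures:", len(s["v4_failures"]))
    print(verdict(s))
```

Feed it a real transcript with `dig cnn.com +trace > trace.txt` and `analyse_trace(open("trace.txt").read())`; a verdict of `ipv4-failure` or `unresolved` is the case worth investigating, while `resolved` with only IPv6 failures matches the situation described in this thread.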

                                  • S Offline
                                    smsigroupit @Gertjan
                                    last edited by

                                    @Gertjan

Are these the correct parameters to inform unbound not to use IPv6?

                                    server:
                                    do-ip6: no

                                    dig 4.JPG

                                    • GertjanG Offline
                                      Gertjan @smsigroupit
                                      last edited by

                                      @smsigroupit said in DNS Issues After Upgrading to 25.07:

                                      server:
                                      do-ip6: no

                                      That's the one.


                                      • S Offline
                                        smsigroupit @Gertjan
                                        last edited by

                                        @Gertjan

                                        Thank you for your assistance. I will continue to monitor the system status.

                                        • F Offline
                                          freph533
                                          last edited by

                                          Been seeing a similar issue after upgrading to 25.07. Internal resolver just stops working completely at random and can't recover on its own. Never had issues with this on 24.11, and no package changes or settings changes. Restarting unbound doesn't even fix it most of the time; I have to resort to allowing DNS to fall back to remote servers to get it working again. Nothing interesting in the logs other than failed DNS resolutions and an occasional restart message. Even trying to ping google.com from the UI fails until I've toggled the DNS fallback behavior (which shouldn't be a thing given that my DNS setup is effectively a mirror of https://docs.netgate.com/pfsense/en/latest/recipes/dns-over-tls.html). In my case DHCP is disabled and pfBlocker is in Python mode so no DHCP issues should be at play here. Sounds like there's a nasty bug floating around but not really sure where to look in logs and filing a bug with no supporting information other than 'it's not working' doesn't seem productive. In the meantime, I'm just glad I no longer use pfSense for my DNS because it's unreliable after this upgrade.

                                          • GertjanG Offline
                                            Gertjan @freph533
                                            last edited by

                                            @freph533 said in DNS Issues After Upgrading to 25.07:

                                            In my case DHCP is disabled

                                            So all your LAN devices have a static IP, network, gateway and DNS set.
                                            DNS points to where - what IP ?

                                            If 'unbound' (the resolver) had a problem, this forum would 'explode' right now with hundreds of thousands complaining about DNS not working - you agree ?
                                            Your pfSense resolver setup is not default, as you 1) forward, and 2) over TLS.
                                            If you go back to default resolver mode, your issue is gone ?
                                            You forward (over TLS) to where ?
                                            Still, if unbound couldn't forward over TLS to, for example 1.1.1.1, then the https://github.com/NLnetLabs/unbound/issues would mention this.

The bad and good news rule probably applies : it's your setup/connection/ISP ...
I've tested this https://docs.netgate.com/pfsense/en/latest/recipes/dns-over-tls.html many times (but not yet with the latest 25.07.1).

                                            @freph533 said in DNS Issues After Upgrading to 25.07:

                                            Even trying to ping google.com from the UI

                                            If DNS is down, google.com won't get resolved, and ping can't work. Ping needs an IP, not a host name.
                                            If you were using an IP, ping would work, right ?

                                            @freph533 said in DNS Issues After Upgrading to 25.07:

                                            and pfBlocker

I have to ask / check : pfBlockerNG isn't blocking the DNS server you forward to, right ?


                                            Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.