Netgate Discussion Forum
    DNS Issues After Upgrading to 25.07

    • xana
      last edited by xana

      I just upgraded to 25.07 a couple of hours ago.
      Unbound (non-forwarding) has been causing me a headache since. Intermittent DNS loss with no errors or cause in the logs. Only a restart of the service, numerous times, is resolving it.

      I run pfBlockerNG-dev also.

      Hopefully this isn't an ongoing bug because it's pretty crippling.

      • Gertjan @smsigroupit

        @smsigroupit

        So dig, which resolves by itself without using unbound (the resolver), works fine.
        So: resolving from pfSense would work for you.
        Just one thing:

        ;; UDP setup with 2001:503:83eb::30#53(2001:503:83eb::30) for cnn.com failed: host unreachable.

        dig also tries to use IPv6, and that failed.
        Is your pfSense IPv6 setup working correctly?

        Your GUI lookup test: was this using forwarding or resolving?
        Normally, you don't need all these:
        [screenshot]

        There are 13 main root servers built into unbound, and hundreds of TLDs available.
        127.0.0.1 (and ::1) will do just fine.

        If you are forwarding, disable DNSSEC.

        @xana:
        Same remarks:
        Are you (pfSense, unbound) using IPv6?
        Is unbound running all the time? (I presume I listed above how to test that)
        Are all your NICs always (like always!) up, or going up and down like a dance party? (thus restarting unbound all the time == DNS loss)
        Is your Internet connection ok? Unbound just needs to reach one of the 3 root servers; these are never down. If you can reach none of the 13.... consider that a massive problem.
        Show the dig test
        Show the nslookup test (while resolving, not forwarding)
        Etc.

        Normally ^^ it should be hard to get a stable DNS, and for a simple reason: hundreds of thousands installed and use pfSense with the default settings, and they didn't change (or add) any DNS addresses and/or settings. Nothing. And it works fine. Why would Netgate want you to 'do something' with DNS? They would mention that in the installation guide. They didn't because it isn't needed.
        The thing is: people do change DNS settings for 'some reason' and suddenly they have issues 😊

        Btw: I presume you have open, non-restricted access to the Internet.

        No "help me" PM's please. Use the forum, the community will thank you.
        Edit : and where are the logs ??

        • smsigroupit @Gertjan
          last edited by smsigroupit

          Hi @Gertjan

          Thank you for the response.

          Are you (pfSense, unbound) using IPv6?

          • I'm not using IPv6

          If you are forwarding, disable DNSSEC.

          • Is this under the DNS resolver? What do you mean by forwarding (DNS forwarder)?

          Show the dig test, Show the nslookup test (while resolving, not forwarding)

          • How to do the dig test and nslookup test while resolving?

          I presume you have an open non restricted access to the Internet.

          • I'm running pfblockerng, suricata

          Before upgrading to pfSense Plus 25.07, everything was working fine on pfSense Plus 24.11.

          After the upgrade to pfSense Plus 25.07, I began experiencing repeated crash reports. Details are as follows:

          The only change made was switching DNS-BL mode to Python mode, which resolved the issue.

          System Information:

          Architecture: amd64
          Version: 15.0-CURRENT
          Build: FreeBSD 15.0-CURRENT #0 plus-RELENG_25_07-n256508-719054fb1f90 (Mon Jul 28 16:47:59 UTC 2025)

          Crash Report (PHP Errors):
          [06-Aug-2025 09:33:47 Asia/Manila] PHP Fatal error: Allowed memory size of 536870912 bytes exhausted (tried to allocate 20480 bytes) in /usr/local/bin/kea2unbound on line 528
          [06-Aug-2025 09:34:23 Asia/Manila] PHP Fatal error: Allowed memory size of 536870912 bytes exhausted (tried to allocate 20480 bytes) in /usr/local/bin/kea2unbound on line 528
          [06-Aug-2025 09:35:13 Asia/Manila] PHP Fatal error: Allowed memory size of 536870912 bytes exhausted (tried to allocate 20480 bytes) in /usr/local/bin/kea2unbound on line 528
          [06-Aug-2025 09:35:45 Asia/Manila] PHP Fatal error: Allowed memory size of 536870912 bytes exhausted (tried to allocate 20480 bytes) in /usr/local/bin/kea2unbound on line 528
          [06-Aug-2025 09:36:18 Asia/Manila] PHP Fatal error: Allowed memory size of 536870912 bytes exhausted (tried to allocate 20480 bytes) in /usr/local/bin/kea2unbound on line 528
          [06-Aug-2025 09:37:43 Asia/Manila] PHP Fatal error: Allowed memory size of 536870912 bytes exhausted (tried to allocate 20480 bytes) in /usr/local/bin/kea2unbound on line 528

          Thank you.

          • SteveITS (Rebel Alliance) @smsigroupit

            @smsigroupit said in DNS Issues After Upgrading to 25.07:

            If you are forwarding, disable DNSSEC.

            • is this under the DNS resolver? what do you mean by forwarding (DNS forwarder)?

            DNS Resolver by default looks up answers by itself. It can be configured to forward requests to other name servers such as Quad9 or Cloudflare. Leaving DNSSEC enabled can cause errors when also forwarding.

            Only install packages for your version, or risk breaking it. Select your branch in System/Update/Update Settings.
            When upgrading, allow 10-15 minutes to reboot, or more depending on packages, and device or disk speed.
            Upvote 👍 helpful posts!

            • smsigroupit @SteveITS
              last edited by smsigroupit

              @SteveITS

              Forwarding mode is disabled in the current configuration.

              [screenshot: dns resolver 2.JPG]

              • Gertjan @smsigroupit

                @smsigroupit said in DNS Issues After Upgrading to 25.07:

                how to do dig test and nslookup test while resolving?

                As shown above. See my second post.

                Also run this command on the command line (console or SSH, menu option 8):

                grep 'info: start' /var/log/resolver.log

                This shows you how often the resolver (re)starts.

                A restarting resolver can't resolve ;)
                That said, a restart typically takes a couple of seconds.

                @smsigroupit said in DNS Issues After Upgrading to 25.07:

                The only change made was switching DNS-BL mode to Python mode, which resolved the issue.

                Yeah, that one pops up all the time now.
                The new way KEA transmits leases into the DNS (unbound) is by parsing the actual unbound local cache, inserting only new DNS info, and removing old lease info.
                If the old classic pfBlockerNG DNSBL method is used (= one big file with all the DNSBL info in one go), this cache can become very big. Unbound will also take a lot of time to read and parse this file on every startup. During this startup, DNS doesn't work.
                That's one of the reasons the python mode was invented: it's better, faster and needs fewer resources.
                I really thought everybody wanted that, and everybody who was using pfBlockerNG and DNSBL was using python mode by now. Apparently ... not everybody. Anyway, you solved that now.


                • smsigroupit @Gertjan

                  @Gertjan

                  grep 'info: start' /var/log/resolver.log

                  Aug 11 00:55:11 shoemakersfw unbound[29460]: [29460:0] info: start of service (unbound 1.23.0).
                  Aug 11 06:39:58 shoemakersfw unbound[10691]: [10691:0] info: start of service (unbound 1.23.0).
                  Aug 11 06:40:03 shoemakersfw unbound[10691]: [10691:0] info: start of service (unbound 1.23.0).
                  Aug 11 06:40:08 shoemakersfw unbound[10691]: [10691:0] info: start of service (unbound 1.23.0).
                  Aug 11 06:40:14 shoemakersfw unbound[10691]: [10691:0] info: start of service (unbound 1.23.0).
                  Aug 11 06:40:22 shoemakersfw unbound[42672]: [42672:0] info: start of service (unbound 1.23.0).
                  Aug 11 06:40:28 shoemakersfw unbound[55348]: [55348:0] info: start of service (unbound 1.23.0).
                  Aug 11 06:40:33 shoemakersfw unbound[55348]: [55348:0] info: start of service (unbound 1.23.0).
                  Aug 11 06:40:46 shoemakersfw unbound[55348]: [55348:0] info: start of service (unbound 1.23.0).
                  Aug 11 06:40:55 shoemakersfw unbound[55348]: [55348:0] info: start of service (unbound 1.23.0).
                  Aug 11 06:41:00 shoemakersfw unbound[55348]: [55348:0] info: start of service (unbound 1.23.0).
                  Aug 11 06:43:07 shoemakersfw unbound[61105]: [61105:0] info: start of service (unbound 1.23.0).
                  Aug 11 06:44:40 shoemakersfw unbound[29989]: [29989:0] info: start of service (unbound 1.23.0).
                  Aug 11 06:44:58 shoemakersfw unbound[29989]: [29989:0] info: start of service (unbound 1.23.0).
                  Aug 11 06:45:21 shoemakersfw unbound[16934]: [16934:0] info: start of service (unbound 1.23.0).
                  Aug 11 06:45:26 shoemakersfw unbound[16934]: [16934:0] info: start of service (unbound 1.23.0).
                  Aug 11 06:47:00 shoemakersfw unbound[38812]: [38812:0] info: start of service (unbound 1.23.0).
                  Aug 11 06:47:06 shoemakersfw unbound[38812]: [38812:0] info: start of service (unbound 1.23.0).
                  Aug 11 06:47:13 shoemakersfw unbound[2075]: [2075:0] info: start of service (unbound 1.23.0).
                  Aug 11 06:47:18 shoemakersfw unbound[2075]: [2075:0] info: start of service (unbound 1.23.0).
                  Aug 11 13:19:57 shoemakersfw unbound[61466]: [61466:0] info: start of service (unbound 1.23.0).
                  Aug 11 13:20:03 shoemakersfw unbound[61466]: [61466:0] info: start of service (unbound 1.23.0).
                  Aug 11 13:26:19 shoemakersfw unbound[37451]: [37451:0] info: start of service (unbound 1.23.0).
                  Aug 11 13:26:25 shoemakersfw unbound[37451]: [37451:0] info: start of service (unbound 1.23.0).
                  Aug 11 13:26:49 shoemakersfw unbound[64440]: [64440:0] info: start of service (unbound 1.23.0).
                  Aug 11 13:26:56 shoemakersfw unbound[64440]: [64440:0] info: start of service (unbound 1.23.0).
                  Aug 11 13:45:50 shoemakersfw unbound[41576]: [41576:0] info: start of service (unbound 1.23.0).
                  Aug 11 13:46:33 shoemakersfw unbound[90435]: [90435:0] info: start of service (unbound 1.23.0).
                  Aug 11 13:48:57 shoemakersfw unbound[90435]: [90435:0] info: start of service (unbound 1.23.0).
                  Aug 11 13:57:33 shoemakersfw unbound[40816]: [40816:0] info: start of service (unbound 1.23.0).
                  Aug 11 13:57:33 shoemakersfw unbound[40816]: [40816:0] info: start of service (unbound 1.23.0).
                  Aug 12 00:03:21 shoemakersfw unbound[4089]: [4089:0] info: start of service (unbound 1.23.0).
                  Aug 12 00:04:11 shoemakersfw unbound[4089]: [4089:0] info: start of service (unbound 1.23.0).
                  Aug 12 06:27:26 shoemakersfw unbound[4089]: [4089:0] info: start of service (unbound 1.23.0).
                  Aug 12 06:27:33 shoemakersfw unbound[52402]: [52402:0] info: start of service (unbound 1.23.0).
                  Aug 12 06:27:39 shoemakersfw unbound[52402]: [52402:0] info: start of service (unbound 1.23.0).

                  dig cnn.com +trace

                  ; <<>> DiG 9.20.6 <<>> cnn.com +trace
                  ;; global options: +cmd
                  . 57054 IN NS g.root-servers.net.
                  . 57054 IN NS h.root-servers.net.
                  . 57054 IN NS i.root-servers.net.
                  . 57054 IN NS j.root-servers.net.
                  . 57054 IN NS k.root-servers.net.
                  . 57054 IN NS l.root-servers.net.
                  . 57054 IN NS m.root-servers.net.
                  . 57054 IN NS a.root-servers.net.
                  . 57054 IN NS b.root-servers.net.
                  . 57054 IN NS c.root-servers.net.
                  . 57054 IN NS d.root-servers.net.
                  . 57054 IN NS e.root-servers.net.
                  . 57054 IN NS f.root-servers.net.
                  . 57054 IN RRSIG NS 8 0 518400 20250824200000 20250811190000 46441 . Ch2FL9ZmmZExl/aFERtrjuInzUz1gfMiVPS3jsoz3PBaNmKS50N/dfFq 5R2Irct7wBLVAHdgKKFjPvTSFSrznKZSKPg4muqMsS4+CJ55di/GUNhh lSCOp6ZBElRqfPTM464L2wDSaTn6JQ6ZICxrIAPaBPjdKLIE8kVY6XJP wq5RsTCUXUnEkZEmanLLOiAMaNHTIAZ83nSiyraQ0rTG8rbvcooHA54C FU7B9MLpCnDVII/qUYb/M/lqFYSoi3uobopqwTnhYnlwfF62Ao/K6LC/ +eMguMIfLJ5rs+8C/8EYZtzmJPPAGNaK/FFq19mRbKMQ0ZleX/7clH5+ b4PgTg==
                  ;; Received 525 bytes from 127.0.0.1#53(127.0.0.1) in 1 ms

                  ;; UDP setup with 2001:500:12::d0d#53(2001:500:12::d0d) for cnn.com failed: host unreachable.
                  ;; no servers could be reached
                  ;; UDP setup with 2001:500:12::d0d#53(2001:500:12::d0d) for cnn.com failed: host unreachable.
                  ;; no servers could be reached
                  ;; UDP setup with 2001:500:12::d0d#53(2001:500:12::d0d) for cnn.com failed: host unreachable.
                  com. 172800 IN NS a.gtld-servers.net.
                  com. 172800 IN NS b.gtld-servers.net.
                  com. 172800 IN NS c.gtld-servers.net.
                  com. 172800 IN NS d.gtld-servers.net.
                  com. 172800 IN NS e.gtld-servers.net.
                  com. 172800 IN NS f.gtld-servers.net.
                  com. 172800 IN NS g.gtld-servers.net.
                  com. 172800 IN NS h.gtld-servers.net.
                  com. 172800 IN NS i.gtld-servers.net.
                  com. 172800 IN NS j.gtld-servers.net.
                  com. 172800 IN NS k.gtld-servers.net.
                  com. 172800 IN NS l.gtld-servers.net.
                  com. 172800 IN NS m.gtld-servers.net.
                  com. 86400 IN DS 19718 13 2 8ACBB0CD28F41250A80A491389424D341522D946B0DA0C0291F2D3D7 71D7805A
                  com. 86400 IN RRSIG DS 8 1 86400 20250825050000 20250812040000 46441 . DVTu+B/+DFQ/7N53YKXuJdaUtPomtpmH9++OS2K5Z4xf2SGpVuwZi4H8 47FmcUFd68+sXU61DCEj+jYMPKUsQYbr8ymtXZMSpC/9NRV2BQn+1D7E KhAMMPU/ltt14DU0j0+hYt2p6ABoSy9FpNaCLvfjwnKPMApf5jYpzFfD FmM6Q5PpQNthq2mKmBcJWZjuTvA32Iys15nJot+Zg1tcVD88T03Wm+F8 ojU0ecjCU+1U28GgibVuhCMZwDKzhNI83a2Cetdxi7hKyYQllnpq/SOt PLTmgqPkZk6w5NS9csKycoXyolW0UFNGVV6osjGUE1FIiA0LRUDoYEC2 7X4R6Q==
                  ;; Received 1167 bytes from 170.247.170.2#53(b.root-servers.net) in 47 ms

                  cnn.com. 172800 IN NS ns-587.awsdns-09.net.
                  cnn.com. 172800 IN NS ns-378.awsdns-47.com.
                  cnn.com. 172800 IN NS ns-1652.awsdns-14.co.uk.
                  cnn.com. 172800 IN NS ns-1242.awsdns-27.org.
                  CK0POJMG874LJREF7EFN8430QVIT8BSM.com. 900 IN NSEC3 1 1 0 - CK0Q3UDG8CEKKAE7RUKPGCT1DVSSH8LL NS SOA RRSIG DNSKEY NSEC3PARAM
                  CK0POJMG874LJREF7EFN8430QVIT8BSM.com. 900 IN RRSIG NSEC3 13 2 900 20250819002508 20250811231508 20545 com. IgcCaCYvFc9ADNjiGojHLa7mrwCn9mzzwOxHxHdhhypOuigpHPHtbgA2 CoMOVJ38n57s7Kkh7iP2/fdKRX9Shg==
                  FVT7IKJ9C0BTF07HNDO4FLBRB7D7NCL2.com. 900 IN NSEC3 1 1 0 - FVT7K43DJ0K7KJ384M71US54D3690VUI NS DS RRSIG
                  FVT7IKJ9C0BTF07HNDO4FLBRB7D7NCL2.com. 900 IN RRSIG NSEC3 13 2 900 20250816012853 20250809001853 20545 com. 0afRonASH5vKKxyBxzPqwOS3DMKhEpoCuBnWuKh4qCeSlaa5xA2YZpHz y/wj2VEI7qXN2PQQCLJD64EH1P74eg==
                  ;; Received 546 bytes from 192.31.80.30#53(d.gtld-servers.net) in 205 ms

                  ;; UDP setup with 2600:9000:5304:da00::1#53(2600:9000:5304:da00::1) for cnn.com failed: host unreachable.
                  ;; UDP setup with 2600:9000:5306:7400::1#53(2600:9000:5306:7400::1) for cnn.com failed: host unreachable.
                  cnn.com. 60 IN A 151.101.131.5
                  cnn.com. 60 IN A 151.101.3.5
                  cnn.com. 60 IN A 151.101.195.5
                  cnn.com. 60 IN A 151.101.67.5
                  cnn.com. 172800 IN NS ns-1242.awsdns-27.org.
                  cnn.com. 172800 IN NS ns-1652.awsdns-14.co.uk.
                  cnn.com. 172800 IN NS ns-378.awsdns-47.com.
                  cnn.com. 172800 IN NS ns-587.awsdns-09.net.
                  ;; Received 237 bytes from 205.251.194.75#53(ns-587.awsdns-09.net) in 27 ms

                  ; <<>> DiG 9.20.6 <<>> cnn.com +trace +nodnssec
                  ;; global options: +cmd
                  . 56974 IN NS f.root-servers.net.
                  . 56974 IN NS g.root-servers.net.
                  . 56974 IN NS h.root-servers.net.
                  . 56974 IN NS i.root-servers.net.
                  . 56974 IN NS j.root-servers.net.
                  . 56974 IN NS k.root-servers.net.
                  . 56974 IN NS l.root-servers.net.
                  . 56974 IN NS m.root-servers.net.
                  . 56974 IN NS a.root-servers.net.
                  . 56974 IN NS b.root-servers.net.
                  . 56974 IN NS c.root-servers.net.
                  . 56974 IN NS d.root-servers.net.
                  . 56974 IN NS e.root-servers.net.
                  ;; Received 239 bytes from 127.0.0.1#53(127.0.0.1) in 1 ms

                  ;; UDP setup with 2001:7fe::53#53(2001:7fe::53) for cnn.com failed: host unreachable.
                  ;; no servers could be reached
                  ;; UDP setup with 2001:7fe::53#53(2001:7fe::53) for cnn.com failed: host unreachable.
                  ;; no servers could be reached
                  ;; UDP setup with 2001:7fe::53#53(2001:7fe::53) for cnn.com failed: host unreachable.
                  ;; UDP setup with 2001:500:a8::e#53(2001:500:a8::e) for cnn.com failed: host unreachable.
                  com. 172800 IN NS g.gtld-servers.net.
                  com. 172800 IN NS f.gtld-servers.net.
                  com. 172800 IN NS h.gtld-servers.net.
                  com. 172800 IN NS d.gtld-servers.net.
                  com. 172800 IN NS i.gtld-servers.net.
                  com. 172800 IN NS j.gtld-servers.net.
                  com. 172800 IN NS m.gtld-servers.net.
                  com. 172800 IN NS l.gtld-servers.net.
                  com. 172800 IN NS e.gtld-servers.net.
                  com. 172800 IN NS b.gtld-servers.net.
                  com. 172800 IN NS c.gtld-servers.net.
                  com. 172800 IN NS k.gtld-servers.net.
                  com. 172800 IN NS a.gtld-servers.net.
                  ;; Received 860 bytes from 192.36.148.17#53(i.root-servers.net) in 34 ms

                  ;; UDP setup with 2001:502:8cc::30#53(2001:502:8cc::30) for cnn.com failed: host unreachable.
                  cnn.com. 172800 IN NS ns-587.awsdns-09.net.
                  cnn.com. 172800 IN NS ns-378.awsdns-47.com.
                  cnn.com. 172800 IN NS ns-1652.awsdns-14.co.uk.
                  cnn.com. 172800 IN NS ns-1242.awsdns-27.org.
                  ;; Received 189 bytes from 192.5.6.30#53(a.gtld-servers.net) in 207 ms

                  ;; UDP setup with 2600:9000:5306:7400::1#53(2600:9000:5306:7400::1) for cnn.com failed: host unreachable.
                  cnn.com. 60 IN A 151.101.131.5
                  cnn.com. 60 IN A 151.101.67.5
                  cnn.com. 60 IN A 151.101.3.5
                  cnn.com. 60 IN A 151.101.195.5
                  cnn.com. 172800 IN NS ns-1242.awsdns-27.org.
                  cnn.com. 172800 IN NS ns-1652.awsdns-14.co.uk.
                  cnn.com. 172800 IN NS ns-378.awsdns-47.com.
                  cnn.com. 172800 IN NS ns-587.awsdns-09.net.
                  ;; Received 237 bytes from 205.251.196.218#53(ns-1242.awsdns-27.org) in 26 ms

                  • Gertjan @smsigroupit
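The grep above only shows how often unbound logged a start; what matters for diagnosing intermittent DNS loss is whether those starts come in bursts (interface flaps causing repeated restarts) or are isolated. The following is an added example, not code from the thread: it parses 'start of service' lines in the syslog format shown above and groups them into bursts. The sample lines are constructed in that format, and the 5-minute burst window and the "3 or more starts = flapping" threshold are assumptions chosen for illustration.

```python
"""Group unbound 'info: start of service' lines into restart bursts.

Added example, not from the forum thread.  The sample log is constructed
in the same syslog shape as the grep output posted above (hostname and
PIDs are made up)."""
import re
from datetime import datetime

# Constructed sample: one isolated start, one burst of five, one pair.
SAMPLE_LOG = """\
Aug 11 00:55:11 fw unbound[29460]: [29460:0] info: start of service (unbound 1.23.0).
Aug 11 06:39:58 fw unbound[10691]: [10691:0] info: start of service (unbound 1.23.0).
Aug 11 06:40:03 fw unbound[10691]: [10691:0] info: start of service (unbound 1.23.0).
Aug 11 06:40:08 fw unbound[10691]: [10691:0] info: start of service (unbound 1.23.0).
Aug 11 06:40:22 fw unbound[42672]: [42672:0] info: start of service (unbound 1.23.0).
Aug 11 06:43:07 fw unbound[61105]: [61105:0] info: start of service (unbound 1.23.0).
Aug 11 13:19:57 fw unbound[61466]: [61466:0] info: start of service (unbound 1.23.0).
Aug 11 13:20:03 fw unbound[61466]: [61466:0] info: start of service (unbound 1.23.0).
Aug 11 13:26:19 fw unbound[37451]: [37451:0] info: some unrelated line
"""

# Syslog prefix: "Mon DD HH:MM:SS host unbound[PID]: [PID:thread] info: start of service"
START_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} +\d{1,2} \d{2}:\d{2}:\d{2}) \S+ unbound\[(?P<pid>\d+)\]: "
    r"\[\d+:\d+\] info: start of service"
)


def parse_starts(text, year=2025):
    """Return [(datetime, pid), ...] for every 'start of service' line.

    Syslog lines carry no year, so one is assumed (default 2025, the year
    of the thread)."""
    starts = []
    for line in text.splitlines():
        m = START_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(f"{year} {m.group('ts')}", "%Y %b %d %H:%M:%S")
        starts.append((ts, int(m.group("pid"))))
    return starts


def group_bursts(starts, gap_seconds=300):
    """Split the start events into bursts: consecutive starts that are no
    more than gap_seconds apart belong to the same burst."""
    bursts = []
    for ts, pid in starts:
        if bursts and (ts - bursts[-1][-1][0]).total_seconds() <= gap_seconds:
            bursts[-1].append((ts, pid))
        else:
            bursts.append([(ts, pid)])
    return bursts


def summarize(text, gap_seconds=300):
    """One dict per burst.  'pids' lists the distinct processes involved: a PID
    that logs 'start of service' more than once was reloaded in place, while a
    new PID means unbound was fully restarted.  'flapping' marks bursts of
    three or more starts, the pattern an interface going up and down produces."""
    out = []
    for b in group_bursts(parse_starts(text), gap_seconds):
        out.append({
            "first": b[0][0].strftime("%b %d %H:%M:%S"),
            "last": b[-1][0].strftime("%b %d %H:%M:%S"),
            "count": len(b),
            "pids": sorted({pid for _, pid in b}),
            "flapping": len(b) >= 3,
        })
    return out


if __name__ == "__main__":
    import sys
    # Usage on pfSense: python3 bursts.py /var/log/resolver.log
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_LOG
    for burst in summarize(text):
        print(burst)
```

Bursts flagged as flapping are the ones to line up against the system log, as the next reply suggests, to see which interface event triggered them.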

                    @smsigroupit

                    About the (restarts):
                    Check with the system log what happened, why unbound was told to restart.
                    A very common reason is: an interface used by unbound was taken down for a moment.
                    If possible, stop this from happening.

                    About the dig: dig bypasses the resolver (unbound), it does all the work 'itself'.
                    As it gets back DNS records with IPv6 addresses, it will use these to 'check' them. Because you don't have IPv6 support, these will fail.

                    A cleaner result can be obtained by telling dig to use IPv4 only:

                    dig -4 cnn.com +trace

                    But dig isn't the resolver.
                    There are special options for unbound that you can specify here:
                    [screenshot]

                    so you can inform unbound not to use IPv6 (just to be sure).

                    • smsigroupit @Gertjan
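The point of the reply above is that the "UDP setup with 2001:... failed: host unreachable" lines in a dig +trace on an IPv4-only box are transport noise, not resolution failures, and that only an IPv4 failure or a missing final answer would indicate a real problem. The following is an added example, not code from the thread: it reads saved dig +trace output and separates the two cases. The sample trace is constructed with documentation addresses in the same shape as the output posted above.

```python
"""Triage 'dig +trace' output: IPv6 transport failures versus real failures.

Added example, not from the forum thread.  SAMPLE_TRACE is constructed in
the shape of the trace posted above, using documentation addresses."""
import ipaddress
import re

SAMPLE_TRACE = """\
; <<>> DiG 9.20.6 <<>> www.example.test +trace
;; global options: +cmd
. 57054 IN NS a.root.example.
;; Received 525 bytes from 127.0.0.1#53(127.0.0.1) in 1 ms

;; UDP setup with 2001:db8::1#53(2001:db8::1) for www.example.test failed: host unreachable.
;; no servers could be reached
test. 172800 IN NS a.tld.example.
;; Received 860 bytes from 198.51.100.1#53(a.root.example) in 34 ms

;; UDP setup with 2001:db8:2::1#53(2001:db8:2::1) for www.example.test failed: host unreachable.
www.example.test. 60 IN A 192.0.2.10
www.example.test. 60 IN A 192.0.2.11
;; Received 237 bytes from 203.0.113.5#53(ns1.example.test) in 27 ms
"""

# ";; UDP setup with <addr>#<port>(<addr>) for <name> failed: <reason>."
FAIL_RE = re.compile(
    r"^;; UDP setup with (?P<addr>[^#]+)#\d+\(.*\) for (?P<name>\S+) failed: (?P<why>.*)\.$"
)
# ";; Received <n> bytes from <addr>#<port>(<server>) in <t> ms"
RECV_RE = re.compile(r"^;; Received \d+ bytes from (?P<addr>[^#]+)#\d+\((?P<server>[^)]*)\)")
# Final answer records: "<name> <ttl> IN A|AAAA <rdata>"
ANSWER_RE = re.compile(r"^(?P<name>\S+)\s+\d+\s+IN\s+(?P<type>A|AAAA)\s+(?P<rdata>\S+)$")


def triage(trace_text, ipv6_enabled=False):
    """Classify each line of a dig +trace.

    ipv6_enabled=False (the situation in the thread) treats failures to reach
    IPv6 addresses as expected noise; set it to True on a host that is
    supposed to have working IPv6, so those failures count as real."""
    report = {"ipv6_failures": [], "ipv4_failures": [], "hops": [], "answers": []}
    for line in trace_text.splitlines():
        m = FAIL_RE.match(line)
        if m:
            ip = ipaddress.ip_address(m.group("addr"))
            key = "ipv6_failures" if ip.version == 6 else "ipv4_failures"
            report[key].append((str(ip), m.group("why")))
            continue
        m = RECV_RE.match(line)
        if m:  # one hop of the delegation chain answered
            report["hops"].append(m.group("server"))
            continue
        m = ANSWER_RE.match(line)
        if m:
            report["answers"].append((m.group("type"), m.group("rdata")))
    report["resolved"] = bool(report["answers"])
    report["needs_attention"] = (
        bool(report["ipv4_failures"])
        or (ipv6_enabled and bool(report["ipv6_failures"]))
        or not report["resolved"]
    )
    return report


if __name__ == "__main__":
    import sys
    # Usage: dig cnn.com +trace > trace.txt && python3 triage.py trace.txt
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_TRACE
    r = triage(text)
    print(f"hops answered: {r['hops']}")
    print(f"IPv6 transport failures (expected without IPv6): {len(r['ipv6_failures'])}")
    print(f"IPv4 failures: {r['ipv4_failures']}")
    print(f"resolved: {r['resolved']}  needs attention: {r['needs_attention']}")
```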

                      @Gertjan

                      Are these the correct parameters to inform unbound not to use IPv6?

                      server:
                      do-ip6: no

                      [screenshot: dig 4.JPG]

                      • Gertjan @smsigroupit

                        @smsigroupit said in DNS Issues After Upgrading to 25.07:

                        server:
                        do-ip6: no

                        That's the one.

                        • smsigroupit @Gertjan

                          @Gertjan

                          Thank you for your assistance. I will continue to monitor the system status.

                          Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.