Unbound DNS Resolver crashing randomly
-
For what it's worth, I saw this on rare occasion during RC testing. In my case, the crash was usually shortly after reboot. Since GA, it's been stable for me, but I also haven't been rebooting.
-
-
I did install Service Watchdog after the repeated crashing. So far it looks to be fine. But the underlying issue needs to be fixed.
-
To combat DNS cache poisoning issues, I'm now exclusively using unbound as my resolver, and I just saw this happen this morning.
I restarted the service and setup Service watchdog. I also just set up email notifications as well so if it happens, I'll check logs for that time and maybe one of us will be able to get something useful from logs. -
Might it be crashing because someone outside the network is hammering it maliciously? Not sure if thats possibly the case?
I'm reading that:A denial of service flaw was found in the way BIND followed DNS delegations. A remote attacker could use a specially crafted zone containing a large number of referrals which, when looked up and processed, would cause named to use excessive amounts of memory or crash. (yes I know - Thats bind. Might it be happening with unbound?)
FreeBSD Security Advisory - By causing queries to be made against a maliciously-constructed zone or against a malicious DNS server, an attacker who is able to cause specific queries to be sent to a nameserver can trick unbound(8) resolver into following an endless series of delegations, which consumes a lot of resources. (this is unbound)
Anyway - Just wondering if this is less of a general stability issue and more of a someone is trying to hack my DNS issue.
At any rate, I'd rather my DNS get periodically restarted than to be misdirected. Wonder if the advanced setting might offer a way to prevent this from happening if this is the case seeing as how Trel is experiencing this and its fairly clear his DNS previously was being screwed with.
-
try increasing verbosity of logging to 2 on services: dns resolver: advanced settings
try attaching it to your next post after a crash (might be good to clear resolver log and then restart it … can be done in Status: System logs: Resolver )
I wonder if this is what I experienced the other day as well, loads of webpages even some in the google cache were becoming unavailable.
-
Happened again..
This webpage is not available
The server at www.samsung.com can't be found, because the DNS lookup failed. DNS is the network service that translates a website's name to its Internet address. This error is most often caused by having no connection to the Internet or a misconfigured network. It can also be caused by an unresponsive DNS server or a firewall preventing Internet from accessing the network.
-
Still - No one knows anything about your settings in dns resolver or system > general….
-
Default settings. This is a clean install. Just did a plain vanilla install this morning to rule out any user entered settings killing it.
Definite issue in the resolver. Noticed this happening frequently while using eBay android app. Never saw such issues in 2.1.5
-
Cool - 64bit? Pure hardware. No VM?
-
Yup amd64 on i3
-
This issue has started to become a nuisance. Kids have started to complain about it happening every 30 mins. Sometimes twice every 15 mins. Did a clean install again but it's still the same.
No errors logged and service is up the whole time. Only way temporary solution is to do a manual service restart.Is anyone working on fixing this?
-
Since noone can reproduce it, pretty much doubt anyone's working on it. Maybe you have some lolcats in there?! :o
-
Could be…
-
I wonder if a packet dump of DNS traffic on the WAN port is in order.
-
Others seeing similar issue as well
https://forum.pfsense.org/index.php?topic=88272.0
-
…yeah, but nobody want's to play with me anymore ;-) ...not even doktormotor :-D
-
But mine works.
And in response to the "default" install, I set explicit/specific in the page Services: DNS Resolver(General settings):Enabled True.
Network Interfaces : LAN's & Localhost
Outgoing Network Interfaces : All
All others choices are set False. -
I'm guessing it's not really crashed from the sounds of it (read: it's still running). This sounds like the issue in the "lolcats" thread doktornotor linked.
Go to Services>DNS Resolver, Advanced, make sure you have "Harden Glue" and "Harden DNSSEC data" both enabled.
-
@cmb:
I'm guessing it's not really crashed from the sounds of it (read: it's still running). This sounds like the issue in the "lolcats" thread doktornotor linked.
Go to Services>DNS Resolver, Advanced, make sure you have "Harden Glue" and "Harden DNSSEC data" both enabled.
Yes. This was the issue. This was the new symptom after enabling DNSSEC (without Harden Glue).
I posted this before I realized it was a symptom of the same issue when DNSSEC was turned on.
