Netgate Discussion Forum

    Unbound DNS Resolver crashing randomly

      dennypage

      For what it's worth, I saw this on rare occasion during RC testing. In my case, the crash was usually shortly after reboot. Since GA, it's been stable for me, but I also haven't been rebooting.

        doktornotor

        @BBcan177:

        Maybe the Service Watchguard could be used…

        Yes, this certainly works.

          asterix

          I did install Service Watchdog after the repeated crashing. So far it looks to be fine. But the underlying issue needs to be fixed.

            Trel

            To combat DNS cache poisoning issues, I'm now exclusively using unbound as my resolver, and I just saw this happen this morning.
            I restarted the service and set up Service Watchdog. I also just set up email notifications as well so if it happens, I'll check logs for that time and maybe one of us will be able to get something useful from logs.

              kejianshi

              Might it be crashing because someone outside the network is hammering it maliciously? Not sure if that's possibly the case?
              I'm reading that:

              A denial of service flaw was found in the way BIND followed DNS delegations. A remote attacker could use a specially crafted zone containing a large number of referrals which, when looked up and processed, would cause named to use excessive amounts of memory or crash. (Yes, I know - that's BIND. Might it be happening with unbound?)

              FreeBSD Security Advisory - By causing queries to be made against a maliciously-constructed zone or against a malicious DNS server, an attacker who is able to cause specific queries to be sent to a nameserver can trick unbound(8) resolver into following an endless series of delegations, which consumes a lot of resources. (this is unbound)

              Anyway - Just wondering if this is less of a general stability issue and more of a someone is trying to hack my DNS issue.

              At any rate, I'd rather my DNS get periodically restarted than to be misdirected. Wonder if the advanced setting might offer a way to prevent this from happening if this is the case, seeing as how Trel is experiencing this and it's fairly clear his DNS previously was being screwed with.

                firewalluser

                @heper:

                try increasing verbosity of logging to 2 on services: dns resolver: advanced settings

                try attaching it to your next post after a crash (might be good to clear resolver log and then restart it … can be done in  Status: System logs: Resolver )

                I wonder if this is what I experienced the other day as well, loads of webpages even some in the google cache were becoming unavailable.

                  asterix

                  Happened again..

                  This webpage is not available

                  The server at www.samsung.com can't be found, because the DNS lookup failed. DNS is the network service that translates a website's name to its Internet address. This error is most often caused by having no connection to the Internet or a misconfigured network. It can also be caused by an unresponsive DNS server or a firewall preventing Internet from accessing the network.

                    kejianshi

                    Still - No one knows anything about your settings in dns resolver or system > general….

                      asterix

                      Default settings. This is a clean install. Just did a plain vanilla install this morning to rule out any user entered settings killing it.

                      Definite issue in the resolver. Noticed this happening frequently while using eBay Android app. Never saw such issues in 2.1.5

                        kejianshi

                        Cool - 64bit?  Pure hardware.  No VM?

                          asterix

                          Yup  amd64 on i3

                            asterix

                            This issue has started to become a nuisance. Kids have started to complain about it happening every 30 mins. Sometimes twice every 15 mins. Did a clean install again but it's still the same.
                            No errors logged and service is up the whole time. The only temporary solution is to do a manual service restart.

                            Is anyone working on fixing this?

                              doktornotor

                              Since no one can reproduce it, pretty much doubt anyone's working on it. Maybe you have some lolcats in there?!  :o

                                kejianshi

                                Could be…

                                [Attached image: pctechsupportcat.jpg]

                                  Harvy66

                                  I wonder if a packet dump of DNS traffic on the WAN port is in order.

                                    asterix

                                    Others seeing similar issue as well

                                    https://forum.pfsense.org/index.php?topic=88272.0

                                      2chemlud

                                      …yeah, but nobody wants to play with me anymore ;-) ...not even doktormotor :-D

                                        hda

                                        But mine works.
                                        And in response to the "default" install, I set explicit/specific in the page Services: DNS Resolver(General settings):

                                        Enabled True.
                                        Network Interfaces : LAN's & Localhost
                                        Outgoing Network Interfaces : All
                                        All other choices are set False.

                                          cmb

                                          I'm guessing it's not really crashed from the sounds of it (read: it's still running). This sounds like the issue in the "lolcats" thread doktornotor linked.

                                          Go to Services>DNS Resolver, Advanced, make sure you have "Harden Glue" and "Harden DNSSEC data" both enabled.

                                            Trel

                                            @cmb:

                                            I'm guessing it's not really crashed from the sounds of it (read: it's still running). This sounds like the issue in the "lolcats" thread doktornotor linked.

                                            Go to Services>DNS Resolver, Advanced, make sure you have "Harden Glue" and "Harden DNSSEC data" both enabled.

                                            Yes.  This was the issue.  This was the new symptom after enabling DNSSEC (without Harden Glue).
                                            I posted this before I realized it was a symptom of the same issue when DNSSEC was turned on.
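
The check cmb recommends and Trel confirms above, as an added example that is not part of the original thread: a Python audit of an unbound.conf that flags the reported combination of DNSSEC validation enabled with glue hardening off. It assumes the GUI options "Harden Glue" and "Harden DNSSEC data" correspond to unbound's `harden-glue` and `harden-dnssec-stripped`; the sample config and its key path are constructed.

```python
# Added example, not from the thread. Sample config below is constructed.

# unbound's built-in values when an option is absent from the file.
DEFAULTS = {"harden-glue": "yes", "harden-dnssec-stripped": "yes"}
TRUST_ANCHOR_KEYS = ("auto-trust-anchor-file", "trust-anchor-file",
                     "trust-anchor", "trusted-keys-file")

def parse_server_options(text):
    """Return {option: value} from the server: clause (last value wins)."""
    opts, in_server = {}, False
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()      # drop comments
        if not line:
            continue
        key, _, value = line.partition(":")
        key, value = key.strip(), value.strip().strip('"')
        if value == "":                          # clause header, e.g. "server:"
            in_server = (key == "server")
        elif in_server:
            opts[key] = value
    return opts

def audit(text):
    """Return a list of findings; an empty list means both options are on."""
    opts = parse_server_options(text)
    effective = {k: opts.get(k, d) for k, d in DEFAULTS.items()}
    modules = opts.get("module-config", "validator iterator").split()
    # Validation needs the validator module and a configured trust anchor.
    dnssec = "validator" in modules and any(k in opts for k in TRUST_ANCHOR_KEYS)
    findings = [f"{k} is '{v}', expected 'yes'"
                for k, v in effective.items() if v != "yes"]
    if dnssec and effective["harden-glue"] != "yes":
        findings.append("DNSSEC validation is on without harden-glue")
    return findings

# Constructed sample: DNSSEC enabled, Harden Glue unchecked.
WEAK = """
server:
    module-config: "validator iterator"
    auto-trust-anchor-file: /example/root.key   # constructed path
    harden-glue: no
    harden-dnssec-stripped: yes
remote-control:
    control-enable: yes
"""
HARDENED = WEAK.replace("harden-glue: no", "harden-glue: yes")

if __name__ == "__main__":
    for name, cfg in (("weak", WEAK), ("hardened", HARDENED)):
        print(name, audit(cfg) or "OK")
```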

                                            Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.