DNS Failure after a DNSBL reload/update
-
In DNSBL, you enabled the DNSBL IP option…. So when it finds an IP in a Domain based DNSBL feed, those IPs are added to the Blocklist using the settings that are configured in the DNSBL Tab....
Goto the General tab, and enable "Suppression", then do a Force Reload - All... This will remove any loopback or RFC1918 addresses that might be in the list...
The error message might have been when you Disabled DNSBL and that error can happen depending on the timing of disabling DNSBL... So if it just errored once, then don't worry about it.
If you review the Alerts Tab, what does it show as being blocked?
-
Thanks for you time BBcan177,
As per your suggestion I enabled Suppression and did a Force Reload. Then realized I forgot to enable DNSBL first… :-[ so I repeated the Force Reload step after this time enabling DNSBL, no obvious errors in the log and as before, any DNS request to the router fails immediately.
Disabled DNSBL and DNS requests go through again.Everytime I disable DNSBL the error message appears. If I reenable DNSBL, no error message, but also no DNS request is accepted.
There is nothing at all under the DNSBL section in the Alerts tabs.
Logs > Log Files > error.log is empty/blank
Logs > Log Files > dnsbl.log is empty/blank
Logs > Log Files > pfblockerng.log just shows my constant enabling and disabling of the DNSBL partI'm happy to do a uninstall/reinstall, setting everything up again is not difficult, but I have already done it once and nothing changed which seems to imply that not everything is cleared away during an uninstall. Whats the best way to manually removal all the left overs?
-
After second uninstall/reboot/reinstall of pfBlockerNG everything (touch wood!) seems to be working normally again.
I have no idea what I did differently this time.
Thanks to all that responded with help and suggestions.
-
There is definitely some problem with this which I am not able to resolve. I have 4 ADSL lines. These renew their ips every 24 hours. Sometimes, I need to refresh the ip address for what ever reason. Every time any interface's ip is renewed, pfblocker needs to be disabled and enabled again as the dns stops resolving hostnames. I have removed pfblocker and reinstalled it to no avail. Am out of ideas now.
-
When the WAN IP changes, pfsense probably restart/reload unbound.
Depending on your hardware and DNSBL setup, this may takes more than 1-2 minutes to complete. So if 4 IP changes around the same time, pfsense will reload/restart unbound again, before it has finished loading, it may exit with error.
Look at the Status / System Logs / System / General for unbound error messages.
Look at the Status / System Logs / System / DNS Resolver. On my FW unbound will not log anything after a system reboot (and probably WAN IP changes). To have Unbound logs reloads, I go to Status / Services and restart unbound after a reboot.
-
So, in this case, will it help if I have static ips for each of the 4 ADSL lines? I have to option to get static ips from my ISP. The ADSL lines will still renew the ip address every 24 hours but they would always get the same ips.
-
I don't know if unbound restart when the WAN IP renew with the same IP.
Maybe you should ask that question in the DHCP / DNS forum. -
For my original problem, another full uninstall/reinstall/reconfigure seems to have fixed the problem.
I'm still notsure what happened to get it in the state it was in, but it has cleared up for now. fingers crossed.
Thanks to all that spent some time with their help.
-
"full uninstall/reinstall/reconfigure" of what? Just the pfBlockerNG package or the whole pfSense install?
-
Just pfBlockerNG. Deleted all lists manually, did a force update to clear everything, uninstalled the package, rebooted the machine and installed pfBlocker from scratch and re configured from a blank slate.
Not sure what preciusely that fixed, other then to know that it is now working as expected, again.
