Upgrade 2.4.0: firewall rule with alias and FQDN not working anymore

ggzengel

If I understand it right?

You have local DNS entries which appear in /etc/hosts?
And now the first of the external DNS servers is not responding and local IPs (from /etc/hosts) are not resolved in alias table?

Normally nsswitch.conf looks like:
hosts: files dns

What shows yours?

blueivy

@ggzengel:

If I understand it right?

You have local DNS entries which appear in /etc/hosts?

Yes. All of them were static DHCP leases. All of them resolved using Diagnostics -> Ping  and Disagnostics -> DNS Lookup in pfSense.

And now the first of the external DNS servers is not responding and local IPs (from /etc/hosts) are not resolved in alias table?

They don't appear in the aliases tables. And filterdns entries were missing from the System|DNS Resolver logs.

Normally nsswitch.conf looks like:
hosts: files dns

What shows yours?

It is:

hosts: files dns

Exactly the same.

ggzengel

I think you should open a bug in redmine.

blueivy

@ggzengel:

I think you should open a bug in redmine.

I would do normally. But there is already a bug open for this. The way it was also completely dismissed without waiting for further information and pushed back to the forum means I'm not going to waste my time going through the hoops to do it. I appreciate that there was not a lot of information given on the issue raised but the way it was handled was poor. Pre-empting an issue as not a bug 'because we don't see it here' is a naive viewpoint and a does not encourage people to feedback on their project.

But I do appreciate your help in this ggzengel. Between the pair of us it lead me to find what I did. It's been much appreciated.

ggzengel

I restarted my pfsense and got only one filterdns and it's working.
Now I will have a look how long it will be stable.

ChrisCCC

Hi All,

I know this is an old topic, but I too, have noticed this issue occurring since an upgrade to 2.4.2. This definitely wasn't an issue previously, and very few config changes have been made since the upgrade.

I don't fully understand the process used to build these FQDN aliases, but I'll provide as much info as possible, in the hope it helps narrow down the root cause.

I've created a test Alias, called Host_Test, containing the FQDN 'www.test.com'.

• Viewing the table entry for this alias shows an empty table.

• DNS servers for the firewall are set to 8.8.8.8 and 8.8.4.4. DNS forwarders or resolver are not in use.

• DNS resolution for this hostname is working fine for both DNS servers under status -> DNS Lookup.

• Runninng 'ps -A | grep filterdns' shows there is a process running called filterdns.

• If I view the log under System -> DNS Resolver, I can see that on the date of the upgrade (I assume on first boot after) there are entries such as the below, for all almost all FQDN aliases configured on the firewall. There have since been no events logged in this log.

filterdns failed to resolve host s186.fmp12-hosting.co.uk will retry later again.

This firewall has an HA partner, which doesn't seem to be experiencing the problem. Based on the total lack of logs since the primary firewall's initial boot, I'm wondering if the root cause is the process hanging (I assume 'filterdns' is the relevant process). Is it possible to safely kill and restart this process, or are there other considerations when doing this?

ChrisCCC

Quick followup. It looks like the process was hung. It's currently working after running "killall -9 filterdns" then saving and applying an Alias to restart the process.

What's potentially concerning is how soon after bootup this process seems to have stopped responding. Not sure if this is a one off for me, or something peculiar that's happening since the upgrade. I'll update this post if I notice the issue reoccur, especially after the next reboot.

Valeriy

I can confirm the issue and workaround by ChrisCCC
(Filter DNS service hangs, killall - 9 filterdns and then Filter reload (in pfSense GUI) solves the issue.)

I got the same problem after upgrade to 2.4

Currently running snapshot [2.4.3-DEVELOPMENT (amd64) built on Sun Jan 07 20:44:55 CST 2018]

Things to consider (in no particular order), that might be causing it:

• I have substantial amount of hostname records in different  Firewall aliases (hundreds)

• After a while some hosts become obsolete (i.e. hostname does not resolve to IP address)

• sometimes DNS servers might not be responding quickly (for such a big volume of DNS queries, perhaps)

I guess something is broken in filterdns algorithm after release 2.4: either after incorrect response from DNS server or absense of response causes it to hang.

snarfattack

Thanks for the workaround… this bug is driving me nuts too. Killing filterdns fixed the issue, at least temporarily for me. After a couple updates, it'll fail again.

Valeriy

It drove me crazy too, I wish I could have read this thread before I spent a few hours looking what is wrong.

Also,
https://forum.pfsense.org/index.php?topic=141441.15 is same topic.
Maybe Moderators can merge it?

echu2016

Does any body having this issue uses pfblocker ? In my case removing this PKG and replacing it by url tables aliases solved the issue.
Filterdns was receiving several sighup signals before, before hanging.

trees spanning the land

@Valeriy:

• I have substantial amount of hostname records in different  Firewall aliases (hundreds)

^This seems to be the problem, I had an alias with a list of Hundreds if not thousands of server Host names deleting them and then simply going to the other aliases with empty tables and clicking save to trigger a filter reload and update to the tables for those aliases has fixed the issue.

For everyone having this issue I'd recommend checking your Aliases to see if possibly you or someone else maybe added an alias into the firewall with a very large amount of hostnames and doing a backup of them and trying a delete and re-applying the other affected ones.

If we get some people coming back saying this is the cause then the devs will know what to investigate and hopefully get a fix put out for it.

I'm On 2.4.4-DEVELOPMENT If anyone finds that info Helpful.

qwertyface

I've just experienced this issue, and I think I have a solution.

For a while (including before the upgrade) I'd been seeing errors saying something like:```
There were error(s) loading the rules: /tmp/rules.debug:24: cannot define table bogonsv6: Cannot allocate memory - The line in question reads [24]: table <bogonsv6> persist file "/etc/bogonsv6"
@ 2018-05-16 19:13:38

From [https://forum.pfsense.org/index.php?topic=145990](https://forum.pfsense.org/index.php?topic=145990) I learned that the size of the BogonsV6 file grew substantially recently. The thread suggests increasing maximum table entries. While investigating, I noticed that the tables for my aliases were empty (**Diagnostics** > **Tables**). After increasing the maximum table entries, my aliases were showing up in the tables view.

I think this was probably a latent issue before the upgrade, caused by the size of the BogonsV6 table, and it's the reboot which has caused it, not the upgrade.

downtown

I resolved this by cleaning up old aliases and ones that no longer resolved, as mentioned above. I had already increased my max table size.

Fug1

I've just experienced this bug, as well. I'm currently running 2.4.4-RELEASE-p1 (amd64).

To resolve, I had to kill filterdns and re-save the affected alias table.

The affected fqdn entry was a local host (dhcp) and also manually entered in dns resolver. nslookup on the hostname worked fine, but the IP address wouldn't populate in the alias table. Once I killed filterdns and re-saved the alias table, all is working again.

I already had the firewall table size increased to 400k, so that wasn't the issue for me.