DNS issues after upgrading from 2.4.3 to 2.4.4

stephenw10

There should be some time before that also, I expect it the restart process to be between:
Nov 5 21:41:24 unbound 51810:0 info: service stopped (unbound 1.7.3).
and
Nov 5 21:41:25 unbound 51810:0 info: start of service (unbound 1.7.3).
For example.

Though that's still within 1s and I have DNSBL enabled. But far less entries than you.

Steve

Inxsible

I have had issues with DNS upgrading to 2.4.4 as well. It was so intense that I would lose internet connectivity every 3-5 mins. Pinging an external IP would work, but pinging anything with a name (www.google.com) wouldn't.

I also have a VPN client running and initially I thought it might be the VPN causing issues. I was going back and forth with my VPN provider to see what I could do. After a lot of reading I went against their tutorials and stopped forwarding DNS queries and started using DNS resolver. Also did a few other things at the time.

Overall, I ended up installing pfSense 4 times and setting things up over and over again. Finally, for me it turned out to be the excess blocking that I had enabled in pfBlocker. I had subscribed to too many lists, I guess. I ran pfSense without pfBlocker for a week and had no issues. Finally I enabled pfBlocker again, but only subscribed to 1 EasyList. This is a lot less than what I was subscribed to with 2.4.3 and still had no issues (in 2.4.3).

I do get a few more ads on my pages than I would like, but at least my wife isn't on my case every 5 mins. :)

I will keep watching this thread to see if there are other pointers that I can tweak in order to block as many ads, junk sites etc. without losing my mind over dropped DNS requests/unbound restarts.

EDIT: I just checked and it seems that I do have the
DHCP Registration, Static DHCP Registration & OpenVPN Clients Registration all checked.

Can't remember if those were all checked when I was having issues or was this something that I enabled after I got stable network, however.

stephenw10

Any idea how many DNSBL entries?

I have 20480 here currently and have never seen any issues.

Steve

Raffi_

@stephenw10 Yup, the service stopped entry in my log had the same time stamp as the restart entry so I left it out since it was negligible.

Raffi_

@inxsible Disable DHCP registration if you're having issues with unbound restarts. It's a feature you probably don't need anyway, so any minor benefit you get from it is not worth the cost of having unbound restarts triggered.

Also, below is a great video on getting things going with pfblocker. You don't have to use all lists and recommendations, but this is where I started and I don't have many false positives.
https://www.youtube.com/watch?v=QwFpMwXEK5w&list=LLKjPM3pDxt_EiYOfJgxsvQQ&t=305s&index=5

Inxsible

@raffi_ Thanks. I will check the video out and see what I can tweak. As for the tutorials that I followed regarding pfBlocker setup were these:

https://www.linuxincluded.com/block-ads-malvertising-on-pfsense-using-pfblockerng-dnsbl-old/

The first couple of times that I set up pfBlocker, I used all the lists that he mentioned in that blog -- except the TLD blocking. Currently, I only use 1 EasyList.

Inxsible

This post is deleted!

luas

We've been on our backup machine since my last post and have had zero problems since disabling DHCP registration.
Confidently, I just wanted to switch back to our production machine - and problems started again. And they didn't stop after a couple of minutes as observed before, but just continued.

One new observation I can share:
pfsense opens an unreasonable amount of DNS requests - I will see around 9000 entries in state table size; most of them are port 53 (DNS). A normal number for our environment for this time of day would rather be around 2500.
The interesting thing is that the other pfsense (which shares the same WAN router in front of pfsense) will show the same symptoms (high RTT time and no DNS), even though it does not receive any requests from the LAN. This leads me to the assumption that either the router in front of pfsense (a Fritz!Box 7362) resigns due to the flood of DNS requests, or the DNS servers themselves throttle because of the massive amount of requests they receive from us.
After switching back to the backup pfsense, problems are instantly gone.

Does anyone have an idea why pfsense would want to start such a mass of DNS requests?

stephenw10

Do you have a large number of aliases with FQDNs in them? Those will all be resolved when the ruleset is generated.

Steve

luas

You mean at Firewall>Aliases?
Only ten IP Aliases. That shouldn't be the problem, I guess.

stephenw10

But do they have a lot of FQDNs in them? They are all resolved when the ruleset is generated which can make a lot of connections in a short time.

Steve

luas

No, only IP addresses, and not more than 20 each.

stephenw10

Hmm, well you could turn up the logging in Unbound to see what is being resolved. You might need to expand the log size if it's a lot of things.

Steve

luas

"Turning up logging" means switching to "Raw display"?

Well, I did another attempt this morning and it seems to work for the time of being.
It seems that, during the last attempt, DHCP registration had accidentally been active. I disabled it immediately upon noticing it, but it probably was too late.

stephenw10

You can set Ubounds log level in the advanced tab. If you set it to level 3 or higher you can see the queries made against it so you would see whatever it is resolving initially.

Steve