DNS issues after upgrading from 2.4.3 to 2.4.4
-
@raffi_ Thanks. I will check the video out and see what I can tweak. As for the tutorials that I followed regarding pfBlocker setup were these:
https://www.linuxincluded.com/block-ads-malvertising-on-pfsense-using-pfblockerng-dnsbl-old/
The first couple of times that I set up pfBlocker, I used all the lists that he mentioned in that blog -- except the TLD blocking. Currently, I only use 1 EasyList.
-
This post is deleted! -
We've been on our backup machine since my last post and have had zero problems since disabling DHCP registration.
Confidently, I just wanted to switch back to our production machine - and problems started again. And they didn't stop after a couple of minutes as observed before, but just continued.One new observation I can share:
pfsense opens an unreasonable amount of DNS requests - I will see around 9000 entries in state table size; most of them are port 53 (DNS). A normal number for our environment for this time of day would rather be around 2500.
The interesting thing is that the other pfsense (which shares the same WAN router in front of pfsense) will show the same symptoms (high RTT time and no DNS), even though it does not receive any requests from the LAN. This leads me to the assumption that either the router in front of pfsense (a Fritz!Box 7362) resigns due to the flood of DNS requests, or the DNS servers themselves throttle because of the massive amount of requests they receive from us.
After switching back to the backup pfsense, problems are instantly gone.Does anyone have an idea why pfsense would want to start such a mass of DNS requests?
-
Do you have a large number of aliases with FQDNs in them? Those will all be resolved when the ruleset is generated.
Steve
-
You mean at Firewall>Aliases?
Only ten IP Aliases. That shouldn't be the problem, I guess. -
But do they have a lot of FQDNs in them? They are all resolved when the ruleset is generated which can make a lot of connections in a short time.
Steve
-
No, only IP addresses, and not more than 20 each.
-
Hmm, well you could turn up the logging in Unbound to see what is being resolved. You might need to expand the log size if it's a lot of things.
Steve
-
"Turning up logging" means switching to "Raw display"?
Well, I did another attempt this morning and it seems to work for the time of being.
It seems that, during the last attempt, DHCP registration had accidentally been active. I disabled it immediately upon noticing it, but it probably was too late. -
You can set Ubounds log level in the advanced tab. If you set it to level 3 or higher you can see the queries made against it so you would see whatever it is resolving initially.
Steve
