WARNING: Don't enable TLS to upstream DNS servers in pfSense 2.4.4
-
There's a memory leak in Unbound 1.7.3 which is included in pfSense 2.4.4. If you enable TLS to your upstream DNS servers bad things will happen. Here's a graph showing what you can expect if you enable TLS. Note the memory usage skyrocketing and then swap being used. If you run pfSense on an SD card and pfSense starts to aggressively use swap you can shorten the life of your SD card.
In my case pfSense would eventually reboot, resulting in a denial of service due to running out of memory, but your results may vary.
PS: This should be pinned at the top of the forum until a fix has been issued.
-
@imcdona pfSense 2.4.4-p1 was released with an updated version of Unbound (1.8.1) a few hours ago. No idea whether it fixes your issue or not, but the release notes refer to fixing memory leaks in Unbound.
More information here: https://www.netgate.com/blog/pfsense-2-4-4-release-p1-now-available.html
-
Unbound 1.8.1 has been in pfSense for a few weeks now and yes, it does resolve the bug.
There's another small bug in 1.8.1 where threading isn't enabled though. It's explained here, along with a fix I found. Only really an issue if your pfSense gets heaps of DNS requests.
-
@muppet said in WARNING: Don't enable TLS to upstream DNS servers in pfSense 2.4.4:
There's another small bug in 1.8.1 where threading isn't enabled though. It's explained here, along with a fix I found.
I reported the threading bug in two separate posts on the forum two days ago. JIMP had said he posted an update and I commented that there was a threading bug and was ignored. Now you've got 2.4.4_1 out and Unbound still has issues. This doesn't instill confidence.
-
@imcdona You know I don't work for Netgate, right?
-
@muppet I understand and I appreciate your help in getting this resolved. My comments are directed at Netgate.
-
@imcdona The official place to report bugs is here: https://redmine.pfsense.org/projects/pfsense/issues. Reporting of bugs in the forum isn't a guaranteed way of getting them addressed.
-
@imcdona said in WARNING: Don't enable TLS to upstream DNS servers in pfSense 2.4.4:
I reported the threading bug in two separate posts on the forum two days ago. JIMP had said he posted an update and I commented that there was a threading bug and was ignored. Now you've got 2.4.4_1 out and Unbound still has issues. This doesn't instill confidence.
At that point the release was already built, and this wouldn't have been a significant enough issue to stop the entire release process and restart all the testing needed.
It's also easily worked around by adding this to your custom options if it matters:
server:
so-reuseport: no
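A small check for the two conditions discussed in this thread, added here as an example and not code from the thread or from the pfSense project: it parses an Unbound config in the shape pfSense writes to /var/unbound/unbound.conf (that path, the forward-tls-upstream option name and the "unbound -V" banner format are assumptions) and reports the 1.7.3 TLS memory leak or a missing so-reuseport: no on 1.8.1.

```python
import re
from typing import Dict, List

# Constructed sample in the shape pfSense writes /var/unbound/unbound.conf
# (path and option names are assumptions; the values are made up for the demo).
SAMPLE_CONF = """\
server:
    num-threads: 4
    so-reuseport: yes
forward-zone:
    name: "."
    forward-tls-upstream: yes   # DNS over TLS to the upstream resolvers
    forward-addr: 192.0.2.53@853
"""

def parse_unbound_conf(text: str) -> Dict[str, List[str]]:
    """Collect 'option: value' pairs from every clause, comments stripped."""
    opts: Dict[str, List[str]] = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        m = re.match(r"([a-z0-9-]+):\s*(\S.*)$", line)
        if m:  # clause headers such as 'server:' carry no value and are skipped
            opts.setdefault(m.group(1), []).append(m.group(2).strip().strip('"'))
    return opts

def assess(text: str, unbound_version: str) -> List[str]:
    """Return the warnings from this thread that apply to this config/version."""
    opts = parse_unbound_conf(text)
    warnings: List[str] = []
    tls_on = "yes" in opts.get("forward-tls-upstream", []) + opts.get("forward-ssl-upstream", [])
    if unbound_version == "1.7.3" and tls_on:
        warnings.append("TLS to upstream on Unbound 1.7.3: known memory leak; expect RAM/swap "
                        "growth. Disable TLS upstream or update to pfSense 2.4.4-p1")
    if unbound_version == "1.8.1" and opts.get("so-reuseport") != ["no"]:
        warnings.append("Unbound 1.8.1 threading bug: add 'server:' / 'so-reuseport: no' "
                        "to the DNS Resolver custom options")
    return warnings

def version_from_banner(banner: str) -> str:
    """Extract 'x.y.z' from 'unbound -V' output (assumed first line 'Version x.y.z')."""
    m = re.search(r"Version\s+(\d+\.\d+\.\d+)", banner)
    return m.group(1) if m else ""

if __name__ == "__main__":
    for v in ("1.7.3", "1.8.1"):
        print(v, assess(SAMPLE_CONF, v) or ["no known issue"])
```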
-
@gsiemon said in WARNING: Don't enable TLS to upstream DNS servers in pfSense 2.4.4:
The official place to report bugs is here: https://redmine.pfsense.org/projects/pfsense/issues. Reporting of bugs in the forum isn't a guaranteed way of getting them addressed.
I'm well aware of the bug tracker. I specifically posted in the forum in response to a reply from Netgate staff saying that Unbound could be upgraded to 1.8.1. My thought was that since there is already a discussion going on regarding the issue I'd continue the conversation in the forum rather than add to the bug report for something that may or may not be related.
I did finally end up reporting the issue to the bug tracker after getting no response from Netgate in the forum thread they were a part of.