Unbound restarting more frequently?

RyanM

I just changed the updates to run daily instead of hourly. It seemed that unbound was restarting pretty regularly and this caused DNS lookups to fail for a few minutes while it did. After making this change, it seems like unbound is still restarting more than daily, any idea why this is? I might need to let it take a few days too, not sure.

Gertjan

Hi,

It's easy to make a restart bomb out of unbound. If you add packages that add a lot of setup info, unbound can even be slow to start.

So, the question is : what's your (unbound) setup ?

RyanM

What is the pertinent info? I haven't had this issue until I updated pfBlockerNG to the 'devel' branch and version 2.2.5_19. When I did that, I added a bunch of feeds (IP and Host). I just went and removed some that were large lists and did not appear to be blocking any of my requests. I will see if that makes a difference, but I wanted to ask on the forum what could be causing this?

chrismacmahon

What is the pertinent info?

The more you can get the better, Let's start out with basics, what version of pfSense are you running, what is the hardware specs, what packages are installed.

Anything else would be great.... the more you get to us, the faster we can assist.

Gertjan

@ryanm said in Unbound restarting more frequently?:

What is the pertinent info?

This

I haven't had this issue until I updated pfBlockerNG to the 'devel' branch and version 2.2.5_19. When I did that, I added a bunch of feeds (IP and Host).

and with these words you answered your question.

Packages can put a big load on the DNS system. The overall winner is probably pfBlockerNG.

Take a look at this page (example) : pfBlockerNG and have a look at the feeds.
Huge files, and these files are all read into the DNS's daemon's memory every time it (re)starts.
Also : something on an interface changes ? DNS restarts.
You have DHCP leases registered into DNS ? On every incoming DHCP lease, DNS restarts ....
Etc.
Cum them up together, and it very possible (== easy) to create a situation where you real notice that the "DNS is down".

RyanM

@chrismacmahon said in Unbound restarting more frequently?:

What is the pertinent info?

The more you can get the better, Let's start out with basics, what version of pfSense are you running, what is the hardware specs, what packages are installed.

Anything else would be great.... the more you get to us, the faster we can assist.

Hopefully screenshots work.

System Info:

Installed Packages:

DNS Resolver Settings:

The Custom options box is set to:

server:  
private-domain: "plex.direct"
server:include: /var/unbound/pfb_dnsbl.*conf

I don't think I have changed any advanced settings. Let me know if those are important.

I made 2 big changes recently.

1. I enabled TLS in DNS Resolver by checking the checkboxes in the "DNS Query Forwarding" section.
2. I updated pfBlockerNG to the devel branch and added some feeds (IP and Domain).

Here are the pfBlockerNG settings for IPv4 filters:

And the feeds:

Note that while some of these entries are "Disabled" with a "Frequency" of "Never", that was a change I made this morning to reduce the items pfBlockerNG was filtering. This reduced the number of items for several hundred thousand entries (possibly close to 1M since BBC is around 600k entries and hpHosts is around 350K entries). I am hoping that disabling some of these feeds will keep resolver from restarting, but to be honest I don't know if that was the issue.

RyanM

@gertjan said in Unbound restarting more frequently?:

You have DHCP leases registered into DNS ? On every incoming DHCP lease, DNS restarts ....

I think this might be a bigger factor regarding this issue. I forgot to mention that while setting up the TLS support for DNS I saw this option and it sounded like a good idea. Whoops. I am going to turn this off.

Gertjan

Exact.
Static ones are ok, they are known - and when the lease is renewed, DNS doesn't restart.
Classic DHCP, if checked, will restart DNS.
This is a known subject (I won't call it an issue, but if unbound has a lot of work to do at startup, like rowing through all these pfBlockerNG 's feeds files; and you have a 'light' system (processor, disk, whatever) then yes, it starts to take time).