2.4.4_1: unbound frequently stops answering domain overrides

lnguyen

Unbound was updated to 1.8.1 and has a bug where its single threaded. Enter this in custom options under Services | DNS Resolver

server:
so-reuseport: no

See this thread for the details:
https://forum.netgate.com/topic/138274/unbound-1-8-1-only-single-thread-processing-dns-requests/5

matsan

@lnguyen
Thanks. Added that and keeping fingers crossed :-)

lnguyen

@matsan I had to restart the DNS Resolver service again so that workaround may not be related to this bug.

lnguyen

@matsan I disabled DNSSEC and that seems to be a workaround but compromises DNS security.

matsan

@lnguyen said in 2.4.4_1: unbound frequently stops answering domain overrides:

@matsan I disabled DNSSEC and that seems to be a workaround but compromises DNS security.

Will try that as well. Restarted once this morning already...

lnguyen

@matsan Did disabling DNSSEC work for you?

matsan

@lnguyen
So far so good.

John41

@lnguyen I am not the original person that started this thread but I had a problem that seems the same. I always had the problem where my Domain Override in DNS Resolver would stop working. With 2.4.3 and older it would happen not very often. With 2.4.4-RELEASE-p2 it happens relatively often. If I simply save/apply settings on the DNS Resolver page (may work for other pages...not sure) it then works for a while. I don't need to change anything. There is nothing in the logs that I can see.

I disabled DNSSEC and that seems to have kept things working. I will also try the method referenced where unbound threading config is changed.

lnguyen

@john41 I had no issues with domain override (across IPSec VPN) until 2.4.4-p1. It is still an issue with 2.4.4-p2. @jimp Should I open a bug report for this on redmine?

lnguyen

I did notice that only forward zone domain overrides failed with DNSSEC enabled. Reverse zone donain overrides work perfectly fine whether DNSSEC is disabled or enabled.