DNS Resolver not caching correct?
-
I don't know if I should play around with that because everything runs fast and good for now. But I see if my WAN goes down unbound restarts. Any chance to disable this function and keep it running?
-
@mrsunfire said in DNS Resolver not caching correct?:
But I see if my WAN goes down unbound restarts
It's possible that the restart of unbound wasn't needed. If the WAN IP stays the same, then maybe yes, it might not be needed.
I guess you should investigate why the WAN NIC goes down ? Missing an UPS ? Then add one.There are many reasons that a WAN interface change has more effect, and then unbound should restart.
Loadbalancing. VPN usage (the tunnel is rebuild, and unbound should use the tunnel), etc.However : there is no GUI setting that let you choose what to restart, or not.
Just stop ripping out the cable, or have people play with the power plug, and you'll be fine. -
The IP stays the same. I use cable and the inhouse coax is getting renewed. The old one sometimes has ingress and the connection goes down shortly. I have to say that pfSense then switches to my failover WAN2.
Any chance to disable unbound restart?
-
Do you mean your upstream WAN Ethernet goes really down ? The upstream device resets ?
It's a cable modem - your mentioned 'coax' ?@mrsunfire said in DNS Resolver not caching correct?:
Any chance to disable unbound restart?
Not without you actually changing the code.
Btw : the monitoring process will also reset the interface if the upstream gateway becomes unreachable. You could change these settings.
-
Yes the cable modem loses connection to the upstream gateway of my ISP. Then a gateway alarm appears and it switches to my WAN2.
-
@mrsunfire said in DNS Resolver not caching correct?:
Then a gateway alarm appears and it switches to my WAN2.
Ok. Pretty good reason to inform unbound about that event ^^
-
Sure but why is it clearing the cache? An option to prevent that would be nice.
-
@mrsunfire said in DNS Resolver not caching correct?:
Sure but why is it clearing the cache? An option to prevent that would be nice.
Ah, now we are getting to the bottom of the subject.
It's unbound that needs to restart when the state of one of it's interfaces change.
I guess (my words) that unbound can't dynamic bind and unbind to IPs and/or ports.
This means : shutting down, Start again, thus reading the config (which is probably is rebuild because some interface came up = a viable or is missing now).
Side effect : cache is flushed / reset.As far as I know, the cache isn't written when unbound stops to some cache file and read back in when starting.
Don't know if that is even possible - and I'm pretty sure this isn't done by pfSense.Other side effect : people that use packages like pfBlockerNG with huge DNSBL lists will see something else : it will take long time (several tens of seconds) for unbound to start up because it has to read throughout all these lists and loading them.
If unbound restarts often - because, for example, it restarts when a DHCP lease comes in, they will experience DNS outages. -
You could load the cache back
You have to dump it first
unbound-control dump_cache > unbound.dumpThen reload it
cat unbound.dump | unbound-control load_cacheHere is where you could run into a problem with that - petty sure the ttls would be frozen at that moment in time. I have not done much playing with doing something like that - just don't really see the point.. So your stuff resolves again... So first query would be a couple extra ms.. But if your ttl's are frozen at the moment of the dump, then counters restart on reload then you could be serving up expired ttls - and depending on the how long it was down, etc. They could be expired by very long time.. And still have lots of time left on them, so might be getting bad info for whatever the time left on the ttl was?
But sure - guess it could be coded to dump the cache every X minutes or something, and then on restart reload it. Would need easy way for users to flush other than restart.
-
@johnpoz said in DNS Resolver not caching correct?:
You could load the cache back
You have to dump it first
unbound-control dump_cache > unbound.dump
Then reload it
cat unbound.dump | unbound-control load_cacheMe ?
Ok.First, a snapshot from what the cache is doing now :
unbound-control -c /var/unbound/unbound.conf stats_noreset | grep 'cache'Note : adding " -c /var/unbound/unbound.conf '" isn't optional.
Now I dump to cache :
unbound-control -c /var/unbound/unbound.conf dump_cache > unbound.dumpFor fun, look what's in this file : mine was nearly 3 Mega Bytes.
Now, I restart unbound in the GUI. A command line command exists, I'm; lazy and googled already to much this morning.
Another check :
unbound-control -c /var/unbound/unbound.conf stats_noreset | grep 'cache'to see that unbound is running with an empty cache now.
Show time :
cat unbound.dump | unbound-control -c /var/unbound/unbound.conf load_cacheand re check again to see that "things" have been loaded :
unbound-control -c /var/unbound/unbound.conf stats_noreset | grep 'cache'That seems to work - indeed
You're right - I can ^^
But pfSense can't / doesn't know how to do so.
(I can of course edit the related source files where unbound is restarted - it's just plain PHP .... but hey, all is fine for me already )And yes, you're right. Mighty DNS gods would come down to earth when people start to load in old cache info and issues like that ....
There are already to much "issues" with DNS/unbound - or, take note : it works perfectly well out of the box. -
No didn't mean for you to do it ;) Just stating how it "could" be done hehehehe
Guess it could be somewhat useful for someones who's unbound is restarting all the time.. I would look to why that is happening and stop it.. For example dhcp registration, or maybe pfblocker restarting every hour on a cron or something.
Or maybe your connecting is flipping over to backup, or going down whatever.. The dhcp is easy, just don't have it register dhcp leases. Your connecting going down or flipping might be harder to fix - but that shouldn't be happening on a regular basis that is for sure.
As to how often pfblocker restarts unbound - have to get with BBcan on that, off the top not sure when it might restart unbound.
