Netgate Discussion Forum
    • Categories
    • Recent
    • Tags
    • Popular
    • Users
    • Search
    • Register
    • Login

    Intermittent connection issue

    Scheduled Pinned Locked Moved DHCP and DNS
    115 Posts 6 Posters 25.1k Views
    Loading More Posts
    • Oldest to Newest
    • Newest to Oldest
    • Most Votes
    Reply
    • Reply as topic
    Log in to reply
    This topic has been deleted. Only users with topic management privileges can see it.
    • K
      kevindd992002
      last edited by

      Ok, so I decided to disable DHCP registration and OpenVPN client registration from unbound since 4 days ago and everything seemed to be working perfectly now! I tried turning on my desktop and no issues at all! Weird thing is that when I had this issue I did not get a lot of unbound restarts as shown in the logs above so I still don't know the cause. There could be a device (when DHCP registration was enabled) in my network that constantly renewing its lease, I don't know, but I should've seen the restarts in the unbound logs. As for the Openvpn client registration, I think that's only for server-to-client OpenVPN connections which I do not use because my OpenVPN connection is server-to-server (site-to-site).

      But yeah, so far so good. Now I'm thinking of implementing a pi-hole DNS server (using the container in docker hub) in my environment. What advantages will I get with using it? Is it just the beautiful interface/graphs that it offers? From what I've read so far, the pi-hole will be the DNS server for the clients (assigned via DHCP) and then it just forwards the requests to pfsense's unbound, right?

      1 Reply Last reply Reply Quote 0
      • johnpozJ
        johnpoz LAYER 8 Global Moderator
        last edited by johnpoz

        The different with dnsmasq and unbound for forwarding is dnsmasq out of the box forwards to ALL of the forwarders you have set at the same time, and uses just uses the first answer. I don't think you can tell unbound to do that.. Would have to check the unbound docs - but there is no way to set that in the gui of pfsense. This can be good for when you have bad peering isp or issues talking via some paths, etc.

        Well restarting unbound never helps because it flushes your cache. But you do have a lot of timeouts you showed - so something not great with your isp either which could be problems.

        For all we know your isp connections has gotten better, and has zero to do with unbound restarting.

        Again when you have issues with dns - you can not just assume the problem is X, you need to troubleshoot the exact issue your seeing... Not just dns not working sometimes.. Pick something that didn't work and find out why.. Are you still seeing a lot of timeouts in your infra info?

        You can also make sure you setup prefetch with unbound, this can help with problematic issues because it will look up stuff in the background before the ttl expire and it flushes out of the cache. Also setting serve 0 ttl can really help as well. Since now even if the cache expired, it would serve up the last entry when client asks for it - and then look it up in the background again.

        An intelligent man is sometimes forced to be drunk to spend time with his fools
        If you get confused: Listen to the Music Play
        Please don't Chat/PM me for help, unless mod related
        SG-4860 24.11 | Lab VMs 2.8, 24.11

        K 2 Replies Last reply Reply Quote 0
        • K
          kevindd992002 @johnpoz
          last edited by

          @johnpoz said in Intermittent connection issue:

          The different with dnsmasq and unbound for forwarding is dnsmasq out of the box forwards to ALL of the forwarders you have set at the same time, and uses just uses the first answer. I don't think you can tell unbound to do that.. Would have to check the unbound docs - but there is no way to set that in the gui of pfsense. This can be good for when you have bad peering isp or issues talking via some paths, etc.

          Well restarting unbound never helps because it flushes your cache. But you do have a lot of timeouts you showed - so something not great with your isp either which could be problems.

          For all we know your isp connections has gotten better, and has zero to do with unbound restarting.

          Again when you have issues with dns - you can not just assume the problem is X, you need to troubleshoot the exact issue your seeing... Not just dns not working sometimes.. Pick something that didn't work and find out why.. Are you still seeing a lot of timeouts in your infra info?

          You can also make sure you setup prefetch with unbound, this can help with problematic issues because it will look up stuff in the background before the ttl expire and it flushes out of the cache. Also setting serve 0 ttl can really help as well. Since now even if the cache expired, it would serve up the last entry when client asks for it - and then look it up in the background again.

          I see. I thought both dnsmasq and unbound forwarding works that way.

          For some reason, I have 0 timeouts now. The one I showed you with a lot of timeouts was when I had DHCP and OpenVPN client registrations in unbound enabled.

          Yeah, that's possible. It could be that the ISP connection has gotten better and is another coincidence. I really don't know but I was trying to pinpoint the issue to one specific module on my whole infra but I still can't isolate it.

          Ok, so I'll enable these three, I guess:

          60b67e6d-a3e2-4d04-9f6e-168447a9aeb2-image.png

          293f4238-2218-4beb-927f-df5f6cf6e800-image.png

          How does the Serve Expired setting help though? So if the record has a TTL of already, it will still serve it to the client and update the cache in the background. What if the record is really no longer valid, how would serving an invalid record to the client help? I'm trying to understand how that setting works.

          1 Reply Last reply Reply Quote 0
          • K
            kevindd992002
            last edited by

            Nevermind! I enabled those three options for both my infras and this problematic infra started getting DNS timeouts again! Tried to ping 8.8.8.8 from Diagnostics -> Ping using the WAN interface and 100% packet loss. When I think that one isolation step solves the problem, it bites me in the back after a few days of trying it. This is insane.

            1 Reply Last reply Reply Quote 0
            • johnpozJ
              johnpoz LAYER 8 Global Moderator
              last edited by

              And lets go over this again - restarting unbound to change a feature has ZERO to do you with pinging anything by IP.. But if your having packetloss then resolving anything or even forwarding is going to be problematic at best.

              An intelligent man is sometimes forced to be drunk to spend time with his fools
              If you get confused: Listen to the Music Play
              Please don't Chat/PM me for help, unless mod related
              SG-4860 24.11 | Lab VMs 2.8, 24.11

              K 1 Reply Last reply Reply Quote 0
              • K
                kevindd992002 @johnpoz
                last edited by

                @johnpoz said in Intermittent connection issue:

                And lets go over this again - restarting unbound to change a feature has ZERO to do you with pinging anything by IP.. But if your having packetloss then resolving anything or even forwarding is going to be problematic at best.

                Yes, I completely agree. I just stated what I did and observed, I didn't say that the unbound restart directly caused me having packet losses.

                I still don't get it though. I don't know what to tell these ISP people because all along I still believe that the issue is with their network. I just can't prove it.

                1 Reply Last reply Reply Quote 0
                • B
                  bjohe
                  last edited by

                  @kevindd992002, this is a very interesting thread. I've very similar experience with my pfsense. Some of my testing could give input to further investigations.
                  The problem is almost identical to what you have described. Occationally I cannot access webpages. This typically happens first time starting to browse Internet. It is any type of website, it could be a frequently accessed site or an one time visit. But It also occurs in the middle of when I'm browsing e.g. after a break.
                  But if I open up several tabs and start to access different websites, and constantly refresh and try to access them I finally start to connect to one or several of the websites. However there could still be one of them that is not loading.

                  For e.g. when watching Netflix I could have and issue at the beginning when I start loading the first movie or even connecting to Netflix. However once the movie has started I cannot recall I have ever experienced a loading or connection issues. The same is true for Citrix when logging on to a remote desktop. I could have issues to connect to begin with but once connected I cannot recall any loading/connection issues.

                  I replaced my old Netgear SRX5308 with pfSense on a box from Protecli (amd64) Intel Celeron CPU J3160 @ 1.60GHz 4 CPUs: 1 package x 4 core, AES-NI CPU Crypto: Yes (active).
                  The old SRX5308 never had any connection issues however it was slow and capped my fiber connection. I have installed pfSense 3 times to make sure I have a default installation. Last 3 months I have been searching and reading Internet for trouble shoooting tips. I have tested several tips and none have solved the issue so far.

                  K 1 Reply Last reply Reply Quote 0
                  • K
                    kevindd992002 @bjohe
                    last edited by

                    I've had spare time and proceeded with the reinstallation of pfsense from scratch and since then I had 0 problems with unbound and no packet loss, so far. I'm not entirely sure if the issue was caused by some bug in pfsense (doubtful) but like @johnpoz said it could be just my ISP fixing something in the backend and was just coincidental to when I reinstalled pfsense. So far so good though, I'll definitely post back if I encounter the same issue (which I certainly hope I won't).

                    1 Reply Last reply Reply Quote 0
                    • K
                      kevindd992002 @johnpoz
                      last edited by

                      @johnpoz said in Intermittent connection issue:

                      The different with dnsmasq and unbound for forwarding is dnsmasq out of the box forwards to ALL of the forwarders you have set at the same time, and uses just uses the first answer. I don't think you can tell unbound to do that.. Would have to check the unbound docs - but there is no way to set that in the gui of pfsense. This can be good for when you have bad peering isp or issues talking via some paths, etc.

                      Well restarting unbound never helps because it flushes your cache. But you do have a lot of timeouts you showed - so something not great with your isp either which could be problems.

                      For all we know your isp connections has gotten better, and has zero to do with unbound restarting.

                      Again when you have issues with dns - you can not just assume the problem is X, you need to troubleshoot the exact issue your seeing... Not just dns not working sometimes.. Pick something that didn't work and find out why.. Are you still seeing a lot of timeouts in your infra info?

                      You can also make sure you setup prefetch with unbound, this can help with problematic issues because it will look up stuff in the background before the ttl expire and it flushes out of the cache. Also setting serve 0 ttl can really help as well. Since now even if the cache expired, it would serve up the last entry when client asks for it - and then look it up in the background again.

                      @johnpoz

                      Does this mean that unbound, by default, when set to forwarding mode queries the DNS servers you set in General sequentially and that you cannot change this behavior?

                      B 1 Reply Last reply Reply Quote 0
                      • B
                        bjohe @kevindd992002
                        last edited by

                        @kevindd992002 and @johnpoz
                        This is my understanding from the documentation. "unbound will use the system DNS servers from System > General Setup or those received from a dynamic WAN, rather than using the root servers directly"

                        When I changed my DNS resolver setting to "Enable Forwarding Mode" most of my intermittent connection issues have disappeared. Sometimes I still have to wait a sec or two before the webpage loads completely, but In general the pages load immediately and there are no long periods of total non-connection.

                        I have not tried using the DNS Forwarder (dnsmasq). The documentation on “DNS Query Forwarding” mentions that DNSSEC need to be disabled but I have not done this. Maybe it works for me as I did check that the DNS servers I choose were supporting DNSSEC.

                        1 Reply Last reply Reply Quote 0
                        • K
                          kevindd992002
                          last edited by

                          I don't see any GUI setting for DNSSEC in dnsmasq so I'm not sure if it's supported. But yeah, if my upstream DNS server is just the ISP modem anyway (double NAT config), I won't use the "simultaneous query of DNS servers" capability of dnsmasq. In that case, would staying with unbound and forwarding be advisable since it has DNSSEC support and other settings that you can customize?

                          K 1 Reply Last reply Reply Quote 0
                          • K
                            kevindd992002 @kevindd992002
                            last edited by

                            @johnpoz Do you still have any ideas on my question?

                            1 Reply Last reply Reply Quote 0
                            • K
                              kevindd992002
                              last edited by

                              Just an update to this issue:

                              My ISP had my account migrated to their VLAN for static (public) IP configs for two weeks testing and I had 0 problems with unbound (resolver). As soon as they transferred me back to using dynamic IP with CGNAT, the issue went back right away when using unbound (resolver). I had to go back to using unbound (forwarder) again as a workaround.

                              They wanted me to switch over to using static IP but to do that I would have to upgrade my subscription with them and pay the extra static IP subscription. That won't happen. I'm trying to fight with them now and convince them that the issue is with their dynamic IP network.

                              1 Reply Last reply Reply Quote 0
                              • GertjanG
                                Gertjan
                                last edited by

                                Not being able to use the default resolver, unbound, in resolving mode means a severe connection problem.
                                Very standard DNS data traffic is one of the basic Internet minimal requirements.

                                No "help me" PM's please. Use the forum, the community will thank you.
                                Edit : and where are the logs ??

                                1 Reply Last reply Reply Quote 0
                                • K
                                  kevindd992002
                                  last edited by

                                  Exactly. That's what I've been telling them. DNS traffic is nothing special. It's like they're forcing their customers to only forward DNS requests.

                                  GertjanG 1 Reply Last reply Reply Quote 0
                                  • GertjanG
                                    Gertjan @kevindd992002
                                    last edited by

                                    @kevindd992002 said in Intermittent connection issue:

                                    It's like they're forcing their customers

                                    They discovered, like many before, that that info is worth a max. People are using already themself's massively the "let bring everything to 8.8.8.8".
                                    And lets face it : if you are an ISP, and you have to make this deal with nearby Google's data centre to invest in a very costly 50 / 50 % fiber POP between the Google data centre and the ISP centre (ISP users consume a LOT of Youtube traffic !!) then what should this ISP do ? They cash cash out or they 'make this another deal'.
                                    So, yes, DNS is manly 'visible' to they can grab it, and do what they want with it.

                                    Btw : it's the technical point of views that interests me here. I don't care what Google does, neither my ISP. They can have it, I don't care.

                                    No "help me" PM's please. Use the forum, the community will thank you.
                                    Edit : and where are the logs ??

                                    1 Reply Last reply Reply Quote 0
                                    • johnpozJ
                                      johnpoz LAYER 8 Global Moderator
                                      last edited by

                                      Get a different ISP? Clearly you pointed out them that their carrier grade nat is broken..

                                      An intelligent man is sometimes forced to be drunk to spend time with his fools
                                      If you get confused: Listen to the Music Play
                                      Please don't Chat/PM me for help, unless mod related
                                      SG-4860 24.11 | Lab VMs 2.8, 24.11

                                      K 1 Reply Last reply Reply Quote 0
                                      • K
                                        kevindd992002 @johnpoz
                                        last edited by

                                        @Gertjan said in Intermittent connection issue:

                                        @kevindd992002 said in Intermittent connection issue:

                                        It's like they're forcing their customers

                                        They discovered, like many before, that that info is worth a max. People are using already themself's massively the "let bring everything to 8.8.8.8".
                                        And lets face it : if you are an ISP, and you have to make this deal with nearby Google's data centre to invest in a very costly 50 / 50 % fiber POP between the Google data centre and the ISP centre (ISP users consume a LOT of Youtube traffic !!) then what should this ISP do ? They cash cash out or they 'make this another deal'.
                                        So, yes, DNS is manly 'visible' to they can grab it, and do what they want with it.

                                        Btw : it's the technical point of views that interests me here. I don't care what Google does, neither my ISP. They can have it, I don't care.

                                        But I don't forward to 8.8.8.8. I'm trying to resolve. Sorry, not sure what you mean?

                                        @johnpoz said in Intermittent connection issue:

                                        Get a different ISP? Clearly you pointed out them that their carrier grade nat is broken..

                                        I can't, I'm still locked in with them (contract) and I have a point-to-point VPN connection with my other house that's using the same ISP (so best connection quality).

                                        GertjanG 1 Reply Last reply Reply Quote 0
                                        • GertjanG
                                          Gertjan @kevindd992002
                                          last edited by Gertjan

                                          @kevindd992002 said in Intermittent connection issue:

                                          But I don't forward to 8.8.8.8

                                          8.8.8 is just an example. And I was talking about 8.8.8.8, choosen by your ISP, the DNs where they are forwarding to.

                                          @kevindd992002 said in Intermittent connection issue:

                                          I had to go back to using unbound (forwarder) again as a workaround.

                                          To who ?

                                          Sending DNS request to

                                          Hostname 	IP address IPv4 / IPv6 	Organization
                                          a.root-servers.net 	198.41.0.4, 2001:503:ba3e::2:30 	VeriSign, Inc.
                                          b.root-servers.net 	199.9.14.201, 2001:500:200::b 	University of Southern California (ISI)
                                          c.root-servers.net 	192.33.4.12, 2001:500:2::c 	Cogent Communications
                                          d.root-servers.net 	199.7.91.13, 2001:500:2d::d 	University of Maryland
                                          e.root-servers.net 	192.203.230.10, 2001:500:a8::e 	NASA
                                          f.root-servers.net 	192.5.5.241, 2001:500:2f::f 	Internet Systems Consortium, Inc.
                                          g.root-servers.net 	192.112.36.4, 2001:500:12::d0d 	US Department of Defense (NIC)
                                          h.root-servers.net 	198.97.190.53, 2001:500:1::53 	US Army (Research Lab)
                                          i.root-servers.net 	192.36.148.17, 2001:7fe::53 	Netnod
                                          j.root-servers.net 	192.58.128.30, 2001:503:c27::2:30 	VeriSign, Inc.
                                          k.root-servers.net 	193.0.14.129, 2001:7fd::1 	RIPE NCC
                                          l.root-servers.net 	199.7.83.42, 2001:500:9f::42 	ICANN
                                          m.root-servers.net 	202.12.27.33, 2001:dc3::35 	WIDE Project
                                          

                                          or, the DNS you choose to forward to, what is the difference ? Yet you said that the first 13 are not possible.

                                          Read, for example https://securitytrails.com/blog/dns-root-servers and understand something is very wrong.

                                          Reset pfSense to default, and see if it works. If not, take a look at your ISP contract.

                                          @kevindd992002 said in Intermittent connection issue:

                                          I have a point-to-point VPN connection

                                          Aha. That changes a lot.
                                          Use pfSense with default settings (again !) and the resolver will work.
                                          Adding a VPN and suddenly it stops. That make the solution rather simple. : remove things that break things.
                                          Or setup correctly the new things.

                                          No "help me" PM's please. Use the forum, the community will thank you.
                                          Edit : and where are the logs ??

                                          K 1 Reply Last reply Reply Quote 0
                                          • K
                                            kevindd992002 @Gertjan
                                            last edited by

                                            @Gertjan said in Intermittent connection issue:

                                            @kevindd992002 said in Intermittent connection issue:

                                            But I don't forward to 8.8.8.8

                                            8.8.8 is just an example. And I was talking about 8.8.8.8, choosen by your ISP, the DNs where they are forwarding to.

                                            @kevindd992002 said in Intermittent connection issue:

                                            I had to go back to using unbound (forwarder) again as a workaround.

                                            To who ?

                                            Sending DNS request to

                                            Hostname 	IP address IPv4 / IPv6 	Organization
                                            a.root-servers.net 	198.41.0.4, 2001:503:ba3e::2:30 	VeriSign, Inc.
                                            b.root-servers.net 	199.9.14.201, 2001:500:200::b 	University of Southern California (ISI)
                                            c.root-servers.net 	192.33.4.12, 2001:500:2::c 	Cogent Communications
                                            d.root-servers.net 	199.7.91.13, 2001:500:2d::d 	University of Maryland
                                            e.root-servers.net 	192.203.230.10, 2001:500:a8::e 	NASA
                                            f.root-servers.net 	192.5.5.241, 2001:500:2f::f 	Internet Systems Consortium, Inc.
                                            g.root-servers.net 	192.112.36.4, 2001:500:12::d0d 	US Department of Defense (NIC)
                                            h.root-servers.net 	198.97.190.53, 2001:500:1::53 	US Army (Research Lab)
                                            i.root-servers.net 	192.36.148.17, 2001:7fe::53 	Netnod
                                            j.root-servers.net 	192.58.128.30, 2001:503:c27::2:30 	VeriSign, Inc.
                                            k.root-servers.net 	193.0.14.129, 2001:7fd::1 	RIPE NCC
                                            l.root-servers.net 	199.7.83.42, 2001:500:9f::42 	ICANN
                                            m.root-servers.net 	202.12.27.33, 2001:dc3::35 	WIDE Project
                                            

                                            or, the DNS you choose to forward to, what is the difference ? Yet you said that the first 13 are not possible.

                                            Read, for example https://securitytrails.com/blog/dns-root-serversand understand something is very wrong.

                                            Reset pfSense to default, and see if it works. If not, take a look at your ISP contract.

                                            @kevindd992002 said in Intermittent connection issue:

                                            I have a point-to-point VPN connection

                                            Aha. That changes a lot.
                                            Use pfSense with default settings (again !) and the resolver will work.
                                            Adding a VPN and suddenly it stops. That make the solution rather simple. : remove things that break things.
                                            Or setup correctly the new things.

                                            I'm currently forwarding to another local ISP's DNS servers that's known to be more stable. This works fine. As soon as I use resolver (querying against root hints servers), I get random drops. Are you saying ISP themselves just forward to Google for example? I was under the impression that they act as a resolver.

                                            The link you gave is not found.

                                            If you remember, we've been over the resetting of things to defaults :) It doesn't work. What I've been able to deduce/conclude is what I've explained just recently (resolver vs forwarder).

                                            Not sure how a point to point VPN connection affects this? DNS traffic isn't routing through the tunnel. Also, like I said I did try pfsense with default settings already, to no avail. With a static IP from the ISP, everything works as expected. So there's really something wrong with their dynamic IP VLAN.

                                            GertjanG 1 Reply Last reply Reply Quote 0
                                            • First post
                                              Last post
                                            Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.