Netgate Discussion Forum
    DNS unavailable during configuration apply

    DHCP and DNS
    4 Posts 3 Posters 415 Views
    • decibel83

      Hi,
      I'm using the DNS Resolver on two pfSense 2.4.5 installations in an HA configuration with a CARP virtual IP address, and the DNS Resolver settings are synchronized between the two systems.

      Clients are using the CARP virtual IP address as DNS server IP address.

      I realised that clients cannot resolve any hostname when I'm applying a configuration change on the DNS server, and this lasts for about 10 seconds.

      This is a big problem, could you help me to understand where I'm wrong, please?

      Thank you very much!
      Bye

      • Gertjan @decibel83

        @decibel83 said in DNS unavailable during configuration apply:

        and this lasts for about 10 seconds.

        Unbound, far more capable than dnsmasq (the forwarder), is still a lightweight process.
        On some low-budget ARM processor it takes a second or so to restart.
        That is, if it only reads the config, the hosts file and some other very small config files.

        And then came the pfSense packages, like pfBlocker-NG(-devel). People load an insane quantity of feeds, loaded with IPs, and DNSBL (these are domain names!), and these lists are loaded by unbound when it starts. Of course, why refresh the lists (some actually change every week, or less frequently) every day if one can reload them every hour? Unbound will get restarted when it's done.

        Btw, 10 seconds is nice.
        Some have posted here "why does it take a full minute for unbound to start?" (and tell afterwards that they had a full mega of DNSBL, not realizing that there is a very strong relation between unbound and pfBlockerNG-(devel) ....).

        Also: by default, on every new DHCP lease, unbound is restarted .... you should consider stopping that behaviour.

        An interface goes up or down? unbound restarts.
        A VPN connection is made? Same thing.
        Check the logs for how often it restarts, and check for every occasion: is it needed? You can't stop some of them from happening. But for some of them, you have a choice.

        Btw: same thing for any mail server, or web server, or any server: while they restart, they can't (don't) 'serve' ;)

        No "help me" PM's please. Use the forum, the community will thank you.
        Edit: and where are the logs??

        • DaddyGo @decibel83
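Gertjan's advice to check the logs for how often unbound restarts can be scripted. The following is an added example, not something posted in this thread; the log lines are constructed in the syslog layout of pfSense's /var/log/resolver.log and use Unbound's real "service stopped" / "start of service" messages, so the gap between the two is the window in which clients get no answers.

```shell
#!/bin/sh
# Added example, not from the thread: measure how often Unbound restarts and
# how long each restart leaves the resolver down, from a pfSense resolver log.
# Unbound logs "info: service stopped (unbound X.Y.Z)." on shutdown and
# "info: start of service (unbound X.Y.Z)." when it is serving again.

# CONSTRUCTED sample in the syslog layout of /var/log/resolver.log
# (three restarts: 10 s, 8 s and 12 s of downtime).
SAMPLE_LOG='May  5 10:00:01 pfsense unbound[4012]: [4012:0] info: service stopped (unbound 1.9.6).
May  5 10:00:11 pfsense unbound[4107]: [4107:0] info: start of service (unbound 1.9.6).
May  5 10:05:30 pfsense unbound[4107]: [4107:0] info: service stopped (unbound 1.9.6).
May  5 10:05:38 pfsense unbound[4290]: [4290:0] info: start of service (unbound 1.9.6).
May  5 11:20:02 pfsense unbound[4290]: [4290:0] info: service stopped (unbound 1.9.6).
May  5 11:20:14 pfsense unbound[4511]: [4511:0] info: start of service (unbound 1.9.6).'

# How many times Unbound came (back) up. All functions read log lines on stdin.
count_restarts() {
    grep -c 'info: start of service' || true
}

# Downtime in seconds for each restart, one per line: the time from
# "service stopped" to the next "start of service". $3 is the hh:mm:ss
# field of the syslog timestamp; the sample stays within one day.
restart_gaps() {
    awk '
        function secs(ts, p) { split(ts, p, ":"); return p[1]*3600 + p[2]*60 + p[3] }
        /info: service stopped/  { stop = secs($3); pending = 1 }
        /info: start of service/ { if (pending) { print secs($3) - stop; pending = 0 } }
    '
}

# Longest single outage in seconds (empty output if there were no restarts).
max_gap() {
    restart_gaps | sort -n | tail -n 1
}

# Restarts per clock hour, to spot the periodic ones (cron feeds, DHCP leases).
restarts_per_hour() {
    awk '/info: start of service/ { split($3, t, ":"); n[$1 " " $2 " " t[1] ":00"]++ }
         END { for (h in n) print h, n[h] }' | sort
}

printf 'restarts: %s\n'        "$(printf '%s\n' "$SAMPLE_LOG" | count_restarts)"
printf 'longest outage: %s s\n' "$(printf '%s\n' "$SAMPLE_LOG" | max_gap)"
```

On a pfSense 2.4.x box the live log is a circular clog file, so feed it in with `clog /var/log/resolver.log | restart_gaps`; a plain-text log can simply be redirected into the functions.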

          @decibel83 said in DNS unavailable during configuration apply:

          I realised that clients cannot resolve any hostname when I'm applying a configuration change on the DNS server, and this lasts for about 10 seconds.

          Hi,

          This can be normal, if you also manage large lists...
          It will take time for the resolver to reload after the modifications.

          If possible, make configuration changes during the lower-load period in a production environment...

          btw:
          more serious hardware also reduces load times...
          let's say 10 s seems like a lot, so too ...😉

          Cats bury it so they can't see it!
          (You know what I mean if you have a cat)

          • decibel83 @Gertjan

            @Gertjan said in DNS unavailable during configuration apply:

            Unbound, far more capable than dnsmasq (the forwarder), is still a lightweight process.
            On some low-budget ARM processor it takes a second or so to restart.
            That is, if it only reads the config, the hosts file and some other very small config files.

            My pfSenses are on two virtual machines; the host has one Intel Core i9-9900K CPU @ 3.60GHz and each pfSense has 2 vCores.

            An interface goes up or down? unbound restarts.
            A VPN connection is made? Same thing.
            Check the logs for how often it restarts, and check for every occasion: is it needed? You can't stop some of them from happening. But for some of them, you have a choice.

            Btw: same thing for any mail server, or web server, or any server: while they restart, they can't (don't) 'serve' ;)

            I understand that it has to restart when it needs to bind a new interface, but why can't it be reloaded instead of restarted when a new host is added?

            I understand what you are saying, but it's very dangerous that an entire network cannot resolve while applying a new host. Reloads were invented to avoid this :-)

            Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.