DNS Resolver Timeouts
-
Well my take is that you having issues with ipsec interface then.. If the connection is updown or having issue then sure unbound could have issues sending on that interface.
Not sure how you think sending dns over a vpn is going to fix a connectivity problem.. If you have connectivity issues over this connection, then your going to have problems..
Putting the traffic inside a tunnel is just going to make it harder to troubleshoot that..
-
@johnpoz said in DNS Resolver Timeouts:
Well my take is that you having issues with ipsec interface then.. If the connection is updown or having issue then sure unbound could have issues sending on that interface.
Not sure how you think sending dns over a vpn is going to fix a connectivity problem.. If you have connectivity issues over this connection, then your going to have problems..
Putting the traffic inside a tunnel is just going to make it harder to troubleshoot that..
That's the thing, the IPsec interface is very stable (as you can see in the graph ping monitor). I'm also using it for a couple of site-to-site traffic traversal and I don't have any issues with it.
Well, since the IPsec tunnel is stable, forwarding DNS requests to the DNS server on the other side "can" server as a workaround. I'm just testing it because sending over DNS requests from a branch site to a main site in an enterprise environment is kinda common so why not try it in my home setup.
-
Well your remote site clearly doesn't think something is stable or is having issues if your getting errors like you posted..
You have something wrong that is clear - what that something is, is the tricky part.. If your vpn is stable - why not move the dns function off the pfsense box and just route the traffic through pfsense.
-
@johnpoz said in DNS Resolver Timeouts:
Well your remote site clearly doesn't think something is stable or is having issues if your getting errors like you posted..
You have something wrong that is clear - what that something is, is the tricky part.. If your vpn is stable - why not move the dns function off the pfsense box and just route the traffic through pfsense.
Right, it's just unbound though so I don't know.
Yeah, I thought of that as well. Since I have pihole anyway, I probably can try forwarding from pihole directly to the DNS servers and see if there's any difference. The only downside to that is I lose the static DHCP DNS entries I have in pfsense.
-
Can these system tunables be related to any of the issues I'm having?
I disabled redirect because it was recommended in a thread about the PCEngines APU2C4 with pfsense.
-
@kevindd992002 said in DNS Resolver Timeouts:
it was recommended in a thread about the PCEngines APU2C4 with pfsense.
Why would that be an issue.. with some specific box? Doesn't make any sense to me at all.. Prob yet another idiot on the net thinking something they changed had some effect on whatever issue they were having without a clue..
What is the reasoning behind why some apu2c4 would have issues with redirects?
I don't see how that could be causing an issue with unbound.. Or your sendto or binding errors.
I lose the static DHCP DNS entries I have in pfsense.
No you could have conditional forward setup on your downstream dns to query pfsense for those.. Domain Override is what its called in unbound.
Do you even have a pppoe connection? I believe I found the thread where that was mentioned do to a kernel problem in freebsd.. But my take is that is related to pppoe connection?
And corrected in 2.4.5?
-
@johnpoz said in DNS Resolver Timeouts:
@kevindd992002 said in DNS Resolver Timeouts:
it was recommended in a thread about the PCEngines APU2C4 with pfsense.
Why would that be an issue.. with some specific box? Doesn't make any sense to me at all.. Prob yet another idiot on the net thinking something they changed had some effect on whatever issue they were having without a clue..
What is the reasoning behind why some apu2c4 would have issues with redirects?
I don't see how that could be causing an issue with unbound.. Or your sendto or binding errors.
Here's some specific posts about it and it was explained in detail:
https://forum.netgate.com/post/908003
https://forum.netgate.com/post/908186
https://forum.netgate.com/post/908187I don't think @dugeem is an idiot at all. He knows his stuff, from the looks of it. The issue is not APU2C4 specific as explained in the posts.
But yeah, I'm just thinking hard of all the "basic" modifications I did so far with pfsense to see if I messed up something but I doubt it because there isn't really a lot of modifications here.
Oh, you're right! I forgot about domain override. Yeah, that makes sense.
Another option (just for the heck of it) I'm testing now is to use dnsmasq to forward to the main site DNS server.
-
Now that I use pihole exclusively (forwarding to Google DNS servers), I don't experience any issues anymore. Doesn't that mean the issue is with pfsense's unbound? I was expecting the issue to persist with pihole too if it's an ISP problem, no?
-
@kevindd992002 said in DNS Resolver Timeouts:
Now that I use pihole exclusively (forwarding to Google DNS servers)
No not really, what it could mean is your isp has issues talking to the other NS when you resolve.
I don't recall if tested before, but did you try setting up unbound to just forward to google?
when you talk to multiple NS, ie resolve with unbound - you would be taking different paths all across the internet. If your ISP has peering issues, when when you forward - you are only ever asking google to do the resolving.
Also - if you are having bind errors and sendto errors, then yeah that could be a problem with resolving.. Which you wouldn't run into if your just forwarding through pfsense. If its not a network issue, fix why your having sendto and binding errors.
-
@johnpoz said in DNS Resolver Timeouts:
@kevindd992002 said in DNS Resolver Timeouts:
Now that I use pihole exclusively (forwarding to Google DNS servers)No not really, what it could mean is your isp has issues talking to the other NS when you resolve.
I don't recall if tested before, but did you try setting up unbound to just forward to google?
when you talk to multiple NS, ie resolve with unbound - you would be taking different paths all across the internet. If your ISP has peering issues, when when you forward - you are only ever asking google to do the resolving.
Yes, we did test unbound forwarding to only the Google DNS servers. With that in set, I still see timeouts in Status -> DNS Resolver and when that happens the problem is very evident in simply browsing the Internet on any of my device. Everybody in the house will complain.
I understand about unbound resolving and taking considerably more paths all across the Internet and could have a problem with shitty ISP's like mine. But if I forward to just two DNS servers, I would expect it to work just fine. Hell, the issue is even present if I use unbound to forward to my ISP's "own DNS servers"!
-
@kevindd992002 said in DNS Resolver Timeouts:
But if I forward to just two DNS servers, I would expect it to work just fine.
Not if your getting those sendto and bind errors.
-
@johnpoz Those sendto and bind errors are ONLY happening when forwarding to the DNS server that is on the other end of the tunnel. I never get those errors when I forward to the Google DNS servers.
-
Ok then they prob related to vpn connection and binding to the vpn interface.
Well you have something wrong, with your config, your setup, with your hardware or your ISP..
If there was something inherently wrong - then the forum would be on fire with people complaining that unbound can not resolve/forward.
If you have found a solution - then good. But you have not actually troubleshooted what the actual problem is..
It also could of just been hey your isp had a problem, and currently they are not.
I don't recall all the stuff that has been done - but it could be that unbound just restarting on dhcp leases, etc. There are many things that can cause problems - but without troubleshooting it down to what that is, then yeah using pihole seems like a good solution if that is working for you.
-
@johnpoz said in DNS Resolver Timeouts:
Ok then they prob related to vpn connection and binding to the vpn interface.
Well you have something wrong, with your config, your setup, with your hardware or your ISP..
If there was something inherently wrong - then the forum would be on fire with people complaining that unbound can not resolve/forward.
If you have found a solution - then good. But you have not actually troubleshooted what the actual problem is..
It also could of just been hey your isp had a problem, and currently they are not.
Right, that makes sense. When I have time this week, I can try switching between pfsense unbound and pihole (should be pretty easy) and compare the behavior of both for around the same time period.
If you still remember, I have two pfsense boxes with exactly the same hardware and very similar settings. They also are in the same ISP. The only difference is that the other one has a higher tier subscription (400/400) with a public static IP. This one that has the problem has a lower tier subscription (100/100) but is behind a CGNAT.
I still want to be able to solve this even though I have pihole as a workaround. I just can't leave a topic open without any explanation.
-
I also did turn off the dhcp leases stuff as part of my troubleshooting. I mean I have all of those enabled on the site with the pfsense that has unbound resolving and it has 0 problems so I really don't think those are the issue. And it's not like we have tons of devices in the house. We probably just have 10 or so devices and with two people in the house.
-
K kevindd992002 referenced this topic on Nov 30, 2021, 3:32 PM
-
Sorry for necroing an old thread but I have the same exact issue now but this time with a totally different ISP. What the hell is wrong with this. As long as the connection is CGNAT, unbound resolving intermittently works. I'm really tired of troubleshooting this.
@johnpoz do you still have any ideas?