DNS dies periodically (due to unbound crashing?)
-
Hi,
On an sg-1100 running 21.05-RELEASE (arm64) (on FreeBSD 12.2-STABLE) I occasionally have the DNS service just... quit. Be forewarned, my DNS setup is a little convoluted, but I wonder if this issue is actually unrelated to that. As you can see below, unbound seems to keep restarting every now and then. The log shows this being a regular thing, but here's just a sample:
When I notice the DNS service drop out and go check logs, I see "notice: Restart of unbound 1.12.0." so I suspect this is either the cause (though I'm not sure how) or a symptom.
That said, I did mention a convoluted DNS setup, and I should explain that. I have two subnets behind the sg-1100. One of those zones has everything using pfSense's DNS Resolver directly. The other subnet, however, has a PiHole instance, and pfSense's DHCP config tells devices in that subnet to use the PiHole as their DNS server. PiHole then filters results, and afterwards passes on requests to pfSense. On pfSense, pfBlockerNG is running for both subnets, doing filtering before finally passing the requests upstream when needed to a pair of defined public DNS servers.
Anyway, I'm seeing DNS dropping out on both subnets, which implies the PiHole mess is irrelevant. When DNS service drops out, I can wait about 20 minutes for it to come back by itself, or I can reboot pfSense, which immediately restores the DNS resolver. I have not tried killing/restarting individual services running on pfSense.
Any suggestions?
-
@cyberminion said in DNS dies periodically (due to unbound crashing?):
pfBlockerNG is running for both subnets
pfBlockerNG can restart unbound regularly. Do a manual reload of pfBlockerNG and see for yourself.
This option:
will also restart unbound when a new DHCP lease comes in.
Although, checking that option and using pfBlockerNG will make it complain about it. That is: the Python mode doesn't 'like' this "DHCP Registration" setting, so, if set, it (pfBlockerNG) will default to the older "unbound mode". This mode uses more resources and is slower to restart.
@cyberminion said in DNS dies periodically (due to unbound crashing?):
when needed to a pair of defined public DNS servers.
Are you sure?
unbound should be used as a resolver. With "public DNS" you mean you're forwarding?
@cyberminion said in DNS dies periodically (due to unbound crashing?):
When DNS service drops out, I can wait about 20 minutes for it to come back by itself
This is the real issue: it did not crash, it was just restarting, and this shouldn't take that long.
Or it does so on your system.
Bring your system back to default settings (remove or deactivate pfBlockerNG and other packages) and add them back again step by step. Restart unbound with the GUI and check with the unbound logs how long it took.
Do this for each step, for each feed you add to pfBlockerNG.
Firewall > pfBlockerNG > Update: Reload > All
also shows you how much time it took for unbound to restart.
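The reply above suggests timing each unbound restart from the resolver log rather than guessing. Below is an added example script for doing that on the firewall's shell; it is not from the thread, from pfSense or from pfBlockerNG. It pairs each "notice: Restart of unbound" line (the message quoted in the original post) with the next "info: start of service" line, which is the message unbound logs once it is serving again (that message text, the syslog line layout, and the log path /var/log/resolver.log are assumptions about the pfSense 21.05 setup). The sample log lines are constructed to mirror the thread: one normal restart of a few seconds and one that took about 20 minutes.

```shell
#!/bin/sh
# Added example: measure how long each unbound restart took, from syslog-style
# lines. Not from the thread or from pfSense/pfBlockerNG.
#
# Constructed sample resembling /var/log/resolver.log on pfSense (assumed
# format: "Mon DD HH:MM:SS host unbound[pid]: [pid:0] level: message").
SAMPLE_LOG=$(cat <<'EOF'
Jun 12 10:15:03 pfSense unbound[12345]: [12345:0] notice: Restart of unbound 1.12.0.
Jun 12 10:15:09 pfSense unbound[12345]: [12345:0] info: start of service (unbound 1.12.0).
Jun 12 11:40:51 pfSense unbound[12345]: [12345:0] notice: Restart of unbound 1.12.0.
Jun 12 12:01:14 pfSense unbound[12345]: [12345:0] info: start of service (unbound 1.12.0).
EOF
)

# Read log lines on stdin; print "<restart time> <seconds until serving>"
# for every restart that was followed by a "start of service" message.
# Timestamps carry no year, so the arithmetic is done on HH:MM:SS only and a
# restart that straddles midnight is corrected by adding one day.
unbound_restart_seconds() {
  awk '
    function secs(t,  p) { split(t, p, ":"); return p[1]*3600 + p[2]*60 + p[3] }
    /notice: Restart of unbound/ { restart_at = $3; pending = 1; next }
    pending && /info: start of service/ {
      d = secs($3) - secs(restart_at)
      if (d < 0) d += 86400
      printf "%s %d\n", restart_at, d
      pending = 0
    }
  '
}

# Same as above, but only print restarts slower than a threshold in seconds
# (default 60 s); a healthy reload should come back well under that.
slow_restarts() {
  limit=${1:-60}
  unbound_restart_seconds | awk -v lim="$limit" '$2 > lim'
}

# Stand-alone demonstration on the constructed sample.
printf '%s\n' "$SAMPLE_LOG" | unbound_restart_seconds
echo "--- restarts slower than 60 s ---"
printf '%s\n' "$SAMPLE_LOG" | slow_restarts 60
```

On the firewall you would feed the real log instead of the sample, e.g. `unbound_restart_seconds < /var/log/resolver.log` (path assumed), then trigger a restart from the GUI or a pfBlockerNG reload and re-run it to see how the restart time changes as each package or feed is added back.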