Upgraded to 2.5.1 - Unbound DNS stops working
-
-
Did any of this help? I have a unit that I just installed with 2.5.1 having this issue.
-
@stewart
I am still running 2.4.5-RELEASE-p1 because of resolver issues on the SG-3100 for the newer supported releases. Netgate support helped me back out the 21.02 version for ARM CPUs.So I am happy to stay on the old version because of it's stability. However, I had turned on a couple of features that I thought would be helpful, but was experiencing occasional DNS outages that lasted several seconds. I searched the forum for similar issues and found this topic. I turned off the 2 features, and now there are no more intermittent DNS outages, so I popped off a post to say thanks to Gertjan for his good advice.
-
Just wanted to comment here to say I'm having the same issue on a custom install, seems Unbound can't access that IP and it's bombarding it periodically which seems to trigger Unbound to crash.
Going to try disabling registration of DHCP leases and see if that makes it a bit more stable but I don't think that is the primary issue here.
-
@planedrop I disabled those and added Unbound to the watchdog. Client hasn't called and complained since. Not sure if it fixed it but it at least fixed it enough that it's working. I see there is a regression for Unbound in the next version. May be related.
-
@stewart Good to know, I will go ahead and give this a shot then.
-
@Stewart @planedrop
Sort of based on @Gertjan suggestion...
I disabled DNSSEC, and enabled Forwarding and SSL/TLS.
I believe changing to forwarding mode is what resolved the issue.
All other options are still enabled - registering DHCP/Reservations/OpenVPN clients, and have not seen the issue again across 4 different pfSense deployments. -
If you're still on 2.5.1, note there is a stability fix for unbound in 2.5.2. (and 21.05)
Edit: I was thinking of the 21.05 release notes, I guess 2.5.2 isn't quite out yet but apparently soon...
Pre-2.7.2/23.09: Only install packages for your version, or risk breaking it. Select your branch in System/Update/Update Settings.
When upgrading, allow 10-15 minutes to restart, or more depending on packages and device speed.
Upvote 👍 helpful posts! -
@mods I definitely prefer to use root servers for my setup personally. If disabling DHCP registration and then having the Watchdog keep track of it works then I'm OK with it personally. If I still have issues I will try this.
I imagine changing to forwarding mode helps, as it's getting such a huge log file built up of that one root IP not being accessible.
But if watchdog can restart it when it goes down then things should be ok.
-
@steveits This is good to see, I guess I could try the RC here soon as this isn't on a prod firewall.
-
@steveits said in Upgraded to 2.5.1 - Unbound DNS stops working:
note there is a [stability fix for unbound in 2.5.2]
That's what I was referring to but it isn't ready yet from what I can see.
-
@stewart yeah I might give it a shot anyway since it's RC and this is non-prod. Not sure yet though as stability does still matter to me quite a lot.
