Unbound seems to be restarting frequently

renegade

Similar issue on 2.4.1. already posted in pfblocker forum as i thought the error occurres from that side.

Nov 14 23:03:28 	unbound 	45240:0 	info: start of service (unbound 1.6.6).
Nov 14 23:02:57 	unbound 	45240:0 	info: service stopped (unbound 1.6.6).
Nov 14 23:02:57 	unbound 	45240:0 	info: start of service (unbound 1.6.6).
Nov 14 23:02:25 	unbound 	45240:0 	info: service stopped (unbound 1.6.6).
Nov 14 23:00:08 	filterdns 		adding entry 2a02:26f0:6a:280::3d5 to pf table certbot for host acme-v01.api.letsencrypt.org
Nov 14 23:00:08 	filterdns 		adding entry 2a02:26f0:6a:293::3d5 to pf table certbot for host acme-v01.api.letsencrypt.org
Nov 14 23:00:08 	filterdns 		adding entry 104.74.107.171 to pf table certbot for host acme-v01.api.letsencrypt.org 

renegade

are there any further investigations?
do you need more information/ logs?

Rai80

@renegade:

Similar issue on 2.4.1. already posted in pfblocker forum as i thought the error occurres from that side.

Nov 14 23:03:28 	unbound 	45240:0 	info: start of service (unbound 1.6.6).
Nov 14 23:02:57 	unbound 	45240:0 	info: service stopped (unbound 1.6.6).
Nov 14 23:02:57 	unbound 	45240:0 	info: start of service (unbound 1.6.6).
Nov 14 23:02:25 	unbound 	45240:0 	info: service stopped (unbound 1.6.6).
Nov 14 23:00:08 	filterdns 		adding entry 2a02:26f0:6a:280::3d5 to pf table certbot for host acme-v01.api.letsencrypt.org
Nov 14 23:00:08 	filterdns 		adding entry 2a02:26f0:6a:293::3d5 to pf table certbot for host acme-v01.api.letsencrypt.org
Nov 14 23:00:08 	filterdns 		adding entry 104.74.107.171 to pf table certbot for host acme-v01.api.letsencrypt.org 

Exact same issue here. Im on version 2.4.2.

It is solved when disabling DHCP registrations in DNS.

renegade

Please help! PfSense makes my internet unusable :(

Nov 18 10:58:23	unbound	41920:0	info: start of service (unbound 1.6.6).
Nov 18 10:57:51	unbound	41920:0	info: service stopped (unbound 1.6.6).
Nov 18 10:47:31	unbound	41920:0	info: start of service (unbound 1.6.6).
Nov 18 10:47:00	unbound	41920:0	info: service stopped (unbound 1.6.6).
Nov 18 10:47:00	unbound	41920:0	info: start of service (unbound 1.6.6).
Nov 18 10:46:28	unbound	41920:0	info: service stopped (unbound 1.6.6).
Nov 18 10:41:26	unbound	41920:0	info: start of service (unbound 1.6.6).
Nov 18 10:40:55	unbound	41920:0	info: service stopped (unbound 1.6.6).
Nov 18 10:31:13	unbound	41920:0	info: start of service (unbound 1.6.6).
Nov 18 10:30:42	unbound	41920:0	info: service stopped (unbound 1.6.6).
Nov 18 10:27:40	unbound	41920:0	info: start of service (unbound 1.6.6).
Nov 18 10:27:08	unbound	41920:0	info: service stopped (unbound 1.6.6).
Nov 18 10:12:35	unbound	41920:0	info: start of service (unbound 1.6.6).
Nov 18 10:12:04	unbound	41920:0	info: service stopped (unbound 1.6.6).
Nov 18 10:10:21	unbound	41920:0	info: start of service (unbound 1.6.6).
Nov 18 10:09:49	unbound	41920:0	info: service stopped (unbound 1.6.6).
Nov 18 10:09:08	unbound	41920:0	info: start of service (unbound 1.6.6).
Nov 18 10:08:37	unbound	41920:0	info: service stopped (unbound 1.6.6).
Nov 18 10:02:36	unbound	41920:0	info: start of service (unbound 1.6.6).
Nov 18 10:02:05	unbound	41920:0	info: service stopped (unbound 1.6.6).
Nov 18 10:02:05	unbound	41920:0	info: start of service (unbound 1.6.6).
Nov 18 10:01:33	unbound	41920:0	info: service stopped (unbound 1.6.6).
Nov 18 09:47:30	unbound	41920:0	info: start of service (unbound 1.6.6).
Nov 18 09:46:59	unbound	41920:0	info: service stopped (unbound 1.6.6).
Nov 18 09:46:59	unbound	41920:0	info: start of service (unbound 1.6.6).
Nov 18 09:46:27	unbound	41920:0	info: service stopped (unbound 1.6.6).
Nov 18 09:31:13	unbound	41920:0	info: start of service (unbound 1.6.6).
Nov 18 09:30:42	unbound	41920:0	info: service stopped (unbound 1.6.6).
Nov 18 09:30:03	unbound	41920:0	info: start of service (unbound 1.6.6).
Nov 18 09:29:32	unbound	41920:0	info: service stopped (unbound 1.6.6).
Nov 18 09:16:18	unbound	41920:0	info: start of service (unbound 1.6.6).
Nov 18 09:15:47	unbound	41920:0	info: service stopped (unbound 1.6.6).
Nov 18 09:14:59	unbound	41920:0	info: start of service (unbound 1.6.6).
Nov 18 09:14:27	unbound	41920:0	info: service stopped (unbound 1.6.6).
Nov 18 09:12:44	unbound	41920:0	info: start of service (unbound 1.6.6).
Nov 18 09:12:12	unbound	41920:0	info: service stopped (unbound 1.6.6).
Nov 18 09:11:02	unbound	41920:0	info: start of service (unbound 1.6.6).
Nov 18 09:10:30	unbound	41920:0	info: service stopped (unbound 1.6.6).
Nov 18 09:02:33	unbound	41920:0	info: start of service (unbound 1.6.6).
Nov 18 09:02:02	unbound	41920:0	info: service stopped (unbound 1.6.6).
Nov 18 09:02:02	unbound	41920:0	info: start of service (unbound 1.6.6).
Nov 18 09:01:30	unbound	41920:0	info: service stopped (unbound 1.6.6).
Nov 18 08:47:29	unbound	41920:0	info: start of service (unbound 1.6.6).
Nov 18 08:46:58	unbound	41920:0	info: service stopped (unbound 1.6.6).
Nov 18 08:46:58	unbound	41920:0	info: start of service (unbound 1.6.6).
Nov 18 08:46:26	unbound	41920:0	info: service stopped (unbound 1.6.6).
Nov 18 08:31:13	unbound	41920:0	info: start of service (unbound 1.6.6).
Nov 18 08:30:42	unbound	41920:0	info: service stopped (unbound 1.6.6).
Nov 18 08:24:07	unbound	41920:0	info: start of service (unbound 1.6.6).
Nov 18 08:23:36	unbound	41920:0	info: service stopped (unbound 1.6.6).
Nov 18 08:20:02	unbound	41920:0	info: start of service (unbound 1.6.6).
Nov 18 08:19:31	unbound	41920:0	info: service stopped (unbound 1.6.6).
Nov 18 08:19:26	unbound	41920:0	info: start of service (unbound 1.6.6).
Nov 18 08:18:55	unbound	41920:0	info: service stopped (unbound 1.6.6).
Nov 18 08:17:22	unbound	41920:0	info: start of service (unbound 1.6.6).
Nov 18 08:16:51	unbound	41920:0	info: service stopped (unbound 1.6.6).
Nov 18 08:15:07	unbound	41920:0	info: start of service (unbound 1.6.6).
Nov 18 08:14:36	unbound	41920:0	info: service stopped (unbound 1.6.6).
Nov 18 08:02:30	unbound	41920:0	info: start of service (unbound 1.6.6).
Nov 18 08:01:59	unbound	41920:0	info: service stopped (unbound 1.6.6).
Nov 18 08:01:59	unbound	41920:0	info: start of service (unbound 1.6.6).
Nov 18 08:01:27	unbound	41920:0	info: service stopped (unbound 1.6.6).
Nov 18 07:47:28	unbound	41920:0	info: start of service (unbound 1.6.6).
Nov 18 07:46:57	unbound	41920:0	info: service stopped (unbound 1.6.6).
Nov 18 07:46:57	unbound	41920:0	info: start of service (unbound 1.6.6).
Nov 18 07:46:25	unbound	41920:0	info: service stopped (unbound 1.6.6).
Nov 18 07:34:07	unbound	41920:0	info: start of service (unbound 1.6.6).
Nov 18 07:33:36	unbound	41920:0	info: service stopped (unbound 1.6.6).
Nov 18 07:31:13	unbound	41920:0	info: start of service (unbound 1.6.6).
Nov 18 07:30:42	unbound	41920:0	info: service stopped (unbound 1.6.6).
Nov 18 07:25:38	unbound	41920:0	info: start of service (unbound 1.6.6).
Nov 18 07:25:07	unbound	41920:0	info: service stopped (unbound 1.6.6).
Nov 18 07:21:50	unbound	41920:0	info: start of service (unbound 1.6.6).
Nov 18 07:21:19	unbound	41920:0	info: service stopped (unbound 1.6.6).
Nov 18 07:19:46	unbound	41920:0	info: start of service (unbound 1.6.6).
Nov 18 07:19:14	unbound	41920:0	info: service stopped (unbound 1.6.6).
Nov 18 07:17:31	unbound	41920:0	info: start of service (unbound 1.6.6).
Nov 18 07:16:59	unbound	41920:0	info: service stopped (unbound 1.6.6).
Nov 18 07:02:27	unbound	41920:0	info: start of service (unbound 1.6.6).
Nov 18 07:01:56	unbound	41920:0	info: service stopped (unbound 1.6.6).
Nov 18 07:01:56	unbound	41920:0	info: start of service (unbound 1.6.6).
Nov 18 07:01:25	unbound	41920:0	info: service stopped (unbound 1.6.6).
Nov 18 06:55:00	unbound	41920:0	info: start of service (unbound 1.6.6).
Nov 18 06:54:28	unbound	41920:0	info: service stopped (unbound 1.6.6).
Nov 18 06:46:56	unbound	41920:0	info: start of service (unbound 1.6.6).
Nov 18 06:46:24	unbound	41920:0	info: service stopped (unbound 1.6.6).
Nov 18 06:43:53	unbound	41920:0	info: start of service (unbound 1.6.6).
Nov 18 06:43:22	unbound	41920:0	info: service stopped (unbound 1.6.6).
Nov 18 06:43:22	unbound	41920:0	info: start of service (unbound 1.6.6).
Nov 18 06:42:51	unbound	41920:0	info: service stopped (unbound 1.6.6).
Nov 18 06:31:13	unbound	41920:0	info: start of service (unbound 1.6.6).
Nov 18 06:30:41	unbound	41920:0	info: service stopped (unbound 1.6.6).
Nov 18 06:24:14	unbound	41920:0	info: start of service (unbound 1.6.6).
Nov 18 06:23:42	unbound	41920:0	info: service stopped (unbound 1.6.6).
Nov 18 06:22:09	unbound	41920:0	info: start of service (unbound 1.6.6).
Nov 18 06:21:37	unbound	41920:0	info: service stopped (unbound 1.6.6).
Nov 18 06:19:54	unbound	41920:0	info: start of service (unbound 1.6.6).
Nov 18 06:19:23	unbound	41920:0	info: service stopped (unbound 1.6.6).
Nov 18 06:02:24	unbound	41920:0	info: start of service (unbound 1.6.6).
Nov 18 06:01:53	unbound	41920:0	info: service stopped (unbound 1.6.6).
Nov 18 06:01:53	unbound	41920:0	info: start of service (unbound 1.6.6).
Nov 18 06:01:22	unbound	41920:0	info: service stopped (unbound 1.6.6).
Nov 18 05:47:26	unbound	41920:0	info: start of service (unbound 1.6.6).
Nov 18 05:46:55	unbound	41920:0	info: service stopped (unbound 1.6.6).
Nov 18 05:46:55	unbound	41920:0	info: start of service (unbound 1.6.6).
Nov 18 05:46:23	unbound	41920:0	info: service stopped (unbound 1.6.6).
Nov 18 05:43:33	unbound	41920:0	info: start of service (unbound 1.6.6).
Nov 18 05:43:02	unbound	41920:0	info: service stopped (unbound 1.6.6).
Nov 18 05:41:43	unbound	41920:0	info: start of service (unbound 1.6.6).
Nov 18 05:41:11	unbound	41920:0	info: service stopped (unbound 1.6.6).
Nov 18 05:31:44	unbound	41920:0	info: start of service (unbound 1.6.6).
Nov 18 05:31:12	unbound	41920:0	info: service stopped (unbound 1.6.6).
Nov 18 05:31:12	unbound	41920:0	info: start of service (unbound 1.6.6).
Nov 18 05:30:41	unbound	41920:0	info: service stopped (unbound 1.6.6).
Nov 18 05:26:36	unbound	41920:0	info: start of service (unbound 1.6.6).
Nov 18 05:26:04	unbound	41920:0	info: service stopped (unbound 1.6.6).
Nov 18 05:24:32	unbound	41920:0	info: start of service (unbound 1.6.6).
Nov 18 05:24:01	unbound	41920:0	info: service stopped (unbound 1.6.6).
Nov 18 05:22:18	unbound	41920:0	info: start of service (unbound 1.6.6).
Nov 18 05:21:46	unbound	41920:0	info: service stopped (unbound 1.6.6).
Nov 18 05:02:21	unbound	41920:0	info: start of service (unbound 1.6.6).
Nov 18 05:01:50	unbound	41920:0	info: service stopped (unbound 1.6.6).
Nov 18 05:01:50	unbound	41920:0	info: start of service (unbound 1.6.6).
Nov 18 05:01:19	unbound	41920:0	info: service stopped (unbound 1.6.6).
Nov 18 04:46:54	unbound	41920:0	info: start of service (unbound 1.6.6).
Nov 18 04:46:22	unbound	41920:0	info: service stopped (unbound 1.6.6).
Nov 18 04:44:23	unbound	41920:0	info: start of service (unbound 1.6.6).
Nov 18 04:43:52	unbound	41920:0	info: service stopped (unbound 1.6.6).
Nov 18 04:31:12	unbound	41920:0	info: start of service (unbound 1.6.6).
Nov 18 04:30:41	unbound	41920:0	info: service stopped (unbound 1.6.6).
Nov 18 04:29:30	unbound	41920:0	info: start of service (unbound 1.6.6).
Nov 18 04:28:59	unbound	41920:0	info: service stopped (unbound 1.6.6).
Nov 18 04:28:59	unbound	41920:0	info: start of service (unbound 1.6.6).
Nov 18 04:28:28	unbound	41920:0	info: service stopped (unbound 1.6.6).
Nov 18 04:26:56	unbound	41920:0	info: start of service (unbound 1.6.6).
Nov 18 04:26:24	unbound	41920:0	info: service stopped (unbound 1.6.6).

Traveler

At the risk of necroposting, here is a related bug for unbound [1] and related merge request [2].

[1] https://redmine.pfsense.org/issues/5413
[2] https://github.com/pfsense/FreeBSD-ports/pull/751

swixo

This issue is causing issues on my fairly new deployment. I'd call it a deal-breaker had I found it sooner.

Does anyone have any insight as to whether it will be fixed or not?

s

Gertjan

Fixed :

!

swixo

@gertjan said in Unbound seems to be restarting frequently:

Fixed :

!

How is that fixed? It is still HUPping the resolver, and flushing the cache.

s

bmeeks

@swixo said in Unbound seems to be restarting frequently:

@gertjan said in Unbound seems to be restarting frequently:

Fixed :

!

How is that fixed? It is still HUPping the resolver, and flushing the cache.

s

Usually, it is the renewal of DHCP leases which results in the DHCP service restarting unbound (the DNS resolver, or forwarder, if using forwarding mode) so that it will reload its database of hostname/IP pairs. Unchecking that box prevents DHCP from registering the hosts' new leases with DNS. That, in turn, means unbound does not get restarted frequently.,

Another source of frequent unbound restarts is using the pfBlockerNG-devel package and its DNSBL feature. This is especially true with the new Python module integration. This setup can give the same symptoms as the DHCP leases scenario described above.

I will not disagree that there are better ways to fix this -- namely patching the DHCP system so that it uses the unbound control app to selectively load domains instead of flushing the entire cache and starting over with everything as it does now. But unless and until the pfSense developer team makes a change, the only two known solutions are to turn off the "Register DHCP leases in the DNS Resolver" option, and/or stop using the features of pfBlockerNG-devel that fiddle with unbound and frequently restart it.

swixo

@bmeeks said in Unbound seems to be restarting frequently:

@swixo said in Unbound seems to be restarting frequently:

@gertjan said in Unbound seems to be restarting frequently:

Fixed :

!

How is that fixed? It is still HUPping the resolver, and flushing the cache.

s

Usually, it is the renewal of DHCP leases which results in the DHCP service restarting unbound (the DNS resolver, or forwarder, if using forwarding mode) so that it will reload its database of hostname/IP pairs. Unchecking that box prevents DHCP from registering the hosts' new leases with DNS. That, in turn, means unbound does not get restarted frequently.,

Another source of frequent unbound restarts is using the pfBlockerNG-devel package and its DNSBL feature. This is especially true with the new Python module integration. This setup can give the same symptoms as the DHCP leases scenario described above.

I will not disagree that there are better ways to fix this -- namely patching the DHCP system so that it uses the unbound control app to selectively load domains instead of flushing the entire cache and starting over with everything as it does now. But unless and until the pfSense developer team makes a change, the only two known solutions are to turn off the "Register DHCP leases in the DNS Resolver" option, and/or stop using the features of pfBlockerNG-devel that fiddle with unbound and frequently restart it.

Right. We don't disagree. I understand that NOT registering local hosts from DHCP makes it not happen. But thats pretty 1990. Registering local hosts is very convenient and should work. And work without purging the DNS cache - by HUPping the deamon and restarting it.

I have been trying to find some subtle DNS failures and I have traced it to times when resolver is killed/restarting. It also occasionally leads to other small problems that would be considered annoyances.

It's a surprise that so much of this community is happy to just disable an important feature like registering DHCP leases with DNS and defend the practice because it fixes an other issue.

s

bmeeks

@swixo said in Unbound seems to be restarting frequently:

@bmeeks said in Unbound seems to be restarting frequently:

@swixo said in Unbound seems to be restarting frequently:

@gertjan said in Unbound seems to be restarting frequently:

Fixed :

!

How is that fixed? It is still HUPping the resolver, and flushing the cache.

s

Usually, it is the renewal of DHCP leases which results in the DHCP service restarting unbound (the DNS resolver, or forwarder, if using forwarding mode) so that it will reload its database of hostname/IP pairs. Unchecking that box prevents DHCP from registering the hosts' new leases with DNS. That, in turn, means unbound does not get restarted frequently.,

Another source of frequent unbound restarts is using the pfBlockerNG-devel package and its DNSBL feature. This is especially true with the new Python module integration. This setup can give the same symptoms as the DHCP leases scenario described above.

I will not disagree that there are better ways to fix this -- namely patching the DHCP system so that it uses the unbound control app to selectively load domains instead of flushing the entire cache and starting over with everything as it does now. But unless and until the pfSense developer team makes a change, the only two known solutions are to turn off the "Register DHCP leases in the DNS Resolver" option, and/or stop using the features of pfBlockerNG-devel that fiddle with unbound and frequently restart it.

Right. We don't disagree. I understand that NOT registering local hosts from DHCP makes it not happen. But thats pretty 1990. Registering local hosts is very convenient and should work. And work without purging the DNS cache - by HUPping the deamon and restarting it.

I have been trying to find some subtle DNS failures and I have traced it to times when resolver is killed/restarting. It also occasionally leads to other small problems that would be considered annoyances.

It's a surprise that so much of this community is happy to just disable an important feature like registering DHCP leases with DNS and defend the practice because it fixes an other issue.

s

Yeah, I'm not trying to defend the situation. I'm not impacted by it because I use Windows AD for DHCP and DNS. Just making sure you understood the two most likely causes and a solution (although certainly it's not a optimum one). You and I may be among the minority here, though, with regards to the importance of DNS working with DHCP clients. The view of many here is you just use static IP addresses with DHCP reservations, and update the DNS Resolver accordingly. I'm definitely not in that camp, especially for a larger business network where it is much easier to use DHCP "freestyle" and have it register hostnames for you in DNS.

Unbound itself also has an issue. The latest release of pfSense rolled back unbound to an earlier version to correct an issue with random segfaults.

swixo

You and I may be among the minority here, though, with regards to the importance of DNS working with DHCP clients. The view of many here is you just use static IP addresses with DHCP reservations, and update the DNS Resolver accordingly.

I used to do this to. Thirty years ago. It is much better to have local DHCP hosts registered. ESPECIALLY if you have multiple sites and tunnels between them.

Gertjan

@swixo

Switching of dhcpleases, the process that parses the DHCP leases list, and HUPs unbound, is, I totally agree, just a band aide.

But unbound doesn't work like, for example, bind (named) who is capable of re reading some file, and dealing with the changes on the fly, without completely restarting.

Btw @bmeeks, I'm using pfBlocker(latest) and its using unbound-control to 'inject' DNSBL changes. When pfBlocker found an updated DNSBL list, it parses out the changes, and communicates them to unbound.
For me, unbound restarts ones or twice a week, and even these restarts do not loose the DNS cache, as it is dump before the stop, and read back in when it restarts. That is, if pfBlocker was restarting it.

The thing is : unbound does the job, and is small enough - bind, with all it dependency, is huge, as it has much more capabilities.
It was working well, in the past, even with big networks connected to pfSense : devices do not tend to renew their lease every 5 minutes or so. But then some smart guy came allong and thought : hey, what if we feed unbound with host names that we want to short cut to ground ?
Big, no, huge DNSBL lists were build, and unbound needed a lot more time to start. People started to detect DNS outages.

pfSense doesn't control unbound, as it is an entire open source project of it's own. I never understood why unbound doesn't have some interface with ISC DHCP, the DHCP server used by pfSense.
It seems rather logic that on a device that has a resolver like unbound, their could also be a DHCP server, thus there are leases for the local devices, who wanted to have their host names registered in the local DNS.

dhcpleases should be rewritten to use unbound-control, instead of detecting a new lease, writing it to one of the files that unbound reads on start, and then pulling the trigger on unbound.

Keep in mind that other events can also restart unbound, such as interfaces that go up and down, etc.

bmeeks

@gertjan said in Unbound seems to be restarting frequently:

@swixo

Btw @bmeeks, I'm using pfBlocker(latest) and its using unbound-control to 'inject' DNSBL changes. When pfBlocker found an updated DNSBL list, it parses out the changes, and communicates them to unbound.
For me, unbound restarts ones or twice a week, and even these restarts do not loose the DNS cache, as it is dump before the stop, and read back in when it restarts. That is, if pfBlocker was restarting it.

Big, no, huge DNSBL lists were build, and unbound needed a lot more time to start. People started to detect DNS outages.

Yes, the "huge" DNSBL lists were what I was referring to. pfBlockerNG and the DNSBL feature can certainly be a useful tool, but many users manage to shoot themselves in the foot with it as evidenced by the many posts I see here on the Forums. And instead of being only a moderately painful "BB-gun" (an air-powered, small caliber weapon for those who might not be familiar with the common American name), the tool can be the equivalent of shooting your foot off with an American AC-130 gunship (a.k.a. "Angel of Death") when used with huge lists of domains to block. That chokes unbound by generating long startup times as the lists are parsed. And until unbound starts, it can't do DNS lookups.

stompro

Hello, I'm just getting up to speed on this issue. I've noticed the constant restarts of unbound... but it hasn't actually caused us any problems normally.

But now we are looking at using Cisco Umbrella DNS filtering, which seems to have some limits to the number of lookups that you can perform per day.

So the fact that unbound gets restarted and the cache gets cleared is now an issue due to the cache being cleared, resulting in way more upstream dns requests. I understand I can turn off registering dynamic dhcp leases, but that is a really nice feature.

Just to give a practical example, we are looking at signing up for 50 licenses, which are allowed 3000 lookups each a day, so 150K total for our 23 locations.

One of our busier branches had 150K queries to unbound in the last day, with about 12K cache misses. So with unbound doing it's constant restarting, we may have blown all our queries with one branch.

What is needed to move forward, there seems to be a roadmap at https://github.com/pfsense/FreeBSD-ports/pull/751

If that solution generally seems acceptable, then do the extra config bits just need to be added? Adding the view and the acl entries for interfaces that can use unbound?

It would probably be good to make sure the correct precedence of dns entries is respected with this solution, and things like that.

Gertjan

@stompro said in Unbound seems to be restarting frequently:

but that is a really nice feature.

On network(s) with many devices, or network(s) that have a faulty implementation of the DHCP client, or network(s) with devices that loose their connection very often (Wifi), the current implementation of how lease info, the hostname + IP, is updated in the resolver unbound, is completely flawed **.

A question that every admin has to ask for himself : what devices in a network need to be known by 'name' ?
Most of our portable devices, and most PC's TV's whatever : we don't care. Only server type devices like printers, NAS, scanners, cameras etc need to have their name assigned.
And if possible not the default name these devices propose but a name chosen by the admin.
For these devices : make a static mac DHCP lease entry. This type of devices are not added a lot to our networks, none of us is installing a new network printer and NAS every day.
Shut down "DHCP Registration".
And done.
Bonus : you have a build in list in pfSense with all your important network devices, part of pfSense config.
All the important devices (servers) or less important devices can use the default DHCP-client mode. The admin control from pfSense what their IP / DNS etc will be. No more f*ck *ps when people start to assign static addresses (and forget half the stuff needed).
With the upcoming IPv6 it will be even easier to administer all this stuff in one place : pfSense.

I made entries a long time ago for all devices that I access by wire.
https://github.com/pfsense/FreeBSD-ports/pull/751 uses a potential good solution.
Another approach might be : as unbound can uses "call back functions" for nearly every important resolve step, and it has chooses python to be the call back script method, its easy to add another python script "made by pfSense" that loads the file content of the DHCP-leases file if it was changed. If not, it serves IP or reverse right out the in python memory array.
Exactly like pfBlockerNG-devel using the 'python' mode.

** edit : that is : pfSense, with a dozen or so devices that behave correctly, like 24 hours leases, so 12 or so renewals take place every day, the situation is pretty non noticeable.
But when these devices start to emit big quantities of DNS traffic, users will start to notice something.

johnpoz

@stompro said in Unbound seems to be restarting frequently:

which are allowed 3000 lookups each a day

That is a really low number.. Out of curiosity if they block something, what is the TTL they send on the blocked IP they send you back? What exactly do they send back for a query that is blocked? Do they send back an IP that points you to a block page? Do they just send back 0.0.0.0, do they send back NX, Refused? What is the ttl if they send you back an IP of any kind?

A client looking for something, be it blocked or not if the ttl is low, or even if its high could produce a insane amount of queries depending on what is sent back, and what is actually cached.

I agree unbound clearing its cache sure isn't going to be helpful in lowering the number of queries sent upstream..

Until they change how registration of dhcp is done so it doesn't restart and clear the cache of unbound.. Turning that off is one solution.

Another solution might be to use another local cache, that isn't restarted that unbound forwards to. Also you might want to look into increasing min TTL to lower number of queries.

Also when you find stuff that is being blocked by them, creating a local block for that - so its not forwarded upstream could be way to reduce your overall number of queries sent to them.

swixo

@gertjan said in Unbound seems to be restarting frequently:

Shut down "DHCP Registration".
And done.

Except that this is a documented feature and should work properly. It doesn't. This is a workaround and in some cases undesirable.

johnpoz

@swixo said in Unbound seems to be restarting frequently:

This is a workaround and in some cases undesirable.

I don't think anyone would disagree with that. It has been a sore point for a long time.

Agree it not very desirable for unbound to restart and loose its cache on every dhcp, etc.

Gertjan

@swixo said in Unbound seems to be restarting frequently:

Except that this is a documented feature and should work properly. It doesn't.

Sure and it's serious. pfSense is perfect. The issue is fare to 'old'.
But I have this impression that not many people notice it / are bothered with it / always look at the dashboard page and never to the page that actually matters most : the log pages. Dono why. maybe the log pages are less pretty.

@swixo said in Unbound seems to be restarting frequently:

This is a workaround and in some cases undesirable.

Workaround ?
I used two available options in the GUI. Telling pfSense not to use the names DHCP devices gave it (because most use really stupid non significant,t names) : I like to chose my own names.
I like to chose what IP is used by what device, like servers from 192.168.1.20 to 20 - cameras from 30 to 50 - NAS and printers from 60 to 70 - and all PC's start after 80.
And again : no need to 'login' into every LAN device to set up DHCP/network related stuff. No need to know and learn all these thee devices. I control their network behaviour from pfSense.

That's not a work around : it a huge feature. I even presume that all 'big' or 'company' networks are set up like that.

Btw : I work f for a hotel and I decide who sleeps on which room, the clients don't chose.

No coding needed here. Just very ordinary classic network 'book keeping' and vey ancient network knowledge.

My opinion is based on a small (60 devices ?) company network of course, @home I care less, I only want to now where my NAS is ;)

@johnpoz said in Unbound seems to be restarting frequently:

I don't think anyone would disagree with that

I call it a bug (flaw, whatever).
Still, as sais, no workaround needed IMHO.
Even if the dhcpleases change = unbound restart issue wouldn't exist, I would myself allocate my network device devices.
Doing so so under pfSense even squashed a bug.