DNS Failure after a DNSBL reload/update
It's possible my google skills are failing me but I can't find anything on this topic; if someone could point me in the right direction I'd appreciate it.
I'm running pfBlockerNG v 2.1.1_4 on pfSense 2.3.2
pfBlockerNG update runs just after midnight and as of a couple of days ago whenever the update runs the end result is that no device on the LAN side of the network can get any response from the DNS Resolver. I can replicate the behaviour by manually starting a Reload and letting it run through to the end (where it shows the number of IPs per list etc.) and once it is completed, bam, no DNS to any device.
To fix it I untick the Enable DNSBL check box, click save, re-tick the Enable DNSBL check box and click save again, wait a moment and DNS is back up and running.
Now to pre-empt the obvious question "What have you changed in the last couple of days?", the answer is "nothing", which I can say with complete certainty because for the last week I have been interstate on business and haven't been home and it was working when I left. This leads me to think there is something in one of the IP lists causing a problem somewhere, somehow… maybe??
I will tonight start removing lists one by one to see if I can isolate it, but I was just wondering if this behaviour has been seen before or if anyone has any ideas as to its cause.
I am having similar issues with two installations. Like the OP, I too have not changed anything. Running the latest build of pfBlockerNG and 2.3.2-RELEASE of pfSense.
You didn't provide much information about the issue.
Go to Firewall / pfBlockerNG / Log Browser and take a look at pfblockerng.log, dnsbl.log, error.log.
Look at Status / System Logs / System / General
Look at Status / System Logs / System / DNS Resolver. However, you might need to restart Unbound in Status / Services in order for Unbound to log messages after a reboot.
Go to the Dashboard to see if there are Crash reports.
Do you have DHCP Registration and/or Static DHCP options enabled in the Unbound Resolver? I have seen some issues with DNSBL when those options are enabled…
I think what's happening is that when the resolver is reloading the DNSBL database and validating it, that process can take a little longer to complete, and at that time it might be colliding with the background DHCP renewal code etc.
Check the resolver.log file. You can also increase the Log level settings in the Resolver to get more details… Don't go all the way to "5" as it's way too detailed… try "3-4".
I have also seen some people with IPv6 settings issues… (see the Resolver logs)
Do you have DHCP Registration and/or Static DHCP options enabled in the Unbound Resolver? No I don't
What I did do was:
Unticked "Keep Settings", then disabled DNSBL and pfBlockerNG and then uninstalled it.
Rebooted the router and reinstalled pfBlockerNG.
Enabled pfBlockerNG and added some IPv4 blocklists (keeping DNSBL disabled).
Enabled DNSBL and the built-in EasyList but added NO further block lists.
Ran a Force Update.
Result: any attempt to access DNS fails.
The following now appears as a warning in pfSense (top right-hand corner of the main screen, in red, whatever it is called):
There were error(s) loading the rules: /tmp/rules.debug:24: cannot load "/var/db/aliastables/pfB_DNSBLIP.txt": No such file or directory - The line in question reads: table <pfB_DNSBLIP> persist file "/var/db/aliastables/pfB_DNSBLIP.txt" @ 2016-09-26 15:02:27
Looking at the DNSBL log shows:
===[ DNSBL Process ]================================================
[ DNSBL_IP ] Updating aliastable... 28 addresses added. 1 addresses deleted. Total IP count = 28
I have nothing in DNSBL > DNSBL Feeds… where is this DNSBL_IP coming from?
In Firewall > Aliases > All it lists a SIP alias I manually added and the 3 lists from the pfBlockerNG IPv4 feeds I have enabled.
In the Resolver Log (set to level 3) I see nothing at all after I enable DNSBL; every attempt to hit the DNS (e.g. ping <hostname-i-havent-been-to>) never makes it through to the Resolver. Unticking the Enable DNSBL checkbox and hitting save makes the DNS Resolver work (e.g. ping <different-hostname-i-havent-been-to> now works).
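Added example (not from any poster in this thread and not part of pfBlockerNG): the rules error quoted above comes from pf being handed a `table <name> persist file "path"` line whose file is missing. The script below pulls every such line out of a pf ruleset and reports which backing files exist, so you can see at a glance whether pfBlockerNG left a dangling table behind after a disable/enable cycle. It builds a constructed sample ruleset in a temp directory; on a real box you would point it at /tmp/rules.debug instead. The function names and the sample table names are my own.

```shell
#!/bin/sh
# Added example: verify that every pf table declared with "persist file"
# has its backing file on disk. Not part of pfBlockerNG or pfSense.

# Print one line per "table <name> persist file "path"" declaration:
#   OK      <name> -> <path>     (file exists)
#   MISSING <name> -> <path>     (file absent; pfctl would refuse the ruleset)
# Tables declared as plain "persist" with no file are ignored.
check_persist_tables() {
    rules="$1"
    sed -nE 's/^table <([^>]+)> persist file "([^"]+)".*/\1 \2/p' "$rules" |
    while read -r name path; do
        if [ -f "$path" ]; then
            printf 'OK      %s -> %s\n' "$name" "$path"
        else
            printf 'MISSING %s -> %s\n' "$name" "$path"
        fi
    done
}

# Number of MISSING entries (awk so the exit status is always 0).
count_missing() {
    check_persist_tables "$1" | awk '/^MISSING/ { n++ } END { print n + 0 }'
}

# Constructed sample: one table with its file present, one (pfB_DNSBLIP,
# the name from the thread) whose file is absent, one file-less table.
make_demo_ruleset() {
    dir=$(mktemp -d)
    mkdir -p "$dir/aliastables"
    printf '10.0.0.5\n' > "$dir/aliastables/pfB_Top_v4.txt"
    cat > "$dir/rules.debug" <<EOF
table <pfB_Top_v4> persist file "$dir/aliastables/pfB_Top_v4.txt"
table <pfB_DNSBLIP> persist file "$dir/aliastables/pfB_DNSBLIP.txt"
table <sshlockout> persist
EOF
    printf '%s\n' "$dir/rules.debug"
}

demo_rules=$(make_demo_ruleset)
check_persist_tables "$demo_rules"
printf 'missing files: %s\n' "$(count_missing "$demo_rules")"
```

For the real ruleset, `check_persist_tables /tmp/rules.debug` lists the dangling table, and `pfctl -n -f /tmp/rules.debug` (parse only, do not load) reproduces the "cannot load" error outside the GUI so you can confirm it is gone after the next pfBlockerNG reload.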
In DNSBL, you enabled the DNSBL IP option… So when it finds an IP in a domain-based DNSBL feed, those IPs are added to the blocklist using the settings that are configured in the DNSBL tab.
Go to the General tab and enable "Suppression", then do a Force Reload - All… This will remove any loopback or RFC1918 addresses that might be in the list.
The error message might have been from when you disabled DNSBL; that error can happen depending on the timing of disabling DNSBL… So if it just errored once, then don't worry about it.
If you review the Alerts Tab, what does it show as being blocked?
Thanks for your time BBcan177,
As per your suggestion I enabled Suppression and did a Force Reload. Then I realised I forgot to enable DNSBL first… :-[ so I repeated the Force Reload step, this time after enabling DNSBL; no obvious errors in the log and, as before, any DNS request to the router fails immediately.
Disabled DNSBL and DNS requests go through again.
Every time I disable DNSBL the error message appears. If I re-enable DNSBL, no error message, but also no DNS request is accepted.
There is nothing at all under the DNSBL section in the Alerts tab.
Logs > Log Files > error.log is empty/blank
Logs > Log Files > dnsbl.log is empty/blank
Logs > Log Files > pfblockerng.log just shows my constant enabling and disabling of the DNSBL part
I'm happy to do an uninstall/reinstall; setting everything up again is not difficult, but I have already done it once and nothing changed, which seems to imply that not everything is cleared away during an uninstall. What's the best way to manually remove all the leftovers?
After second uninstall/reboot/reinstall of pfBlockerNG everything (touch wood!) seems to be working normally again.
I have no idea what I did differently this time.
Thanks to all that responded with help and suggestions.
There is definitely some problem with this which I am not able to resolve. I have 4 ADSL lines. These renew their IPs every 24 hours. Sometimes I need to refresh the IP address for whatever reason. Every time any interface's IP is renewed, pfBlocker needs to be disabled and enabled again as the DNS stops resolving hostnames. I have removed pfBlocker and reinstalled it to no avail. Am out of ideas now.
When the WAN IP changes, pfSense probably restarts/reloads Unbound.
Depending on your hardware and DNSBL setup, this may take more than 1-2 minutes to complete. So if 4 IPs change around the same time, pfSense will reload/restart Unbound again before it has finished loading, and it may exit with an error.
Look at Status / System Logs / System / General for Unbound error messages.
Look at Status / System Logs / System / DNS Resolver. On my FW Unbound will not log anything after a system reboot (and probably WAN IP changes). To have Unbound log reloads, I go to Status / Services and restart Unbound after a reboot.
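Added example (mine, not from any poster in this thread): the diagnosis above is that several WAN IP changes in quick succession restart Unbound before the previous start has finished loading the DNSBL. The script below scans syslog-format lines for Unbound "start of service" entries and flags any start that follows another within a configurable window, which is the pattern to look for in the General log. The log lines are constructed to mimic the pfSense format (rc.newwanip and Unbound start/stop lines); the hostname, PIDs and timestamps are made up, and the function names are my own.

```shell
#!/bin/sh
# Added example: flag Unbound restarts that fire within WINDOW seconds of
# the previous restart, the symptom expected when several WAN interfaces
# renew their IPs at almost the same time. Not part of pfSense/pfBlockerNG.

# Constructed sample log (syslog format as seen in Status / System Logs).
SAMPLE_LOG='Sep 26 00:01:12 fw php-fpm[431]: /rc.newwanip: rc.newwanip: Info: starting on pppoe0.
Sep 26 00:01:14 fw unbound: [9876:0] info: service stopped (unbound 1.5.9).
Sep 26 00:01:15 fw unbound: [9880:0] info: start of service (unbound 1.5.9).
Sep 26 00:01:40 fw php-fpm[431]: /rc.newwanip: rc.newwanip: Info: starting on pppoe1.
Sep 26 00:01:41 fw unbound: [9880:0] info: service stopped (unbound 1.5.9).
Sep 26 00:01:42 fw unbound: [9884:0] info: start of service (unbound 1.5.9).
Sep 26 03:15:02 fw unbound: [9884:0] info: service stopped (unbound 1.5.9).
Sep 26 03:15:03 fw unbound: [9890:0] info: start of service (unbound 1.5.9).'

# Read log lines on stdin; $1 is the window in seconds. Prints one BURST
# line per start that lands within the window of the previous start, then a
# final "bursts=N" summary line.
unbound_restart_bursts() {
    awk -v window="$1" '
    BEGIN {
        split("Jan Feb Mar Apr May Jun Jul Aug Sep Oct Nov Dec", m, " ")
        for (i = 1; i <= 12; i++) mon[m[i]] = i
    }
    / unbound: .*start of service/ {
        # $1=month $2=day $3=HH:MM:SS; convert to seconds good enough for
        # ordering events within one year (month treated as 31 days)
        split($3, t, ":")
        secs = ((mon[$1] * 31 + $2) * 24 + t[1]) * 3600 + t[2] * 60 + t[3]
        if (last != "" && secs - last <= window) {
            printf "BURST %s %s %s (%d s after previous start)\n", $1, $2, $3, secs - last
            n++
        }
        last = secs
    }
    END { print "bursts=" n + 0 }'
}

# Convenience: number of bursts in the constructed sample for a given window.
sample_burst_count() {
    printf '%s\n' "$SAMPLE_LOG" | unbound_restart_bursts "$1" | awk -F= '/^bursts=/ { print $2 }'
}

printf '%s\n' "$SAMPLE_LOG" | unbound_restart_bursts 120
```

On a pfSense box the same function can be fed the live log, e.g. `clog /var/log/system.log | unbound_restart_bursts 120`; a run of BURST lines lining up with rc.newwanip entries is the overlap the post above describes.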
So, in this case, will it help if I have static IPs for each of the 4 ADSL lines? I have the option to get static IPs from my ISP. The ADSL lines will still renew the IP address every 24 hours but they would always get the same IPs.
I don't know if Unbound restarts when the WAN IP renews with the same IP.
Maybe you should ask that question in the DHCP / DNS forum.
For my original problem, another full uninstall/reinstall/reconfigure seems to have fixed the problem.
I'm still not sure what happened to get it into the state it was in, but it has cleared up for now. Fingers crossed.
Thanks to all that spent some time with their help.
"full uninstall/reinstall/reconfigure" of what? Just the pfBlockerNG package or the whole pfSense install?
Just pfBlockerNG. Deleted all lists manually, did a force update to clear everything, uninstalled the package, rebooted the machine and installed pfBlocker from scratch and reconfigured from a blank slate.
Not sure precisely what that fixed, other than to know that it is now working as expected, again.